Malware Traffic Analysis — RIG Exploit Kit
This sample, questions, and answers are based on the post on Malware Traffic Analysis.
LEVEL 1 QUESTIONS:
What is the IP address of the Windows VM that gets infected?
The host is most likely infected over the web, so we can filter Wireshark with http.request and see that almost all requests have 172.16.165.165 as the source.
What is the host name of the Windows VM that gets infected?
We can get the hostname, IP, and MAC address from the packet details. If the host used DHCP, we can get that info from the DHCP traffic.
What is the IP address of the compromised web site?
We can see that the infected host is reaching out to the website ciniholland.
What is the IP address and domain name that delivered the exploit kit and malware?
The last HTTP request is most likely where the exploit kit is delivered; we can see that there are multiple GET requests to this domain:
126.96.36.199 or stand[.]trustandprobaterealty[.]com
LEVEL 2 QUESTIONS:
What is the redirect URL that points to the exploit kit (EK) landing page?
The Referer header is found inside one of the GET requests from stand[.]trustandprobaterealty[.]com.
Besides the landing page (which contains the CVE-2013-2551 IE exploit), what other exploit(s) were sent by the EK?
From Export HTTP Objects we can see that there are x-shockwave-flash and java-archive objects.
How many times was the payload delivered?
The main payload was x-msdownload, which was delivered 3 times.
Submit the pcap to VirusTotal and find out what Snort alerts triggered. What EK names are shown in the Suricata alerts?
LEVEL 3 QUESTIONS:
What file or page from the compromised website has the malicious script with the URL for the redirect?
Following the stream for ciniholland and searching for corp, we can see that the redirect URL contains 24corp.
Extract the exploit file(s). What is(are) the md5 file hash(es)?
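A small triage script that automates the checks walked through above (most active HTTP client, server receiving the most GET requests, payload count by Content-Type, and the Referer on the EK landing-page request) over rows in the shape `tshark -T fields` prints. This is an added example, not code from the original post or from Malware Traffic Analysis; the rows, the ciniholland/24corp hostnames and the 203.0.113.10 address are constructed placeholders, and only the victim IP, EK IP and EK domain come from the writeup.

```python
from collections import Counter

# Constructed rows in the shape of `tshark -Y http -T fields -e ip.src -e ip.dst
# -e http.host -e http.request.uri -e http.referer -e http.content_type`
# (tab-separated, one row per HTTP packet). URIs, 203.0.113.10 and the
# *.example hostnames are placeholders, not the real IoCs from the pcap.
SAMPLE = """\
172.16.165.165\t203.0.113.10\tciniholland.example\t/\t\t
203.0.113.10\t172.16.165.165\t\t\t\ttext/html
172.16.165.165\t126.96.36.199\tstand.trustandprobaterealty.com\t/landing\thttp://24corp.example/\t
126.96.36.199\t172.16.165.165\t\t\t\ttext/html
172.16.165.165\t126.96.36.199\tstand.trustandprobaterealty.com\t/flash\thttp://stand.trustandprobaterealty.com/landing\t
126.96.36.199\t172.16.165.165\t\t\t\tapplication/x-shockwave-flash
172.16.165.165\t126.96.36.199\tstand.trustandprobaterealty.com\t/jar\thttp://stand.trustandprobaterealty.com/landing\t
126.96.36.199\t172.16.165.165\t\t\t\tapplication/java-archive
172.16.165.165\t126.96.36.199\tstand.trustandprobaterealty.com\t/exe1\t\t
126.96.36.199\t172.16.165.165\t\t\t\tapplication/x-msdownload
172.16.165.165\t126.96.36.199\tstand.trustandprobaterealty.com\t/exe2\t\t
126.96.36.199\t172.16.165.165\t\t\t\tapplication/x-msdownload
172.16.165.165\t126.96.36.199\tstand.trustandprobaterealty.com\t/exe3\t\t
126.96.36.199\t172.16.165.165\t\t\t\tapplication/x-msdownload
"""
FIELDS = ("src", "dst", "host", "uri", "referer", "ctype")

def parse(text):
    """One dict per row; tshark leaves absent fields as empty strings."""
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line]

def infected_host(rows):
    """Client that issued the most HTTP requests (rows carrying a Host header)."""
    return Counter(r["src"] for r in rows if r["host"]).most_common(1)[0][0]

def ek_servers(rows, victim):
    """(server IP, Host) pairs the victim requested, with request counts."""
    return Counter((r["dst"], r["host"]) for r in rows if r["src"] == victim and r["host"])

def delivered_types(rows, server_ip):
    """Content-Type -> count of responses from server_ip (x-msdownload = payload deliveries)."""
    return Counter(r["ctype"] for r in rows if r["src"] == server_ip and r["ctype"])

def redirect_referers(rows, ek_host):
    """Referers on requests to the EK host that did not originate from the EK itself."""
    return sorted({r["referer"] for r in rows
                   if r["host"] == ek_host and r["referer"] and ek_host not in r["referer"]})

if __name__ == "__main__":
    rows = parse(SAMPLE)
    victim = infected_host(rows)
    print(victim, ek_servers(rows, victim).most_common(1), redirect_referers(rows, "stand.trustandprobaterealty.com"))
```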