Threat analysis assignments
Note 1: if you export files from the captures, do so in a virtual machine. Exported files may be live malware, and there is a real chance of infecting your PC!
Note 2: Report what you found and, more importantly, how you found it. Explain your line of thought: why you used certain filters, why you looked in a particular packet for a particular piece of information, how you obtained the information you were looking for, etc. Submissions that only provide answers/screenshots will be graded as insufficient!
You noticed that there is some BitTorrent traffic in your organization's network. Torrent traffic is not necessarily malicious, but it is often associated with sharing copyright-protected content. You would like to find out more about the torrent content.
Go to Canvas, download and open the packet capture traffic_analysis_1.pcap, and answer the following questions. Put your answers, as well as how you found them, in a short report.
1. Find out the following information about the PC that generates torrent traffic:
a. IP address
b. MAC address
c. Windows user account
d. Windows version
2. At what time (in UTC) did the first torrent activity occur?
3. What torrent file was downloaded?
4. Can you find other torrent traffic?
5. What torrent file was shared by the torrent client? Which torrent client was used? (hint: look at the info_hash value, convert it from URL encoding to its hexadecimal value, and then search Google for that hexadecimal string)
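The hint in question 5 is mechanical but easy to get wrong: the info_hash is 20 raw SHA-1 bytes that Wireshark shows percent-encoded, and decoding them as text (for example with parse_qs) silently corrupts them. The following worked example is added to this assignment sheet and is not course material; it decodes the info_hash from an announce request, recomputes it from an exported .torrent so the two can be matched (question 3 against question 5), and reads the client name from the peer_id convention. The tracker URL, file names and the qBittorrent peer_id are constructed sample data, not values from the course capture.

```python
"""Worked example added to this assignment sheet (not course material): recover
a BitTorrent info_hash from a tracker announce request, compute the same hash
from an exported .torrent so the two can be matched, and name the client from
peer_id. All sample data is constructed, not taken from the course captures."""
import hashlib
from urllib.parse import quote_from_bytes, unquote_to_bytes, urlsplit

# Azureus-style peer_id prefixes "-XXvvvv-" (BEP 20); a few common clients.
CLIENT_PREFIXES = {b"qB": "qBittorrent", b"UT": "uTorrent", b"TR": "Transmission",
                   b"AZ": "Vuze/Azureus", b"DE": "Deluge", b"lt": "libtorrent"}

def announce_params(request_target: str) -> dict:
    """Query string of an announce GET as raw bytes. parse_qs() would decode the
    values as text and corrupt the 20 raw info_hash bytes, so decode to bytes."""
    params = {}
    for pair in urlsplit(request_target).query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = unquote_to_bytes(value)
    return params

def info_hash_from_announce(request_target: str) -> str:
    """info_hash as 40 lowercase hex characters, the form to search for."""
    raw = announce_params(request_target)["info_hash"]
    if len(raw) != 20:
        raise ValueError(f"info_hash is {len(raw)} bytes, expected 20 (SHA-1)")
    return raw.hex()

def client_from_peer_id(peer_id: bytes) -> tuple:
    """(client, version) from an Azureus-style peer_id; the four version
    characters are dot-joined, e.g. -qB4250- -> qBittorrent 4.2.5.0."""
    if len(peer_id) == 20 and peer_id[:1] == b"-" and peer_id[7:8] == b"-":
        prefix = peer_id[1:3]
        name = CLIENT_PREFIXES.get(prefix, "unknown " + prefix.decode("latin-1"))
        return name, ".".join(peer_id[3:7].decode("latin-1"))
    return "unknown", ""

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, offset after it)."""
    c = data[i:i + 1]
    if c == b"i":                                # integer  i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                # list     l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                                # dict     d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            d[k], i = bdecode(data, i)
        return d, i + 1
    colon = data.index(b":", i)                  # string   <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def bencode(v) -> bytes:
    """Encode to bencode; dict keys sorted as the format requires."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    if isinstance(v, dict):
        return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"
    raise TypeError(f"cannot bencode {type(v).__name__}")

def info_hash_from_torrent(torrent: bytes) -> str:
    """SHA-1 over the raw bytes of the 'info' dict exactly as stored in the file
    (hashing a re-encoding could differ for non-canonical files)."""
    if torrent[:1] != b"d":
        raise ValueError("not a bencoded dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = bdecode(torrent, i)
        start = i
        _, i = bdecode(torrent, i)
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("no 'info' dictionary in torrent")

# Constructed sample: a tiny .torrent plus the announce request a client
# would send for it (peer_id -qB4250- follows the qBittorrent 4.2.5.0 form).
SAMPLE_INFO = {b"name": b"sample.iso", b"length": 4, b"piece length": 16384,
               b"pieces": hashlib.sha1(b"data").digest()}
SAMPLE_TORRENT = bencode({b"announce": b"http://tracker.example/announce",
                          b"info": SAMPLE_INFO})
SAMPLE_ANNOUNCE = ("/announce?info_hash="
                   + quote_from_bytes(hashlib.sha1(bencode(SAMPLE_INFO)).digest())
                   + "&peer_id=" + quote_from_bytes(b"-qB4250-" + b"x" * 12)
                   + "&port=6881&uploaded=0&downloaded=0&left=4&compact=1")
```

In the capture, the request target is the line Wireshark shows for the HTTP GET to the tracker (Follow TCP Stream or the http.request.uri field), and the .torrent file is what you get from File > Export Objects > HTTP. If the hex from the announce matches the hex computed from the exported .torrent, the file shared in question 5 is the file downloaded in question 3; if it differs, the client was seeding something else and the hex string is what you search for.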
You are analyzing the alerts generated by the IDS and notice that an executable (malware) was delivered disguised as an image.
Note: if the last digit of your student number is an odd number, take the following files:
· traffic_analysis_2_odd Alerts.jpg
Note: if the last digit of your student number is an even number, take the following files:
· traffic_analysis_2_even Alerts.jpg
Answer the following questions. Put your answers, as well as how you found them, in a short report.
1. How many clients do you see in this capture? Find the information related to the clients, including their IP/MAC addresses and operating systems. For Windows clients, also find their user accounts.
2. Which client is the victim?
3. How was the malware downloaded?
4. Export the malware and search the Internet to find out the name of the malware.
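For questions 3 and 4, the evidence that the "image" was really an executable is the disagreement between what the HTTP response claimed (Content-Type, URL extension) and what the body's first bytes are; the hash of the exported body is what you search for. The following worked example is added to this assignment sheet and is not course material: it parses a raw HTTP response, compares the declared type with the magic bytes, confirms a PE file via the e_lfanew pointer rather than the "MZ" prefix alone, and produces MD5/SHA-256. The responses are constructed, and the fake PE body is a bare header stub, not real malware.

```python
"""Worked example added to this assignment sheet (not course material): check
whether a file exported from the capture is really the image the HTTP response
claims, by comparing Content-Type and extension with the body's magic bytes,
and hash it for an Internet search. The responses below are constructed; the
PE body is a minimal fake header, not real malware."""
import hashlib

# (leading bytes, description, MIME type prefix a truthful server would send)
MAGIC = [
    (b"MZ", "Windows PE executable", "application/"),
    (b"\xff\xd8\xff", "JPEG image", "image/"),
    (b"\x89PNG\r\n\x1a\n", "PNG image", "image/"),
    (b"GIF87a", "GIF image", "image/"),
    (b"GIF89a", "GIF image", "image/"),
    (b"%PDF-", "PDF document", "application/"),
    (b"PK\x03\x04", "ZIP container (zip/docx/jar/apk)", "application/"),
]

def split_http_response(raw: bytes):
    """(status line, {lowercase header: value}, body) of a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def detect_type(body: bytes):
    """First matching magic entry as (description, mime prefix), or None."""
    for sig, name, mime in MAGIC:
        if body.startswith(sig):
            return name, mime
    return None

def is_pe(body: bytes) -> bool:
    """Stronger than 'MZ' alone: the DOS header's e_lfanew must point at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_download(raw_response: bytes, request_path: str) -> dict:
    """Compare what the server claimed (Content-Type, URL extension) with what
    the bytes actually are, and return the hashes to search for."""
    status, headers, body = split_http_response(raw_response)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    found = detect_type(body)
    detected, expected_mime = found if found else ("unknown", None)
    return {
        "status": status,
        "url_extension": request_path.rsplit(".", 1)[-1].lower() if "." in request_path else "",
        "declared_content_type": declared,
        "detected_type": detected,
        "is_pe": is_pe(body),
        "mismatch": expected_mime is not None and not declared.startswith(expected_mime),
        "size": len(body),
        "md5": hashlib.md5(body).hexdigest(),
        "sha256": hashlib.sha256(body).hexdigest(),
    }

# Constructed samples (not from the course capture).
FAKE_PE = (b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 20)                     # minimal DOS+PE stub
DISGUISED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                      + b"Content-Length: %d\r\n\r\n" % len(FAKE_PE) + FAKE_PE)
REAL_JPEG_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
                      + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
```

When working from the capture, the raw response bytes are what Follow TCP Stream shows (or the body alone from File > Export Objects > HTTP), and the request path comes from the matching GET. Search the SHA-256 before the MD5; the file name in the URL is worth reporting but is the attacker's choice and proves nothing.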
Note: if the last digit of your student number is an odd number, take the following task:
· An attack has been captured in traffic_analysis_3odd.pcapng. Your task is to find out what the attack is. Examine the packets and identify the IP addresses of the victim and the attacker. Write a short report on how the attack happened and which techniques were used.
Note: if the last digit of your student number is an even number, take the following task:
· One of the hosts in the capture traffic_analysis_3even.pcapng has been infected with malware. Your task is to find out information about the victim and what happened. Write a short report on your findings.
Look for a phishing/spam email in your mailbox. Download its headers and analyze: the sender, the receiver, the mail servers involved, SPF, DKIM, DMARC, etc. Discuss the evidence you find.
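The evidence in a phishing header usually lies in disagreements: the From domain the user sees versus the envelope sender (Return-Path) and Reply-To, the server in the oldest Received line versus where the From domain's mail should come from, and SPF/DKIM verdicts that pass for some other domain so that DMARC still fails. The following worked example is added to this assignment sheet and is not course material: it parses a raw header block with the standard library, extracts those fields, and checks SPF/DKIM alignment against the From domain. The headers are constructed (example.org / example.net / example.com), and the alignment check is an approximation of DMARC relaxed alignment as noted in the code.

```python
"""Worked example added to this assignment sheet (not course material): pull the
evidence out of a suspicious message's headers: claimed sender vs. envelope
sender and Reply-To, the server that handed the mail in, and the SPF/DKIM/DMARC
verdicts with the domains they were checked against. The headers below are
constructed, not from a real mailbox."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by imap.example.org with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from smtp.mailer.example.net (smtp.mailer.example.net [198.51.100.7])
    by mx1.example.org with ESMTP id xyz789; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx1.example.org;
    spf=pass smtp.mailfrom=mailer.example.net;
    dkim=pass header.d=mailer.example.net;
    dmarc=fail (p=reject) header.from=bank.example.com
From: "Your Bank" <security@bank.example.com>
Reply-To: help-desk@mailer.example.net
To: victim@example.org
Subject: Urgent: verify your account
"""

def domain_of(addr) -> str:
    """Domain part of an address header value ('' if absent)."""
    mailbox = parseaddr(str(addr or ""))[1]
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""

def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts and the domains each was evaluated on."""
    out = {}
    for ar in msg.get_all("Authentication-Results", []):
        text = " ".join(str(ar).split())              # unfold continuation lines
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text):
            out[method] = result.lower()
        for key in ("smtp.mailfrom", "header.d", "header.from"):
            m = re.search(re.escape(key) + r"=([\w.\-]+)", text)
            if m:
                out[key] = m.group(1).lower()
    return out

def received_chain(msg) -> list:
    """(host, comment) per Received header, top-down; the last is the origin hop."""
    hops = []
    for r in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\(([^)]*)\)", " ".join(str(r).split()))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def aligned(checked: str, from_domain: str) -> bool:
    """DMARC relaxed alignment, approximated: same domain or a subdomain of it
    (real DMARC compares organizational domains via the public suffix list)."""
    return bool(checked) and (checked == from_domain or checked.endswith("." + from_domain))

def triage(raw_headers: str) -> dict:
    """Collect the header facts a phishing report should discuss."""
    msg = message_from_string(raw_headers, policy=policy.default)
    ar = auth_results(msg)
    from_dom = domain_of(msg["From"])
    hops = received_chain(msg)
    return {
        "from_domain": from_dom,
        "return_path_domain": domain_of(msg["Return-Path"]),
        "reply_to_domain": domain_of(msg["Reply-To"]),
        "auth": ar,
        "spf_aligned": ar.get("spf") == "pass" and aligned(ar.get("smtp.mailfrom", ""), from_dom),
        "dkim_aligned": ar.get("dkim") == "pass" and aligned(ar.get("header.d", ""), from_dom),
        "origin_hop": hops[-1] if hops else None,
    }
```

Paste the raw header block from your mail client in place of SAMPLE_HEADERS. In the constructed sample, SPF and DKIM both pass, but for mailer.example.net rather than the bank's domain, so neither aligns with From and the receiver's DMARC verdict is fail with p=reject; the Return-Path and Reply-To pointing at the same third-party domain, and the origin hop belonging to it, are the supporting evidence. Only trust Authentication-Results lines added by your own receiving server; anything above the last Received line you control could have been written by the sender.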