Follow the instructions at the top of the question.docx file and then answer ALL questions in regard to the corresponding pcap file. Let me know when you need pcap 5 and 6 because I could not attach them to the assignment.



Quiz Instructions

This is a quiz only in name. It is meant to guide you through your exploration of the files and there is no time limit. It can start and be resumed at any time (it autosaves) but once submitted scores will be final. Do NOT submit unless you are ready.
Once submitted, if you would like to see your answers stop by my office.

Wireshark is probably a familiar tool to you all and it is also the quickest tool to help you evaluate peculiar traffic as long as you have full packet capture data available. Often as an analyst this may not be the case since you may be monitoring systems containing sensitive data (e.g., medical records), but as long as you have PCAP data, you might as well use them.

This assignment is all about that golden scenario where PCAP data are available and you need to find what's in them. To make it more fun, this is a scavenger hunt of sorts, in the sense that I am giving you the PCAP files and the only thing I am telling you is that each one hides something bad. The trick is for you to be smart about how you traverse these records and to also use publicly available tools to save you some time. VirusTotal and PacketTotal are two tools that you could use for this:

· https://www.virustotal.com/#/home/upload
· https://packettotal.com/
· https://w3techs.com/sites

Then rebuild the story of each one of the traffic logs. Sidenote: no need to go too much in depth about non-interesting regular traffic (i.e., just say that there is some typical HTTP and SMTP traffic along with the suspicious one). Describe in depth the suspicious traffic/attack.

PCAP files: Exercise PCAP dirty traffic.zip

Important
PCAP files can also be played against Bro, Suricata or Snort (or any other IDS for that matter). If you use tcpreplay to play back the PCAP file to a network interface, make sure you are playing it on loopback or some other fake network adapter (otherwise lots of people may notice the malware coming out of your primary network adapter... bad bad).

What to use for the assignment
You can utilize VirtualBox (or some other VM) to build your testing machines. Lab computers may be more appropriate if you load demanding machines. Use primary/secondary websites and Wireshark for this assignment.

Useful distros that you can further play around with but are not necessary to complete the assignment include:

· SELKS: https://www.stamus-networks.com/open-source/#selks
· SecurityOnion: https://securityonion.net/
· Kali: https://www.kali.org/

SO is by far the most demanding, requiring a minimum of 8GB if the ELK stack is utilized. With SELKS, you can get away with 3GB. Kali is useful for pentests but many of these you can initiate from your host computer. If you do not have sudo access on the host machine, check this guide if you need to build several tools from source: Installing with no sudo access

Question 1 (1 pt)
ex1.pcap. What is the name of the Trojan that was used in the attack? Type just the main name (x), not the variants (x.A, x.N, etc.)

Question 2 (1 pt)
ex1.pcap. Read more on the Trojan; search the web and the Common Vulnerabilities and Exposures (CVE) records. Then read a bit further on: http://oemhub.bitdefender.com/11-frequently-asked-questions-about-malware-botnets-%E2%80%93-answered
The outbound IP addresses that are the likely C&C for the trojan were: ____ and ____. The countries of origin were: ____ and ____.

Question 3 (1 pt)
ex1.pcap. Why are there many DNS requests to seemingly random domain names?
Group of answer choices:
· The trojan utilizes a domain generation algorithm.
· The trojan has the addresses hard-coded in its code.
· There are just normal DNS requests by other programs on the computer.
· It is an obfuscation tactic by the trojan to hide real traffic.

Question 4 (1 pt)
ex2.pcap. What is the name of the bot that we do observe? (enter just the base name)

Question 5 (1 pt)
ex2.pcap. What domain name did it come from? (enter only as example.com) Check via Wireshark; there are events happening moments before the appearance of Lokibot. This will indicate how that malware appeared on the victim's computer.

Question 6 (1 pt)
ex2.pcap. How did the user navigate to that domain? What service/software/activity were they using before that likely led them to making the HTTP request?

Question 7 (1 pt)
ex3.pcap. What domain did the bad redirect come from? (enter only as example.com)

Question 8 (1 pt)
ex3.pcap. Is the website where the redirect came from a malicious website? (This can be answered in several ways, using whois tools, blacklists and the Wayback Machine.)
Group of answer choices:
· No
· Yes

Question 9 (1 pt)
ex3.pcap. What software framework was the website that issued the redirect running? [hint: I am NOT looking for a programming language]

Question 10 (1 pt)
ex3.pcap. What is the suspicious top-level domain? (You can answer this question if you do a bit of research on the domains without even looking at the pcap.)
Group of answer choices:
· .tk
· .com
· .net
· .gr

Question 11 (1 pt)
ex3.pcap. What is the attack all about?
Group of answer choices:
· Scam
· Malware
· Virus
· Botnet

Question 12
ex4.pcap. What's the attack?
Group of answer choices:
· Ransomware
· Botnet
· Virus
· Spyware

Question 13 (1 pt)
ex4.pcap. Where is the C&C for the ransomware?
Group of answer choices:
· .onion address
· single IP address
· domain generation algorithm
· multiple IP addresses

Question 14 (1 pt)
ex5.pcap. You'll need to do a bit of research on the vulnerability alerts you will get through analyzing this pcap. It has several stages and you may get several alerts for each. Let's start with an easy one.
What is the domain of the compromised website? It is the one that starts the sequence of events. Hint: it runs a particular website framework. (enter as example.com)

Question 15 (1 pt)
ex5.pcap. What is the name of the executable that is downloaded?

Question 16 (1 pt)
ex5.pcap. What is the installed software, the end goal of the attack? ET PRO (Emerging Threats Pro) signatures (one of the websites supports these) will indicate the type of software that is observed. Type only the main name (single word). Hint: It is legitimate software.

Question 17 (1 pt)
ex6.pcap. What is the name of the malware/trojan found in the pcap? Enter just its basic name (Michael) and no variants (Michael.x, michael/y)

Question 18 (1 pt)
ex6.pcap. Read more on the type of attack in regard to the infection chain. You will need to look around the time the infection happened (yes, trojans have multiple lifetimes). What was the likely infection chain?
Group of answer choices:
· Mail spam -> office macro -> download exe
· Website scam -> download exe
· Website scam -> redirect -> download exe
· Network scan for 49759 tcp open port -> connect using tcp to service and execute remote exe code

Skeeyah.A!rfn
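Added example (not part of the assignment or of the posted answer): the "many DNS requests to seemingly random domain names" that Question 3 describes are the classic symptom of a domain generation algorithm, and the first thing an analyst does with such a capture is pull every DNS query name out of it and look at them in bulk rather than packet by packet. The Python below does that with the standard library only (no scapy or dpkt), walking the libpcap file format and the Ethernet/IPv4/UDP/DNS headers by hand, then applies a crude randomness score to each registrable label. The capture it reads is constructed in-code from a handful of synthetic queries (it is not one of the course's exN.pcap files), and the thresholds in dga_score are illustrative assumptions, not a published detection rule.

```python
"""Pull DNS query names out of a PCAP and score them for DGA-like randomness.

Standard library only, so it runs offline. The capture is CONSTRUCTED below
from synthetic queries (not a course file); dga_score thresholds are assumptions.
"""
import math
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
DNS_PORT = 53
PCAP_MAGIC_LE_USEC = 0xA1B2C3D4  # classic little-endian, microsecond-timestamp pcap


# --- synthetic capture writer (only so the example has something to parse) ---
def encode_qname(name):
    """Dotted name -> DNS wire format: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_dns_query_frame(name, src_ip="10.0.0.5", dst_ip="10.0.0.1", txid=0x1234):
    """Ethernet/IPv4/UDP/DNS bytes for one A query. IP/UDP checksums are left
    zero; Wireshark still dissects such frames (it only flags the checksum)."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 51000, DNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, PROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + udp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip  # zero MACs suffice here


def build_pcap(frames):
    """Wrap Ethernet frames in a libpcap file (linktype 1 = Ethernet), one frame per second."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE_USEC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# --- reader: the part you would point at a real capture ---
def iter_pcap_frames(pcap):
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic != PCAP_MAGIC_LE_USEC:
        raise ValueError("only little-endian microsecond pcap handled; convert with editcap -F pcap")
    if struct.unpack("<HHiIII", pcap[4:24])[5] != 1:
        raise ValueError("expected Ethernet link type")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len


def decode_qname(data, offset):
    """Decode a wire-format name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def dns_query_names(pcap):
    """QNAMEs of every DNS query (UDP dst 53, QR bit clear) in the capture, in order."""
    names = []
    for frame in iter_pcap_frames(pcap):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != PROTO_UDP:
            continue
        udp = frame[14 + ihl:]
        if struct.unpack("!H", udp[2:4])[0] != DNS_PORT:
            continue
        dns = udp[8:]
        if struct.unpack("!H", dns[2:4])[0] & 0x8000:  # QR=1 means response: skip
            continue
        off = 12
        for _ in range(struct.unpack("!H", dns[4:6])[0]):  # QDCOUNT questions
            name, off = decode_qname(dns, off)
            off += 4  # skip QTYPE + QCLASS
            names.append(name.lower())
    return names


# --- heuristic: does the label left of the TLD look machine-generated? ---
def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def dga_score(name):
    """Crude 0-4 score; each threshold below is an assumption for illustration."""
    parts = name.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if not label:
        return 0.0
    score = 0.0
    score += len(label) >= 12                                        # long label
    score += shannon_entropy(label) >= 3.5                           # high character entropy
    score += sum(ch in "aeiou" for ch in label) / len(label) < 0.25  # unpronounceable
    score += sum(ch.isdigit() for ch in label) / len(label) > 0.2    # digit-heavy
    return score


def flag_dga_candidates(names, threshold=2):
    return sorted({n for n in names if dga_score(n) >= threshold})


# Constructed sample: ordinary lookups mixed with four random-looking names.
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "update.microsoft.com",
    "xkq7fmzpbd3wlr.net", "qwpvtzxmbkjrhsdf.com", "4jxv9pqlmztw2k.org",
    "cdn.example.com", "zrwqxvtkmphlbn.info",
]
SAMPLE_PCAP = build_pcap([build_dns_query_frame(q, txid=0x1000 + i) for i, q in enumerate(SAMPLE_QUERIES)])

if __name__ == "__main__":
    for n in dns_query_names(SAMPLE_PCAP):
        print(f"{dga_score(n):.0f}  {n}")
    print("DGA candidates:", flag_dga_candidates(dns_query_names(SAMPLE_PCAP)))
```

On a real capture call dns_query_names(open("ex1.pcap", "rb").read()); the Wireshark equivalent is the display filter dns.flags.response == 0 with the dns.qry.name column exported, or Statistics -> Resolved Addresses. The reader only understands classic little-endian pcap, and Wireshark saves pcapng by default, so convert first with editcap -F pcap in.pcapng out.pcap. A score alone is weak evidence, since genuine CDN and tracking hostnames can look random too; corroborate with the NXDOMAIN rate (dns.flags.rcode == 3) and the burst timing of the queries before concluding that a DGA is at work.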
Answered 1 day after Jan 20, 2023


Baljit answered on Jan 21 2023
33 Votes