Part 1
Scenario: You’re a SOC analyst working for a large organization. Someone in your organization alerted you to a suspect executable on their computer that they did not recognize, and they have sent it to you for further analysis. Using your malware analysis workstation, you created a brand new “victim” Windows VM, set up a packet capture for the VM, and ran the executable to see what it does from a network perspective.
Now that you have the packet capture you need to analyze it and determine what the suspect executable does from a network perspective when it runs.
Items of note:
I’ll provide the .pcap of the captured packets after accepting the question.
The victim VM’s IP address is 192.168.2.157
The network gateway for the VM network is 192.168.2.2
The packet capture is large (1762 packets!) so making use of filters to narrow down what you are analyzing will be helpful. (Review the class slides and the Wireshark User’s Guide for more details on Wireshark filters.)
The Network Primer may be helpful to review for some protocol information.
Part 2
Scenario: You are a Senior SOC Analyst with your organization. A Junior SOC Analyst has been analyzing the data from an alert they received and has asked you to review the packet capture around a suspected information-stealing malware infection involving RedLine Stealer. They believe this is a legitimate alert and would like your help reviewing the packet capture to confirm that assessment.
Items of Note:
I’ll provide the .pcap of the captured packets after accepting the question.
LAN segment range: 10.7.10.0/24
Domain: coolweathercoat.com
Domain controller IP address: 10.7.10.9
Domain controller hostname: WIN-S3WT6LGQFVX
LAN segment gateway: 10.7.10.1
LAN segment broadcast address: 10.7.10.255
Deliverable (questions to answer)
Part 1
Answers to the following questions:
1. Reviewing the network traffic, what is the first thing that the executable does? Why do you think it is doing it?
2. There is a large number of ARP queries. Why do you think that is? What might the executable be doing?
3. Does the executable make any calls out to a command and control (C2) server? If so, what is the IP address, host name, and/or URL it calls out to? Based on the response received, does the C2 server appear to be currently operational? Why or why not?
4. After reviewing the packet capture of the network traffic generated by the executable and answering questions 1-3, what is your final determination – is the executable malicious? Provide a short write-up on why you believe the executable is or is not malicious.
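An added example, not part of the assignment or any course material: a pure-Python reader for a classic little-endian libpcap file that tallies which hosts sent ARP requests for many distinct addresses, one way to narrow a large capture down to the ARP behaviour question 2 asks about. The capture it analyses is constructed in memory using the victim (192.168.2.157) and gateway (192.168.2.2) addresses from the items of note; the MAC addresses and the 1-to-50 sweep are assumptions.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806  # EtherType for ARP


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed sample: one Ethernet frame carrying an ARP who-has request."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet/IPv4, opcode 1 = request
    return eth + arp + sender_mac + sender_ip + b"\x00" * 6 + target_ip


def build_pcap(frames):
    """Constructed sample: minimal little-endian libpcap file (global header + records)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def arp_request_targets(pcap_bytes):
    """Map each ARP-request sender IP to the set of target IPs it asked for."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian libpcap file (not pcapng)")
    targets, off = defaultdict(set), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet(14) + ARP(28) = 42 bytes; keep only ARP frames with opcode 1 (request)
        if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_ARP:
            continue
        if struct.unpack_from("!H", frame, 20)[0] != 1:
            continue
        sender = ".".join(map(str, frame[28:32]))
        target = ".".join(map(str, frame[38:42]))
        targets[sender].add(target)
    return dict(targets)


def arp_sweepers(pcap_bytes, threshold=10):
    """Hosts that ARP-requested more than `threshold` distinct addresses: a sweep indicator."""
    return {h: len(t) for h, t in arp_request_targets(pcap_bytes).items() if len(t) > threshold}


# Constructed sample: the victim asks for 192.168.2.1-50 in turn; the gateway asks once for the victim
VICTIM_MAC, VICTIM_IP = bytes.fromhex("0a0000000001"), bytes([192, 168, 2, 157])
GATEWAY_MAC, GATEWAY_IP = bytes.fromhex("0a0000000002"), bytes([192, 168, 2, 2])
SAMPLE_PCAP = build_pcap(
    [build_arp_request(VICTIM_MAC, VICTIM_IP, bytes([192, 168, 2, i])) for i in range(1, 51)]
    + [build_arp_request(GATEWAY_MAC, GATEWAY_IP, VICTIM_IP)])
print(arp_sweepers(SAMPLE_PCAP))  # {'192.168.2.157': 50}
```

To run it against the real capture, save it from Wireshark as a classic pcap (not pcapng) and pass the file's bytes to arp_sweepers.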
Part 2
Answers to the following questions:
1. What is the date and time in GMT/UTC the infection started?
2. What is the hostname of the infected Windows client?
3. What is the user account name from the infected Windows host?
4. What type of information did RedLine Stealer try to steal?
(You are welcome to include screenshots from Wireshark or any other packet analysis tool in your answers for this assignment.)