2025-01-22 - TRAFFIC ANALYSIS EXERCISE: DOWNLOAD FROM FAKE SOFTWARE SITE
ASSOCIATED FILE:
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
BACKGROUND
You work as an analyst at a Security Operations Center (SOC). Someone contacts your team to report a coworker has downloaded a suspicious file after searching for Google Authenticator. The caller provides some information similar to social media posts at:
Based on the caller's initial information, you confirm there was an infection. You retrieve a packet capture (pcap) of the associated traffic. Reviewing the traffic, you find several indicators matching details from a GitHub page referenced in the above social media posts. After confirming an infection happened, you begin writing an incident report.
LAN SEGMENT DETAILS FROM THE PCAP
- LAN segment range: 10.1.17[.]0/24 (10.1.17[.]0 through 10.1.17[.]255)
- Domain: bluemoontuesday[.]com
- Active Directory (AD) domain controller: 10.1.17[.]2 - WIN-GSH54QLW48D
- AD environment name: BLUEMOONTUESDAY
- LAN segment gateway: 10.1.17[.]1
- LAN segment broadcast address: 10.1.17[.]255
TASK
For this exercise, answer the following questions for your incident report:
- What is the IP address of the infected Windows client?
- What is the MAC address of the infected Windows client?
- What is the host name of the infected Windows client?
- What is the user account name from the infected Windows client?
- What is the likely domain name for the fake Google Authenticator page?
- What are the IP addresses used for C2 servers for this infection?
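As an added example (not part of this exercise or the site's own material) of how the first three report questions are usually answered from the pcap: a dependency-free Python parser that walks a classic pcap, picks out the client's DHCP Requests, and reports the client MAC (chaddr), the requested or current IP, and the host name (option 12). It builds a constructed one-packet capture inline so it runs offline; the MAC, IP and host name in it are placeholders, not the exercise's answers.

```python
import socket
import struct
COOKIE = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options
# Constructed placeholder values for the sample capture; not the exercise's answers.
CLIENT_MAC, CLIENT_IP, HOSTNAME = bytes.fromhex("001122334455"), "10.1.17.99", b"DESKTOP-EXAMPLE"

def build_sample_pcap():  # one classic little-endian pcap holding a single DHCP Request
    dhcp = struct.pack("!BBBBIHH16s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0,
                       b"\0" * 16, CLIENT_MAC.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dhcp += COOKIE + bytes([53, 1, 3])                        # option 53: DHCP Request
    dhcp += bytes([50, 4]) + socket.inet_aton(CLIENT_IP)       # option 50: requested IP
    dhcp += bytes([12, len(HOSTNAME)]) + HOSTNAME + b"\xff"    # option 12: host name, then End
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp
    eth = b"\xff" * 6 + CLIENT_MAC + b"\x08\x00" + ip
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

def iter_frames(pcap):  # yield raw Ethernet frames; classic little-endian pcap only
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here (not pcapng)")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def dhcp_request_facts(frame):  # {'mac','ip','hostname'} for a DHCP Request, else None
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:        # IPv4 carrying UDP
        return None
    udp = frame[14 + (frame[14] & 0x0F) * 4:]
    d = udp[8:]
    if struct.unpack("!HH", udp[:4]) != (68, 67) or d[:1] != b"\x01" or d[236:240] != COOKIE:
        return None
    opts, i = {}, 240
    while i < len(d) and d[i] != 255:                         # walk TLV options until End
        if d[i] == 0:                                         # Pad option has no length byte
            i += 1
            continue
        opts[d[i]] = d[i + 2:i + 2 + d[i + 1]]
        i += 2 + d[i + 1]
    if opts.get(53) != b"\x03":                               # message type 3 = Request
        return None
    ip = opts.get(50) or (d[12:16] if d[12:16] != b"\0" * 4 else None)  # renewals use ciaddr
    return {"mac": d[28:34].hex(":"), "ip": socket.inet_ntoa(ip) if ip else None,
            "hostname": opts[12].decode(errors="replace") if 12 in opts else None}

def infected_client_candidates(pcap):  # one dict per DHCP Request seen in the capture
    return [f for f in map(dhcp_request_facts, iter_frames(pcap)) if f]
```

On the exercise capture, pass `open(path, "rb").read()` instead of `build_sample_pcap()`; a pcapng file needs a different container reader, and the user account name is not in DHCP at all, so that question still needs Kerberos AS-REQ or SMB session setup traffic.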
ANSWERS
- Click here for the answers.
Source: https://www.malware-traffic-analysis.net/2025/01/22/index.html