Thanks to those who participated in our latest Challenge! You can watch the webinar walkthrough here:
We’ve been a big fan of malware-traffic-analysis.net. They have a huge archive with cool examples of malicious network attacks and malware attempts and do a great job taking even newbies through the examples. We wanted to bring one of those examples to our users to see how to solve it in CloudShark.
The Challenge
https://www.cloudshark.org/captures/670fc39e61c3
This is a capture with multiple hosts in it, and something “bad” has happened to one of them. How would we figure which one it was and what happened?
While it’s probably easy to find the answer to what’s wrong in the file, we want you to use CloudShark to do it! Figure out each step below and give us the links we’re looking for (remember, everything in CloudShark is a URL).
Start with finding some information about the hosts:
- Provide a link to the ethernet endpoints in the capture. Can you figure out which three MAC addresses are the three hosts in this capture? What are the other ones?
- What IP addresses are associated with each host? Give us CloudShark URLs that show http requests each host made. Set the columns using the HTTP Quick Preset by clicking on the Profile button and saving it for everyone viewing this capture.
- Open the Advanced Threat Assessment for this capture. Which host looks to be the one something bad happened to? Provide a link with all of the threats for this host. Better yet, clean up the view by removing the endpoints we don’t care about.
- Other than the infected host, what DNS names do the other IP addresses map to? Hint: you can use our DNS Activity Tool. Add a link showing the HTTP objects from the hostname(s) you found above.
That’s it! Good luck and we’ll see you on September 27th!