PCAP
You work for a private forensics company. One of your clients ended up with malware on one of their machines. They have provided you with a network sample captured around the time of infection. Can you figure out what's going on?
What is the first protocol in the PCAP? Give a brief explanation of its general purpose.
Solution:
What would a filter look like that shows only HTTP responses with status code 200 and does not show any OCSP responses?
Solution:
Are there any URIs that are just IP addresses? (Hint: make a column for URI and filter for HTTP)
Solution:
Are there any files downloaded? Do any look malicious or suspicious?
Solution:
Malware
For this part of the HW, screenshots are encouraged. Be as descriptive as you can for full credit.
What is stage one doing? How can you avoid being infected by stage one?
Solution:
Provide an analysis of stage two.
Solution:
What is the motivation behind this attack? Provide an exact quote.
Solution:
What is the purpose of check something? (EC +1)