
Traffic analysis

2025-02-23 Update From: SLTechnology News&Howtos (shulou), Network Security

Shulou(Shulou.com)06/01 Report--

Analysis report

Packet capture:

LAN segment attributes:

IP Range: 10.1.75.0/24 (10.1.75.0 to 10.1.75.255)

Gateway IP: 10.1.75.1

Broadcast IP: 10.1.75.255

Domain Controller (DC): PixelShine-DC, 10.1.75.4

Domain Name: pixelshine.net

Requirements:

State the time and date of the infection.

Determine the IP address of the infected Windows client.

Determine the host name of the infected Windows client.

Determine the MAC address of the infected Windows client.

Determine the Windows user account name used on the infected Windows client.

Determine the SHA256 hash value of the Word document downloaded by the victim.

Determine the SHA256 hash value of the first malware binary sent to the infected Windows client.

Determine when the domain controller (DC) at 10.1.75.4 was infected.

Determine the SHA256 hash value of the second malware binary sent to the infected Windows client (the same file retrieved by radiance.png and table.png).

What are two file hashes of executable files that can be retrieved from SMB traffic using Wireshark?

Identify two types of malware that infected the Windows client.

Identify the malware family that infected the DC.

Determine the public IP address of the infected Windows client.

Use Wireshark's Protocol Hierarchy under Statistics to get an overview of the traffic:

Use that view to see which protocols are present in the capture.

State the time and date of the infection.

###The first document; that is, the time at which the Word-format file was downloaded

Determine the IP address of the infected Windows client.

IP address: 10.1.75.4

Determine the host name of the infected Windows client.

Host name: rigsby-win-pc$

Determine the MAC address of the infected Windows client.

MAC Address: 84:2B:2B:D3:55:73

Determine the Windows user account name used on the infected Windows client.

User account name: jubson.rigsby

Determine the SHA256 hash value of the Word document downloaded by the victim.

###Export Objects, select HTTP, save the file locally

###Right-click the file to view its checksum (hash) value

hash value: 1112203340b2d66f15b09046af6e776af6604343c1e733fe419fdf86f851caa3

Determine the SHA256 hash value of the first malware binary sent to the infected Windows client.

###In Export Objects, click HTTP to list the resources fetched with GET

###Go back to Wireshark, apply the display filter http, and find the relevant request.

###As above, export the object and save it locally to view its hash value

hash value: 0d7a4650cdc13d9217edb05f5b5c2c5528f8984dbbe3fbc85f4a48ae51846cc3

Determine when the domain controller (DC) at 10.1.75.4 was infected.

Time: October 2, 2018 3:01

Determine the SHA256 hash value of the second malware binary sent to the infected Windows client (the same file retrieved by radiance.png and table.png).

hash value: 28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e
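The steps above (export an HTTP object, then hash the saved file) can be reproduced outside the Wireshark GUI. The following is an added example, not code from the original report: a standard-library Python script that parses a classic libpcap file, decodes Ethernet/IPv4/TCP, reassembles each TCP direction by sequence number, pairs each HTTP request with its response, and records the requesting client's MAC and IP together with the SHA256 of the response body, which covers both the client-identification questions and the hash questions. The capture it runs on is constructed inline (IP 10.1.75.15, MAC 00:11:22:33:44:55, server 203.0.113.9, host example.invalid and the stand-in body bytes are all made up); it assumes non-chunked responses with a Content-Length header, no IP fragmentation, and no overlapping retransmissions.

```python
"""Extract HTTP response objects from a libpcap capture and hash them (added example)."""
import hashlib
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}   # magic number tells us the writer's byte order
SAMPLE_BODY = b"MZ" + bytes(range(64))            # constructed stand-in for a downloaded binary


def iter_frames(data):
    """Yield (ts_sec, frame_bytes) for every record in a classic pcap file."""
    endian = PCAP_MAGIC.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    off = 24  # global header: magic, version, tz offset, sigfigs, snaplen, linktype
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Decode Ethernet/IPv4/TCP; return a dict, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return {"src_mac": frame[6:12].hex(":"), "src_ip": socket.inet_ntoa(frame[26:30]),
            "dst_ip": socket.inet_ntoa(frame[30:34]), "sport": sport, "dport": dport,
            "seq": seq, "payload": frame[tcp + doff:14 + total_len]}


def reassemble(data):
    """Collect TCP payloads per direction and join them in sequence order."""
    streams = defaultdict(dict)  # (src_ip, sport, dst_ip, dport) -> {seq: payload}
    macs = {}
    for _ts, frame in iter_frames(data):
        pkt = decode_tcp(frame)
        if pkt and pkt["payload"]:
            key = (pkt["src_ip"], pkt["sport"], pkt["dst_ip"], pkt["dport"])
            streams[key][pkt["seq"]] = pkt["payload"]  # same seq twice = retransmission, keep one
            macs[key] = pkt["src_mac"]
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in streams.items()}, macs


def header(head, name):
    """Value of the first header called `name` (case-insensitive), or b''."""
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name:
            return value.strip()
    return b""


def split_http(stream):
    """Split one reassembled direction into (header, body) messages."""
    msgs = []
    while b"\r\n\r\n" in stream:
        head, rest = stream.split(b"\r\n\r\n", 1)
        length = int(header(head, b"content-length") or 0)
        msgs.append((head, rest[:length]))
        stream = rest[length:]
    return msgs


def http_objects(pcap_bytes):
    """One record per HTTP response: which client asked for what, and the body's SHA256."""
    streams, macs = reassemble(pcap_bytes)
    records = []
    for key, data in streams.items():
        if not data.startswith((b"GET ", b"POST ")):
            continue
        src_ip, sport, dst_ip, dport = key
        responses = split_http(streams.get((dst_ip, dport, src_ip, sport), b""))
        for (req_head, _), (resp_head, body) in zip(split_http(data), responses):
            records.append({"client_mac": macs[key], "client_ip": src_ip, "server_ip": dst_ip,
                            "host": header(req_head, b"host").decode(errors="replace"),
                            "request": req_head.split(b"\r\n", 1)[0].decode(errors="replace"),
                            "status": resp_head.split(b"\r\n", 1)[0].decode(errors="replace"),
                            "size": len(body), "sha256": hashlib.sha256(body).hexdigest()})
    return records


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame, used only to build the inline sample capture."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp + payload


def sample_capture():
    """Constructed capture: one GET answered in two out-of-order segments plus a retransmission."""
    c_ip, c_mac, s_ip, s_mac = "10.1.75.15", "00:11:22:33:44:55", "203.0.113.9", "00:aa:bb:cc:dd:ee"
    req = b"GET /radiance.png HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY
    cut = 40
    frames = [(1, build_frame(c_mac, s_mac, c_ip, s_ip, 49200, 80, 1000, req)),
              (2, build_frame(s_mac, c_mac, s_ip, c_ip, 80, 49200, 5000 + cut, resp[cut:])),  # arrives first
              (2, build_frame(s_mac, c_mac, s_ip, c_ip, 80, 49200, 5000, resp[:cut])),
              (3, build_frame(s_mac, c_mac, s_ip, c_ip, 80, 49200, 5000, resp[:cut]))]        # retransmission
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in frames)


if __name__ == "__main__":
    for r in http_objects(sample_capture()):
        print(f"{r['client_ip']} ({r['client_mac']}) -> {r['host']} {r['request']}: "
              f"{r['size']} bytes, sha256={r['sha256']}")
```

Pointing `http_objects` at `open("capture.pcap", "rb").read()` lists every downloaded object with its SHA256, so the hashes can be checked against the ones recorded above without saving each object by hand; the source MAC on the GET is the same field Wireshark shows for the client, and reading it from the request rather than the response avoids picking up the gateway's MAC by mistake.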

What are two file hashes of executable files that can be retrieved from SMB traffic using Wireshark?

##Use Wireshark's Export Objects, selecting SMB, to save the files and view their hashes

hash values:

1) 28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e

2) cf99990bee6c378cbf56239b3cc88276eec348d82740f84e9d5c343751f82560

Identify two types of malware that infected the Windows client.

Macro malware and a Trojan

Identify the malware family that infected the DC.

Backdoor Trojan family

Determine the public IP address of the infected Windows client.

Public IP address: 109.238.74.213
