ISC’ crew have a montly Traffic Analysis Quiz, and I want to practice some Network Forensic Kung-Fu, so allow me to introduce you Mr Natural.

What we have

• a packet capture (pcap) of infection traffic (let’s keep reading, don’t open it yet!)
• an image of the alerts shown in Squil (em ok)
• a text file listing the alerts with a few more details (now this is yummy)
• a PDF document with answers to the questions below. (SPOILERS!)

What do we know

• LAN segment range: 10.12.1.0/24 (10.12.1.0 thru 10.12.1.255)
• Domain: mrnatural.info
• Domain controller: 10.12.1.2 – MrNatural-DC
• LAN segment gateway: 10.12.1.1
• LAN segment broadcast address: 10.12.1.255

What our b0$$ want to know

1. What is the IP address of the infected Windows host?
2. What is the MAC address of the infected Windows host?
3. What is the host name of the infected Windows host?
4. What is the Windows user account name used on the infected Windows host?
5. What is the date and time of this infection?
6. What is the SHA256 hash of the EXE or DLL that was downloaded from 5.44.43.72?
7. Which two IP addresses and associated domains have HTTPS traffic with “Internet Widgets Pty” as part of the certificate data?
8. Based on the alert for CnC (command and control) traffic, what type of malware caused this infection?