2017-06-28 – Traffic analysis exercise – Infection at the Japan field office.




  • Zip archive with a pcap of traffic from the infected computer:    7.5 MB (7,504,577 bytes)
  • Zip archive with text files containing the Snort and Suricata alerts:    51.7 kB (51,661 bytes)

All ZIP files on this site are password-protected with the standard password.  If you don’t know it, look at the “about” page of this website.


You work as a security analyst for a company with locations world-wide, and it recently opened a field office in Japan.

Shown above:  It’s a very small office in Tokyo, so you might have a hard time finding it.

On Tuesday 2017-06-27, you notice several high-priority alerts from two different Intrusion Detection Systems (IDS).  One IDS is running Snort using the Snort subscription ruleset, and the other is running Suricata using the EmergingThreats Pro ruleset.

The results indicate a Windows computer was infected at your company’s Japan field office.  You are tasked to investigate!  You have the pcap, a text file containing the Snort alerts, and a text file containing the Suricata alerts.

For this traffic analysis exercise, please answer the following questions:

  • What is the MAC address, IP address, and host name of the infected Windows computer?
  • What is the date and time (in UTC) the computer was infected?
  • Based on the Snort and Suricata alerts, what was the computer infected with?
  • Based on indicators from the first HTTP GET request, determine how the computer was infected.
  • Based on the previous answer, what is the SHA256 hash for the file that probably infected the computer?
  • The pcap contains 3 Windows executable files sent over HTTP.  Export them from the pcap.  What are the SHA256 file hashes of those 3 files?

Note:  Times for the Suricata alerts are not correct, because they were generated using tcpreplay some hours after the original infection.
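The first questions above (client MAC and IP, UTC timestamp, the first HTTP GET, SHA256 of exported files) can be answered in Wireshark, but a small script makes the checks repeatable. The following is an added example, not part of the exercise materials: it parses a classic libpcap file without third-party modules, reports the source MAC, source IP and UTC time of the first HTTP GET together with its Host, URI and User-Agent, and hashes a file body the way the hash questions expect. The capture it runs on is constructed inline with hypothetical addresses and a hypothetical landing page URI; with the real pcap you would pass `open("infection.pcap", "rb").read()` to `first_http_get` instead. Host name recovery (NetBIOS or DHCP traffic) is not covered here, and HTTP object export still needs TCP stream reassembly, so use Wireshark's File > Export Objects > HTTP for that step and hash the saved files with `sha256_hex`.

```python
"""Minimal pcap triage helpers (constructed example): find the first HTTP GET,
report the client's MAC/IP and the UTC timestamp, and hash exported payloads."""
import hashlib
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4  # libpcap magic as written by a little-endian host


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct one Ethernet/IPv4/TCP frame (checksums left at zero; test data only)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records):
    """Construct a libpcap file: global header + (ts_sec, ts_usec, frame) records."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_packets(pcap):
    """Yield (ts_sec, ts_usec, frame) from a classic libpcap byte string."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC_LE else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, pcap[off:off + incl_len]
        off += incl_len


def first_http_get(pcap):
    """Return client MAC/IP, UTC time, Host, URI and User-Agent of the first HTTP GET."""
    for ts_sec, ts_usec, frame in iter_packets(pcap):
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4          # IHL gives the IP header length
        payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]  # TCP data offset
        if not payload.startswith(b"GET "):
            continue
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        _method, uri, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc)
        return {
            "client_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "client_ip": ".".join(str(b) for b in frame[26:30]),
            "server_ip": ".".join(str(b) for b in frame[30:34]),
            "time_utc": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "host": headers.get("host"),
            "uri": uri,
            "user_agent": headers.get("user-agent"),
        }
    return None


def sha256_hex(data):
    """SHA256 of an exported file body, in the form the hash questions ask for."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample traffic (not from the exercise pcap): hypothetical addresses and URI.
SAMPLE_GET = (b"GET /landing.php HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n\r\n")
SAMPLE_PCAP = build_pcap([
    (1498547700, 0, build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                                "192.168.10.23", "203.0.113.9", 49152, 80, SAMPLE_GET)),
])

if __name__ == "__main__":
    # With the real capture: first_http_get(open("infection.pcap", "rb").read())
    print(first_http_get(SAMPLE_PCAP))
```

The timestamp comes from the pcap record header, which is exactly why the note above matters: a capture replayed with tcpreplay carries the replay time, so take the infection time from the original pcap rather than from the Suricata alert log.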

You feel bad for the businessman who infected his computer at the company’s Japan field office.  Rumor has it he’s been forced to use a tablet while his computer is getting fixed.

Shown above:  Using a tablet for work is often frustrating.


  • Click for the answers.
