How many times was the payload delivered?
Submit the pcap to VirusTotal and find out what Snort alerts triggered.
What EK names are shown in the Suricata alerts?

The source of all traffic is 172.16.165.165, so I can assume that this is the infected VM. There are many ways to check that, as demonstrated in this article. We got the MAC address in the 2nd question, but alternatively we can see it in the details of every frame: I selected one of the frames and, in the frame details, went to Bootstrap Protocol; in the options we find the hostname and the MAC address. I chose to filter the traffic on bootp to reveal the DHCP traffic.

If we filter the GET requests ( = GET), we can follow the referers. So I assume / is the compromised website and its IP is 82.150.140.30. The user visited “ciniholland” and, through the referers of each GET request, we see that it leads to a very suspicious website which initiates downloads on the machine.
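To make the referer-following step concrete, here is an added Python example (not part of the original write-up) that rebuilds the redirect chain from a list of GET requests and counts the payload fetches; the request records are constructed, and every hostname other than ciniholland is a placeholder.

```python
from urllib.parse import urlparse

# Constructed sample of GET requests as (host, uri, referer) tuples, the
# kind of table you get from Wireshark's HTTP request list. Hostnames
# are placeholders, not values from the exercise pcap.
SAMPLE_REQUESTS = [
    ("www.ciniholland.example", "/", ""),
    ("www.ciniholland.example", "/style.css", "http://www.ciniholland.example/"),
    ("ads.example.net", "/ads.js", "http://www.ciniholland.example/"),
    ("ek.example.org", "/?id=abc", "http://ads.example.net/ads.js"),
    ("ek.example.org", "/landing.swf", "http://ek.example.org/?id=abc"),
    ("ek.example.org", "/payload.exe", "http://ek.example.org/landing.swf"),
]


def payload_requests(requests, suffixes=(".exe", ".jar", ".swf")):
    """Return (host, uri) of every request whose path looks like a
    downloaded exploit or payload; the count answers 'how many times
    was the payload delivered'."""
    return [(h, u) for h, u, _ in requests
            if u.split("?", 1)[0].lower().endswith(suffixes)]


def redirect_chain(requests, final_host, final_uri):
    """Walk Referer headers backwards from the request that fetched
    final_uri on final_host and return the hosts in visit order, from
    the site the user typed in to the host that served the download."""
    by_url = {f"http://{h}{u}": (h, u, r) for h, u, r in requests}
    current = f"http://{final_host}{final_uri}"
    chain, seen = [], set()
    while current in by_url and current not in seen:   # stop at entry or loop
        seen.add(current)
        host, _uri, referer = by_url[current]
        if not chain or chain[-1] != host:             # collapse same-host hops
            chain.append(host)
        current = referer
    chain.reverse()
    return chain


if __name__ == "__main__":
    for host, uri in payload_requests(SAMPLE_REQUESTS):
        print("payload fetch:", host, uri)
        print("  chain:", " -> ".join(redirect_chain(SAMPLE_REQUESTS, host, uri)))
```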