
CyberOps Associates v1.0 - Skills Assessment

Course

cyber security (INTE2557)

Academic year: 2021/2022
University of Melbourne


Introduction

You have been hired as a junior security analyst. As part of your training, you were tasked to determine any
malicious activity associated with the Pushdo trojan.
You will have access to the internet to learn more about the events. You can use websites, such as VirusTotal,
to upload and verify threat existence.
The tasks below are designed to provide some guidance through the analysis process.
You will practice and be assessed on the following skills:
- Evaluate event alerts using Sguil and Kibana.
- Use Google search as a tool to obtain intelligence on a potential exploit.
- Use VirusTotal to upload and verify threat existence.
Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ and is used with
permission. We are grateful for the use of this material.

Required Resources

- Host computer with at least 8GB of RAM and 45GB of free disk space
- Latest version of Oracle VirtualBox
- Security Onion virtual machine requires 4GB of RAM using 25GB disk space
- Internet access

Instructions

Part 1: Gather the Basic Information

In this part, you will review the alerts listed in the Security Onion VM and gather basic information for the
time frame of interest.

Step 1: Verify the status of services

a. Log into the Security Onion VM with the username analyst and password cyberops.
b. Open a terminal window. Enter the sudo so-status command to verify that all the services are ready.
c. When the nsm service is ready, log into Sguil or Kibana with the username analyst and password
cyberops.

Step 2: Gather basic information.

Questions:
a. Identify the time frame of the Pushdo trojan attack, including the date and approximate time.
2017-06-27 from 13:38:34 to 13:44:32
b. List the alerts noted during this time frame associated with the trojan.

ET CURRENT_EVENTS WinHttpRequest Downloading EXE
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Lookup Domain (myip .com in DNS lookup)
ET TROJAN Backdoor.Win32 Checkin
ET TROJAN Pushdo CnC response
ET POLICY TLS possible TOR SSL traffic

c. List the internal IP addresses and external IP addresses involved.

Internal IP address:
- 192.

External IP addresses:
- 143.
- 119.
- 145.
- 62.
- 119.
- 208.
- 208.
- 198.

Part 2: Learn about the Exploit

In this part, you will learn more about the exploit.

Step 1: Infected host

Questions:
a. Based on the alerts, what are the IP and MAC addresses of the infected computer? Based on the MAC
address, what is the vendor of the NIC chipset? (Hint: NetworkMiner or internet search)

IP: 192.

MAC: 00-15-C5-DE-C7-3B

NIC Vendor: Dell Inc.

b. Navigate to VirusTotal and input the SHA256 hash to determine whether these were detected as malicious
files. Record your findings, such as file type and size, other names, and target machine. You can also
include any information that is provided by the community posted in VirusTotal.

gerv:
- 58 engines detected this file
- File type: Win32 EXE
- File size: 236 KB (241664 bytes)
- Names:
  - gerv
  - test
  - tmp523799.
  - tmp246975.
  - tmp213582.
  - extract-1498570714-HTTP-FG0jno3bJLiIzR4hrh
  - 0931537889c35226d00ed26962ecacb140521394279eb2ade7e9d2afcf1a7272
  - vector
- Target Machine: Intel 386 or later processors and compatible processors

trow:
- 63 engines detected this file
- File type: Win32 EXE
- File size: 323 KB (330752 bytes)
- Names:
  - Pedals
  - Pedals
  - trow
  - test
  - 2017-06-28_18-18-14
  - bma2beo4
- Target Machine: Intel 386 or later processors and compatible processors

wp:
- 55 engines detected this file
- File type: Win32 EXE
- File size: 300 KB (307712 bytes)
- Names:
  - wp
  - test
  - test_
  - 4da48f6423d5f7d75de281a674c2e620
  - wp-msdownload
- Target Machine: Intel 386 or later processors and compatible processors

c. Examine other alerts associated with the infected host during this timeframe and record your findings.

ET POLICY External IP Lookup Domain (myip .com in DNS lookup) – infection started when the user of the 192.168 host performed a DNS lookup through a malicious domain – destination IP: 208.

Step 3: Report Your Findings

Summarize your findings based on the information you have gathered from the previous parts.

The host with IP 192.168, a PC running Windows, accessed a malicious domain for a DNS query, and was infected with the Pushdo trojan. The Pushdo trojan pretends to be an Apache webserver, listening on port 80. After infection, the Pushdo trojan downloads various malware. In the examined PC, three malware files were downloaded and installed – gerv, trow and wp. These files were checked in VirusTotal, using their SHA256 hash, and verified as malware by most sources.
