Lab 1

The student analyzed network traffic and found HTTP packets indicating a host accessed a compromised website and downloaded a zip archive containing a file that, when executed, downloaded an obfuscated executable file. This file then downloaded an automatic updater used to compromise security on Windows systems. The malware began exfiltrating data like passwords and system information to another IP address, compromising the host.

Uploaded by

Vadim Ciubotaru

MINISTRY OF EDUCATION AND RESEARCH

Universitatea Tehnică a Moldovei


Faculty of Computers, Informatics and Microelectronics
Department of Software Engineering and Automation
Study programme: Information Security

REPORT
In the discipline: AMID

Laboratory work 1
"Analysis of malicious network traffic"

Student: Ciubotaru Vadim, SI-211M
Evaluator: Persianov Svetoslav

Chișinău, 2021
While analyzing the traffic, we find some HTTP packets:

Image 1 – HTTP packets


Maybe the host accessed a website and downloaded something. To check this, we can export all HTTP
objects:

Image 2 – Export HTTP objects

Here we can see all HTTP objects and the attack workflow.
1. The host (10.9.25.101) accessed the compromised website (www.dchristjan.com), downloaded the zip
archive and executed the file “InvoiceAndStatement.ink”.

Image 3 – Infected zip archive


2. After executing the file from the archive, a file “solar.php” was downloaded from the host
“144.91.69.195”. This file is not a PHP file but an obfuscated exe.

Image 4 – Obfuscated exe “solar.php”


3. Downloaded “authrootstl.cab”, which is an automatic updater of untrusted certificates for
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
4. The malware started to exfiltrate data, which means the host is infected:

Image 5 – Exfiltrated passwords
After the passwords, the malware exfiltrates information about the host such as “PROCESS LIST”,
“SYSTEMINFO”, ipconfig and net view. The malware sends all this data to “170.238.117.187” and will
try to find other hosts to compromise.

In the end, the host is fully compromised.
