
Malware Traffic Analysis 1

📅 Published: 2026-04-16 15:43 | 🔄 Last Updated: 2026-05-22 14:04

https://cyberdefenders.org/blueteam-ctf-challenges/malware-traffic-analysis-1/


Basic triage

First we extract all the related IP addresses and use NetworkMiner to resolve their hostnames:

172.16.165.165 [K34EN6W3N-PC] (Windows)
37.200.69.143 [stand.trustandprobaterealty.com]
74.125.233.96 youtube
82.150.140.30 [www.ciniholland[.]nl] (Other)
204.79.197.200 Bing
188.225.73.100 [24corp-shop[.]com] (Other)
172.16.165.254 none

Since 172.16.165.165 is a Windows PC, it should be the victim.

Take a look at the Zui alerts using: event_type=="alert" alert.severity==1 | cut src_ip,dest_ip,alert.signature

All the alerts also involve 172.16.165.165.

Q1 What is the IP address of the Windows VM that gets infected?

2014-11-16T02:13:10.986516Z

src_ip:37.200.69.143

src_port: 80

dest_ip: 172.16.165.165

Q2 What is the IP address of the compromised web site?

Use the basic filter ip.addr==172.16.165.165 && http, then follow the TCP stream.

It seems the user accessed 82.150.140.30 [www.ciniholland[.]nl] after searching on Bing.

To confirm that www.ciniholland[.]nl is compromised, I used this filter: http.referer contains "http://www.ciniholland.nl"

The website redirects to 188.225.73.100 [24corp-shop[.]com] and to

185.53.178.9 [adultbiz[.]in] GET /new/jquery.php HTTP/1.1

where jquery.php poses as the jQuery JavaScript library; a legitimate request for that library would end in .js, not .php.

→ the compromised website is 82.150.140.30 [www.ciniholland[.]nl]

Q3 What is the IP address of the server that delivered the exploit kit and malware?

Exploit kits are often delivered through .swf (Shockwave Flash) files, since Flash Player is notorious for the many vulnerabilities that EKs (most famously Angler EK) exploit.

Using Export Objects > HTTP and filtering on x-shockwave-flash, we get 37.200.69.143 as the suspicious server.

Using the filter http.host == "stand.trustandprobaterealty.com"

we see that the page was reached via 188.225.73.100 [24corp-shop[.]com], as in the previous question.

37.200.69.143

Q4 What is the FQDN of the compromised website?

82.150.140.30 [www.ciniholland.nl] (Other)

Q5 What is the FQDN that delivered the exploit kit and malware?

37.200.69.143 [stand.trustandprobaterealty.com] (Other)

Q6 What is the redirect URL that points to the exploit kit (EK) landing page?

Referer: http://24corp-shop.com/

Q7 Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with "J". Provide the full application name.

Java

The answer is obvious from the .jar file delivered by the EK: JAR is a package format based on the ZIP file format, used to bundle multiple Java class files, associated metadata, and resources (text, images, audio) into a single file.

Q8 How many times was the payload delivered?

We already know the attacker delivers the EK from 37.200.69.143, so filter with http && ip.src==37.200.69.143:

  • application/x-shockwave-flash : exploits Adobe Flash Player
  • application/java-archive : Java exploit
  • application/x-msdownload : the main payload
  • calculating its hash shows that it is a data file

Q9 The compromised website has a malicious script with a URL. What is this URL?

Using the filter ip.addr==82.150.140.30 && http contains "<script>", I found only one packet containing a script, and it leads to: http://24corp-shop.com/

Q10 Extract the two exploit files. What are the MD5 file hashes? (comma-separated)

Using NetworkMiner, extract the files and their respective hashes:

7b3baa7d6bb3720f369219789e38d6ab index.php.swf
1e34fdebbf655cebea78b45e43520ddf index.php[1].jar

The Attack chain

  • The user accesses 82.150.140.30 [www.ciniholland[.]nl] (already compromised and taken over by the attacker, waiting for prey) after finding the website through Bing.
    • The website then silently redirects the user to 2 malicious websites:
      • 188.225.73.100 [24corp-shop[.]com] - transfer station
      • 185.53.178.9 [adultbiz[.]in] - initial malicious script loader (jquery.php)
  • From 188.225.73.100 [24corp-shop[.]com] the attacker continues to redirect the user to 37.200.69.143 [stand.trustandprobaterealty[.]com] - the attacker's base camp
    • The attacker then tries to exploit Adobe Flash and Java vulnerabilities by sending the .swf and .jar files
    • and then sends the payload index.php.msdownload to carry out further malicious intent.
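The triage steps used above (walking Referer headers to rebuild the redirect chain, flagging a .php URI that serves script, and identifying EK objects by magic bytes before hashing them) can be scripted once the HTTP transactions have been parsed out of the pcap. The following is an added example written for this writeup, not part of the original post or of the challenge; the transaction list is constructed to mirror the hosts named above, with made-up bodies, and the content types and magic bytes are assumptions, not values taken from the capture.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample of parsed HTTP transactions, modelled on the hosts named in this
# writeup; NOT extracted from the challenge pcap. Fields: (server_ip, host, uri, referer, content_type, body)
TRANSACTIONS = [
    ("204.79.197.200", "www.bing.com", "/search?q=ciniholland", None, "text/html", b"<html>results</html>"),
    ("82.150.140.30", "www.ciniholland.nl", "/", "http://www.bing.com/search?q=ciniholland", "text/html",
     b'<html><script src="http://24corp-shop.com/"></script></html>'),
    ("185.53.178.9", "adultbiz.in", "/new/jquery.php", "http://www.ciniholland.nl/", "application/javascript", b"var q=1;"),
    ("188.225.73.100", "24corp-shop.com", "/", "http://www.ciniholland.nl/", "text/html",
     b'<iframe src="http://stand.trustandprobaterealty.com/"></iframe>'),
    ("37.200.69.143", "stand.trustandprobaterealty.com", "/", "http://24corp-shop.com/", "text/html", b"<html>landing</html>"),
    ("37.200.69.143", "stand.trustandprobaterealty.com", "/index.php?a=1", "http://24corp-shop.com/",
     "application/x-shockwave-flash", b"CWS\x0a fake swf"),
    ("37.200.69.143", "stand.trustandprobaterealty.com", "/index.php?a=2", "http://24corp-shop.com/",
     "application/java-archive", b"PK\x03\x04 fake jar"),
    ("37.200.69.143", "stand.trustandprobaterealty.com", "/index.php?a=3", "http://24corp-shop.com/",
     "application/x-msdownload", b"MZ\x90\x00 fake exe"),
]
MAGIC = {b"FWS": "swf", b"CWS": "swf", b"ZWS": "swf", b"PK\x03\x04": "jar/zip", b"MZ": "exe"}
EK_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/x-msdownload"}

def referer_chain(transactions, start_host):
    """Follow Referer headers outward from start_host; returns hosts in the order first reached."""
    chain, frontier = [start_host], [start_host]
    while frontier:
        src = frontier.pop(0)
        for _ip, host, _uri, ref, _ct, _body in transactions:
            if ref and urlparse(ref).hostname == src and host not in chain:
                chain.append(host)
                frontier.append(host)
    return chain

def sniff_type(body):
    """Identify a served object by magic bytes rather than by the Content-Type the server claims."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "data"

def ek_deliveries(transactions, ek_ip):
    """(uri, claimed type, sniffed type, md5) for every exploit-kit style object served by ek_ip."""
    return [(uri, ct, sniff_type(body), hashlib.md5(body).hexdigest())
            for ip, _h, uri, _r, ct, body in transactions if ip == ek_ip and ct in EK_TYPES]

def php_serving_script(transactions):
    """Flag .php URIs that return script, like the jquery.php loader noted above."""
    return [f"{host}{uri}" for _ip, host, uri, _r, ct, _b in transactions
            if urlparse(uri).path.endswith(".php") and "javascript" in ct]
```

On the constructed sample, referer_chain from www.ciniholland.nl yields the same chain as the attack-chain section, and ek_deliveries reports three objects whose sniffed types (swf, jar/zip, exe) agree with the claimed content types; a mismatch there is the cue to hash and inspect the object by hand.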