CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

 IT Questions Bank Commands Help Ebooks  IP Calculators »  Donations

Search the site 

 Home  CCNA » Security » CyberOps » Linux »

 IT Questions Bank CCNA » CCNA Security v2.0 » Cybersecurity » Linux »

Networking Essentials IoT » IOS Commands Help IP Subnet Calculators »

Donation Contact

CyberOps Associate Skills

Assessment Answers – CA v1.0 Skills CCNA Cyber Ops Exam
Answers
Exam
 Sep 21, 2020 |  Last Updated: Dec 9, 2022 | CyberOps Associate v1.0
 CyberOps Associate |  28 Comments
Cyber Ops v1.1
 Share  Tweet  Share  Pin it

Modules 1 - 2: Threat
Actors and Defenders
Group Exam Answers

CyberOps Associates v1.0 – Skills Modules 3 - 4: Operating

System Overview Group
Assessment Exam Answers

Introduction Modules 5 - 10: Network

Fundamentals Group
You have been hired as a junior security analyst. As part Exam Answers
28
of your training, you were tasked to determine any
Modules 11 - 12:
malicious activity associated with the Pushdo trojan.
Network Infrastructure

You will have access to the internet to learn more about Security Group Exam
the events. You can use websites, such as VirusTotal, to Answers
upload and verify threat existence.

The tasks below are designed to provide some guidance

through the analysis process.
x

1 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

You will practice and be assessed on the following skills: Modules 13 - 17:

▪ Evaluate event alerts using Squil and Kibana. Threats and Attacks
Group Exam Answers
▪ Use Google search as a tool to obtain intelligence on
a potential exploit. Modules 18 - 20:
▪ Use VirusTotal to upload and verify threat existence. Network Defense Group
Content for this assessment was obtained from Exam Answers
http://www.malware-traffic-analysis.net/ and is used with
Modules 21 - 23:
permission. We are grateful for the use of this material.
Cryptography and
Endpoint Protection
Required Resources Group Exam Answers

▪ Host computer with at least 8GB of RAM and 45GB of Modules 24 - 25:
free disk space Protocols and Log Files
▪ Latest version of Oracle VirtualBox Group Exam Answers
▪ Security Onion virtual machine requires 4GB of
Modules 26 - 28:
RAM using 25GB disk space
Analyzing Security Data
▪ Internet access Group Exam Answers

Instructions [Skills Exams] CA

Skills Assessment
Part 1: Gather the Basic Information
CyberOps Associate
In this part, you will review the alerts listed in Security (Version 1.0) Practice
Onion VM and gather basic information for the interested Final Exam Answers
time frame.
CyberOps Associate
Step 1: Verify the status of services (Version 1.0) - FINAL
a. Log into Security Onion VM using with the username EXAM ANSWERS
analyst and password cyberops.
CyberOps Associate
b. Open a terminal window. Enter the sudo so- (200-201) Certification
Practice Exam
status command to verify that all the services are
ready.

Right click Desktop backgroud, go to Open Terminal

28
Recent Comments
analyst@SecOnion:~$ sudo so-status 
Status: securityonion Spesh on CCNA 1 v7.0 Final
* sguil server Exam Answers Full – Introduction
Status: seconion-import to Networks
* pcap_agent (sguil)
* snort_agent-1 (sguil) EVAS on IoT Connecting Things
* barnyard2-1 (spooler, unified2 format) 2.0 – Chapter 3 Quiz Answers
x

2 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

Status: Elastic stack IT Administrator on CCNA 2 v7.0

* so-elasticsearch Final Exam Answers Full –
* so-logstash Switching, Routing and Wireless
Essentials
* so-kibana
* so-freqserver
IT Administrator on CCNA 2 v7.0
Final Exam Answers Full –
c. When the nsm service is ready, log into Sguil or Switching, Routing and Wireless
Kibana with the username analyst and password Essentials
cyberops.
obscene obsidian on Which plane
Open Sguil using the shortcut on the Desktop. Login with
is centralized by an SON
the username analyst and password cyberops. Click controller?
Select All to select the interfaces and then Start SGUIL.

Related Posts
CyberOps
Associate: Module
17 – Attacking
What …
Nov 20, 2020 •
0

Module 14:
Common Threats
and Attacks Quiz …
Feb 9, 2022 • 0

Module 12: Network

Step 2: Gather basic information. Security
Infrastructure Quiz
Answers
Feb 9, 2022 • 0

28.3.4 Check Your

Understanding –
Identify the …
Jun 14, 2022 •
0
28
CyberOps

Associate: Module
26 – Evaluating
Alerts
Nov 26, 2020 •
0

3 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

a. Identify time frame of the Pushdo trojan attack,

including the date and approximate time.
2017-06-27 from 13:38:34 to 13:44:32

b. List the alerts noted during this time frame associated

with the trojan.

ET CURRENT_EVENTS WinHttpRequest Downloading EXE

ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Terse alphanumeric executable downloader
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Lookup Domain (myip.opendns .com in D
ET TROJAN Backdoor.Win32.Pushdo.s Checkin
ET TROJAN Pushdo.S CnC response
ET POLICY TLS possible TOR SSL traffic

c. List the internal IP addresses and external IP addresses

involved.

Internal IP address:
28
▪ 192.168.1.96
External IP addresses: 
▪ 143.95.151.192
▪ 119.28.70.207
▪ 145.131.10.21
▪ 62.210.140.158
▪ 119.28.70.207
x

4 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

▪ 208.67.222.222
▪ 208.83.223.34
▪ 198.1.85.250

Part 2: Learn about the Exploit

In this part, you will learn more about the exploit.

Step 1: Infected host

a. Based on the alerts, what is the IP and MAC addresses
of the infected computer? Based on the MAC address,
what is the vendor of the NIC chipset? (Hint:
NetworkMiner or internet search)
IP: 192.168.1.96
MAC: 00-15-C5-DE-C7-3B
NIC Vendor: Dell Inc.

Explanation: Right-click Alert ID: 5410 –> Select

NetworkMiner.

28

5 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

b. Based on the alerts, when (date and time in UTC) and

how was the PC infected? (Hint: Enter the command date
in the terminal to determine the time zone for the displayed
time)
2017-06-27 13:38:32 UTC
The gerv.gun malware was executed through the Pushdo
trojan.

On NetworkMiner windows, click Files tab to

determine date and time in UTC:

How did the malware infect the PC? Use an internet

search as necessary.

The user in the 192.168.1.96 PC accessed a malicious

domain, and the Pushdo trojan was used to install the
malware.
Pushdo is a “downloader” trojan, meaning its purpose is to
download and install additional malicious software. When
executed, Pushdo reports back to one of several control
28
server IP addresses embedded in it code. The server
listens on TCP port 80, and pretends to be an Apache

webserver. If the HTTP request contains the correct
parameters, one or more executabl es will be delivered via
HTTP. The malware to be downloaded by Pushdo
depends on the value following the”s-underscore” part of
the URL

6 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

Pushdo keeps track of the IP address of the victim,

whether or not that person is an administator on the
computer, their primary hard drive serial number (obtained
by SMART_RCV_DRIVE_DATA IO control code), whether
the filesystem is NTFS, how many times the victim system
ha s executeda Pushdo variant, and the Windows OS
version as returned by the GetVersionEx API call.

Step 2: Examine the exploit.

a. Based on the alerts associated with HTTP GET
request, what files were downloaded? List the malicious
domains observed and the files downloaded.

gerv.gun – matied.com/gerv.gun
trow.exe – lounge-haarstudio.nl/oud/trow.exe
wp.exe – vantagepointtechnologies.com/wp.exe

Explanation: Right-click Alert ID: 5410 –> Select

Transcript

28

7 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

Right-click Alert ID: 5420 –> Select Transcript

Right-click Alert ID: 5421 –> Select Transcript

28

8 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

Use any available tools in Security Onion VM, determine

and record the SHA256 hash for the downloaded files that
probably infected the computer?

gerv.gun =
0931537889c35226d00ed26962ecacb140521394279eb2ade7e9d2afcf1a7272
trow.exe =
94a0a09ee6a21526ac34d41eabf4ba603e9a30c26e6a1dc072ff45749dfb1fe1
wp.exe =
79d503165d32176842fe386d96c04fb70f6ce1c8a485837957849297e625ea48

Explanation: Use NetworkMiner tool:

Right-click Alert ID: 5410 –> Select NetworkMiner
–> Click Files tab –> Right click first line –> Select
Calculate MD5 / SHA1 / SHA256 hash

Do the same for Alert ID: 5420 and 5421 to

determine SHA256 hash for the files: trow.exe and
wp.exe

b. Navigate to www.virustotal.com input the SHA256 hash

to determine if these were detected as malicious files.
Record your findings, such as file type and size, other
names, and target machine. You can also include any
information that is provided by the community posted in
VirusTotal. 28

gerv.gun: 
▪ 58 engines detected this file
▪ File type: Win32 EXE
▪ File size: 236.00 KB (241664 bytes)
▪ Names:
▪ gerv.gun
x

9 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

▪ test
▪ tmp523799.697
▪ tmp246975.343
▪ tmp213582.420
▪ extract-1498570714.111294-HTTP-
FG0jno3bJLiIzR4hrh.exe
▪ 0931537889c35226d00ed26962ecacb140521394279eb2ade7e9d2afcf1a7272.bin
▪ vector.tui
▪ Target Machine: Intel 386 or later processors and
compatible processors
trow.exe:

▪ 63 engines detected this file

▪ File type: Win32 EXE
▪ File size: 323.00 KB (330752 bytes)
▪ Names:
▪ Pedals
▪ Pedals.exe
▪ trow.exe
▪ test3
▪ 2017-06-28_18-18-14.exe
▪ bma2beo4.exe
▪ Target Machine: Intel 386 or later processors and
compatible processors
wp.exe:

▪ 55 engines detected this file

▪ File type: Win32 EXE
▪ File size: 300.50 KB (307712 bytes)
▪ Names:
▪ wp.exe
▪ test2
▪ test_3
▪ 4da48f6423d5f7d75de281a674c2e620.virobj
28
▪ wp.exe.x-msdownload
▪ Target Machine: Intel 386 or later processors and 
compatible processors

Explanation:Open Chromium Web Browser –>

access to www.virustotal.com –> Click Search –>
Enter Hash
x

10 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

28

11 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

c. Examine other alerts associated with the infected host

during this timeframe and record your findings

ET POLICY External IP Lookup Domain

(myip.opendns .com in DNS lookup) – infection started
when the user of the 192.168.1.96 host performed a DNS
lookup through a malicious domain – destination IP:
208.67.222.222

Step 3: Report Your Findings

Summarizes your findings based on the information you
have gathered from the previous parts, summarize your
findings.
28
The host with IP 192.168.1.96, a PC running Windows,
accessed a malicious domain for a DNS query, and was 
infected with the Pushdo trojan. The Pushdo trojan
pretends to be an Apache webserver, listening on port 80.
After infection, the Pushdo trojan downloads various
malware. In the examined PC, three malwares were
downloaded and installed – gerv.gun, trow.exe and
x

12 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

wp.exe. These files were checked in virustotal.com, using

their SHA256 hash, and verified as malware by most
source.

Download .ova files:

[sociallocker id=”57850″]

▪ Security Onion VM (security_onion.ova)

▪ How to use: 1.1.5 Lab – Installing the Virtual
Machines
[/sociallocker]

← Previous Article Next Article →

Modules 26 – 28: CyberOps Associate 1.0
Analyzing Security Data Practice Final Exam
Group Exam (Answers) (Answers)

Join the discussion

28 COMMENTS

Laura  1 year ago

Hi , Currently completing this but could you

28
explain how we know the attack began at 13.38
even tho the malicious domain wasnt accesed til 
after this time ?Many thanks

6 0 Reply

13 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

Rajesh soni  2 years ago

Hi,
can anyone please share the answer sheet for the
reference on this email, palesapal@mail.com. I’m
struggling to answer the question in report and
supporting findings. Any help is much
appreciated. thanks

0 0 Reply

Marcos Renato Rocha de Medeiros

 2 years ago

I think you’re trying on the wrong date because

even in the earliest print-screen, the date is
2017-06-27. And if you make a query with that
date on Sguil you’ll notes that the event correlated
to pushdo trojan occurs between 13:38 e 13:45

2 0 Reply View Replies (4) 

Gng  2 years ago

Can someone please send me your answer for

comparison? My email
is ggg123vix@outlook.com
28
0 0 Reply


Hmod  2 years ago

When the instructor mode will publish?

0 0 Reply
x

14 of 15 12/17/22, 3:53 PM
CyberOps Associate Skills Assessment Answers - CA v1.0 Ski... https://itexamanswers.net/cyberops-associate-skills-asses...

Mark  2 years ago

Do you know when it will be published? More or

less than 2 weeks?

2 -2 Reply View Replies (18) 

ITExamAnswers.net Copyright © 2022. Privacy Policy | Contact

28

15 of 15 12/17/22, 3:53 PM