Name – Govind Maheshwari
Reg No. – 20BCE2802
Slot – L25+26

Lab Digital Assignment 1
Information security management (CSE3502)

Q1.
a)
Aim – To analyse the 2019-07-19-traffic-analysis-exercise.pcap.zip file using PcapXray.
Procedure –
Step1. Install PcapXray by cloning it from GitHub (https://github.com/Srinivas11789/PcapXray).

Step2. Install python3-pip

Step3. Install the python3-tk package:



Step4. Install the Graph Visualization Software (graphviz)

Step5. Install the final Python dependency :



Step6. Change to the PcapXray directory and show the contents of the directory:

Step7. Install the remaining Python requirements listed in the repository :



Step8. Run PcapXray :

Step9. Download the given zip file, extract the pcap from it, enter the path of the extracted
pcap in the file path field and analyse it.

Step10. After analysing, visualize it :



Step11. Use InteractiveMagic button



Step12. Narrow down the view by clicking the All button in the menu above the traffic
visualisation, selecting Malicious, and then clicking Visualize :
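What PcapXray does in Steps 9 to 12 can be reproduced in miniature with a pure-Python script: parse the pcap, reduce it to client-to-server conversations and mark those whose server address appears on an indicator list. This is an added example and not PcapXray's own code. The pcap bytes, the addresses (TEST-NET ranges) and the indicator list are constructed here; on a real capture the bytes would come from open(path, "rb").read() and the indicators from a threat-intelligence feed.

```python
import struct
from collections import defaultdict

ETH = 14  # Ethernet header length
# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (checksums left 0; not needed for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def pcap_record(frame, ts_sec):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


def parse_pcap(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame in a pcap."""
    magic, = struct.unpack("<I", data[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"  # any other magic: big-endian file
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ihl = (frame[ETH] & 0x0F) * 4
        if frame[ETH + 9] != 6:                   # not TCP
            continue
        src = ".".join(map(str, frame[ETH + 12:ETH + 16]))
        dst = ".".join(map(str, frame[ETH + 16:ETH + 20]))
        tcp = frame[ETH + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]


def conversations(data, indicators):
    """Group packets into client->server conversations (lower port taken as the
    server side) and flag those whose server address is on the indicator list."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, sport, dport, payload in parse_pcap(data):
        key = (src, dst, dport) if dport < sport else (dst, src, sport)
        convs[key]["packets"] += 1
        convs[key]["bytes"] += len(payload)
    return [{"client": c, "server": s, "port": p, **v, "malicious": s in indicators}
            for (c, s, p), v in sorted(convs.items())]


# Constructed capture: one HTTP exchange with a listed C2 address, one TLS hello to a CDN.
HOST, C2, CDN = "10.7.19.101", "203.0.113.5", "198.51.100.20"
REQ = b"GET /x.php HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
INDICATORS = {C2}  # constructed indicator list
SAMPLE_PCAP = PCAP_GLOBAL + b"".join(pcap_record(f, i) for i, f in enumerate([
    ipv4_tcp_frame(HOST, C2, 49152, 80, REQ),
    ipv4_tcp_frame(C2, HOST, 80, 49152, RESP),
    ipv4_tcp_frame(HOST, CDN, 49153, 443, b"\x16\x03\x01"),
]))

if __name__ == "__main__":
    for row in conversations(SAMPLE_PCAP, INDICATORS):
        print(row)
```

Only IPv4/TCP over Ethernet is handled; PcapXray additionally classifies DNS, ICMP and Tor traffic, but the grouping step that produces its graph is the same as the one above, and a flagged conversation is still only a lead to follow up in Wireshark.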

Observations : PcapXray parsed the pcap and drew a graph of every host in the capture and the
connections between them. The InteractiveMagic view allows individual hosts and flows to be
inspected, and switching the selector from All to Malicious reduces the graph to the flows that
PcapXray classifies as suspicious.

Inferences : PcapXray is a first-pass triage tool. It quickly shows which internal host talked to
which external hosts, which narrows down what to examine in Wireshark, but its Malicious
classification is a heuristic, so each flagged flow still has to be confirmed by following the
stream in Wireshark.

b)
Aim – To prepare an experimental report along with observations and inferences for
Hancitor with Ficker Stealer and Cobalt Strike.
Procedure –
Step1. Download the zip file from the given location.

Step2. Open the extracted pcap in Wireshark :



Step3. Identify the two URLs ending in .php that deliver the malicious Word document for Hancitor.

Step4. Filter specifically for the two URLs :

Step5. Follow the HTTP stream for the traffic to somdeeppalace[.]com.

Step6. The HTTP stream shows a saveAs function followed by base64 text.
Step7. The script shows the file name of the malicious Word document and then refreshes the
browser to a different URL.
Step8. Using File > Export Objects > HTTP in Wireshark, export the HTTP objects from the pcap.

Step9. Save the second entry for sickness.php from the HTTP object list.
Step10. View the saved HTML page in a web browser. Do this only inside the isolated analysis VM:
the page carries the malicious document and its script will write it to disk when opened.
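Rather than opening the saved page in a browser, the document can be pulled out of it directly: take the base64 string the script embeds, decode it, and identify the result by its magic bytes, as Steps 6 and 7 describe. The following is an added example and not part of the original report. The HTML page, the file name invoice_0719.doc, the redirect URL and the document bytes (just the OLE2 magic plus filler) are all constructed; the real sickness.php page is the input a practitioner would feed it.

```python
import base64
import hashlib
import re

# Constructed stand-in for the document: the 8-byte OLE2 magic plus filler.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
# Constructed HTML page in the shape described above: base64 blob, saveAs(), redirect.
SAMPLE_HTML = """<html><body><script src="FileSaver.js"></script><script>
var b64 = "__B64__";
var bin = atob(b64), arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
saveAs(new Blob([arr], {type: "application/msword"}), "invoice_0719.doc");
window.location = "http://example.invalid/next";
</script></body></html>""".replace("__B64__", base64.b64encode(FAKE_DOC).decode())

MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (legacy .doc)",
    b"PK\x03\x04": "ZIP container (OOXML .docx or similar)",
    b"MZ": "Windows PE executable",
}


def identify(blob):
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def extract_saveas_payload(html):
    """Recover the file a saveAs() page writes: the longest base64 string literal is
    taken as the payload, the last string argument of saveAs() as the file name."""
    literals = re.findall(r'"([A-Za-z0-9+/]{40,}={0,2})"', html)
    name = re.search(r'saveAs\([^;]*?,\s*"([^"]+)"\s*\)', html)
    redirect = re.search(r'window\.location\s*=\s*"([^"]+)"', html)
    if not literals or not name:
        raise ValueError("no saveAs()/base64 pattern in page")
    blob = base64.b64decode(max(literals, key=len), validate=True)
    return {
        "file_name": name.group(1),
        "redirect": redirect.group(1) if redirect else None,
        "size": len(blob),
        "type": identify(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),  # the hash to record as an indicator
        "data": blob,
    }


if __name__ == "__main__":
    info = extract_saveas_payload(SAMPLE_HTML)
    print({k: v for k, v in info.items() if k != "data"})
    # If the bytes are written out for further analysis, give them a neutral extension
    # such as .bin so that Word does not open them by accident.
```

The SHA-256 of the decoded blob, not of the HTML page, is the value to share as an indicator, since the page itself can be regenerated with a different file name on every visit while the document stays the same.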

Observation : The Word document is not fetched as a direct download. The response for sickness.php
is an HTML page whose script holds the document as a base64 string, writes it to disk with saveAs
under the file name visible in the script, and then sends the browser to a different URL.
Wireshark's HTTP object export therefore yields the HTML page rather than the document, which
has to be recovered by decoding the base64 text.

Inferences : Because the file is assembled on the browser side, the document never appears on the
wire as an object with its own content type, so URL- or MIME-based blocking and the HTTP object
list both miss it. The indicators to record are the two .php URLs, the somdeeppalace[.]com host,
and the hash of the decoded document.

c)
Aim - To prepare an experimental report along with observations and inferences for Part
1: Hancitor with Ficker Stealer and Cobalt Strike.
Procedure –
Step1. Filter the traffic from part one in Wireshark using the basic web filter from the
malware-traffic-analysis.net tutorials, (http.request or tls.handshake.type eq 1) and !(ssdp).

Step2. Look for the infected host's IP address check followed by the Hancitor C2 traffic.

Step3. Hancitor then retrieves the follow-up malware for Cobalt Strike and Ficker Stealer.

Step4. Open the Decode As window (menu path Analyze > Decode As...).

Step5. Create a new entry in the Decode As window to decode TCP port 1080 as HTTP.

Step6. Examine the traffic caused by Cobalt Strike :



Step7. Follow the TCP stream of the initial HTTP GET request to 104.160.190[.]114:8080.

Step8. The first HTTP request for the Cobalt Strike C2 traffic returned 48 bytes of data.
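Steps 4 to 8 rest on one idea: the bytes on TCP port 1080 are HTTP even though Wireshark does not dissect them as such by default (1080 is the SOCKS port). The added example below, which is not part of the report, does by hand what the Decode As entry does: it checks that both directions of a stream start like HTTP, splits each direction into messages by Content-Length, pairs requests with responses and reports how many bytes each response returned. The request and response bytes, the path /check and the Host value 203.0.113.10:1080 are constructed; the first reply carries 48 bytes to match Step 8.

```python
METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def looks_like_http(payload):
    """Cheap test before forcing a dissector: request line or status line at offset 0."""
    return payload.startswith(METHODS) or payload.startswith(b"HTTP/1.")


def split_messages(stream):
    """Split one direction of a TCP stream into HTTP messages, using Content-Length
    to find the end of each body (chunked transfer encoding is not handled here)."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        messages.append({"start_line": lines[0], "headers": headers, "body": body})
        pos = end + 4 + length
    return messages


def summarise_exchange(client_stream, server_stream):
    """Pair requests with responses and report what each one returned."""
    if not (looks_like_http(client_stream) and looks_like_http(server_stream)):
        raise ValueError("stream does not look like HTTP; keep the default dissector")
    rows = []
    for req, resp in zip(split_messages(client_stream), split_messages(server_stream)):
        method, path, _ = req["start_line"].split(" ", 2)
        rows.append({"method": method, "path": path, "host": req["headers"].get("host"),
                     "status": int(resp["start_line"].split(" ")[1]),
                     "bytes_returned": len(resp["body"])})
    return rows


# Constructed streams: a beacon-style check-in whose first reply carries 48 bytes.
CLIENT = (b"GET /check HTTP/1.1\r\nHost: 203.0.113.10:1080\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
          b"GET /check HTTP/1.1\r\nHost: 203.0.113.10:1080\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
SERVER = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
          b"Content-Length: 48\r\n\r\n" + bytes(range(48)) +
          b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
SOCKS5_GREETING = b"\x05\x01\x00"  # what TCP/1080 normally carries; not HTTP

if __name__ == "__main__":
    for row in summarise_exchange(CLIENT, SERVER):
        print(row)
    print("SOCKS greeting looks like HTTP:", looks_like_http(SOCKS5_GREETING))
```

The tshark equivalent of the Decode As entry is tshark -r capture.pcap -d tcp.port==1080,http. A SOCKS5 client greeting (05 01 00) fails the looks_like_http check, which is the guard against forcing the HTTP dissector onto a stream that really is SOCKS.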

Observation : The Cobalt Strike C2 traffic on TCP port 1080 is not dissected as HTTP by default,
so it appears only as plain TCP until a Decode As entry is added. Once decoded, the C2 shows as
repeated HTTP GET requests to the server with small responses, the first of which returned
48 bytes of data.

Inferences : C2 traffic over a non-standard port is easy to miss when one relies on Wireshark's
default port-to-protocol mapping. When a stream on an unusual port shows readable request or
status lines in Follow TCP Stream, add a Decode As entry and re-examine it as HTTP.

d)
Aim - To prepare an experimental report along with observations and inferences for
Part 2: Hancitor C2, Cobalt Strike C2 and Send-Safe Spambot Malware.
Procedure –
Step1. Filter the traffic from part two of the second example in Wireshark using the basic web
filter.

Step2. Hancitor retrieves the Windows executable for the Send-Safe spambot malware.

Step3. Export the Send-Safe spambot EXE from the pcap (File > Export Objects > HTTP).



Step4. Identify the UDP traffic caused by the Send-Safe-based spambot malware.

Step5. Identify the HTTPS and spambot traffic caused by the Send-Safe-based malware.

Step6. Note the Send-Safe-specific certificate issuer data in the HTTPS traffic caused by the
Send-Safe malware (the certificates are in the TLS handshake; filter tls.handshake.type eq 11).

Step7. Export the mails sent by the Send-Safe spambot malware (File > Export Objects > IMF).
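Wireshark's IMF export does the following for every SMTP session in the capture: it tracks the MAIL FROM and RCPT TO commands and cuts each message out of the DATA block. The script below reproduces that on the client side of a session as shown by Follow TCP Stream, including the dot-unstuffing that SMTP requires. It is an added example and not part of the report; the session transcript, addresses and message bodies are constructed.

```python
import email
from email import policy

# Constructed client side of an SMTP session, as seen with Follow TCP Stream:
# two messages, the first with several recipients and a dot-stuffed body line.
SESSION = (
    b"EHLO spambot.invalid\r\n"
    b"MAIL FROM:<spam@example.invalid>\r\n"
    b"RCPT TO:<victim1@example.net>\r\n"
    b"RCPT TO:<victim2@example.net>\r\n"
    b"DATA\r\n"
    b"From: \"Accounts\" <spam@example.invalid>\r\n"
    b"To: victim1@example.net\r\n"
    b"Subject: Invoice attached\r\n"
    b"\r\n"
    b"Please see the attached invoice.\r\n"
    b"..dots that start a line are doubled on the wire\r\n"
    b".\r\n"
    b"MAIL FROM:<spam@example.invalid>\r\n"
    b"RCPT TO:<victim3@example.net>\r\n"
    b"DATA\r\n"
    b"Subject: Second message\r\n"
    b"\r\n"
    b"hello\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def extract_mails(client_stream):
    """Walk the client side of an SMTP session and return one record per message:
    envelope sender/recipients from MAIL FROM / RCPT TO, headers and body from DATA."""
    mails, envelope = [], {"from": None, "to": []}
    lines = client_stream.split(b"\r\n")
    i = 0
    while i < len(lines):
        line, upper = lines[i], lines[i].upper()
        if upper.startswith(b"MAIL FROM:"):
            envelope = {"from": line[10:].strip().strip(b"<>").decode(), "to": []}
        elif upper.startswith(b"RCPT TO:"):
            envelope["to"].append(line[8:].strip().strip(b"<>").decode())
        elif upper == b"DATA":
            body = []
            i += 1
            while i < len(lines) and lines[i] != b".":  # a lone "." ends the message
                # dot-unstuffing: a leading ".." on the wire is a single "." in the mail
                body.append(lines[i][1:] if lines[i].startswith(b"..") else lines[i])
                i += 1
            msg = email.message_from_bytes(b"\r\n".join(body), policy=policy.default)
            mails.append({"envelope_from": envelope["from"],
                          "envelope_to": list(envelope["to"]),
                          "header_from": msg["from"],
                          "subject": msg["subject"],
                          "body": msg.get_payload()})
        i += 1
    return mails


if __name__ == "__main__":
    for m in extract_mails(SESSION):
        print(m["envelope_from"], "->", m["envelope_to"], "|", m["subject"])
```

The envelope recipients, not the To header, are the spam target list, since the header is whatever the bot chose to write. Only plaintext SMTP can be recovered this way; the Send-Safe HTTPS sessions in Step 5 are encrypted, and the certificate issuer data from Step 6 is the usable indicator for those.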

Observation : Three kinds of Send-Safe traffic were found in the capture: UDP traffic, HTTPS
sessions whose certificates carry Send-Safe-specific issuer data, and the SMTP sessions in which
the spam itself was sent. The spam messages could be exported from the pcap as individual mails.

Inferences : The certificate issuer data is a usable network signature for this family, and the
exported messages identify both the spam content and the recipient list. A host showing this
pattern has been turned into a spam relay and should be isolated, since its traffic will also get
the organisation's mail reputation blacklisted.

e)
Aim: To prepare an experimental report along with observations and inferences for
Hancitor with Ficker Stealer, Cobalt Strike and a Network Ping Tool.

Procedure :
Step1. Filter the traffic from the fourth pcap in Wireshark using the basic web filter.

Step2. Identify the ICMP traffic from a network ping tool sent through Cobalt Strike (filter: icmp).
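Step 2 above is the pattern to detect: one host emitting echo requests to many addresses in quick succession. The following added example (not from the report) builds ICMP echo packets with a correct checksum and flags any source that sent valid echo requests to at least a threshold number of distinct destinations. The hosts, the sweep of 10.7.19.1 to 10.7.19.12 and the packets are constructed; on a real capture the (src, dst, icmp bytes) tuples would be pulled from the pcap.

```python
import struct
from collections import defaultdict


def icmp_checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(kind, ident, seq, payload=b"abcdefghijklmnopqrstuvwabcdefghi"):
    """Build an echo request (kind=8) or echo reply (kind=0) with a valid checksum."""
    header = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    return struct.pack("!BBHHH", kind, 0, icmp_checksum(header + payload), ident, seq) + payload


def parse_icmp(pkt):
    kind, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # Summing the packet including its own checksum field must give zero.
    return {"type": kind, "code": code, "id": ident, "seq": seq,
            "valid": icmp_checksum(pkt) == 0, "payload": pkt[8:]}


def detect_ping_sweep(packets, threshold=8):
    """packets: iterable of (src_ip, dst_ip, icmp_bytes). Returns {src: [targets]} for
    every source that sent valid echo requests to at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for src, dst, pkt in packets:
        info = parse_icmp(pkt)
        if info["type"] == 8 and info["valid"]:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed traffic: the infected host sweeps 10.7.19.1-12, a reply comes back from .1,
# a second host pings a single address, and one corrupted packet is thrown in.
INFECTED, BENIGN = "10.7.19.101", "10.7.19.50"
SAMPLE = [(INFECTED, "10.7.19.%d" % n, icmp_echo(8, 0x1234, n)) for n in range(1, 13)]
SAMPLE.append(("10.7.19.1", INFECTED, icmp_echo(0, 0x1234, 1)))
SAMPLE.append((BENIGN, "10.7.19.1", icmp_echo(8, 0x0001, 1)))
CORRUPT = bytearray(icmp_echo(8, 0x0001, 2))
CORRUPT[8] ^= 0xFF  # flip a payload byte so the checksum no longer verifies
SAMPLE.append((BENIGN, "10.7.19.2", bytes(CORRUPT)))

if __name__ == "__main__":
    print(detect_ping_sweep(SAMPLE))
```

The threshold is the tuning knob: monitoring systems legitimately ping many hosts, so in production the rule is scoped to workstations and paired with a time window rather than applied to every source.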

Observation : In addition to the Hancitor, Ficker Stealer and Cobalt Strike traffic seen in the
earlier captures, this pcap contains ICMP echo requests from a network ping tool that was run
through the Cobalt Strike beacon, i.e. the attacker probing the network from the infected host.

Inferences : A burst of echo requests from one internal host to many addresses in the local
network is a post-exploitation reconnaissance signal (a ping sweep). It indicates that the
attacker has moved from initial access to mapping the network in preparation for lateral
movement.

f)
Aim: To prepare an experimental report along with observations and inferences for
Hancitor with Ficker Stealer, Cobalt Strike and NetSupport Manager RAT.

Procedure :
Step1. Filter the traffic from the fifth pcap in Wireshark using the basic web filter.

Step2. Identify the traffic generated by NetSupport Manager RAT.



Step3. Follow the TCP stream of the NetSupport Manager RAT C2 traffic.

Observation : Besides the Hancitor, Ficker Stealer and Cobalt Strike traffic, this capture
contains a NetSupport Manager RAT session; following its TCP stream shows the RAT's
command-and-control exchange with the remote server.

Inferences : NetSupport Manager is a legitimate remote-administration product, so its traffic is
not malicious on its own. What makes it an infection indicator here is the context: it was
delivered through Hancitor and connects to an attacker-controlled host rather than to the
organisation's own management server.
