Question:
Lab 1: Identifying malware using Wireshark traffic analysis.
Use the Wireshark application to examine network traffic, search for downloaded malware files, determine the infected machines, and determine the compromised web site that delivers the malware.
Steps:
Install Wireshark on your local machine.
After installing Wireshark on your local machine, open the Lab1.pcap file (located in the week 2 module) and answer the following questions.
Deliverable:
Include a screenshot of the packet related to each question.
Q1- Insert a screenshot that shows the seven downloaded files. (5 points)
Q2- What are the content types of the downloaded files? (5 points)
Save the downloaded files (rename them file1, file2, etc.) and upload each file to the "virustotal.com" site to get more information about the downloaded files.
Q3- List the MD5 hash values of the downloaded files. (10 points)
Note: if a host downloaded the same file more than once, you will see duplicate hash values.
Insert one screenshot from the "virustotal.com" site that shows the hash value of one file.
Q4- List the unique hash values of the files that could be malware files. (10 points)
Q5- What is the URL/domain name of the compromised website? (5 points)
Insert a screenshot that shows the value.
Q6- What is the IP address of the infected website? (5 points)
Insert a screenshot that shows the value.
Q7- What is the IP address of the infected host? (5 points)
Insert a screenshot that shows the value.
Q8- What is the MAC address of the infected host? (5 points)
Insert a screenshot that shows the value.
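The questions above are the usual drive-by-download triage: find the HTTP objects, type them, hash them, then read the client and server addressing off the same packets. The following pure-Python script is an added example (not part of the lab, and not Wireshark's own code) that walks those steps over a tiny capture it builds in memory, because Lab1.pcap is not available here; every IP, MAC, hostname, port and file body in it is constructed for illustration. It deliberately checks the file's magic bytes as well as the Content-Type header, since a server under attacker control can label an executable as anything it likes.

```python
"""Minimal HTTP-download extractor for a libpcap file (added example).

Reproduces the lab's steps (find downloads, content type, MD5, compromised
host, infected client IP/MAC) on a constructed capture. All addresses,
hostnames and file contents are made up; Lab1.pcap is not used.
"""
import hashlib
import struct

# --- constructed sample capture (assumed values, not from the lab) ----------
CLIENT_IP, CLIENT_MAC = "10.0.0.5", "00:11:22:33:44:55"      # assumed victim
SERVER_IP, SERVER_MAC = "203.0.113.10", "66:77:88:99:aa:bb"  # assumed web server
HOST = b"compromised.example"                                # assumed domain
HTML_BODY = (b"<html><body><iframe src='http://compromised.example/update.exe'>"
             b"</iframe></body></html>")
EXE_BODY = b"MZ" + bytes(range(62)) + b"This program cannot be run in DOS mode"


def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + TCP(PSH|ACK) around a payload; checksums left zero."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def _exchange(cport, uri, ctype, body):
    """One GET and its 200 response, each in a single TCP segment."""
    req = b"GET " + uri + b" HTTP/1.1\r\nHost: " + HOST + b"\r\n\r\n"
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype + b"\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)
    return [_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, cport, 80, req),
            _frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, cport, resp)]


def build_sample_pcap():
    """Classic libpcap bytes: landing page, then the same executable fetched twice."""
    frames = (_exchange(49152, b"/", b"text/html", HTML_BODY)
              + _exchange(49153, b"/update.exe", b"application/x-msdownload", EXE_BODY)
              + _exchange(49154, b"/update.exe", b"application/x-msdownload", EXE_BODY))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


# --- parsing ----------------------------------------------------------------
def iter_frames(pcap):
    """Yield each packet record's bytes from a classic pcap (either byte order)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Addressing and payload of an Ethernet/IPv4/TCP frame, or None if not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # honour IP total length
    if ip[9] != 6:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)  # noqa: E731
    return {"src_mac": mac(frame[6:12]), "dst_mac": mac(frame[0:6]),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[(tcp[12] >> 4) * 4:]}


MAGIC = [(b"MZ", "PE executable"), (b"\x7fELF", "ELF executable"),
         (b"PK\x03\x04", "ZIP container"), (b"%PDF", "PDF document")]


def sniff(body):
    """Type by magic bytes; the Content-Type header is attacker-controlled."""
    for sig, label in MAGIC:
        if body.startswith(sig):
            return label
    return "HTML" if b"<html" in body[:256].lower() else "unknown"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def find_downloads(pcap):
    """Pair each HTTP response with its request (by 4-tuple) and describe the file."""
    pending, found = {}, []
    for frame in iter_frames(pcap):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        p = pkt["payload"]
        if p.startswith((b"GET ", b"POST ")):
            lines = p.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
            host = next((l.split(":", 1)[1].strip() for l in lines if l.lower().startswith("host:")), pkt["dst_ip"])
            pending[(pkt["src_ip"], pkt["sport"], pkt["dst_ip"], pkt["dport"])] = (host, lines[0].split()[1], pkt["src_mac"])
        elif p.startswith(b"HTTP/1."):
            # Assumption: one response per segment. Real captures need TCP reassembly,
            # which Wireshark does for you (File > Export Objects > HTTP).
            head, _, body = p.partition(b"\r\n\r\n")
            headers = {k.strip().lower(): v.strip() for k, _, v in
                       (l.partition(":") for l in head.decode("latin-1").split("\r\n")[1:])}
            host, uri, cmac = pending.pop((pkt["dst_ip"], pkt["dport"], pkt["src_ip"], pkt["sport"]),
                                          (pkt["src_ip"], "?", pkt["dst_mac"]))
            found.append({"host": host, "uri": uri, "server_ip": pkt["src_ip"],
                          "client_ip": pkt["dst_ip"], "client_mac": cmac,
                          "content_type": headers.get("content-type", "?"),
                          "sniffed": sniff(body), "md5": md5_hex(body)})
    return found


def suspicious_hashes(downloads):
    """Unique MD5s of bodies that sniff as executables, whatever the declared type (Q4)."""
    return sorted({d["md5"] for d in downloads if "executable" in d["sniffed"]})


def infected_hosts(downloads):
    """(IP, MAC) of every client that received an executable (Q7/Q8)."""
    return sorted({(d["client_ip"], d["client_mac"]) for d in downloads if "executable" in d["sniffed"]})


if __name__ == "__main__":
    for d in find_downloads(build_sample_pcap()):
        print(f'{d["client_ip"]} ({d["client_mac"]}) <- http://{d["host"]}{d["uri"]} '
              f'[{d["content_type"]} / {d["sniffed"]}] md5={d["md5"]}')
```

Run it as a script and it prints one line per download; the executable appears twice with the same MD5, which is the duplicate-hash situation the lab warns about, and `suspicious_hashes` collapses those to the one value you would submit to VirusTotal. The MAC address reported for the client is only meaningful if the capture was taken on the victim's own LAN segment; across a router the source MAC in the frame is the router's, not the host's. MD5 is what the lab asks for, but when you look a sample up on VirusTotal it is worth also recording SHA-256, since MD5 collisions are cheap to produce.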