Provide steps to analyze pre-captured logs and traffic captures.
In Part 2, you will work with the nimda.download.pcap file. Captured in a previous lab,
nimda.download.pcap contains the packets related to the download of the Nimda malware. Your version of the file,
if you created it in the previous lab and did not reimport your CyberOps Workstation VM, is stored in
the /home/analyst directory. However, a copy of that file is also stored in the CyberOps Workstation
VM, under the /home/analyst/lab.support.files/pcaps directory so that you can complete this lab
regardless of whether you completed the previous lab or not. For consistency, the lab will use the
stored version in the pcaps directory.
While tcpdump can be used to analyze captured files, Wireshark’s graphical interface makes the task
much easier. It is also important to note that tcpdump and Wireshark share the same file format for
packet captures; therefore, PCAP files created by one tool can be opened by the other.
a. Change directory to the lab.support.files/pcaps folder, and get a listing of files using
the ls -l command.
```
[analyst@secOps ~]$ cd lab.support.files/pcaps
[analyst@secOps pcaps]$ ls -l
total 7460
-rw-r--r-- 1 analyst analyst 3510551 Aug 7 15:25 lab_prep.pcap
-rw-r--r-- 1 analyst analyst 371462 Jun 22 10:47 nimda.download.pcap
-rw-r--r-- 1 analyst analyst 3750153 May 25 11:10 wannacry_download_pcap.pcap
[analyst@secOps pcaps]$
```
b. Issue the command below to open the nimda.download.pcap file in Wireshark.
```
[analyst@secOps pcaps]$ wireshark-gtk nimda.download.pcap
```
c. The nimda.download.pcap file contains the packet capture related to the malware
download performed in a previous lab. The pcap contains all the packets sent and
received while tcpdump was running. Select the fourth packet in the capture and
expand the Hypertext Transfer Protocol to display as shown below.
![15464|522x454](upload://9AspUV9IvoQ6V1eowlMBbJBKciN.png)
d. Packets one through three are the TCP handshake. The fourth packet shows the request
for the malware file. Confirming what was already known, the request was done over
HTTP, sent as a GET request.
e. Because HTTP runs over TCP, it is possible to use Wireshark’s Follow TCP Stream
feature to rebuild the TCP transaction. Select the first TCP packet in the capture, a SYN
packet. Right-click it and choose Follow TCP Stream.
![15465|522x398](upload://zb1OJmqZtgcJlR0ycjTkjTXc8mk.png)
f. Wireshark displays another window containing the details for the entire selected TCP
flow.
![15466|524x451](upload://ioB0xWzwsJrs01exj63hlfSwyNM.png)
What are all those symbols shown in the Follow TCP Stream window? Are they
connection noise? Data? Explain.
____________________________________________________________________________
____________________________________________________________________________
The symbols are the actual contents of the downloaded file. Because it is a binary file,
Wireshark does not know how to represent it. The displayed symbols are Wireshark’s
best guess at making sense of the binary data while decoding it as text.
There are a few readable words spread among the symbols. Why are they there?
____________________________________________________________________________
____________________________________________________________________________
Those are strings contained in the executable code. Usually, these words are part of
messages provided by the program to the user while it runs. While more of an art than
a science, a skilled analyst can extract valuable information by reading through these
fragments.
Challenge Question: Despite the W32.Nimda.Amm.exe name, this executable is not
the famous worm. For security reasons, this is another executable file that was renamed
as W32.Nimda.Amm.exe. Using the word fragments displayed by Wireshark’s Follow
TCP Stream window, can you tell what executable this really is?
____________________________________________________________________________
____________________________________________________________________________
Scrolling all the way down on that window reveals that this is the Microsoft Windows
cmd.exe file.
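The readable fragments that Follow TCP Stream shows among the symbols are string literals embedded in the downloaded executable. The following added Python example (it is not part of the lab or of the CyberOps Workstation VM) does the same work programmatically on a constructed server-to-client stream: it splits the HTTP headers from the binary body, checks for the "MZ" signature that Windows executables begin with, and pulls out the printable-ASCII runs an analyst would read by eye. The sample stream, its headers and the function names are all constructed for this example.

```python
import re

# Constructed sample stream (not the lab's capture): an HTTP 200 response
# whose body imitates the start of a Windows executable, i.e. the "MZ"
# magic followed by non-printable bytes and one embedded ASCII message.
FAKE_BODY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"This program cannot be run in DOS mode.\r\n"
    b"\x01\x02\x03\x04"
)
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(FAKE_BODY)
    + FAKE_BODY
)


def split_http_response(stream: bytes):
    """Split a reassembled server-to-client stream into (status, headers, body).

    The header block ends at the first blank line; everything after it is
    the payload that Wireshark renders as 'symbols' when it is binary.
    """
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found in stream")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", errors="replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def is_windows_executable(body: bytes) -> bool:
    """DOS/PE executables begin with the two-byte 'MZ' signature."""
    return body[:2] == b"MZ"


def extract_strings(data: bytes, min_len: int = 4):
    """Return runs of printable ASCII of at least min_len bytes.

    This mirrors what the analyst does in Follow TCP Stream: the readable
    fragments between the symbols are string literals in the executable.
    """
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    status, headers, body = split_http_response(SAMPLE_STREAM)
    print(status, headers.get("content-type"), is_windows_executable(body))
    for s in extract_strings(body):
        print(repr(s))
```

On a real stream you would feed the bytes saved from Wireshark's Follow TCP Stream window (server direction only, "Raw" format) into `split_http_response` instead of the constructed sample.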
g. Click Close in the Follow TCP Stream window to return to the Wireshark
nimda.download.pcap file.