Question

Malware is suspected on a server in the environment. The analyst is provided with the output of commands
from servers in the environment and needs to review all output files in order to determine which process
running on one of the servers may be malware.

Instructions:
Servers 1, 2 and 4 are clickable. Select the Server which hosts the malware, and select the process which
hosts this malware.
If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Have to pick either server 1, server 2, or server 4. Then pick one process from the process list.


[Transcribed image text]
Server2 Log: C:\Windows\system32>netstat -ano (Active Connections: Proto, Local Address, Foreign Address, State, PID; first entry TCP 0.0.0... PID 716)
Server4 Log: C:\Users\Team3>netstat -oan (Active Connections: Proto, Local Address, Foreign Address, State; first entry TCP 0.0.0.0:49154 0.0...)
Server1 Log: C:\Users\Team3>netstat -oan (Active Connections: Proto, Local Address, Foreign Address, State; first entry TCP 0.0.0.0:49154 0.0.0...)
Network Diagram for Company A: INTERNAL / DMZ; Server3 192.168.50.5 (Linux); Server 1 10.1.1.2 (Windows); Firewall, Two Zones: DMZ, INTE


✔ Recommended Answer
Answer #1

The correct answer to the question is Server 4 & the process infected is Svchost.exe

Explanation:

  • The IPs are within the RFC1918 class B range of 172.16.0.0 – 172.31.255.255
  • Both Server 1 & 4 (internal) have the same communication with the same IPs, for the same RDP (Remote Desktop Protocol [responsible for remotely connecting to servers or computers with the same Windows OS])
  • which shows they are remotely managed by the system administrator
  • A connection between Server 1 & 4 is being established: notepad.exe on Server 1 is connecting to port 443 on Server 4

As per the question, from a logical perspective, the server can be the web server where svchost.exe is listening on a different port rather than 443, & Server 1 (in the DMZ) is trying to access the internal network on Server 4 [which is malicious]

Answer #2

If you look at the netstat command output you can see the established connection with the IP 172.30.0.148:49242 with process ID 348 and 172.30.0.101:445 with process ID 4, where these IPs are unknown in the given network diagram, so this looks suspicious.

Now find its process name using the tasklist output: process ID 348 is mapped to the svchost.exe file and process ID 4 is mapped to system services.


If you have any doubt then please ask me without any hesitation in the comment section below. If you like my answer then please give a thumbs up for the answer; before giving a thumbs down please discuss the question, as it may be possible that we understand the question in a different way and I can edit and change the answers if you argue. Thanks :)
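The triage both answers describe (join the `netstat -ano` output to the `tasklist` output on PID, then check each established connection's foreign address against the hosts that appear on the network diagram) can be done mechanically on exported command output. The script below is an added example written for this page; it is not part of either answer or of the simulation. The `netstat` and `tasklist` samples are constructed from the addresses and PIDs the answers quote, and the known-host inventory and the reviewed host's own address (172.30.0.150) are assumptions.

```python
"""Join netstat -ano to tasklist on PID and flag established connections
to peers that are not on the known inventory (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output; PIDs and peers follow the answers above.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       348
  TCP    172.30.0.150:49301     172.30.0.148:49242     ESTABLISHED     348
  TCP    172.30.0.150:49302     172.30.0.101:445       ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1020
"""

# Constructed sample of `tasklist` output for the same host.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        296 K
svchost.exe                    348 Services                   0      6,120 K
svchost.exe                    716 Services                   0      4,880 K
notepad.exe                   1020 Console                    1      5,204 K
"""

# Assumed inventory: the hosts named on the network diagram plus this host itself.
KNOWN_HOSTS = {
    "10.1.1.2": "Server 1 (Windows, DMZ)",
    "192.168.50.5": "Server3 (Linux)",
    "172.30.0.150": "reviewed host (assumed address)",
}


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    foreign_host: str
    foreign_port: int
    state: str
    pid: int


def _split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port); '*:*' gives ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else 0


def parse_netstat(text):
    """Parse TCP and UDP rows of `netstat -ano`; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        host, port = _split_endpoint(foreign)
        conns.append(Connection(proto, local, host, port, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name. Image names may contain spaces, so split from the right:
    the trailing columns are PID, Session Name, Session#, and 'N K' (two tokens)."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        parts = line.rsplit(None, 5)
        if len(parts) == 6 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs


def find_unknown_peers(netstat_text, tasklist_text, known_hosts):
    """Return established connections whose peer is not loopback and not in the inventory,
    each labelled with the owning process from tasklist (or a marker if the PID is absent)."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c.state != "ESTABLISHED":
            continue
        try:
            addr = ipaddress.ip_address(c.foreign_host)
        except ValueError:
            continue  # '*' or a hostname; nothing to compare against the inventory
        if addr.is_loopback or addr.is_unspecified or c.foreign_host in known_hosts:
            continue
        findings.append({
            "pid": c.pid,
            "process": procs.get(c.pid, "<not in tasklist>"),
            "peer": f"{c.foreign_host}:{c.foreign_port}",
            "proto": c.proto,
        })
    return findings


if __name__ == "__main__":
    for f in find_unknown_peers(NETSTAT_SAMPLE, TASKLIST_SAMPLE, KNOWN_HOSTS):
        print(f"PID {f['pid']:>5}  {f['process']:<20} -> {f['peer']} ({f['proto']})")
```

The script only narrows the list; it does not decide. A PID 4 (System) connection to port 445 is what SMB traffic normally looks like, and svchost.exe hosts many legitimate services, so each flagged row still needs the peer identified against the diagram and the process checked on the host before it is called malware.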
