Malware Traffic Analysis Exercise - EGGNOG SOUP

This challenge is from MALWARE-TRAFFIC-ANALYSIS.NET. Download the PCAP ZIP yourself from the exercise page; the ZIP password is on their about page.


LAN segment data:

  • LAN segment range: ( through
  • Domain:
  • Domain controller: - EggNogSoup-DC
  • LAN segment gateway:
  • LAN segment broadcast address:


  • How many hosts besides the Domain Controller at are active on the network?
    • 9 hosts

Filtered with ip.src == and ip.src != and counted.

  • List the IP addresses for the hosts found when investigating the previous question.
  • Which IP address represents a host running Ubuntu?

Filtered on http.user_agent contains Ubuntu.

  • What type of host is using IP address
    • iPhone

Filtered on ip.addr == and http and the User-Agent was Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1.

  • Which IP address is most likely an Amazon Fire tablet?

Filtered on contains amazon and found that the device with that IP had the MAC address AmazonTe_d2:5e:47 (b0:fc:0d:d2:5e:47).

  • Which three IP addresses represent Windows hosts that connect to the domain controller at
    • - GOODSON-WIN-PC$ - emelda.goodson
    • - VARNER-WIN-PC$ - conception.varner
    • - PALUMBO-WIN-PC$ - odell.palumbo

Filtered on ip.src == and kerberos.CNameString with CNameString as a column.

  • Which of the three Windows hosts shows indications of an infection with Emotet and IcedID banking Trojan (Bokbot)?

Using a reference image of Emotet and IcedID traffic, I could check for traffic that looks similar.


Filtering on ip.src == and (http.request or ssl.handshake.type == 1), I see similar traffic and a GET request to a host under a .pw domain for a /data2.php file.

  • Which IP address is a host running Android 8.0.0?

I first tried filtering on http.user_agent contains Android with no results, but I found the answer after putting quotes around "Android".

  • What is the brand and model of the phone running Android 8.0.0?
    • moto e5 play, Motorola_91:a6:ed (bc:ff:eb:91:a6:ed)

Checking the Ethernet II and HTTP layers on packets from the previous filter gives us the vendor and model.

  • What is the brand and type of device on
    • Samsung Galaxy Tab E Lite

Filtering on ip.addr == and http, I grab the following info: Android 4.4.4; SM-T113 Build/KTU84P, SamsungE_99:41:07 (68:e7:c2:99:41:07). Googling SM-T113, I found the device to be a Samsung Galaxy Tab E Lite, which lines up with the other info.
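The whole exercise is a passive host inventory built from three kinds of metadata: HTTP User-Agent strings (OS and model), Ethernet source MAC (vendor via OUI) and Kerberos CNameString (machine account vs. user). The Python below is an added example, not part of the original write-up or of Wireshark, that applies the same logic offline to tshark-style rows. Every row, IP, full MAC and build id in it is a constructed placeholder; only the three OUIs, the User-Agent shapes and the CNameString convention (computer accounts end in `$`) come from the write-up.

```python
"""Passive host inventory from HTTP User-Agent, MAC OUI and Kerberos CNameString.

Added example for this write-up, not part of the original exercise or of
Wireshark. Rows below are constructed to look like `tshark -T fields` output;
the IPs, full MACs and build ids are placeholders. Only the three OUIs and the
User-Agent / CNameString shapes come from the write-up itself.
"""
import re
from collections import defaultdict

DC_IP = "10.9.1.1"  # constructed placeholder for the domain controller

# Constructed (ip.src, eth.src, http.user_agent) rows.
HTTP_ROWS = [
    ("10.9.1.11", "bc:ff:eb:00:00:01",
     "Mozilla/5.0 (Linux; Android 8.0.0; moto e5 play Build/PLACEHOLDER) AppleWebKit/537.36"),
    ("10.9.1.12", "68:e7:c2:00:00:02",
     "Mozilla/5.0 (Linux; Android 4.4.4; SM-T113 Build/KTU84P) AppleWebKit/537.36"),
    ("10.9.1.13", "00:11:22:00:00:03",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_1 like Mac OS X) AppleWebKit/605.1.15"),
    ("10.9.1.14", "00:11:22:00:00:04",
     "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0"),
    ("10.9.1.15", "b0:fc:0d:00:00:05",
     "Mozilla/5.0 (Linux; Android 5.1.1) AppleWebKit/537.36"),
    ("10.9.1.21", "00:11:22:00:00:21",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    (DC_IP, "00:11:22:00:00:01",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
]

# Constructed (ip.src, kerberos.CNameString) rows; account names as listed in the write-up.
KERBEROS_ROWS = [
    ("10.9.1.21", "GOODSON-WIN-PC$"),
    ("10.9.1.21", "emelda.goodson"),
    ("10.9.1.22", "VARNER-WIN-PC$"),
    ("10.9.1.22", "conception.varner"),
]

# OUI -> vendor, as Wireshark resolved them in the write-up.
OUI_VENDORS = {"bc:ff:eb": "Motorola", "68:e7:c2": "Samsung", "b0:fc:0d": "Amazon"}

# (os family, pattern); first match wins, so iPhone is checked before Android.
UA_PATTERNS = [
    ("iOS", re.compile(r"iPhone OS (\d+(?:_\d+)*)")),
    ("Android", re.compile(r"Android (\d+(?:\.\d+)*)")),
    ("Windows NT", re.compile(r"Windows NT (\d+\.\d+)")),
    ("Ubuntu", re.compile(r"\bUbuntu\b")),
]
# Android model sits between the version and " Build/" (an optional locale is skipped).
ANDROID_MODEL = re.compile(r"Android [\d.]+; (?:[a-z]{2}-[a-z]{2}; )?([^;)]+?) Build/")


def classify_user_agent(ua):
    """Return (os_string, model_or_None); os_string is None if nothing matched."""
    for family, pat in UA_PATTERNS:
        m = pat.search(ua)
        if not m:
            continue
        # iOS writes 12_1_1; normalise to dotted form.
        version = m.group(1).replace("_", ".") if pat.groups else None
        os_string = f"{family} {version}" if version else family
        model = None
        if family == "Android":
            mm = ANDROID_MODEL.search(ua)
            model = mm.group(1) if mm else None
        return os_string, model
    return None, None


def classify_cname(cname):
    """Kerberos CNameString: computer accounts end in '$', everything else is a user."""
    return "machine" if cname.endswith("$") else "user"


def build_inventory(http_rows, kerberos_rows, exclude=()):
    """Merge per-IP facts from HTTP and Kerberos rows, skipping IPs in `exclude`."""
    hosts = defaultdict(lambda: {"vendor": None, "os": None, "model": None,
                                 "machine_accounts": set(), "users": set()})
    for ip, mac, ua in http_rows:
        if ip in exclude:
            continue
        h = hosts[ip]
        h["vendor"] = h["vendor"] or OUI_VENDORS.get(mac[:8].lower())
        os_string, model = classify_user_agent(ua)
        h["os"] = os_string or h["os"]
        h["model"] = model or h["model"]
    for ip, cname in kerberos_rows:
        if ip in exclude:
            continue
        key = "machine_accounts" if classify_cname(cname) == "machine" else "users"
        hosts[ip][key].add(cname)
    return dict(hosts)


def hosts_with_os(inventory, prefix):
    """IPs whose fingerprinted OS starts with `prefix`, e.g. 'Android 8.0.0' or 'Ubuntu'."""
    return sorted(ip for ip, h in inventory.items() if (h["os"] or "").startswith(prefix))


if __name__ == "__main__":
    inv = build_inventory(HTTP_ROWS, KERBEROS_ROWS, exclude={DC_IP})
    print(f"{len(inv)} hosts besides the DC")
    for ip, h in sorted(inv.items()):
        print(ip, h["vendor"], h["os"], h["model"],
              sorted(h["machine_accounts"]), sorted(h["users"]))
```

To run it against a real capture, replace the constructed lists with the output of `tshark -r file.pcap -Y http -T fields -e ip.src -e eth.src -e http.user_agent` and `tshark -r file.pcap -Y kerberos.CNameString -T fields -e ip.src -e kerberos.CNameString` (assumed invocations using Wireshark's standard field names). Note that the User-Agent fingerprint is only as trustworthy as the client that sent it; the MAC OUI and the Kerberos machine account are the stronger corroboration, which is why the write-up cross-checks them.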