
Isaca Exam CCOA Topic 1 Question 6 Discussion

Actual exam question for Isaca's CCOA exam
Question #: 6
Topic #: 1

SIMULATION

Following a ransomware incident, the network team provided a PCAP file, titled ransom.pcap, located in the Investigations folder on the Desktop.

What is the full User-Agent value associated with the ransomware demand file download? Enter your response in the field below.

Suggested Answer: A

To identify the full User-Agent value associated with the ransomware demand file download from the ransom.pcap file, follow these detailed steps:

Step 1: Access the PCAP File

Log into the Analyst Desktop.

Navigate to the Investigations folder located on the desktop.

Locate the file:

ransom.pcap

Step 2: Open the PCAP File in Wireshark

Launch Wireshark.

Open the PCAP file:

File > Open > Desktop > Investigations > ransom.pcap

Click Open to load the file.

Step 3: Filter HTTP Traffic

Since ransomware demands are often served as text files (e.g., README.txt) via HTTP/S, use the following filter:

http.request or http.response

This filter shows every HTTP request (GET, POST and other methods) together with the matching responses. Note that over HTTPS the request headers are encrypted, so the User-Agent is only visible in the capture if the download went over plain HTTP or the TLS traffic has been decrypted.

Step 4: Locate the Ransomware Demand File Download

Look for HTTP GET requests that include common ransomware filenames such as:

README.txt

DECRYPT_INSTRUCTIONS.html

HELP_DECRYPT.txt

Right-click on the suspicious HTTP packet and select:

Follow > HTTP Stream

Analyze the HTTP headers to find the User-Agent.

Example HTTP Request:

GET /uploads/README.txt HTTP/1.1
Host: 10.10.44.200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36

Step 5: Verify the User-Agent

Check multiple streams to ensure consistency.

Confirm that the User-Agent belongs to the same host (10.10.44.200) involved in the ransomware incident.

Answer:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36

Step 6: Document and Report

Record the User-Agent for analysis:

PCAP Filename: ransom.pcap

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36

Related File: README.txt

Step 7: Next Steps

Forensic Analysis:

Look for more HTTP requests from the same User-Agent.

Monitor Network Activity:

Identify other systems with the same User-Agent pattern.

Block Malicious Traffic:

Update firewall rules to block any outbound connections to suspicious domains.
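Wireshark does Steps 4 and 7 interactively; the same extraction can be scripted when the capture is large or has to be repeated across many PCAPs. The following is an added example, not part of the exam question or its suggested answer: a stdlib-only Python parser for a libpcap file (Ethernet/IPv4/TCP) that returns the User-Agent of the request fetching a given filename (Step 4) and lists every source host that used that User-Agent (Step 7). The traffic it parses is constructed inline; the client addresses 10.10.44.10/23/31 and the paths are made-up sample values, and the `build_pcap` helper only exists to produce that test data.

```python
import struct
# Constructed sample traffic (not the page's ransom.pcap); client addresses and paths are made-up values.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36"
SAMPLE_FLOWS = [
    ("10.10.44.10", b"GET /uploads/README.txt HTTP/1.1\r\nHost: 10.10.44.200\r\n"
                    b"User-Agent: " + UA.encode() + b"\r\n\r\n"),
    ("10.10.44.23", b"GET /index.html HTTP/1.1\r\nHost: 10.10.44.200\r\n"
                    b"User-Agent: " + UA.encode() + b"\r\n\r\n"),
    ("10.10.44.31", b"\x16\x03\x01\x00\x05hello"),  # TLS-looking bytes: no readable headers
]

def build_pcap(flows, dst_ip="10.10.44.200"):
    """Wrap each payload in Ethernet/IPv4/TCP headers inside a libpcap file (test data only)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1 = Ethernet
    for ts, (src_ip, payload) in enumerate(flows):
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip                    # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def http_requests(pcap):
    """Yield (src_ip, dst_ip, request_line, headers) for every TCP payload that is an HTTP request."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4, "only little-endian microsecond pcap is handled"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:         # skip anything but IPv4 over TCP
            continue
        tcp_off = 14 + (frame[14] & 0x0F) * 4                      # honour IPv4 options (IHL)
        payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:] # honour TCP options (data offset)
        if payload.split(b" ", 1)[0] not in (b"GET", b"POST", b"HEAD") or b"\r\n\r\n" not in payload:
            continue
        lines = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
        yield ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), lines[0], headers

def user_agent_for(pcap, filename):
    """Step 4: the User-Agent of the request whose path ends with `filename`, or None."""
    for _, _, request_line, headers in http_requests(pcap):
        if request_line.split(" ")[1].endswith("/" + filename):
            return headers.get("user-agent")
    return None

def hosts_using(pcap, user_agent):
    """Step 7: every source IP that sent a request carrying exactly this User-Agent."""
    return sorted({src for src, _, _, h in http_requests(pcap) if h.get("user-agent") == user_agent})
```

On a real capture, replace `build_pcap(SAMPLE_FLOWS)` with the bytes of ransom.pcap read from disk; pcapng files and captures with VLAN tags are outside what this minimal parser handles.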
