Objective 5

The attacks don't stop! Can you help identify the IP address of the malware-infected system using these Zeek logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry.

I downloaded the zip file and found the connection log files, but I also found an installation of RITA in the ELFU sub-directory, which had pre-loaded data. As malware tends to send out regular connections with small payloads, I looked in the Beacons tab. There, 192.168.134.130 was making the most connections, but with a small payload. Therefore, my submitted answer was 192.168.134.130.

RITA

Answer

The answer is “192.168.134.130”
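
The beacon reasoning above (regular connections, small payloads) can also be checked directly against a Zeek conn.log. The following is an added example, not part of the original write-up and not RITA's scoring algorithm: a simplified heuristic that ranks source/destination pairs by how regular their connection intervals are. The sample log, its reduced field set, and all addresses in it are constructed for illustration.

```python
import statistics
from collections import defaultdict

def parse_conn_log(text):
    """Yield one dict per record of a Zeek TSV conn.log, keyed by its #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def beacon_candidates(text, min_conns=20):
    """Rank (source, destination) pairs by how regular their connection gaps are."""
    pairs = defaultdict(list)
    for r in parse_conn_log(text):
        sent = 0 if r["orig_bytes"] == "-" else int(r["orig_bytes"])  # "-" = unset
        pairs[(r["id.orig_h"], r["id.resp_h"])].append((float(r["ts"]), sent))
    results = []
    for (src, dst), conns in pairs.items():
        if len(conns) < min_conns:
            continue  # too few connections to judge periodicity
        times = sorted(t for t, _ in conns)
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        # Median absolute deviation of the gaps, relative to the median gap:
        # 0 means clockwork timing, larger values mean human-like irregularity.
        mad = statistics.median(abs(g - med) for g in gaps)
        score = max(0.0, 1.0 - mad / med) if med else 0.0
        results.append({"src": src, "dst": dst, "conns": len(conns),
                        "median_gap": med, "score": round(score, 3),
                        "median_bytes": statistics.median(b for _, b in conns)})
    return sorted(results, key=lambda r: (r["score"], r["conns"]), reverse=True)

def constructed_sample():
    """Constructed conn.log: one 60-second beacon and one irregular client."""
    rows = ["#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto\torig_bytes"]
    t = 1000.0
    for i in range(40):
        rows.append(f"{1000 + 60 * i}.0\tCb{i}\t10.0.0.5\t203.0.113.10\t443\ttcp\t120")
        t += 5 + (i * 37) % 200  # irregular gaps for the second host
        rows.append(f"{t}\tCn{i}\t10.0.0.7\t198.51.100.20\t443\ttcp\t{500 + (i * 911) % 9000}")
    return "\n".join(rows)

if __name__ == "__main__":
    for row in beacon_candidates(constructed_sample()):
        print(row)
```

A high score with a small `median_bytes` value matches the pattern described above; a high score alone also fits benign periodic traffic such as update checks, so the destination still needs review.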