
Isaca Exam CCOA Topic 1 Question 6 Discussion

Actual exam question for Isaca's CCOA exam
Question #: 6
Topic #: 1

SIMULATION

Following a ransomware incident, the network team provided a PCAP file, titled ransom.pcap, located in the Investigations folder on the Desktop.

What is the full User-Agent value associated with the ransomware demand file download? Enter your response in the field below.

Suggested Answer: A

To identify the full User-Agent value associated with the ransomware demand file download from the ransom.pcap file, follow these detailed steps:

Step 1: Access the PCAP File

Log into the Analyst Desktop.

Navigate to the Investigations folder located on the desktop.

Locate the file:

ransom.pcap

Step 2: Open the PCAP File in Wireshark

Launch Wireshark.

Open the PCAP file:

File > Open > Desktop > Investigations > ransom.pcap

Click Open to load the file.

Step 3: Filter HTTP Traffic

Since ransomware demands are often served as text files (e.g., README.txt) via HTTP/S, use the following filter (only plaintext HTTP matches; HTTPS headers are encrypted and are not visible unless the TLS session keys are available):

http.request or http.response

This filter shows every HTTP request (GET, POST and other methods) together with the corresponding responses.

Step 4: Locate the Ransomware Demand File Download

Look for HTTP GET requests that include common ransomware filenames such as:

README.txt

DECRYPT_INSTRUCTIONS.html

HELP_DECRYPT.txt

Right-click on the suspicious HTTP packet and select:

Follow > HTTP Stream

Analyze the HTTP headers to find the User-Agent.

Example HTTP Request:

GET /uploads/README.txt HTTP/1.1

Host: 10.10.44.200

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36

Step 5: Verify the User-Agent

Check multiple streams to ensure consistency.

Confirm that the User-Agent belongs to the same host (10.10.44.200) involved in the ransomware incident.

Answer:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36

Step 6: Document and Report

Record the User-Agent for analysis:

PCAP Filename: ransom.pcap

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36

Related File: README.txt

Step 7: Next Steps

Forensic Analysis:

Look for more HTTP requests from the same User-Agent.

Monitor Network Activity:

Identify other systems with the same User-Agent pattern.

Block Malicious Traffic:

Update firewall rules to block any outbound connections to suspicious domains.
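The seven steps above describe a manual Wireshark workflow. As an added example (not part of the original page or of the exam), the script below does the same extraction programmatically with only the Python standard library: it walks a libpcap file, decodes Ethernet/IPv4/TCP, matches HTTP requests whose path ends in one of the ransom-note filenames listed in Step 4, and records the client IP, the Host header and the User-Agent. The PCAP it parses is constructed in memory for the demonstration; the client address 10.10.44.15 is invented, and the server 10.10.44.200 and the User-Agent string are taken from the example request on this page, not from the real ransom.pcap. The parser handles one request per TCP segment and does no stream reassembly, which is sufficient for small GET requests but not for large POST bodies split across segments.

```python
import re
import struct

# Ransom-note filenames the page lists as common indicators (Step 4).
RANSOM_NOTE_NAMES = ("README.txt", "DECRYPT_INSTRUCTIONS.html", "HELP_DECRYPT.txt")

# User-Agent from the page's example request; reused here as constructed sample data.
SAMPLE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36")


def build_ipv4_tcp_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; constructed data)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    # data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file with link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap_bytes):
    """Yield raw frames from a libpcap file, honouring the magic number's byte order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is supported by this example")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src_ip, dst_ip, frame[tcp_off + data_off:]


HTTP_REQ = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload):
    """Return (method, path, headers) if the payload starts with an HTTP request line."""
    m = HTTP_REQ.match(payload)
    if not m:
        return None
    head = payload.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode("latin-1")
    return m.group(1).decode(), m.group(2).decode(), headers


def find_ransom_note_user_agents(pcap_bytes):
    """Collect client IP, Host and User-Agent for requests fetching a ransom-note file."""
    hits = []
    for frame in iter_packets(pcap_bytes):
        parsed = tcp_payload(frame)
        if not parsed:
            continue
        src_ip, dst_ip, payload = parsed
        req = parse_http_request(payload)
        if not req:
            continue
        method, path, headers = req
        if any(path.endswith(name) for name in RANSOM_NOTE_NAMES):
            hits.append({"client": src_ip, "server": dst_ip, "method": method, "path": path,
                         "host": headers.get("host"), "user_agent": headers.get("user-agent")})
    return hits


def sample_pcap():
    """Constructed two-packet capture: one benign request, one ransom-note download."""
    benign = b"GET /index.html HTTP/1.1\r\nHost: 10.10.44.200\r\nUser-Agent: curl/8.0\r\n\r\n"
    note = ("GET /uploads/README.txt HTTP/1.1\r\nHost: 10.10.44.200\r\n"
            "User-Agent: " + SAMPLE_UA + "\r\n\r\n").encode()
    return build_pcap([build_ipv4_tcp_frame("10.10.44.15", "10.10.44.200", 49152, 80, benign),
                       build_ipv4_tcp_frame("10.10.44.15", "10.10.44.200", 49153, 80, note)])


if __name__ == "__main__":
    for hit in find_ransom_note_user_agents(sample_pcap()):
        print(hit)
```

The equivalent Wireshark display filter for Step 4 is `http.request.uri contains "README.txt"`, and adding `http.user_agent` as a column makes the Step 5 consistency check across streams a matter of sorting. Note that the script keeps the client (the IP source address) separate from the Host header: the Host header names the server that served the note, while the infected machine is the request's source, so the two should not be conflated when documenting the incident.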


Contribute your Thoughts:

Lino
4 days ago
I think the User-Agent value is important for identifying the ransomware demand file download.
upvoted 0 times
Tyra
15 days ago
Ha! Ransomware, huh? I bet the bad guys used the most generic User-Agent ever. Let's see what they've got.
upvoted 0 times
Lorrie
17 days ago
Hmm, PCAP files always make me a little nervous. Hope I can find the answer in there somewhere.
upvoted 0 times
Ezekiel
7 days ago
I know what you mean, PCAP files can be intimidating.
upvoted 0 times
Arleen
1 month ago
The User-Agent value is definitely the key to solving this one. Can't wait to see what it is!
upvoted 0 times
Irma
9 days ago
I found the User-Agent value in the ransom.pcap file, it's 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
upvoted 0 times
Cecily
11 days ago
I agree, let's check the ransom.pcap file to find out the full User-Agent value.
upvoted 0 times
Matthew
26 days ago
I think the User-Agent value might be something unique to the ransomware.
upvoted 0 times