
Isaca CCOA Exam - Topic 1 Question 6 Discussion

Actual exam question for Isaca's CCOA exam
Question #: 6
Topic #: 1
[All CCOA Questions]

SIMULATION

Following a ransomware incident, the network team provided a PCAP file, titled ransom.pcap, located in the Investigations folder on the Desktop.

What is the full User-Agent value associated with the ransomware demand file download. Enter your response in the field below.

Suggested Answer: A

To identify the full User-Agent value associated with the ransomware demand file download from the ransom.pcap file, follow these detailed steps:

Step 1: Access the PCAP File

Log into the Analyst Desktop.

Navigate to the Investigations folder located on the desktop.

Locate the file:

ransom.pcap

Step 2: Open the PCAP File in Wireshark

Launch Wireshark.

Open the PCAP file:

File > Open > Desktop > Investigations > ransom.pcap

Click Open to load the file.

Step 3: Filter HTTP Traffic

Since ransomware demands are often served as text files (e.g., README.txt) via HTTP/S, use the following filter:

http.request or http.response

This filter shows every HTTP request (GET, POST, and other methods) together with the matching HTTP responses.

Step 4: Locate the Ransomware Demand File Download

Look for HTTP GET requests that include common ransomware filenames such as:

README.txt

DECRYPT_INSTRUCTIONS.html

HELP_DECRYPT.txt

Right-click on the suspicious HTTP packet and select:

Follow > HTTP Stream

Analyze the HTTP headers to find the User-Agent.

Example HTTP Request:

GET /uploads/README.txt HTTP/1.1

Host: 10.10.44.200

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36

Step 5: Verify the User-Agent

Check multiple streams to ensure consistency.

Confirm that the User-Agent belongs to the same host (10.10.44.200) involved in the ransomware incident.

Answer:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36

Step 6: Document and Report

Record the User-Agent for analysis:

PCAP Filename: ransom.pcap

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36

Related File: README.txt

Step 7: Next Steps

Forensic Analysis:

Look for more HTTP requests from the same User-Agent.

Monitor Network Activity:

Identify other systems with the same User-Agent pattern.

Block Malicious Traffic:

Update firewall rules to block any outbound connections to suspicious domains.
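Steps 3 to 5 above are done by hand in Wireshark. The same extraction can be scripted so that every HTTP request whose path looks like a ransom note is pulled out of the capture along with its User-Agent, client address and Host header. The following script is an added example and is not part of the original walkthrough or of any ISACA material. It uses only the Python standard library, handles classic (non-pcapng) Ethernet captures, and builds a two-request sample capture inline from the example GET shown above; the client address 10.10.44.15, the MAC addresses, the timestamps and the benign index.html request are constructed values, while 10.10.44.200, README.txt and the User-Agent string are the page's example values.

```python
"""Extract User-Agent headers of ransom-note-looking HTTP downloads from a PCAP.

Added example, not code from the original discussion. Standard library only:
walks the classic pcap record by record, decodes Ethernet/IPv4/TCP, and parses
HTTP request lines found at the start of a TCP segment. Requests split across
several segments are not reassembled here (Wireshark's Follow > HTTP Stream does that).
"""
import re
import socket
import struct
import sys
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution classic pcap
LINKTYPE_ETHERNET = 1

# Filenames the walkthrough lists as common ransom-note names.
RANSOM_NOTE_PATTERN = re.compile(
    r"(README|DECRYPT_INSTRUCTIONS|HELP_DECRYPT)[^ /?]*\.(txt|html?)$", re.IGNORECASE)
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT)\s+(\S+)\s+HTTP/1\.[01]\r\n")

SAMPLE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36")


def build_http_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame carrying `payload` (constructed sample; checksums left 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # TCP: ports, seq, ack, data offset 5 words (0x50), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: a benign index fetch, then the README.txt download."""
    requests = [
        ("10.10.44.15", "10.10.44.200", 49152, 80,
         b"GET /index.html HTTP/1.1\r\nHost: 10.10.44.200\r\nUser-Agent: curl/8.0.1\r\n\r\n"),
        ("10.10.44.15", "10.10.44.200", 49153, 80,
         b"GET /uploads/README.txt HTTP/1.1\r\nHost: 10.10.44.200\r\nUser-Agent: "
         + SAMPLE_UA.encode() + b"\r\nAccept: */*\r\n\r\n"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (src, dst, sport, dport, payload) in enumerate(requests):
        frame = build_http_frame(src, dst, sport, dport, payload)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_records(data):
    """Yield (ts_sec, frame_bytes) for each record of a classic pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng/nanosecond not handled)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4 or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src_ip, dst_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_start = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_start)
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return src_ip, dst_ip, sport, dport, frame[tcp_start + data_off:14 + total_len]


def parse_http_request(payload):
    """Return (method, uri, headers-dict with lowercase names) or None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    head = payload.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.group(1).decode(), m.group(2).decode("latin-1"), headers


def find_ransom_note_user_agents(pcap_bytes):
    """Requests whose last path component matches a ransom-note filename, with their UA."""
    hits = []
    for _ts, frame in iter_pcap_records(pcap_bytes):
        seg = tcp_payload(frame)
        req = parse_http_request(seg[4]) if seg else None
        if req is None:
            continue
        method, uri, headers = req
        filename = uri.split("?", 1)[0].rsplit("/", 1)[-1]
        if RANSOM_NOTE_PATTERN.search(filename):
            hits.append({"client": seg[0], "server": seg[1], "host": headers.get("host", seg[1]),
                         "method": method, "uri": uri, "user_agent": headers.get("user-agent", "")})
    return hits


if __name__ == "__main__":
    # Run with a real capture path (e.g. ransom.pcap) or fall back to the built-in sample.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_pcap()
    for hit in find_ransom_note_user_agents(data):
        print(f"{hit['client']} -> {hit['host']} {hit['method']} {hit['uri']}")
        print(f"  User-Agent: {hit['user_agent']}")
```

Run it with no arguments to see the constructed sample produce exactly one hit (the README.txt download with the Chrome User-Agent), or point it at the real capture with `python extract_ua.py ransom.pcap`. Two caveats matter in practice: the header is only visible in cleartext HTTP, so a download over HTTPS shows nothing here or in Wireshark unless the TLS session keys were captured; and the client address is the IP source of the GET, while the Host header (10.10.44.200 in the example) names the server, so keep the two straight when correlating with endpoint logs.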


Contribute your Thoughts:

An
2 months ago
Wait, is it really that easy to find?
upvoted 0 times
...
Cammy
2 months ago
I think it’s a common browser string.
upvoted 0 times
...
Eliseo
2 months ago
The User-Agent is usually in the HTTP headers.
upvoted 0 times
...
Geoffrey
3 months ago
Totally agree, should be straightforward!
upvoted 0 times
...
Myrtie
3 months ago
I’m not so sure it’s just in the headers…
upvoted 0 times
...
Stephane
3 months ago
I feel like I’ve seen the User-Agent string before, but I’m a bit confused about whether it’s in the GET request or somewhere else in the packet details.
upvoted 0 times
...
Cherilyn
3 months ago
This reminds me of a similar question we did in class about identifying malware signatures. I hope I can remember how to filter the traffic correctly.
upvoted 0 times
...
Deja
4 months ago
I think the User-Agent is usually found in the HTTP headers, but I can't recall the exact steps to find it in Wireshark.
upvoted 0 times
...
Audria
4 months ago
I remember we practiced analyzing PCAP files, but I’m not sure how to extract the User-Agent specifically.
upvoted 0 times
...
Devorah
4 months ago
This is straightforward. I'll just extract the User-Agent from the relevant HTTP request in the PCAP file. Piece of cake!
upvoted 0 times
...
Rupert
4 months ago
No problem, I've got this. I'll use a tool like Wireshark to dig into the PCAP and follow the HTTP conversations. The User-Agent should be in the request headers.
upvoted 0 times
...
Nada
4 months ago
Wait, how do I find the ransomware demand file in the PCAP? I'm a bit confused on where to start with this one.
upvoted 0 times
...
Tracie
5 months ago
Okay, let's see. I'm going to open the PCAP file and filter for the HTTP requests. That should give me the User-Agent information I need.
upvoted 0 times
...
Cecilia
5 months ago
Hmm, this looks like a classic network forensics question. I'll need to analyze the PCAP file to find the User-Agent value associated with the ransomware demand file download.
upvoted 0 times
...
Dorinda
8 months ago
That makes sense, the User-Agent value can give us clues about the type of device and browser used to download the ransomware.
upvoted 0 times
...
Lino
8 months ago
I believe the User-Agent value in the ransom.pcap file is 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36'.
upvoted 0 times
...
Dorinda
8 months ago
I agree, the User-Agent value can help us track down the source of the ransomware.
upvoted 0 times
...
Lino
9 months ago
I think the User-Agent value is important for identifying the ransomware demand file download.
upvoted 0 times
...
Tyra
9 months ago
Ha! Ransomware, huh? I bet the bad guys used the most generic User-Agent ever. Let's see what they've got.
upvoted 0 times
...
Lorrie
9 months ago
Hmm, PCAP files always make me a little nervous. Hope I can find the answer in there somewhere.
upvoted 0 times
Eleonora
8 months ago
Let's take it step by step and analyze the ransom.pcap file carefully.
upvoted 0 times
...
Marguerita
8 months ago
I think we just need to focus on finding the User-Agent value associated with the ransomware demand file download.
upvoted 0 times
...
Ezekiel
9 months ago
I know what you mean, PCAP files can be intimidating.
upvoted 0 times
...
...
Arleen
10 months ago
The User-Agent value is definitely the key to solving this one. Can't wait to see what it is!
upvoted 0 times
Irma
9 months ago
I found the User-Agent value in the ransom.pcap file, it's 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
upvoted 0 times
...
Cecily
9 months ago
I agree, let's check the ransom.pcap file to find out the full User-Agent value.
upvoted 0 times
...
Matthew
9 months ago
I think the User-Agent value might be something unique to the ransomware.
upvoted 0 times
...
...