Malware - Traffic Analysis
Hi! Malware freaks! Today, I am going to delve into malware analysis with the help of Wireshark. I hope that this walkthrough will help you by enhancing your malware research skills. Let’s get started.
The quiz is asking us: Can you identify the infected host? For a Windows computer, the basic identifiers are the following:
Our goal is to locate, in the pcap, the information that answers each of these questions.
This month, our infected host is a stand-alone Windows client. In addition to Windows system traffic, the pcap also contains unencrypted SMTP traffic generated by the malware. This traffic contains additional information, so we can determine all four of the above identifiers.
SMTP traffic includes various login credentials from the infected host. Of note, this traffic does not contain legitimate credentials. We populated the host with fake login data before we ran the malware. Despite the fake data, this traffic provides a better understanding of data stolen by Agent Tesla variants like Origin Logger.
Review the pcap and answer the following questions for this month’s Unit 42 Wireshark quiz:
When did the malicious traffic start at UTC?
To find the answer, we look at the first malicious packet in Wireshark.
Wireshark shows the timestamp in the local time zone of the analysis machine, here PST (Pacific Standard Time, UTC-8), so we convert it to UTC. Alternatively, switch the display with View > Time Display Format > UTC Date and Time of Day so no manual conversion is needed.
Okay, as you can see we found the correct answer: 5 January 2023 22:51 UTC
What is the victim’s IP address?
We are now going to find the IP address of the victim. This should be an easy question because of the ARP traffic in the capture, which shows which IP address the host is claiming:
The answer will be: 192.168.1.27
What is the victim’s MAC address?
As you can see, the DNS protocol is used in this case.
If we click on a DNS packet sent by the host and expand the Ethernet II source field (the OUI resolves to Hewlett Packard), we will be able to see the correct answer.
What is the victim’s MAC address: bc:ea:fa:22:74:fb
What is the victim’s Windows host name?
This will be an easy question to answer. Apply the display filter "dns or smb" to get the hostname of the source address:
As you can see, if you filter with "dns or smb" you will see the "Microsoft Windows Browser Protocol" packets, which carry the host name.
What is the victim’s Windows hostname: DESKTOP-WIN11PC
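The lookups above (first packet time converted to UTC, source MAC and source IP taken from a DNS query sent by the host) can also be done without Wireshark. The following is an added example, not part of the original post: a minimal classic-pcap reader using only the Python standard library. The pcap bytes are constructed in code; the MAC and IP are the quiz answers, while the router MAC, resolver IP, DNS name and exact second of the timestamp are sample values.

```python
"""Recover host identifiers (first packet time in UTC, source MAC, source IP)
from a classic pcap using only the standard library."""
import struct
from datetime import datetime, timezone, timedelta

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_dns_query_frame(src_mac, src_ip, dst_ip, qname):
    """Ethernet + IPv4 + UDP + DNS standard query. Checksums are left zero,
    which is fine for parsing (sample frame, not captured traffic)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 54321, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    router_mac = bytes.fromhex("020000000001")  # constructed gateway MAC
    eth = router_mac + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + udp


def build_pcap(records):
    """records: iterable of (unix_timestamp, frame_bytes); writes a little-endian pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (timestamp, frame) for every record; handles both byte orders."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield sec + usec / 1e6, pcap[off:off + incl]
        off += incl


def parse_dns_query(frame):
    """Return source MAC/IP and queried name if the frame is a DNS query over UDP/IPv4."""
    _dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:  # protocol field: 17 = UDP
        return None
    src_ip, dst_ip = frame[26:30], frame[30:34]
    udp = 14 + ihl
    _sport, dport = struct.unpack_from("!HH", frame, udp)
    if dport != 53:
        return None
    dns = udp + 8
    if struct.unpack_from("!H", frame, dns + 2)[0] & 0x8000:  # QR bit set = response
        return None
    pos, labels = dns + 12, []
    while frame[pos]:
        n = frame[pos]
        labels.append(frame[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return {"src_mac": ":".join(f"{b:02x}" for b in src_mac),
            "src_ip": ".".join(map(str, src_ip)),
            "dst_ip": ".".join(map(str, dst_ip)),
            "qname": ".".join(labels)}


def local_display(ts, utc_offset_hours):
    """What Wireshark shows when the display time zone is e.g. PST (offset -8)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(ts, tz=tz).strftime("%Y-%m-%d %H:%M:%S")


def first_dns_query(pcap):
    """Walk the pcap and report the first DNS query with its UTC timestamp."""
    for ts, frame in iter_packets(pcap):
        info = parse_dns_query(frame)
        if info:
            info["utc"] = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
            return info
    return None


# Constructed sample capture: one DNS query from the quiz host to a sample resolver.
SAMPLE_TS = datetime(2023, 1, 5, 22, 51, 0, tzinfo=timezone.utc).timestamp()
SAMPLE_PCAP = build_pcap([(SAMPLE_TS, build_dns_query_frame(
    "bc:ea:fa:22:74:fb", "192.168.1.27", "192.168.1.1", "example.com"))])

if __name__ == "__main__":
    print(first_dns_query(SAMPLE_PCAP))
    print("same instant displayed in PST:", local_display(SAMPLE_TS, -8))
```

Running the block prints the identifiers for the sample capture and shows the same instant as it would appear under a PST display, which is the conversion the quiz answer required.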
What is the victim’s Windows user account name?
To find the victim's Windows user account name, we need to dive into the traffic. The malware sends the collected data to its C2 over SMTP, so the information we want is in the unencrypted SMTP session. Filter on "smtp" and follow the TCP stream.
What is the victim’s Windows user account name: windows11user
How much RAM does the victim’s host have?
On the same page, we can find the correct answer:
How much RAM does the victim’s host have: 32165.83. This was an easy one.
What type of CPU is used by the victim’s host?
On the same page, we can find the correct answer.
CPU: Intel(R) Core(TM) i5-13600K
What is the public IP address of the victim’s host?
What type of account login data was stolen by the malware?
We can see that email account and web account credentials are sent to the threat actor.
We can conclude that the victim's credentials were exfiltrated. The stolen data in the message body is base64-encoded and can be decoded, but you can also check the MAIL FROM section of the SMTP session.
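The SMTP questions above (user account name, RAM, CPU, and which kinds of credentials were stolen) all come from the same followed TCP stream. The following is an added example, not code from the original post: it parses the text Wireshark shows under Follow > TCP Stream, drops the server's numeric replies, recovers the authenticated mailbox and MAIL FROM / RCPT TO, and decodes the base64 body. The session is constructed; the body field labels ("Computer Name:", "RAM:", ...) are a hypothetical report layout, and every address and password is a placeholder, not data from the quiz pcap.

```python
"""Parse an SMTP exfiltration session and summarise what the malware sent."""
import base64
import re

# Constructed sample body; identifiers are the quiz answers, the rest are placeholders.
_BODY = "\r\n".join([
    "Computer Name: DESKTOP-WIN11PC",
    "User Name: windows11user",
    "RAM: 32165.83",
    "CPU: Intel(R) Core(TM) i5-13600K",
    "Mail client credentials: victim@example.com / placeholder-mail-password",
    "Web credentials: https://example.com | victim@example.com | placeholder-web-password",
])

# Constructed "Follow TCP Stream" text: client commands interleaved with server replies.
SAMPLE_STREAM = "\r\n".join([
    "220 mail.example.com ESMTP",
    "EHLO DESKTOP-WIN11PC",
    "250 OK",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",
    base64.b64encode(b"exfil-mailbox@example.com").decode(),
    "334 UGFzc3dvcmQ6",
    base64.b64encode(b"placeholder-smtp-password").decode(),
    "235 Authentication successful",
    "MAIL FROM:<exfil-mailbox@example.com>",
    "250 OK",
    "RCPT TO:<exfil-mailbox@example.com>",
    "250 OK",
    "DATA",
    "354 End data with <CR><LF>.<CR><LF>",
    "Subject: sample report",
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(_BODY.encode()).decode(),
    ".",
    "250 OK queued",
    "QUIT",
])

_SERVER_RE = re.compile(r"^\d{3}[ -]")        # SMTP reply codes, e.g. "250 OK"
_ADDR_RE = re.compile(r"<([^>]+)>")
_FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.+)$")


def _decode_body(body_lines):
    """Split message headers from body; base64-decode if the header says so."""
    if "" in body_lines:
        split = body_lines.index("")
        headers, body = body_lines[:split], body_lines[split + 1:]
    else:
        headers, body = [], body_lines
    is_b64 = any(h.lower().startswith("content-transfer-encoding:") and "base64" in h.lower()
                 for h in headers)
    text = "".join(body)
    if is_b64:
        text = base64.b64decode(text).decode("utf-8", errors="replace")
    return headers, text


def parse_smtp_exfil(stream):
    """Return the mailbox used, envelope addresses, subject, host fields and stolen accounts.
    The SMTP password is deliberately not kept in the result."""
    lines = [l for l in stream.split("\r\n") if not _SERVER_RE.match(l)]  # client side only
    result = {"smtp_user": None, "mail_from": None, "rcpt_to": None,
              "subject": None, "host_fields": {}, "stolen_accounts": []}
    i = 0
    while i < len(lines):
        line = lines[i]
        verb = line.upper()
        if verb.startswith("AUTH LOGIN"):
            result["smtp_user"] = base64.b64decode(lines[i + 1]).decode("utf-8", errors="replace")
            i += 3  # skip the base64 username and password lines
            continue
        if verb.startswith("MAIL FROM:"):
            m = _ADDR_RE.search(line)
            result["mail_from"] = m.group(1) if m else None
        elif verb.startswith("RCPT TO:"):
            m = _ADDR_RE.search(line)
            result["rcpt_to"] = m.group(1) if m else None
        elif verb == "DATA":
            j = i + 1
            while j < len(lines) and lines[j] != ".":  # body ends at the lone dot
                j += 1
            headers, text = _decode_body(lines[i + 1:j])
            for h in headers:
                if h.lower().startswith("subject:"):
                    result["subject"] = h.split(":", 1)[1].strip()
            for body_line in text.splitlines():
                m = _FIELD_RE.match(body_line)
                if not m:
                    continue
                key, value = m.group(1).strip(), m.group(2).strip()
                if key.lower().endswith("credentials"):
                    result["stolen_accounts"].append(value)
                else:
                    result["host_fields"][key] = value
            i = j
        i += 1
    return result


if __name__ == "__main__":
    for k, v in parse_smtp_exfil(SAMPLE_STREAM).items():
        print(f"{k}: {v}")
```

The mailbox in AUTH LOGIN and MAIL FROM is the attacker's collection account, which is why the post suggests checking MAIL FROM; the victim's own accounts only appear inside the decoded body. On a real stream, replace SAMPLE_STREAM with the text saved from Wireshark's Follow TCP Stream dialog.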
Conclusion
Wireshark is a powerful open-source tool that allows security analysts to capture and inspect network traffic in real-time. By analyzing the traffic captured with Wireshark, experts can gain insights into the activities of malware, such as command and control (C&C) communications, data exfiltration, or exploit attempts.
When examining malware traffic using Wireshark, analysts focus on various network protocols, such as TCP, UDP, HTTP, or DNS. They dissect packet-level details to identify suspicious behavior, abnormal traffic patterns, or communication with known malicious IP addresses or domains.
The process typically involves capturing network traffic using Wireshark, filtering the captured packets based on relevant criteria, and then examining the individual packets for indicators of compromise (IOCs). These IOCs may include malicious payload signatures, unusual port usage, non-standard protocols, or specific patterns of communication.
Once potential malware traffic is identified, analysts can extract relevant artifacts, such as payloads or malware samples, for further analysis using specialized tools or sandboxes. This allows them to study the malware’s code, behavior, and potential impact.
I hope you enjoyed the blogpost where I covered the main steps of analyzing the PCAP file. Please stay tuned for more such blogposts.
Thanks for reading this blogpost and I will see you next time.
Ahmet Göker | Threat Cases Operator