Malware Traffic Analysis : 2014-11-16

Girithar Ram Ravindran
5 min readSep 6, 2021


Malware-traffic-analysis is a source of pcap files and malware samples.

Target audience:

Malware-traffic-analysis provides pcap files captured in a live environment.

These pcaps are provided as exercises or challenges that benefit anyone interested in getting into a SOC (Security Operations Center), and they are a great way to brush up on network forensic skills.

The exercises give a person knowledge of:

  • How network traffic flows between a client and a server.
  • How certain protocols work and what they are for.
  • The types and signatures of several malware families.

Objective:

The challenge contains a set of questions which I will try to cover and explain in this post.

Note:

Usually the pcaps are examined and analysed with Wireshark, a free and open-source packet analyzer with a graphical interface.

For a change, I will use a similar tool called TShark, the terminal-oriented version of Wireshark, designed for capturing and displaying packets when an interactive user interface isn’t necessary or available. It supports the same options as Wireshark.

The pcap files are protected by a password “infected”.

Malware Traffic Analysis : 2014-11-16:

In this post we will be working with a pcap file that was published on 2014-11-16 here.

In the first set of questions we are asked to find the IP address, host name and MAC address of the host, and the IP address and domain name of some sites.

Try to open the pcap file using the following command followed by the file name in tshark:

$ sudo tshark -r 2014-11-16-traffic-analysis-exercise.pcap

This prints every packet in the capture, but for our analysis we only need the HTTP traffic.

To filter it out we use the following display filter in TShark:

$ sudo tshark -r 2014-11-16-traffic-analysis-exercise.pcap -Y http.request

The -Y parameter applies a display filter using the same syntax as Wireshark.

IP and MAC address of the machine:

We can see that the IP 172.16.165.165 is communicating with other IP addresses on the network, so we can conclude that it is the IP of the host system.

To find the MAC address of the host, use the following filter:

sudo tshark -r 2014-11-16-traffic-analysis-exercise.pcap -Y eth.src

By cross-verifying with the ARP traffic and the IP we found previously, the MAC address is found to be f0:19:af:02:9b:f1.

Or it can be found with the following command, which prints the source MAC and source IP of each packet:

sudo tshark -r 2014-11-16-traffic-analysis-exercise.pcap -T fields -e eth.src -e ip.src

Host Name of the machine:

The host name of a Windows machine can be found by looking at the NBNS (NetBIOS Name Service) traffic.

It can be filtered in TShark with:

sudo tshark -r 2014-11-16-traffic-analysis-exercise.pcap -Y nbns

And the host name is found to be K34EN6W3N-PC.
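As an added example (not from the original post), the three host-identification steps above can be done in one pass with TShark field extraction instead of reading packet listings by eye. It assumes tshark is installed and the pcap is in the current directory; when they are absent it runs the helpers on constructed sample output (the 00:11:22:33:44:55 / 172.16.165.1 gateway values are made up).

```shell
#!/bin/sh
# Added example, not from the original post: identify the host's IP, MAC and
# NetBIOS name from tshark field output. Assumes tshark and the exercise pcap
# are available; otherwise the helpers run on constructed sample lines.
PCAP="${1:-2014-11-16-traffic-analysis-exercise.pcap}"

# Read tab-separated "eth.src<TAB>ip.src" lines on stdin and print each unique
# pair with its packet count, most frequent first. The busiest private pair is the host.
top_pairs() {
    awk -F'\t' 'NF == 2 && $1 != "" && $2 != "" { n[$1 "\t" $2]++ }
                END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -rn
}

# NBNS names carry a service suffix such as <00> or <20> in the 16th byte; strip it.
strip_nbns_suffix() {
    sed 's/<[0-9a-fA-F][0-9a-fA-F]>$//' | sort -u
}

if command -v tshark >/dev/null 2>&1 && [ -f "$PCAP" ]; then
    # 1. Source MAC/IP pairs for RFC 1918 sources only, so Internet hosts drop out.
    PAIRS=$(tshark -r "$PCAP" \
        -Y 'ip.src == 10.0.0.0/8 or ip.src == 172.16.0.0/12 or ip.src == 192.168.0.0/16' \
        -T fields -e eth.src -e ip.src | top_pairs)
    echo "== MAC / IP pairs (count, eth.src, ip.src) =="
    printf '%s\n' "$PAIRS" | head -n 5
    HOST_IP=$(printf '%s\n' "$PAIRS" | head -n 1 | cut -f3)

    # 2. Cross-check against ARP: the MAC that ARP announces for that IP.
    echo "== ARP sender MAC for $HOST_IP =="
    tshark -r "$PCAP" -Y "arp.src.proto_ipv4 == $HOST_IP" -T fields -e arp.src.hw_mac | sort -u

    # 3. NetBIOS name from NBNS registrations/queries sent by the host.
    echo "== NBNS names from $HOST_IP =="
    tshark -r "$PCAP" -Y "nbns and ip.src == $HOST_IP" -T fields -e nbns.name | strip_nbns_suffix
else
    # No tshark or pcap: demonstrate the helpers on constructed sample field output.
    printf 'f0:19:af:02:9b:f1\t172.16.165.165\n00:11:22:33:44:55\t172.16.165.1\nf0:19:af:02:9b:f1\t172.16.165.165\n' | top_pairs
    printf 'K34EN6W3N-PC<00>\nK34EN6W3N-PC<20>\n' | strip_nbns_suffix
fi
```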

IP and domain of the compromised site:

  • After a normal Bing search, it is observed that the host visits a website “ciniholland”.
  • Examining the packet flow after the visit to ciniholland, the host then visits a website adultbz:ixx.
  • Analysing the HTTP headers of adultbz:ixx and searching on Google shows that it contained no redirect, malicious content or payload.
  • Moving on, it is observed that the host visits the site “http://24corp-shop.cxx/".
  • A Google search shows that this is a compromised website. Analysing the HTTP headers of the site shows that its body contains a redirect URL, “stand.trustandprobaterealty:cxx”.
  • The HTTP-over-TCP stream of this traffic shows that the referrer was “http://24corp-shop.cxx/", which in this case is concluded to be a redirect URL.

The HTTP-over-TCP stream can be displayed by following TCP stream 20 with the following option:

sudo tshark -r 2014-11-16-traffic-analysis-exercise.pcap -z follow,tcp,ascii,20

From this analysis we find that the IP of the compromised site is 82.150.140.30 and the domain name is www.ciniholland.nl.

The EK landing page:

After exporting the HTTP objects served by “stand.trustandprobaterealty.com”, it is found that it sent the host a DLL file (content type x-msdownload) and an x-shockwave-flash (Macromedia Flash) data file.

The objects can be exported using the following commands:

sudo tshark -r 2014-11-16-traffic-analysis-exercise.pcap  --export-objects http,sample

And the file types can be displayed with:

file ./*

This displays the type of every file inside the folder.

The exported files were then uploaded to VirusTotal, where they were found to be malicious and identified as RIG EK.
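As an added example (not from the original post) covering both the redirect-chain analysis and the object export above, the script below rebuilds the referrer chain (compromised site, redirector, EK landing page) from tshark field output and fingerprints the exported objects by type and SHA-256, so they can be looked up on VirusTotal by hash. It assumes tshark, file and sha256sum are available; without the pcap it runs the chain helper on constructed sample lines that reuse the post's defanged host names with TEST-NET IPs.

```shell
#!/bin/sh
# Added example, not from the original post: reconstruct the HTTP referrer chain
# from tshark field output and fingerprint the exported HTTP objects.
# Assumes tshark, file and sha256sum (GNU coreutils) are installed.
PCAP="${1:-2014-11-16-traffic-analysis-exercise.pcap}"
OUT="${2:-exported}"

# Input: tab-separated "frame.number ip.dst http.host http.request.uri http.referer"
# lines. Output: unique "referrer-host -> requested-host" edges in first-seen order,
# i.e. the redirect chain the analyst otherwise pieces together by following streams.
referer_chain() {
    awk -F'\t' '$5 != "" {
        r = $5; sub("^https?://", "", r); sub("/.*", "", r); sub(":.*", "", r)
        k = r " -> " $3
        if (!seen[k]++) print k
    }'
}

# Export every HTTP object into $OUT and print "sha256<TAB>type<TAB>file" per object.
fingerprint_objects() {
    mkdir -p "$OUT"
    tshark -r "$PCAP" -q --export-objects "http,$OUT" >/dev/null
    for f in "$OUT"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(file -b "$f")" "$f"
    done
}

if command -v tshark >/dev/null 2>&1 && [ -f "$PCAP" ]; then
    echo "== Redirect chain from HTTP referrers =="
    tshark -r "$PCAP" -Y 'http.request' -T fields \
        -e frame.number -e ip.dst -e http.host -e http.request.uri -e http.referer | referer_chain

    echo "== Exported objects (sha256, type, file) =="
    fingerprint_objects
else
    # No tshark or pcap: constructed sample (defanged hosts from the post, TEST-NET IPs).
    printf '1\t192.0.2.10\twww.ciniholland.nl\t/\t\n2\t192.0.2.20\t24corp-shop.cxx\t/\thttp://www.ciniholland.nl/\n3\t192.0.2.30\tstand.trustandprobaterealty.cxx\t/?a=1\thttp://24corp-shop.cxx/\n' \
        | referer_chain
fi
```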

“The End”

I hope this article gives you an idea of how to analyse network packets.

I recommend that you try it yourself, as it will give you hands-on experience.

Finally, I thank whoever is reading this for spending your valuable time on my article.

Author: Girithar Ram R

Contact: https://www.linkedin.com/in/girithar-ram-ravindran-a4341017b/s
