ANALYSING PCAP FILES WITH WIRESHARK - PART 1

Salim Salimov
7 min read · Sep 26, 2023


Hello everybody,

In one of my previous posts I gave some background on Wireshark and how to install and use it on Linux; you can check it out here: https://medium.com/@salim.y.salimov/wireshark-in-ubuntu-or-linux-mint-74d62032d4a5

Today I am going to demonstrate how to find out what is hidden in a sample .pcap file, using Wireshark and its functions as a tool for analysing suspicious network activity. To cover this topic properly I am dividing it into two shorter parts instead of one very long and boring post.

What do we need?

  1. A virtual machine (preferably a Linux VM). We are going to handle real malicious files, so doing this inside a virtual machine is highly recommended.
  2. Wireshark installed on your virtual machine (if you don't have it installed yet you can get it from here: https://www.wireshark.org/download.html).
  3. A pcap file to analyse. Pcap files are previously captured and saved network traffic packets. They include a lot of information about the traffic: different communications, network protocols and network layers, and they may also include files and documents that we can extract and analyse (a good place to get one is: https://www.malware-traffic-analysis.net/ ).

Let's get started.

  1. Start up your virtual machine (I am skipping this step as I will be using Wireshark on my Linux laptop, so don't worry if the icons or interface look a bit different in my screenshots).
  2. Inside your virtual machine open the Wireshark application.
  3. Open the pcap file in Wireshark by:
     - clicking File, then Open from the drop-down menu, then browsing to the pcap file, or
     - simply dragging and dropping the file anywhere in the Wireshark window.
  4. Once the file is loaded into Wireshark we can start the analysis.

ANALYSING PROCESS (Part 1 - Exporting Objects)

A pcap file may include so much information that we cannot look at and read everything in it, so we need to use Wireshark filters to narrow the information down to only what we need. In this post, though, I am going to show the first thing I like to do, which is to extract/export all the files captured in this pcap file.

1. Export objects

To do this just follow the drop-down menu File / Export Objects / HTTP…

In the new window that opens we see the list of files that were transferred during the captured network traffic. If there are too many files we can filter them by type or search for a specific one to export.

As I don't know which of them may be suspicious at this point, I am going to save them all and analyse them one by one. Create a new folder on the Desktop for easy access, press Save All and browse to the newly created folder as the destination.

Once the files are exported, and before I close this window, I take note of all the host IP addresses and websites listed there, or simply save a screenshot of it, so that I can investigate these IP addresses and websites later on.

2. Next I am going to upload and scan the exported files with VirusTotal: https://www.virustotal.com/gui/home/upload

- Open the "Exported objects" folder and the VirusTotal website side by side.

[Screenshot: the two windows opened side by side]

- Drag and drop files from the folder to the website to see if they are detected as malicious, taking note of those that are detected; then I separate them into two subfolders for detailed investigation with other tools.

[Screenshot: drag and drop for easy uploading]
[Screenshot: two subfolders created to separate detected and undetected files]

The results for the first file do not show any sign of infection, so I move this file into the "Not Detected" folder (please note that this only shows that the file does not contain any known malware; it might still contain new malicious code, a script or another kind of malware that is not known yet).

When I had completed uploading/scanning all the .txt files, half of them turned out not to be detected as malicious and the other half were detected as malicious by one vendor only, as you can see in the next screenshot.

[Screenshot: detected by one vendor]

So I moved them into the "Malicious" folder and continued with the next files. There are two .cab files which are most likely some Windows component update files, but to eliminate the suspicion I am going to scan them too.

[Screenshot: .cab files scanned]

As they both seem fine according to the VirusTotal results, I move them to the "Not Detected" folder.

What is left for scanning now are some files with .png extensions, which means they are supposed to be pictures or image files, but as I have seen before, this extension might be used just to hide malware and trick victims into executing it by trying to open an image file. Let's scan them in VirusTotal to see if this is the case.

[Screenshot: .png files scanned]

Indeed, all the .png files turned out to be detected as malicious, and they all go into the "Malicious" folder.

Now that we have checked all the exported objects/files in VirusTotal, I am going to check the IP addresses and websites they are coming from as well. If we go back to the "Export Objects" window in Wireshark, or open the screenshot of it that I saved earlier, in the Hostname column I can see the websites or IP addresses the files were downloaded from. Let's see what VirusTotal knows about them.

  • Open the VirusTotal website, click on URL and type in the hostnames presented as websites.
[Screenshot: scanning hosts presented as websites]
  • All the website hostnames return results with no malware detected; those are the ones associated with the files with no malware detected either, as can be seen in "Export Objects".
  • All the other hostnames are presented as IP addresses, which already makes them suspicious. But let's scan them too and see the results. It looks like there are only two IP addresses as hostnames from which multiple files were downloaded, and the scan results show that both IP addresses are malicious.
[Screenshot: IP hostnames are all detected]
  • So some files that were not detected as malicious were downloaded from these IP addresses; they are actually all the .txt files except the ncsi.txt file. So I go back to my exported objects folder and move all the .txt files from the "Not Detected" folder to the "Malicious" folder, leaving there only ncsi.txt with the two .cab files.

These files might seem harmless and are not detected as malware, but they may contain important information about the malware or might be used to help the actual malware, so we still need to treat them as suspicious and investigate them further.
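The same workflow can be reproduced from the command line, which is handy when a capture has hundreds of objects or when you want a hash list before touching VirusTotal. The script below is an added example and is not the author's code or part of Wireshark: it does a simplified version of what File / Export Objects / HTTP does (reads a classic pcap, concatenates each TCP direction, pairs HTTP requests with responses), computes the SHA-256 of every object (so you can look the hash up on VirusTotal first and only upload when no result exists, which avoids sharing an unknown sample), and applies the two triage rules used above: a Host that is a bare IP address and a ".png" name whose bytes are not a PNG. It assumes Ethernet/IPv4, unencrypted HTTP/1.x with Content-Length framing and in-order capture (no sequence-number reassembly); the capture, hostnames and IP addresses at the bottom are constructed from documentation ranges and are not from the article's pcap.

```python
import hashlib
import ipaddress
import posixpath
import struct
from collections import defaultdict

# Extension -> leading magic bytes; a ".png" that starts with "MZ" is the disguise the article describes.
MAGIC_BY_EXT = {".png": b"\x89PNG", ".gif": b"GIF8", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}

def frames_from_pcap(data):
    """Yield link-layer frames from a classic pcap byte string (Ethernet assumed; pcapng not handled)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]  # ts_sec, ts_usec, incl_len, orig_len
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """Return (src_ip, sport, dst_ip, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]  # trim to the IPv4 total length
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    src, dst = (str(ipaddress.IPv4Address(ip[i:i + 4])) for i in (12, 16))
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]

def http_messages(data):
    """Split a reassembled stream into (start_line, headers, body); Content-Length framing only."""
    msgs = []
    while (end := data.find(b"\r\n\r\n")) >= 0:
        start_line, *header_lines = data[:end].decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
        if "chunked" in headers.get("transfer-encoding", ""):
            break  # chunked bodies are out of scope for this example
        length = int(headers.get("content-length", 0))
        msgs.append((start_line, headers, data[end + 4:end + 4 + length]))
        data = data[end + 4 + length:]
    return msgs

def triage_flags(host, uri, body):
    """Local checks mirroring the article's reasoning: IP-literal hosts and image names hiding other content."""
    flags = []
    try:
        ipaddress.ip_address(host.split(":")[0])
        flags.append("host-is-ip-literal")
    except ValueError:
        pass
    ext = posixpath.splitext(uri.split("?", 1)[0])[1].lower()
    if ext in MAGIC_BY_EXT and not body.startswith(MAGIC_BY_EXT[ext]):
        flags.append("extension-mismatch")
    if body.startswith(b"MZ"):
        flags.append("pe-executable")
    return flags

def export_http_objects(pcap_bytes):
    """Concatenate each TCP direction in capture order (no seq reordering) and pair requests with responses."""
    streams = defaultdict(bytes)
    for frame in frames_from_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[4]:
            streams[seg[:4]] += seg[4]
    objects = []
    for (c_ip, c_port, s_ip, s_port), req_bytes in streams.items():
        if not req_bytes.startswith((b"GET ", b"POST ", b"HEAD ")):
            continue
        responses = http_messages(streams.get((s_ip, s_port, c_ip, c_port), b""))
        for (req_line, req_hdr, _), (status, resp_hdr, body) in zip(http_messages(req_bytes), responses):
            uri, host = req_line.split(" ")[1], req_hdr.get("host", s_ip)
            objects.append({"host": host, "uri": uri, "server_ip": s_ip, "status": status,
                            "content_type": resp_hdr.get("content-type", ""), "size": len(body),
                            "sha256": hashlib.sha256(body).hexdigest(), "flags": triage_flags(host, uri, body)})
    return objects

def make_frame(src_ip, sport, dst_ip, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # classic pcap header, link type 1
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def sample_pcap():
    """Constructed capture: one text download from a named host, one fake PNG from a bare IP (not real traffic)."""
    client, cdn, bare_ip = "192.0.2.10", "198.51.100.20", "203.0.113.7"  # RFC 5737 documentation ranges
    get1 = b"GET /update.txt HTTP/1.1\r\nHost: example-cdn.test\r\n\r\n"
    resp1 = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 3\r\n\r\nabc"
    get2 = b"GET /logo.png HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n"
    fake_png = b"MZ" + b"\x00" * 30  # PE header bytes served under an image name
    resp2 = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: %d\r\n\r\n" % len(fake_png) + fake_png
    return make_pcap([make_frame(client, 50001, cdn, 80, get1), make_frame(cdn, 80, client, 50001, resp1),
                      make_frame(client, 50002, bare_ip, 80, get2), make_frame(bare_ip, 80, client, 50002, resp2)])

if __name__ == "__main__":
    for obj in export_http_objects(sample_pcap()):
        print(f"{obj['host']}{obj['uri']} {obj['content_type']} {obj['size']}B sha256={obj['sha256']} flags={obj['flags']}")
```

Run it on a real capture by replacing `sample_pcap()` with the bytes of your .pcap; the printed hash list is what you would paste into VirusTotal's search, and any object carrying `host-is-ip-literal` or `extension-mismatch` is the one to look at first, exactly as the .txt and .png files above were. Wireshark's own exporter handles TCP reordering, chunked encoding and many other protocols that this example deliberately leaves out.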

I hope this was a useful and interesting article. Thank you for reading, and I will see you in the next part of this topic.

Link to part 2: https://medium.com/@salim.y.salimov/analysing-pcap-files-with-wireshark-part-2-5185cf9837c1
