As my winter vacations come to an end, I decided to start warming up my brain in preparation for the final semester of my graduate program. Malware-Traffic-Analysis.net is a very good resource for practicing PCAP analysis. In this article, I describe my answers to the analysis questions of the PCAP file available here.
Note: In this article, I’m using Splunk / Wireshark for the complete PCAP analysis.
Split PCAP Into Zeek Logs
root@malnet:~/malware_traffic_exercises/2014-11-23# zeek -Cr 2014-11-23-traffic-analysis-exercise.pcap
root@malnet:~/malware_traffic_exercises/2014-11-23# ls
2014-11-23-traffic-analysis-exercise.pcap  conn.log  dns.log  files.log  http.log  ntp.log  packet_filter.log  pe.log  ssl.log  x509.log
After splitting the PCAP file into Zeek logs, I ingested them into Splunk and extracted the relevant fields as mentioned inside each
IP Address of Infected Windows VM
The infected host would be making POST requests to remote hosts/domains. In the below snap, source IP address 172.16.165.132 is the infected Windows VM address.
IP Address and Domain of Compromised and Malware-Delivery Website
The infected VM contacts hijinksensue[.]com and also communicates with it the most.
Hypothesis: It is possible that the user might have been redirected to a malicious site from
In the snap below, we can see that there is traffic to h[.]trinketking[.]com on the unusual port 51439. From past experience, I know that malware often communicates on unusual ports. The referrer website is
In the below snap, we can see that multiple files were downloaded from the said suspicious domains.
After extracting the files using Wireshark, I hashed them and checked on VirusTotal.
Both files were detected as malicious on VirusTotal with one of them possibly being Qakbot.
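As an added example (not part of the original post), here are the same three checks done in Python over a Zeek http.log excerpt instead of in Splunk: the host issuing POSTs, the domain it talks to most, and HTTP flows to destination ports outside the usual set together with their referrer. The rows, timestamps and trimmed column set are constructed from the values in this post; it is assumed that the h.trinketking.com traffic on 51439 was HTTP and so appears in http.log.

```python
"""Triage a Zeek http.log to find the infected host, its favourite domain, and odd-port flows."""
from collections import Counter

# Constructed http.log excerpt (columns trimmed to what we use); not the real exercise log.
HTTP_LOG = """#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\treferrer
1416772800.1\t172.16.165.132\t49201\t192.30.138.146\t80\tGET\thijinksensue.com\t/\t-
1416772801.2\t172.16.165.132\t49202\t192.30.138.146\t80\tGET\thijinksensue.com\t/wp-content/x.js\thttp://hijinksensue.com/
1416772802.0\t172.16.165.132\t49203\t192.30.138.146\t80\tGET\thijinksensue.com\t/favicon.ico\thttp://hijinksensue.com/
1416772805.3\t172.16.165.132\t49210\t37.143.15.180\t51439\tGET\th.trinketking.com\t/dl/a.exe\thttp://hijinksensue.com/
1416772830.0\t172.16.165.132\t49215\t37.143.15.180\t51439\tPOST\th.trinketking.com\t/gate\t-
1416772840.0\t172.16.165.130\t49300\t203.0.113.9\t80\tGET\tupdate.example\t/u\t-
"""

COMMON_PORTS = {"80", "443", "8080"}  # assumption: what counts as a "usual" HTTP port here


def parse_zeek_tsv(text):
    """Parse Zeek TSV: '#fields' names the columns, other '#' lines are metadata and skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def post_sources(records):
    """Count HTTP POSTs per source host: the post's heuristic for spotting the infected VM."""
    return Counter(r["id.orig_h"] for r in records if r["method"] == "POST")


def most_contacted_domain(records, src):
    """Domain the given source requested most often."""
    return Counter(r["host"] for r in records if r["id.orig_h"] == src).most_common(1)[0][0]


def unusual_port_flows(records, common=COMMON_PORTS):
    """(host, resp_ip, resp_port, referrer) for HTTP seen on ports outside the usual set."""
    return [(r["host"], r["id.resp_h"], r["id.resp_p"], r["referrer"])
            for r in records if r["id.resp_p"] not in common]


if __name__ == "__main__":
    recs = parse_zeek_tsv(HTTP_LOG)
    victim = post_sources(recs).most_common(1)[0][0]
    print("infected host:", victim)
    print("most contacted:", most_contacted_domain(recs, victim))
    for flow in unusual_port_flows(recs):
        print("unusual port flow:", flow)
```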
With the above information, it can be said that g[.]trinketking[.]com with IP, h[.]trinketking[.]com with IP, 37[.]143[.]15[.]180 are delivering malware. The domain hijinksensue[.]com with IP 192[.]30[.]138[.]146 is compromised because it is capable of redirecting users to the above malicious domains.
Thanks for reading!
In this article, I described my analysis for the provided PCAP file. The most important aspect of this analysis was to recognize that unusual ports can be used by malware and traffic on those ports might indicate compromise.
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!