PCAP Analysis – 2

As my winter vacations come to an end, I decided to start warming up my brain in preparation for the final semester of my graduate program. Malware-Traffic-Analysis.net is a very good resource for practicing PCAP analysis. In this article, I describe my answers to the analysis questions of the PCAP file available here.

Note: In this article, I’m using Splunk / Wireshark for the complete PCAP analysis.

Split PCAP Into Zeek Logs

root@malnet:~/malware_traffic_exercises/2014-11-23# zeek -Cr 2014-11-23-traffic-analysis-exercise.pcap 

root@malnet:~/malware_traffic_exercises/2014-11-23# ls
2014-11-23-traffic-analysis-exercise.pcap  conn.log  dns.log  files.log  http.log  ntp.log  packet_filter.log  pe.log  ssl.log  x509.log

After splitting the PCAP file into Zeek logs, I ingested them into Splunk and extracted the relevant fields, using the column names given in the #fields header line at the top of each .log file.

IP Address of Infected Windows VM

The infected host is the one generating the bulk of the GET/POST requests to remote hosts/domains in http.log. In the snap below, the source IP address 172.16.165.132 is the infected Windows VM.

IP Address and Domain of Compromised and Malware-Delivery Website

The infected VM contacts hijinksensue[.]com and also communicates with it the most.

Hypothesis: It is possible that the user might have been redirected to a malicious site from hijinksensue[.]com.

In the snap below, we can see traffic to g[.]trinketking[.]com and h[.]trinketking[.]com on an unusual port, 51439. From past experience, I know that malware often communicates on non-standard ports. The HTTP Referer on these requests is hijinksensue[.]com, which links the redirect back to that site.

In the snap below, we can see that multiple files were downloaded from these suspicious domains.
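The same three questions (busiest HTTP client, HTTP on a non-standard port and who referred the client there, and which hosts actually served files) can be answered from Zeek's http.log without Splunk. The script below is an added example, not the author's Splunk searches: it parses Zeek's tab-separated format by reading the #fields header, then runs the three checks over constructed log lines. The IPs, domains and port 51439 follow the article; the timestamps, uids, URIs, file ids (Fa1, Fa2), MIME types and the second client 172.16.165.10 are invented so the code has something to work on.

```python
"""Offline triage of a Zeek http.log with the Python standard library.

Added example (not the original author's Splunk searches). Replays the
exercise questions against constructed log lines: IPs, domains and port
follow the article; timestamps, uids, URIs, fuids, MIME types and the
second client are made up for illustration.
"""
from collections import Counter, defaultdict
import io

# Constructed sample in Zeek's default TSV layout: "#fields" names the
# columns, other "#"-lines are metadata, "-" marks an unset field.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\treferrer\tresp_fuids\tresp_mime_types",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tvector[string]\tvector[string]",
    # Workstation browsing the (compromised) site over plain port 80
    "1416764120.10\tCa1\t172.16.165.132\t49201\t192.30.138.146\t80\tGET\thijinksensue.com\t/\t-\t-\ttext/html",
    "1416764121.30\tCa2\t172.16.165.132\t49202\t192.30.138.146\t80\tGET\thijinksensue.com\t/style.css\thttp://hijinksensue.com/\t-\ttext/css",
    # Redirect lands on the malware host on a non-standard port; a file comes back
    "1416764125.00\tCa3\t172.16.165.132\t49210\t37.143.15.180\t51439\tGET\tg.trinketking.com\t/index.php?a=1\thttp://hijinksensue.com/\tFa1\tapplication/x-dosexec",
    "1416764131.70\tCa4\t172.16.165.132\t49211\t37.143.15.180\t51439\tGET\th.trinketking.com\t/index.php?b=2\thttp://hijinksensue.com/\tFa2\tapplication/x-dosexec",
    # Unrelated low-volume noise from another host on the segment (invented)
    "1416764140.00\tCa5\t172.16.165.10\t50000\t192.30.138.146\t80\tGET\thijinksensue.com\t/\t-\t-\ttext/html",
    "#close\t2014-11-23-17-00-00",
])

STANDARD_HTTP_PORTS = {80, 443, 8000, 8080}


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # separator/types/path/close metadata
        if fields is None:
            raise ValueError("record appears before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        # Zeek writes "-" for unset fields; map that to None
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def top_http_clients(records, n=3):
    """Question 1: the client issuing the most GET/POST requests."""
    counts = Counter(r["id.orig_h"] for r in records if r["method"] in ("GET", "POST"))
    return counts.most_common(n)


def nonstandard_port_requests(records):
    """Question 2: HTTP to a port outside the usual set, with the Referer that led there."""
    return [
        (r["host"], r["id.resp_h"], int(r["id.resp_p"]), r["referrer"])
        for r in records
        if int(r["id.resp_p"]) not in STANDARD_HTTP_PORTS
    ]


def downloads_by_host(records):
    """Question 3: files the server actually returned (resp_fuids set), grouped by Host header."""
    out = defaultdict(list)
    for r in records:
        if not r["resp_fuids"]:
            continue
        fuids = r["resp_fuids"].split(",")
        mimes = (r["resp_mime_types"] or "").split(",")
        for fuid, mime in zip(fuids, mimes):
            out[r["host"]].append((fuid, mime, r["uri"]))
    return dict(out)


if __name__ == "__main__":
    recs = list(parse_zeek_log(SAMPLE_HTTP_LOG))
    print("busiest HTTP clients:", top_http_clients(recs))
    for host, ip, port, ref in nonstandard_port_requests(recs):
        print(f"{host} ({ip}) on port {port}, referred by {ref}")
    for host, files in downloads_by_host(recs).items():
        print(host, "served", files)
```

The resp_fuids values are the keys into files.log (and pe.log for executables), so the same parser pointed at files.log is the quickest way to pull the MIME type and, if the hashing policy is loaded, the hashes of what was downloaded, instead of carving the objects by hand in Wireshark. Port-based filtering is only a lead: the referrer column is what ties the odd-port traffic to the site that sent the browser there.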

After extracting the files using Wireshark (File > Export Objects > HTTP), I hashed them and looked the hashes up on VirusTotal.

Both files were detected as malicious on VirusTotal, and one of them was flagged as possibly Qakbot.

With the above information, it can be said that g[.]trinketking[.]com and h[.]trinketking[.]com, both resolving to 37[.]143[.]15[.]180, are the malware-delivery domains. The domain hijinksensue[.]com, with IP 192[.]30[.]138[.]146, is the compromised website, since it is the site that redirected the user to those malicious domains.

In this article, I described my analysis of the provided PCAP file. The key takeaway is that malware often uses non-standard ports, so HTTP traffic on an unexpected port is worth treating as a possible indicator of compromise. On its own it is only a lead; here, the Referer chain from the compromised site and the VirusTotal detections on the downloaded files are what confirmed it.

Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
