As my winter vacations come to an end, I decided to start warming up my brain in preparation for the final semester of my graduate program. Malware-Traffic-Analysis.net is a very good resource for practicing PCAP analysis. In this article, I describe my answers to the analysis questions of the PCAP file available here.
Note: In this article, I’m using Splunk / Wireshark for the complete PCAP analysis.
Hostname, IP and MAC Address of Infected Host
The infected host’s information is available in the DHCP traffic, as seen in the snap below. The hostname of the infected host is Mike-PC, the IP address is 172.16.137.40 and the MAC address is
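The DHCP lookup described above can be scripted instead of read off a Wireshark screenshot. The following is an added example, not part of the original write-up: it builds a constructed DHCP Request payload (the client MAC is a made-up placeholder; the hostname and requested IP are the values reported for the infected host) and parses the BOOTP header and DHCP options to recover the hostname (option 12), requested IP (option 50) and client hardware address.

```python
import struct
from ipaddress import IPv4Address

# Constructed placeholder MAC; the real MAC comes from the PCAP, not from here.
CONSTRUCTED_MAC = bytes.fromhex("001122334455")
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_dhcp_request(mac: bytes, hostname: str, requested_ip: str) -> bytes:
    # BOOTP fixed header (236 bytes): op=1 request, htype=1 Ethernet, hlen=6,
    # hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = MAGIC_COOKIE
    options += bytes([53, 1, 3])                                    # DHCP Request
    options += bytes([50, 4]) + IPv4Address(requested_ip).packed    # requested IP
    options += bytes([12, len(hostname)]) + hostname.encode()       # host name
    options += b"\xff"                                              # end option
    return header + options

def parse_dhcp(payload: bytes) -> dict:
    """Return the fields an analyst would pull from a DHCP Request."""
    hlen = payload[2]
    mac = payload[28:28 + hlen].hex(":")          # chaddr sits at offset 28
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(payload):                       # walk the TLV option list
        code = payload[i]
        if code == 255:                           # end marker
            break
        if code == 0:                             # pad byte has no length
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "mac": mac,
        "hostname": opts.get(12, b"").decode(errors="replace"),
        "requested_ip": str(IPv4Address(opts[50])) if 50 in opts else None,
        "msg_type": opts.get(53, b"\0")[0],
    }

if __name__ == "__main__":
    print(parse_dhcp(build_dhcp_request(CONSTRUCTED_MAC, "Mike-PC", "172.16.137.40")))
```

On a real capture the same parser applies to the UDP payload of each port 67/68 packet; a host that requests an address under an unexpected hostname is the first thing to cross-check against the inventory.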
The infected host communicates with two suspicious domains and downloads a
Using Wireshark, I extracted the .jpg file, hashed it and checked the hash on VirusTotal. The file appears to be an Upatre Trojan sample.
root@malnet:~/malware_traffic_exercises/2015-02-08/Files# sha256sum arrowu.jpg
99e832a42f6b22057816170b18fc0af66b1a34cd745973fd0d6e62cb33258562  arrowu.jpg
Searching Google for the suspect domains indicated that the malware running on the infected host is the Dyreza Trojan.
The user executed a Dyreza Trojan sample on his system. This sample might have arrived through spam, external media, etc. The sample communicated with the malicious domains to download the Upatre Trojan.
In this article, I described my analysis of the provided PCAP file. This PCAP was easy to analyze and not very challenging.
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!