PCAP Analysis – 4

As my winter vacation comes to an end, I decided to start warming my brain up in preparation for the final semester of my graduate program. Malware-Traffic-Analysis.net is a very good resource for practicing PCAP analysis. In this article, I describe my answers to the analysis questions for the PCAP file available here.

Note: In this article, I’m using Splunk / Wireshark for the complete PCAP analysis.

Hostname, IP and MAC Address of Infected Host

The infected host's identity is available in its DHCP traffic, as seen in the screenshot below. The client's DHCP Request carries the hostname in option 12 (Host Name), the address it is asking for in option 50 (Requested IP Address) and its MAC in the client hardware address (chaddr) field, which also matches the Ethernet source address of the frame. The hostname of the infected host is Mike-PC, its IP address is 172.16.137.40 and its MAC address is 08:00:2b:ef:ab:7c.
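The same lookup done without Wireshark, as an added example rather than the tooling used in this write-up: a dependency-free walk over a classic libpcap file that decodes client-to-server DHCP messages and reports the hostname, requested IP and MAC of the first DHCP Request. The SAMPLE_PCAP it runs against is constructed here from the values above and is not data taken from the exercise capture; point find_infected_host() at the real file's bytes to run it on the capture.

```python
"""Identify the DHCP client (hostname, IP, MAC) in a libpcap capture.

Added example, not the write-up's own tooling. SAMPLE_PCAP is constructed
from the values in the write-up, not taken from the exercise capture.
"""
import struct
from ipaddress import IPv4Address

ETH_IPV4 = 0x0800
PROTO_UDP = 17
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def iter_pcap_frames(data):
    """Yield raw link-layer frames from an in-memory classic libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_dhcp_options(opts):
    """Parse the TLV option area into {code: value}; stops at the End option."""
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == 0:          # Pad
            i += 1
            continue
        if code == 255:        # End
            break
        length = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out

def dhcp_host_info(frame):
    """Return (msg_type, hostname, ip, mac) for a client->server DHCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != PROTO_UDP:
        return None
    udp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, udp_off)
    if (sport, dport) != (68, 67):  # only client -> server traffic
        return None
    bootp = frame[udp_off + 8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    mac = ":".join(f"{b:02x}" for b in bootp[28:34])   # chaddr, first 6 bytes
    opts = parse_dhcp_options(bootp[240:])
    msg_type = DHCP_MSG_TYPES.get(opts.get(53, b"\x00")[0], "?")
    hostname = opts.get(12, b"").decode("ascii", "replace")   # option 12
    # A fresh REQUEST names the address in option 50; a renewing client uses ciaddr.
    raw_ip = opts.get(50) or bootp[12:16]
    return msg_type, hostname, str(IPv4Address(raw_ip)), mac

def find_infected_host(pcap_bytes):
    """Hostname, IP and MAC from the first DHCP REQUEST in the capture."""
    for frame in iter_pcap_frames(pcap_bytes):
        info = dhcp_host_info(frame)
        if info and info[0] == "REQUEST":
            return info[1:]
    return None

def _build_sample_pcap():
    """Constructed DHCP REQUEST mirroring the write-up's values (not real capture data)."""
    mac = bytes.fromhex("08002befab7c")
    options = (b"\x35\x01\x03"                                        # 53: REQUEST
               + b"\x32\x04" + IPv4Address("172.16.137.40").packed  # 50: requested IP
               + b"\x0c\x07Mike-PC"                                  # 12: hostname
               + b"\xff")
    bootp = (bytes([1, 1, 6, 0]) + b"\x00" * 8      # op/htype/hlen/hops, xid, secs, flags
             + b"\x00" * 16                         # ciaddr, yiaddr, siaddr, giaddr
             + mac + b"\x00" * 10 + b"\x00" * 192   # chaddr(16), sname(64), file(128)
             + DHCP_MAGIC + options)
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp
    frame = b"\xff" * 6 + mac + struct.pack("!H", ETH_IPV4) + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return header + record

SAMPLE_PCAP = _build_sample_pcap()

if __name__ == "__main__":
    print(find_infected_host(SAMPLE_PCAP))
```

The parser only handles classic libpcap with an Ethernet link type; a pcapng file or a capture with VLAN tags will need a library such as scapy or dpkt instead. Checking that the DHCP chaddr matches the Ethernet source address is a cheap sanity check against a spoofed or relayed request.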

Malware Activity

The infected host communicates with two suspicious domains and downloads a .jpg file.

  • harveyouellet[.]com
  • cwvancouver[.]com

Using Wireshark, I extracted the .jpg file, hashed it and checked the hash on VirusTotal. The file appears to be an Upatre Trojan sample.

root@malnet:~/malware_traffic_exercises/2015-02-08/Files# sha256sum arrowu.jpg 
99e832a42f6b22057816170b18fc0af66b1a34cd745973fd0d6e62cb33258562  arrowu.jpg
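Wireshark's HTTP object export does the carving for you, but it is worth knowing what it does and what to check afterwards. The following added example (not the write-up's own tooling) takes a reassembled HTTP response, de-frames the body (Content-Length or chunked), hashes it, and compares the declared Content-Type with the file's actual magic bytes, since a payload served under a .jpg name is not necessarily an image. SAMPLE_RESPONSE is a constructed response whose body is a fake 'MZ' stub; it is not the arrowu.jpg hashed above, and its digest will not match that file.

```python
"""Carve an HTTP response body from a reassembled TCP stream, hash it, and
check what the bytes really are rather than trusting the URL's extension.

Added example, not the write-up's own tooling. SAMPLE_RESPONSE is constructed
and its body is a fake 'MZ' stub, not the arrowu.jpg the write-up hashed.
"""
import hashlib

# Magic bytes worth checking for a payload that claims to be an image.
MAGIC = [
    (b"\xff\xd8\xff", "JPEG image"),
    (b"MZ", "Windows PE executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF document"),
]


def _dechunk(data):
    """Decode a chunked transfer-encoded body (chunk extensions ignored)."""
    out, pos = bytearray(), 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2          # chunk data plus its trailing CRLF

def split_http_response(raw):
    """Return (status_line, headers, body) from raw HTTP/1.x response bytes."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(rest)
    elif "content-length" in headers:
        n = int(headers["content-length"])
        if len(rest) < n:
            raise ValueError(f"truncated body: have {len(rest)} of {n} bytes")
        body = rest[:n]
    else:
        body = rest              # no framing: body runs to connection close
    return status, headers, body

def identify(body):
    """Best-effort file type from the leading bytes."""
    for magic, name in MAGIC:
        if body.startswith(magic):
            return name
    return "unknown"

def carve(raw):
    """Summarise a carved response the way a triage note would record it."""
    status, headers, body = split_http_response(raw)
    return {
        "status": status,
        "declared_type": headers.get("content-type", "?"),
        "actual_type": identify(body),
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
    }

def _chunked(body, sizes):
    """Encode body with chunked transfer coding using the given chunk sizes."""
    out, pos = b"", 0
    for n in sizes:
        out += b"%x\r\n" % n + body[pos:pos + n] + b"\r\n"
        pos += n
    return out + b"0\r\n\r\n"

# Constructed sample: declared as image/jpeg, actually starts with a PE 'MZ' stub.
FAKE_BODY = b"MZ" + b"\x90\x00" * 30
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
) + _chunked(FAKE_BODY, (40, 22))

if __name__ == "__main__":
    print(carve(SAMPLE_RESPONSE))
```

Hash the de-framed body, never the raw stream: chunk-size lines or a truncated transfer will change the digest and the VirusTotal lookup will miss. Content-Encoding (gzip) is not handled here and would need to be decompressed before hashing as well.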

Searching for the suspect domains turned up reports tying them to the Dyreza (Dyre) banking Trojan, which indicates that the malware running on the infected host is Dyreza.

Summary

The user ran a malicious sample on his system; it might have arrived through spam, external media or similar. The sample contacted the two malicious domains and retrieved a payload served as a .jpg, which VirusTotal labels as Upatre, while the domains themselves are associated with Dyreza. One caveat on the ordering: Upatre is normally the small first-stage downloader that delivers Dyreza, not the other way round, so the more likely chain is an Upatre downloader already on the host fetching the Dyreza stage disguised as an image file. Either way, the host was infected with Dyreza by way of Upatre.

In this article, I described my analysis of the provided PCAP file. This was a straightforward PCAP to analyze and not especially challenging.

Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
