Deep Packet Inspection & Malware Traffic Analysis

Decoding Network Behaviors through Automated Python Forensics

Introduction

In the modern landscape of Digital Forensics and Incident Response (DFIR), capturing a malicious executable is only half the battle. True threat intelligence is derived from observing how that payload operates on the network—how it communicates with its operators, where it sends stolen data, and how it attempts to evade detection. In this Digital Assignment, I engineered a robust, Python-based forensic extraction tool using PyShark. By automating Deep Packet Inspection (DPI) on suspicious network captures, this project shifts the paradigm from manual, time-consuming Wireshark scrolling to programmatic, scalable threat hunting.

Objectives

  1. Automated Signature Detection: Programmatically parse through thousands of raw network frames to extract packets that match specific, hardcoded malicious signatures (such as `.exe` payload requests, `/gate/` C2 directories, and known bad Top-Level Domains).
  2. Timer-Based Behavior Analysis: Purposely bypass standard network deduplication filters to capture raw packet volume. This objective is critical to proving the frequency and automated, timer-based nature of the malware's beaconing attempts.
  3. Visual Threat Intelligence Generation: Transform complex, multi-layered packet data into digestible visual graphs using Pandas, Matplotlib, and Seaborn, enabling network administrators to instantly identify primary C2 nodes and hardcoded fallback domains.

Malware Traffic Source

Download Link: Link to PCAP file

About the PCAP File:
The analyzed PCAP files represent raw network traffic captured from a heavily compromised host operating within an infected subnet. Rather than a simple background scan, this traffic contains the active operational phase of a malware infection. It includes clear, repetitive HTTP GET/POST callbacks to external servers, indicative of active data exfiltration, alongside fallback DNS queries utilizing Domain Generation Algorithms (DGA) to establish secondary connections.

Architecture of Work

The following diagram illustrates the flow of data from raw network capture to finalized visual intelligence, showcasing the extraction engine, signature matching logic, and Pandas DataFrame structuring.

Architecture Diagram of Malware Analysis Workflow

Procedure of Work

  1. Environment Initialization & Patching: Configured a strict Python virtual environment. I applied patches to the Jupyter asyncio event loop using nest_asyncio and custom dummy watchers to safely handle Python 3.14's strict background task constraints without crashing the kernel.
  2. Packet Ingestion via PyShark: Initialized pyshark.FileCapture() to load the raw network frames of `exercise1.pcap` and `exercise2.pcap` sequentially into system memory for deep inspection.
  3. Deep Packet Inspection & Signature Matching: Iterated through the transport and application layers of each packet. The script searched HTTP request URIs for suspicious fragments (e.g., `pwd=`, `hwid=`, `.php`) and checked DNS query names for DGA-associated Top-Level Domains (e.g., `.top`, `.su`, `.win`).
  4. Controlled Forensic Sampling: To prevent a single noisy file from skewing the data, I implemented a strict, per-file extraction limit. The script extracts a capped number of matching packets from each file, creating a balanced and objective forensic dataset.
  5. Data Structuring & Visualization: Parsed the raw packet attributes (Source/Dest IP, MAC addresses, HTTP Hosts) into a structured Pandas DataFrame. Finally, Seaborn and Matplotlib were deployed to generate high-resolution, presentation-ready threat intelligence graphs.
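The five steps above, carried through in one script, as an added example (not the assignment's own code): the signature matching of step 3, the per-file cap of step 4, and the raw, un-deduplicated beacon timing that objective 2 calls for, run over constructed records modelled on the exercise2.pcap rows in the table further down. `URI_SIGNATURES`, `DGA_TLDS`, `PER_FILE_LIMIT` and the flattened record format keyed by tshark field names are assumptions; `ingest()` shows the pyshark hook-up and is the only part that needs tshark installed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Signatures as named in the write-up; the script's exact hardcoded list is
# not shown, so this set is an assumption.
URI_SIGNATURES = (".exe", "/gate/", "pwd=", "hwid=", ".php")
DGA_TLDS = (".top", ".su", ".win")
PER_FILE_LIMIT = 20  # step 4 cap; 20 matches the rows per file in the table

@dataclass
class Hit:
    pcap: str
    time: datetime
    activity: str
    indicator: str
    src_ip: str
    dst_ip: str
    host: Optional[str]
    method: Optional[str]  # present only on the outbound HTTP request

def classify(rec: dict) -> Optional[tuple[str, str]]:
    """(activity type, indicator) if a record matches a signature, else None."""
    uri = rec.get("http.request.uri")
    if uri and any(sig in uri.lower() for sig in URI_SIGNATURES):
        return "HTTP C2 Beaconing / Exfiltration", uri
    qname = rec.get("dns.qry.name")
    if qname and qname.lower().endswith(DGA_TLDS):
        return "Malicious DNS / DGA Query", qname
    return None

def extract(pcap: str, records: Iterable[dict],
            limit: int = PER_FILE_LIMIT) -> list[Hit]:
    """Steps 3 and 4: keep every match (no dedup; repeats are the evidence), stop at the cap."""
    hits: list[Hit] = []
    for rec in records:
        match = classify(rec)
        if match is None:
            continue
        activity, indicator = match
        hits.append(Hit(pcap, rec["sniff_time"], activity, indicator,
                        rec["ip.src"], rec["ip.dst"],
                        rec.get("http.host"), rec.get("http.request.method")))
        if len(hits) >= limit:
            break
    return hits

def beacon_intervals(hits: list[Hit]) -> dict[str, list[float]]:
    """Objective 2: seconds between consecutive outbound requests per host; a steady gap means a timer."""
    by_host: dict[str, list[datetime]] = {}
    for h in hits:
        if h.method:  # request side only; response rows carry no method
            by_host.setdefault(h.host or h.dst_ip, []).append(h.time)
    return {host: [round((b - a).total_seconds(), 1) for a, b in zip(ts, ts[1:])]
            for host, ts in by_host.items()}

def record_from_pyshark(pkt) -> dict:
    """Flatten a pyshark packet into the dict classify() expects (testable without tshark)."""
    rec = {"sniff_time": pkt.sniff_time}
    for layer, fields in (("ip", ("src", "dst")),
                          ("http", ("request_uri", "host", "request_method")),
                          ("dns", ("qry_name",))):
        if hasattr(pkt, layer):
            for f in fields:
                val = getattr(getattr(pkt, layer), f, None)
                if val is not None:
                    rec[f"{layer}.{f.replace('_', '.')}"] = str(val)
    return rec

def ingest(path: str, limit: int = PER_FILE_LIMIT) -> list[Hit]:
    """Step 2: stream one capture through pyshark (needs tshark on PATH)."""
    import pyshark  # imported here so everything above runs without it
    cap = pyshark.FileCapture(path)
    try:
        return extract(path, (record_from_pyshark(p) for p in cap), limit)
    finally:
        cap.close()

# Constructed records modelled on the exercise2.pcap rows in the table below;
# not real packets. A benign request is included to show it is ignored.
BEACON_URI = "/1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150"
SAMPLE_RECORDS = sorted([
    {"sniff_time": t, "ip.src": "10.1.1.213", "ip.dst": "108.61.179.223",
     "http.host": "108.61.179.223", "http.request.method": "GET",
     "http.request.uri": BEACON_URI}
    for t in (datetime(2017, 12, 15, 6, 9, 56, 98439),
              datetime(2017, 12, 15, 6, 10, 26, 547808),
              datetime(2017, 12, 15, 6, 10, 56, 578629))
] + [
    {"sniff_time": datetime(2017, 12, 15, 6, 10, 10), "ip.src": "10.1.1.213",
     "ip.dst": "93.184.216.34", "http.host": "www.example.com",
     "http.request.method": "GET", "http.request.uri": "/index.html"},
    {"sniff_time": datetime(2017, 12, 15, 6, 10, 40), "ip.src": "10.1.1.213",
     "ip.dst": "10.1.1.1", "dns.qry.name": "www.texowipu14.win"},
], key=lambda r: r["sniff_time"])
```

Running `extract("exercise2.pcap", SAMPLE_RECORDS)` returns the three beacons and the DGA lookup and skips the benign request; `beacon_intervals()` on that result gives gaps of roughly 30 seconds for the direct-to-IP host, which is the timer the table makes visible only because duplicates were kept. Replace `SAMPLE_RECORDS` with `ingest("exercise1.pcap")` to run against a real capture.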

Inferences: Proof of Malware Presence

Below is the programmatic proof of malware presence. The Python script extracted multiple distinct packets matching our threat signatures, demonstrating repeated beaconing attempts to the same C2 nodes on a fixed timer. Each row is one extracted packet, with both directions of each exchange retained.

File Activity Time Activity Type Indicator (URI/DNS) Source IP Src Port Dest IP Dst Port Source MAC Dest MAC HTTP Host HTTP Method
exercise1.pcap 2017-12-15 04:33:32.308771 HTTP C2 Beaconing / Exfiltration /ob/?id=gluM8UzM8uv27idXMtHTwxmLiq/CBCnAIIycmw9zQpVF0Ccf/hdBeG+osl/+KMZ7NK/q7AwKeForq3g1&8pkXh=C8TpcNd 10.1.1.97 49158 162.213.255.172 80 00:22:15:d4:9a:e7 00:08:7c:39:da:12 www.ellentscm.info GET
exercise1.pcap 2017-12-15 04:33:32.466219 HTTP C2 Beaconing / Exfiltration /ob/?id=gluM8UzM8uv27idXMtHTwxmLiq/CBCnAIIycmw9zQpVF0Ccf/hdBeG+osl/+KMZ7NK/q7AwKeForq3g1&8pkXh=C8TpcNd 162.213.255.172 80 10.1.1.97 49158 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise1.pcap 2017-12-15 04:33:56.230726 HTTP C2 Beaconing / Exfiltration /ob/?id=bWuFa7q8YsQtnfnfR/62XuBt3uLiztV/lMdJ7LwUvkcAotbURv6ky9pCgMjKnOyKaojfUynNzutNn192&8pkXh=C8TpcNd&sql=1 10.1.1.97 49159 34.233.12.25 80 00:22:15:d4:9a:e7 00:08:7c:39:da:12 www.jvfilmmakers.com GET
exercise1.pcap 2017-12-15 04:33:56.372945 HTTP C2 Beaconing / Exfiltration /ob/?id=bWuFa7q8YsQtnfnfR/62XuBt3uLiztV/lMdJ7LwUvkcAotbURv6ky9pCgMjKnOyKaojfUynNzutNn192&8pkXh=C8TpcNd&sql=1 34.233.12.25 80 10.1.1.97 49159 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise1.pcap 2017-12-15 04:34:00.260997 HTTP C2 Beaconing / Exfiltration /ob/ 10.1.1.97 49160 34.233.12.25 80 00:22:15:d4:9a:e7 00:08:7c:39:da:12 www.jvfilmmakers.com POST
exercise1.pcap 2017-12-15 04:34:00.589295 HTTP C2 Beaconing / Exfiltration /ob/ 34.233.12.25 80 10.1.1.97 49160 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise1.pcap 2017-12-15 04:35:01.108153 HTTP C2 Beaconing / Exfiltration /ob/?id=PTcavUxkGA8pi16bW9ARWMPx+Wv2L7SZ2Tm5OAhHY7q+laaW78Ej+2KOE0gvLzy1IMHJ6P9Wv4MHJ7Mv&8pkXh=C8TpcNd 10.1.1.97 49162 209.15.20.221 80 00:22:15:d4:9a:e7 00:08:7c:39:da:12 www.sparkyoursukha.com GET
exercise1.pcap 2017-12-15 04:35:01.237063 HTTP C2 Beaconing / Exfiltration /ob/?id=PTcavUxkGA8pi16bW9ARWMPx+Wv2L7SZ2Tm5OAhHY7q+laaW78Ej+2KOE0gvLzy1IMHJ6P9Wv4MHJ7Mv&8pkXh=C8TpcNd 209.15.20.221 80 10.1.1.97 49162 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise1.pcap 2017-12-15 04:35:21.847914 HTTP C2 Beaconing / Exfiltration /ob/?id=8yeG+RW6XdwREXnyCzTfTkr71m1yUtm3au2jDGP18s1X+74ruLXGGTXHCKhHQtPLl5COZRpnb8gCU6iy&8pkXh=C8TpcNd 10.1.1.97 49164 198.105.244.228 80 00:22:15:d4:9a:e7 00:08:7c:39:da:12 www.jufa123.com GET
exercise1.pcap 2017-12-15 04:35:21.979036 HTTP C2 Beaconing / Exfiltration /ob/?id=8yeG+RW6XdwREXnyCzTfTkr71m1yUtm3au2jDGP18s1X+74ruLXGGTXHCKhHQtPLl5COZRpnb8gCU6iy&8pkXh=C8TpcNd 198.105.244.228 80 10.1.1.97 49164 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise1.pcap 2017-12-15 04:35:42.402065 HTTP C2 Beaconing / Exfiltration /ob/?id=zkY10Qnjp3f9wiBnQiYpgscykGHfoj7SyP4FBFCWVwE30bWkxPmwwb76lQR0K9Slc6g8yYM04FQAs4ia&8pkXh=C8TpcNd 10.1.1.97 49166 198.187.29.22 80 00:22:15:d4:9a:e7 00:08:7c:39:da:12 www.seorowipe.com GET
exercise1.pcap 2017-12-15 04:35:42.497401 HTTP C2 Beaconing / Exfiltration /ob/?id=zkY10Qnjp3f9wiBnQiYpgscykGHfoj7SyP4FBFCWVwE30bWkxPmwwb76lQR0K9Slc6g8yYM04FQAs4ia&8pkXh=C8TpcNd 198.187.29.22 80 10.1.1.97 49166 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise1.pcap 2017-12-15 04:35:45.412684 HTTP C2 Beaconing / Exfiltration /ob/ 10.1.1.97 49167 198.187.29.22 80 00:22:15:d4:9a:e7 00:08:7c:39:da:12 www.seorowipe.com POST
exercise1.pcap 2017-12-15 04:35:46.038478 HTTP C2 Beaconing / Exfiltration /ob/ 198.187.29.22 80 10.1.1.97 49167 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise1.pcap 2017-12-15 04:36:02.721740 Malicious DNS / DGA Query www.texowipu14.win 10.1.1.97 63335 10.1.1.1 53 00:22:15:d4:9a:e7 00:08:7c:39:da:12 N/A N/A
exercise1.pcap 2017-12-15 04:36:02.778365 Malicious DNS / DGA Query www.texowipu14.win 10.1.1.1 53 10.1.1.97 63335 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise1.pcap 2017-12-15 04:36:02.915881 HTTP C2 Beaconing / Exfiltration /ob/?id=thaw/qanGpJCCh+UY32yylDQ/6eeYcsMJ4hZkP5gdlIgPM8ifAYojbqStgQe1XR54fdwqCOqgJ1SUmcG&8pkXh=C8TpcNd 10.1.1.97 49168 69.164.223.38 80 00:22:15:d4:9a:e7 00:08:7c:39:da:12 www.texowipu14.win GET
exercise1.pcap 2017-12-15 04:36:03.060829 HTTP C2 Beaconing / Exfiltration /ob/?id=thaw/qanGpJCCh+UY32yylDQ/6eeYcsMJ4hZkP5gdlIgPM8ifAYojbqStgQe1XR54fdwqCOqgJ1SUmcG&8pkXh=C8TpcNd 69.164.223.38 80 10.1.1.97 49168 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise1.pcap 2017-12-15 04:36:06.254911 HTTP C2 Beaconing / Exfiltration /ob/ 10.1.1.97 49169 69.164.223.38 80 00:22:15:d4:9a:e7 00:08:7c:39:da:12 www.texowipu14.win POST
exercise1.pcap 2017-12-15 04:36:06.584327 HTTP C2 Beaconing / Exfiltration /ob/ 69.164.223.38 80 10.1.1.97 49169 00:08:7c:39:da:12 00:22:15:d4:9a:e7 N/A N/A
exercise2.pcap 2017-12-15 06:09:56.098439 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=000%20000%20000&pwd=0000&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49161 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:09:56.321272 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=000%20000%20000&pwd=0000&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49161 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A
exercise2.pcap 2017-12-15 06:10:26.547808 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49169 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:10:26.760727 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49169 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A
exercise2.pcap 2017-12-15 06:10:56.578629 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49170 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:10:56.808950 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49170 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A
exercise2.pcap 2017-12-15 06:11:26.584172 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49171 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:11:26.808415 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49171 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A
exercise2.pcap 2017-12-15 06:11:56.596433 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49172 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:11:56.827155 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49172 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A
exercise2.pcap 2017-12-15 06:12:26.607477 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49173 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:12:26.823479 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49173 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A
exercise2.pcap 2017-12-15 06:12:56.625038 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49174 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:12:56.845847 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49174 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A
exercise2.pcap 2017-12-15 06:13:26.632532 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49175 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:13:26.847118 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49175 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A
exercise2.pcap 2017-12-15 06:13:56.655585 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49176 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:13:56.894474 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49176 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A
exercise2.pcap 2017-12-15 06:14:26.671855 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 10.1.1.213 49177 108.61.179.223 80 00:08:7c:39:da:12 84:34:97:bd:a1:2c 108.61.179.223 GET
exercise2.pcap 2017-12-15 06:14:26.893880 HTTP C2 Beaconing / Exfiltration /1119/?gate&hwid=A502B41C&id=388%20642%20381&pwd=5150&info=%7B%22os%22%3A%22Windows%20%37%20x%36%34%22%2C%22pcuser%22%3A%22DARNELL%2DPC%5C%5Cdarnell%2Ecastillo%22%2C%22cpu%22%3A%22AMD%20FX%28tm%29%2D%36%31%32%30%20Six%2DCore%20Processor%20%20%20%20%20%20%20%20%20%20%20%20%20%22%2C%22ram%22%3A%22%31%36%33%38%34mb%22%2C%22av%22%3A%22AVG%22%2C%22admin%22%3A%22YES%22%2C%22comment%22%3A%22comment%30%32%22%7D 108.61.179.223 80 10.1.1.213 49177 84:34:97:bd:a1:2c 00:08:7c:39:da:12 N/A N/A

Detailed Graph Analysis

To make the extracted data actionable for a Security Operations Center (SOC), I generated three specific visual intelligence reports. Here is a breakdown of what the data reveals:

Graph 1: Top C2 IPs
Inference 1: Top Malicious Destination IPs (C2 Nodes)
This graph exposes the core Command and Control infrastructure. We can clearly see that IPs 10.1.1.97 and 108.61.179.223 share the highest volume of traffic (10 packets each). This heavy concentration indicates these are the primary data exfiltration nodes. Lesser-contacted IPs (like 162.213.255.172) likely represent fallback servers or payload delivery networks. A firewall administrator can use this exact graph to implement immediate IP-level blocking.
Graph 2: Activity Types
Inference 2: Distribution of Malware Behaviors
This visualization defines the current "phase" of the malware infection. An overwhelming 95.0% of the captured malicious traffic consists of active HTTP C2 beaconing and exfiltration, while only 5.0% relates to DGA DNS queries. This proves the malware has successfully established a stable connection with its command-and-control server and is actively operating, rather than being in a dormant or purely exploratory phase.
Graph 3: Malicious Domains
Inference 3: Top Malicious Domains / HTTP Hosts
By extracting the HTTP Host headers, we uncover the exact, hardcoded domains the threat actors are abusing. Noticeably, the raw IP 108.61.179.223 is being contacted directly without a domain resolution, a classic indicator of malware bypassing DNS filters. Furthermore, highly suspicious domains like www.texowipu14.win and compromised-looking sites like www.seorowipe.com are clearly visible, providing an instant list for DNS sinkholing.
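The aggregation behind the three graphs, as an added example that is not the assignment's Pandas/Seaborn code: plain-Python counting over a constructed hit list shaped like the outbound rows of the table above, plus the direct-to-IP check that Inference 3 relies on. The destination IPs, activity labels and Host values come from the table; the counts and the TLD list in `suspicious_tlds` are constructed so the ratios match the ones the inferences quote.

```python
import ipaddress
from collections import Counter

HTTP = "HTTP C2 Beaconing / Exfiltration"
DNS = "Malicious DNS / DGA Query"

# Constructed hit list shaped like the outbound (client -> server) rows of the
# table above: (activity, dest_ip, http_host). Counts are chosen to reproduce
# the 95 % / 5 % split quoted for Graph 2; they are not the real tallies.
SAMPLE_HITS = (
    [(HTTP, "108.61.179.223", "108.61.179.223")] * 10
    + [(HTTP, "34.233.12.25", "www.jvfilmmakers.com")] * 4
    + [(HTTP, "198.187.29.22", "www.seorowipe.com")] * 3
    + [(HTTP, "69.164.223.38", "www.texowipu14.win")] * 2
    + [(DNS, "10.1.1.1", None)]
)


def top_destinations(hits, n=5):
    """Graph 1: most-contacted destination IPs, the C2 candidates."""
    return Counter(dst for _, dst, _ in hits).most_common(n)


def activity_share(hits):
    """Graph 2: percentage of hits per activity type, one decimal place."""
    total = len(hits)
    return {act: round(100.0 * c / total, 1)
            for act, c in Counter(act for act, _, _ in hits).items()}


def is_raw_ip(host):
    """True when the Host header is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_summary(hits):
    """Graph 3: HTTP hosts by request count, flagging direct-to-IP contact
    (the connection was made with no DNS resolution in front of it)."""
    counts = Counter(host for _, _, host in hits if host)
    return [(host, n, is_raw_ip(host)) for host, n in counts.most_common()]


def suspicious_tlds(hits, tlds=(".win", ".info", ".top", ".su")):
    """Hosts on the cheap TLDs called out in the findings (list assumed)."""
    return sorted({host for _, _, host in hits if host and host.endswith(tlds)})


def bar_chart(pairs, title, path):
    """Render one graph with matplotlib, imported lazily so the summary
    functions above need no plotting stack."""
    import matplotlib
    matplotlib.use("Agg")
    import matplotlib.pyplot as plt
    labels, values = zip(*pairs)
    fig, ax = plt.subplots(figsize=(8, 4))
    ax.bar(labels, values)
    ax.set_title(title)
    ax.tick_params(axis="x", labelrotation=30)
    fig.tight_layout()
    fig.savefig(path, dpi=150)
    plt.close(fig)


if __name__ == "__main__":
    print(top_destinations(SAMPLE_HITS))
    print(activity_share(SAMPLE_HITS))
    for host, n, direct in host_summary(SAMPLE_HITS):
        print(f"{host:24} {n:3}  {'direct-to-IP' if direct else ''}")
    print("suspicious TLDs:", suspicious_tlds(SAMPLE_HITS))
    try:
        bar_chart(top_destinations(SAMPLE_HITS), "Top C2 IPs", "top_c2_ips.png")
    except ImportError:
        print("matplotlib not installed; chart skipped")
```

Feeding only the outbound rows to `top_destinations` is a deliberate choice: the table keeps both directions of every exchange, so counting every row puts the infected host itself (10.1.1.97 or 10.1.1.213, the "destination" of each response) at the top of the C2 chart alongside 108.61.179.223. Filtering on the request side, or grouping by source and destination separately, keeps the victim out of the block list.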

The 5 Effects of Malware

  • Automated Data Exfiltration: Quiet, unauthorized transmission of sensitive user data, system architectures, and hardware IDs to external attacker-controlled servers.
  • Network Congestion & Noise: Continuous, timer-based HTTP beaconing generates unnecessary network traffic, consuming bandwidth and overwhelming network logging systems to hide true intents.
  • Resource Exhaustion: Background processes utilized for payload execution, data encryption, and evasion tactics drain the infected host's CPU and RAM, leading to severe system instability.
  • Subnet Lateral Movement: Once an initial host is compromised, it is often weaponized as a pivot point to scan, brute-force, and infect other vulnerable devices within the internal, "trusted" network.
  • Persistent Backdoor Access: Initial loaders establish a permanent foothold, allowing threat actors to bypass firewalls and drop highly destructive secondary payloads (such as ransomware) weeks or months later.

New Findings From My Work

  • Proved that the malware relies heavily on direct-to-IP HTTP requests (e.g., to 108.61.179.223) to bypass basic enterprise DNS monitoring tools.
  • Identified a clear operational ratio: The malware spends 95% of its network effort transmitting data over HTTP, and only relies on DNS fallback queries 5% of the time.
  • Successfully extracted exact DGA domain IOCs (Indicators of Compromise), specifically noting the abuse of the cheap .win and .info Top-Level Domains.
  • Demonstrated that bypassing deduplication filters reveals the exact operational timers of the malware, proving it relies on an automated, non-human beaconing schedule.

The Use of AI

In this assignment, Generative AI was utilized not as a code generator, but as an interactive forensic mentor and technical tutor. It played a crucial role in helping me genuinely understand complex DFIR concepts rather than simply following rote instructions.

  • Conceptual Understanding of Deduplication: When analyzing the traffic, AI helped me understand why we needed to capture raw packet volume. It explained that standard Wireshark deduplication hides the "heartbeat" of the malware. By writing code to bypass this, I learned how to prove the automated, timer-based frequency of C2 beacons.
  • Demystifying DGA Threats: I utilized AI to break down the concept of Domain Generation Algorithms (DGA). It explained why threat actors dynamically generate domains like www.texowipu14.win instead of using static addresses, helping me understand the necessity of tracking unusual Top-Level Domains in my script.
  • Navigating Deep Python Architectures: Rather than just pasting a bug fix for PyShark file closures, AI explained the underlying mechanics of Python 3.14's strict asyncio event loops. It walked me through how PyShark relies on background processes (tshark), and why custom dummy watchers were required to gracefully close files without kernel timeouts, deepening my knowledge of Python environment management.
  • Data Storytelling: AI assisted in identifying which types of graphs (Bar vs. Pie) would most effectively communicate different types of forensic data, turning raw Pandas numbers into actionable SOC intelligence.

Conclusion

Automated Deep Packet Inspection represents a massive leap forward in Incident Response capabilities. By carefully structuring a Python environment to handle raw PCAP streams, apply specific threat signatures, and visualize the output, hours of tedious manual Wireshark hunting were reduced to an automated script that runs in seconds. The resulting intelligence—pinpointing exact C2 IPs, malicious domains, and behavioral ratios—provides immediate, tactical value for containing a breach and securing the network perimeter.

Project Links

References

  1. Original Malware Analysis Blog: Read the original report

Acknowledgements

I would like to extend my deepest gratitude to my parents for their continuous support and encouragement. A special thanks to my university, VIT, and the School of Computer Science and Engineering (SCOPE) for providing an excellent academic environment that fosters deep technical exploration. Finally, I am grateful for the guidance received during this current semester from Dr. T. Subbulakshmi, Professor, SCOPE, VIT Chennai, who made this possible.

Written by: Anvi Bansal | Date: 12/04/2026
