A PCAPS Tale

Corey Hartman
4 min readJun 9, 2023

--

So I decided to randomly grab a PCAP from https://www.malware-traffic-analysis.net/ and analyze it, specifically the sample https://www.malware-traffic-analysis.net/2022/02/23/index.html

Lets get to it I guess?

I started off looking directly at the HTTP queries to see what sites had been visited as a lot of malware use the HTTP protocol for communications and such, it may be of interest to look into the DNS queries as well, however it should be stated because of caching and other things, you may miss what was visited.

Applying the HTTP filter to Wireshark

Initially we can see the highlighted packet looks odd, specifically the GET request made. Now, I should state just because a GET request looks weird doesn’t mean it is, it could be a website improperly handling sessions by sending them as part of the GET request (don’t do this unless you want session hijacking), or it simply could be a random encoding scheme or obfuscation scheme implemented by the site. This definitely requires more investigation, as we may have a vulnerability or malicious traffic!

The GET packets HTTP section

Upon opening this packet up and looking we see a request to ajaxmatters[.]com and upon putting that in https://urlhaus.abuse.ch/ we see it is indeed malicious! This URL is associated with Emotet!

URLHaus results

Since we know this is now associated with the Emotet malware, lets look more at the TCP stream to see if there is anything interesting.

The TCP stream for this session

Upon looking at the stream in Wireshark, we can see the payload starts with MZ and contains “This program cannot be run in DOS mode.” This definitely sets off red flags for being a malicious binary. And if we extract it and run it through VirusTotal we can see it is indeed malicious.

Virus Total Results

At this point in time we know whatever victim system was involved with this traffic is infected. Out of curiosity though lets keep digging.

Because the malicious traffic appears to be using HTTP as at least one method of communication, lets take a look at that traffic more to see what else comes up, if anything. We can see below all HTTP files that Wireshark found.

All HTTP files Wireshark found

The JPEG file itself to me looks odd for two reasons, first, it has a random name and second its hostname associated with it is an IP address rather than a URL The hostname associated with an IP address instead of a URL is a red flag in my opinion so lets take a look at this image.

The JPEG payload in Wireshark

Within Wireshark if we follow the stream associated with the JPEG we can see what looks initially like random data, however, after closer inspection we can see what appears to be some DLL names backwards. Is this an executable or DLL as a payload but backwards?

Yep, it is, upon running strings on the payload we can see it has “This program cannot be run in DOS mode.” backwards as a string, and if we look at the bytes making up the payload it starts with ZM (the PE header backwards)

Running strings
Payload contents

And upon running this payload through VirusTotal.

JPEG Virus Total results

We know this system is very much infected at this point so I just ended traffic analysis here, although it is recommended to continue to see if it is interacting with other systems on the network so we know how to handle this incident.

Anyways, I thought that was a fun PCAP to dig through so I wanted to share it with you all. As always I hope you learned something or at least had fun, if you have any questions please reach out.

--

--

Corey Hartman

PhD who researches applying machine learning to reverse engineering