A Basic Guide to Malware Traffic Analysis Through Wireshark



In this tutorial, we will be collecting Indicators of Compromise (IOCs), which include the following:
  1. Infected files
  2. URL/domains of the infected site
  3. IP address and port of the infected machine
  4. MAC address of the infected machine

Step 1: Start Wireshark and select the interface whose packets you want to capture (in our case we will be capturing Local Area Connection packets).


Screen 1: Selecting the interface



Screen 2: Captured packets after selecting the interface

Step 2: We will now see a whole lot of packets being captured, so let's first customise the output by adding columns such as source port and destination port.
To do this, right-click on a column heading and select Column Preferences.


Screen 3: Clicking on the Edit Column option


Screen 4: Clicking on + and adding columns

Step 3: Add two columns named Source port and Destination port and set their type to Src port (resolved) and Dest port (resolved) respectively. Drag them so that they sit next to the Source IP and Destination IP columns, which makes it easier to see which port was used by which IP address. A column you do not need can be hidden by simply unchecking it. Click OK.

Screen 5: Final column preferences

Step 4: Change the time display format so that the timestamp of the file flowing over the network can be identified. To do this, go to View -> Time Display Format -> Date and Time of Day.


Screen 6: Selecting the time display format


If we look at the Info column now, we can see the requested URL, but we cannot see the Host from which it was requested. To add that column we can either add it the same way as in Step 3, or use the Packet Details panel.

Step 5: Click on any HTTP packet in the summary panel, then in its Packet Details panel look for Host:, right-click it and select Apply as Column.


Screen 7: Applying the Host name as a column

After doing this you will see a new column named Host. Now we want to see the requests made over HTTP, so we need to apply a filter.

Step 6: In the filter bar type http and press Enter, OR go to Statistics -> Protocol Hierarchy, right-click on Hypertext Transfer Protocol and select Apply as Filter -> Selected. Click Close.


Screen 8: Applying HTTP as a filter

We can now analyse all the HTTP traffic, but we still need to check for the objects or files transmitted.

Step 7: Go to File -> Export Objects -> HTTP


Screen 9: Exporting all HTTP-based objects

Step 8: Select the object you want to download. In our example I am going to export the files that were downloaded to the system 192.168.220.164. Save each one accordingly: the first file is application/force-download, which could well be an exe, so go to Save -> name the file -> Save.


Screen 10: Exporting the object to the Desktop for analysis

Now that we have the file, we can either check it with our anti-malware or go to VirusTotal.com (preferable, as it will show you the behaviour of the file and the file will be checked against the knowledge base of several anti-malware engines).

Step 9: Upload the file to VirusTotal.com; it will check the file's hash and give you a proper analysis.


Screen 11: Uploading the object/file to VirusTotal.com



Screen 12: Results found by the calculated hash of that file

For further knowledge of its behaviour, head to the Behavior tab.


Screen 13: Behaviour analysis of the HTTP object

Up to this point we have gone through the most complex part of our tutorial (which seems easy now ;)). Let's now head towards finding the other IOCs we discussed earlier.

Determining the Hostname of the Infected Website:

In the earlier steps, we added a Host column to the column bar, which gives us the hostname or domain. Select the packet and you will see the Host that provided the file.


Screen 14: The selected row shows the Host that provided the file

Determining the Internal Computer Which Downloaded the File:

Just below the request sequence (the selected one), we see a transfer taking place on port 80, which is the application file.
The destination in this case is the infected computer and the source is the domain from which the file was downloaded.


Screen 15: Application downloaded on IP 192.168.220.164

The last thing we need to find out about the infected machine is its MAC address. For that, look closely at the Packet Details panel below the summary panel and expand Ethernet II, where you will see Src: and Dst:.

Screen 16: Dst: shows you the MAC address of the infected computer
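As an added example that is not part of the tutorial, the Python script below builds a small constructed pcap containing one HTTP download and then pulls out the same IOCs the steps above collect by hand in Wireshark: the Host and requested URL, the server and infected-machine IPs and ports, the infected machine's MAC taken from the Dst: field of the response frame, the exported object's Content-Type and the SHA-256 hash you would look up on VirusTotal. The MAC addresses, the hostname evil.example, the path and the server address 203.0.113.10 are hypothetical; only the client address 192.168.220.164 comes from the tutorial.

```python
import hashlib
import struct

# Constructed sample traffic (not the tutorial's pcap): one HTTP GET and the response delivering
# a file. MACs, hostname and server IP are hypothetical; 192.168.220.164 is the tutorial's client.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
CLIENT_IP, SERVER_IP = "192.168.220.164", "203.0.113.10"
REQUEST = b"GET /update.exe HTTP/1.1\r\nHost: evil.example\r\n\r\n"
BODY = b"MZ\x90\x00constructed-fake-executable-body"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/force-download\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY

def frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet II + IPv4 + TCP frame; checksums are left as zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload

def pcap_bytes(frames):
    """Serialise frames as a classic pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def extract_iocs(pcap):
    """Walk a pcap and collect the IOCs the tutorial gathers by hand in Wireshark."""
    iocs, off = {}, 24                               # skip the 24-byte global header
    while off < len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        pkt, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        dst_mac, src_mac = pkt[0:6].hex(":"), pkt[6:12].hex(":")   # Ethernet II header
        src_ip, dst_ip = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack_from("!HH", pkt, 34)
        payload = pkt[34 + (pkt[46] >> 4) * 4:]      # TCP data offset is in 32-bit words
        if payload.startswith(b"GET "):              # request: Host column and requested URL
            path = payload.split(b" ")[1].decode()
            host = payload.split(b"Host: ")[1].split(b"\r\n")[0].decode()
            iocs.update(url="http://" + host + path, host=host)
        elif payload.startswith(b"HTTP/1."):         # response: exported object and endpoints
            header, body = payload.split(b"\r\n\r\n", 1)
            iocs.update(server_ip=src_ip, server_port=sport, infected_ip=dst_ip,
                        infected_port=dport, infected_mac=dst_mac,
                        content_type=header.split(b"Content-Type: ")[1].split(b"\r\n")[0].decode(),
                        file_sha256=hashlib.sha256(body).hexdigest())
    return iocs

SAMPLE_PCAP = pcap_bytes([frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49152, 80, REQUEST),
                          frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49152, RESPONSE)])
```

Writing SAMPLE_PCAP to disk and opening it in Wireshark lets you repeat Steps 5 to 9 on it; the zero checksums will be flagged by Wireshark but do not affect the analysis.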


Finally, we have found the major IOC elements with the help of Wireshark. For further learning, I have uploaded the pcap file here so that you can perform the same operations on it.
PCAP File Download Link: https://gofile.io/?c=YCLTnQ

For more such samples, you can go to: https://wiki.wireshark.org/SampleCaptures