Analysis of an example malware pcap file
Malware Presence Confirmation using Network Traffic Analysis of a PCAP File
Introduction
Malware is malicious software designed to infiltrate, damage, or gain unauthorized access to computer systems. Many types of malware communicate with external servers in order to receive commands or exfiltrate stolen data. Network traffic analysis is a powerful technique used to detect such malicious behavior by examining captured packet data.
In this assignment, a packet capture (PCAP) file containing network traffic from an infected system was analyzed using Wireshark. The objective was to identify suspicious communication patterns and confirm the presence of malware by analyzing DNS queries, HTTP requests, and FTP communication observed in the captured traffic.
Objectives
1. To analyze network traffic captured in a PCAP file using Wireshark.
2. To identify suspicious domains, protocols, and communication patterns in the captured traffic.
3. To detect evidence of malware activity such as remote server communication and data exfiltration.
Malware Download Link
https://www.malware-traffic-analysis.net/2026/02/03/2026-02-03-GuLoader-for-AgentTesla-style-infection-with-FTP-data-exfil.pcap.zip
The PCAP file used in this analysis contains network traffic generated from a system infected with AgentTesla-style malware. The captured traffic includes DNS queries, HTTP requests, and FTP communication between the infected host and external servers. The analysis of this traffic helps identify suspicious behavior and confirms the presence of malware through activities such as environment detection and data exfiltration.
Architecture
Procedure
1. The PCAP file containing malware traffic was downloaded from the Malware Traffic Analysis website.
2. The PCAP file was opened and analyzed using Wireshark.
3. DNS traffic was examined to identify suspicious domain queries.
4. HTTP traffic was analyzed to observe requests made by the infected host.
5. FTP communication was inspected to identify authentication attempts and file transfer activities.
6. Suspicious packets were captured through screenshots and analyzed to confirm malware behavior.
Inference – PCAP File Overview
Observation
The capture file properties show the PCAP containing network traffic related to a suspected malware infection.
Explanation
The capture includes multiple protocols such as DNS, HTTP, TCP, and FTP, indicating communication between the infected host and external servers.
Conclusion
The presence of multiple external communications suggests possible malware activity in the captured network traffic.
Inference – Protocol Distribution
Observation
The protocol hierarchy shows traffic consisting mainly of TCP, DNS, HTTP, and FTP protocols.
Explanation
Malware often uses DNS for resolving command servers and FTP/HTTP for communication and data exfiltration.
Conclusion
The presence of FTP and HTTP communication indicates potential malicious network activity.
Inference – External Communication
Observation
The infected host communicates with several external IP addresses.
Explanation
Frequent communication with external servers is often associated with malware contacting command-and-control infrastructure.
Conclusion
This indicates possible malware-controlled network communication.
Inference – DNS Query Activity
Observation
The infected host sends DNS queries for multiple domains.
Explanation
DNS queries allow the malware to resolve domain names of command servers before initiating communication.
Conclusion
This suggests the infected host is locating external servers for malicious communication.
Inference – Suspicious HTTP Request
Observation
The captured HTTP traffic shows a request to the domain:
ip-api.com
Explanation
ip-api.com is a public IP geolocation service; the request returns geolocation and hosting information for the public IP address the infected host is using.
Conclusion
Malware often performs such requests to detect whether it is running in a sandbox or analysis environment.
Inference – Environment Detection
Observation
The HTTP request contains:
GET /line/?fields=hosting
Explanation
The fields=hosting parameter asks the service only whether the querying IP address belongs to a hosting or data-centre provider, which is where sandboxes and analysis virtual machines commonly run.
Conclusion
This behavior is typical of malware performing environment reconnaissance before executing malicious actions.
Inference – Domain Resolution
Observation
The infected host resolves the domain:
ftp.corwineagles.com
Explanation
This domain is later used for FTP communication with the remote server.
Conclusion
The DNS query indicates preparation for communication with the attacker-controlled FTP server.
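To show how the DNS and HTTP observations above can be pulled out of a capture programmatically rather than by eye, here is an added example that is not part of the original assignment and is not code from Malware Traffic Analysis or Wireshark: a small pure-Python pcap reader that walks Ethernet/IPv4 frames, records DNS query names and HTTP request lines, and flags the ip-api.com hosting check. The capture it processes is constructed in memory from three hand-built packets using placeholder addresses from the RFC 5737 documentation ranges; the two domain names are the ones named in this report. For a real file, pass open(path, "rb").read() to analyze_pcap instead of the sample.

```python
"""Added example: minimal pcap walker for the DNS and HTTP indicators in this report.
Pure Python, no scapy/pyshark needed. The sample capture is built in memory below;
for a real file use analyze_pcap(open(path, "rb").read())."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# Constructed placeholder addresses (RFC 5737 documentation ranges), not from the real capture.
HOST, DNS_SERVER, WEB_SERVER = (192, 0, 2, 10), (192, 0, 2, 1), (198, 51, 100, 5)


def iter_frames(pcap):
    """Yield raw link-layer frames from a classic little-endian pcap (not pcapng)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap")
    pos = 24                                   # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, pos)
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len


def dns_question_name(dns):
    """Return the first question name of a DNS message (plain labels, no compression)."""
    pos, labels = 12, []                       # 12-byte DNS header precedes the question
    while dns[pos] != 0:
        length = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def analyze_pcap(pcap):
    """Collect DNS query names and HTTP request lines; flag the ip-api.com hosting check."""
    findings = []
    for frame in iter_frames(pcap):
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src = ".".join(str(b) for b in ip[12:16])
        l4 = ip[ihl:]
        if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 4:
            continue
        _sport, dport = struct.unpack_from("!HH", l4, 0)
        if proto == PROTO_UDP and dport == 53:
            findings.append({"type": "dns_query", "src": src,
                             "name": dns_question_name(l4[8:])})
        elif proto == PROTO_TCP and dport == 80:
            payload = l4[(l4[12] >> 4) * 4:]   # TCP data offset is the high nibble of byte 12
            if payload[:4] not in (b"GET ", b"POST"):
                continue
            lines = payload.decode("ascii", "replace").split("\r\n")
            host = next((ln.split(":", 1)[1].strip() for ln in lines[1:]
                         if ln.lower().startswith("host:")), "")
            findings.append({"type": "http_request", "src": src, "host": host,
                             "request": lines[0],
                             "environment_check": host == "ip-api.com" and "fields=hosting" in lines[0]})
    return findings


# --- constructed sample capture (three packets) ---------------------------------
def _ipv4(proto, src, dst, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + l4                            # checksum left at 0; the parser does not verify it


def _frame(ip_packet):
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet   # zeroed MAC addresses


def _dns_query(name):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHH", 51000, 53, 8 + len(msg), 0) + msg


def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_sample_pcap():
    frames = [
        _frame(_ipv4(PROTO_UDP, HOST, DNS_SERVER, _dns_query("ip-api.com"))),
        _frame(_ipv4(PROTO_UDP, HOST, DNS_SERVER, _dns_query("ftp.corwineagles.com"))),
        _frame(_ipv4(PROTO_TCP, HOST, WEB_SERVER, _tcp(49152, 80,
               b"GET /line/?fields=hosting HTTP/1.1\r\nHost: ip-api.com\r\n\r\n"))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for finding in analyze_pcap(build_sample_pcap()):
        print(finding)
```

The reader handles only the classic pcap container and Ethernet/IPv4 frames, which is enough for a capture like this one; a pcapng file or VLAN-tagged traffic would need the extra header handling that Wireshark performs for you.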
Inference – FTP Server Connection
Observation
The infected host initiates a TCP connection to port 21 on a remote server.
Explanation
Port 21 is the FTP control channel, on which commands and replies are exchanged; the file contents themselves travel over a separate data connection.
Conclusion
This indicates that the infected host is connecting to an FTP server.
Inference – FTP Authentication Initiation
Observation
The captured traffic shows the FTP command:
USER edunis@corwineagles.com
Explanation
This command provides the username for authentication.
Conclusion
This indicates the malware attempting to authenticate with the remote FTP server.
Inference – Plaintext Password Transmission
Observation
The command
PASS cCyU=91vup7
is transmitted in the network traffic.
Explanation
FTP sends credentials in plaintext without encryption.
Conclusion
Anyone able to observe the traffic can read the credentials, and the exchange confirms active login to the FTP server.
Inference – Successful Authentication
Observation
The FTP server responds with
230 OK
Explanation
This response indicates successful authentication.
Conclusion
The infected host successfully logged into the FTP server.
Inference – FTP Directory Access
Observation
Commands such as
PWD
TYPE I
are issued by the client.
Explanation
PWD asks the server for the current working directory, and TYPE I switches the session to binary (image) mode so that file contents are transferred unaltered; together they prepare the FTP session for file transfer operations.
Conclusion
This indicates preparation for uploading or downloading files.
Inference – Suspicious HTTP Object
Observation
Wireshark shows an HTTP object retrieved from the server.
Explanation
HTTP objects may contain payloads or files downloaded during the infection process.
Conclusion
This indicates possible malware file retrieval.
Inference – Passive FTP Mode
Observation
The command
PASV
appears in the FTP communication.
Explanation
In passive mode the server opens a listening port and announces it in its 227 reply, and the client connects to that port to establish the data connection used for the file transfer.
Conclusion
This prepares the connection for uploading stolen data.
Inference – File Upload Command
Observation
The FTP command
STOR
is issued by the client.
Explanation
STOR uploads a file from the client to the FTP server.
Conclusion
This indicates that the malware is uploading data to the attacker server.
Inference – Successful Data Transfer
Observation
The server responds with:
226 File successfully transferred
Explanation
This confirms that the file upload was completed.
Conclusion
This is clear evidence of successful data exfiltration by the malware.
Inference – Multiple File Transfers
Observation
Another STOR command followed by a successful transfer response is observed.
Explanation
Multiple uploads indicate repeated data exfiltration.
Conclusion
This confirms ongoing malicious activity.
Inference – Packet Size Distribution
Observation
The packet length statistics show a variety of packet sizes.
Explanation
Large packet sizes often correspond to file transfers.
Conclusion
This supports the presence of FTP data transfer in the capture.
Inference – Traffic Volume
Observation
The capture contains multiple packets exchanged between internal and external hosts.
Explanation
The traffic pattern indicates sustained communication sessions.
Conclusion
This suggests active malware communication.
Inference – TCP Session Establishment
Observation
TCP packets show connection establishment between the infected host and remote server.
Explanation
These sessions are required before FTP communication begins.
Conclusion
This indicates the network session used by malware to communicate with its server.
Inference – Complete Malware Communication Sequence
Observation
The captured session shows the full FTP conversation including login, file upload commands, and successful transfer responses.
Explanation
This sequence demonstrates how the malware authenticates and uploads files to the remote server.
Conclusion
The captured traffic clearly confirms malware presence and data exfiltration activity.
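The full FTP conversation described in this inference can be reconstructed from the control-channel text that Wireshark's Follow TCP Stream produces. The following is an added example, not part of the original assignment and not code from any tool named here: it walks a client/server transcript, tracks which command each server reply answers, records the passive-mode data endpoints from the 227 replies (the port is the last two numbers, high byte times 256 plus low byte, which is how to locate the data channel in Wireshark), and lists STOR uploads that completed with 226 separately from ones the server rejected. The transcript is constructed with a placeholder account, addresses and file names; only the 230 and 226 reply texts mirror the report.

```python
"""Added example: reconstruct an FTP control-channel conversation of the kind shown in
this report (USER/PASS, 230, PASV/227, STOR, 226) from a Follow-TCP-Stream transcript.
The transcript below is constructed; only the 230 and 226 texts mirror the report."""
import re

REPLY_RE = re.compile(r"^(\d{3})[ -]")               # server replies start with a 3-digit code
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample: placeholder account, addresses and file names, not from the real capture.
SAMPLE_CONTROL_CHANNEL = """\
220 FTP server ready
USER exfil@example.test
331 Password required
PASS placeholder-password
230 OK
PWD
257 "/" is your current location
TYPE I
200 TYPE is now 8-bit binary
PASV
227 Entering Passive Mode (198,51,100,7,195,80)
STOR upload_1.bin
150 Accepted data connection
226 File successfully transferred
PASV
227 Entering Passive Mode (198,51,100,7,200,12)
STOR upload_2.bin
150 Accepted data connection
226 File successfully transferred
STOR upload_3.bin
550 Upload rejected
QUIT
221 Goodbye
"""


def reconstruct_ftp_session(transcript):
    """Summarise authentication, passive data endpoints and STOR outcomes.
    Assumes single-line replies (a 'ddd-' continuation block would need extra handling)."""
    session = {"username": None, "plaintext_password_seen": False, "authenticated": False,
               "data_endpoints": [], "uploads": [], "incomplete_uploads": []}
    pending = None                                   # (verb, argument) awaiting its final reply
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        reply = REPLY_RE.match(line)
        if reply is None:                            # client command
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                session["username"] = arg
            elif verb == "PASS":
                session["plaintext_password_seen"] = True   # record the exposure, never the value
            pending = (verb, arg)
            continue
        code = reply.group(1)
        if code == "227":                            # server announces the data-channel endpoint
            m = PASV_RE.search(line)
            if m:
                a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
                session["data_endpoints"].append((f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo))
        if pending is not None:
            verb, arg = pending
            if verb == "PASS" and code == "230":
                session["authenticated"] = True
            elif verb == "STOR" and code == "226":
                session["uploads"].append(arg)
            elif verb == "STOR" and code[0] in "45":
                session["incomplete_uploads"].append(arg)
        if code[0] != "1":                           # 1xx is preliminary; keep waiting for the final reply
            pending = None
    return session


def exfiltration_confirmed(session):
    """The report's decision rule: an authenticated session with at least one completed upload."""
    return session["authenticated"] and len(session["uploads"]) > 0


if __name__ == "__main__":
    s = reconstruct_ftp_session(SAMPLE_CONTROL_CHANNEL)
    print(s)
    print("data exfiltration confirmed:", exfiltration_confirmed(s))
```

The 150 reply is treated as preliminary so that a STOR is only counted once its 226 (or a 4xx/5xx failure) arrives; this is the distinction between an upload that was attempted and one that actually completed, which is what the conclusion of this inference rests on.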
Effects of Malware
1. Unauthorized access to sensitive system information.
2. Theft and exfiltration of confidential data.
3. Degradation of system performance and stability.
4. Communication with attacker-controlled servers.
5. Compromise of network security and privacy.
New Findings from the Analysis
1. The infected system performed DNS queries to resolve external domains.
2. The malware contacted an external API to check hosting information of the system.
3. The infected host established an FTP session with a remote server.
4. Authentication credentials were transmitted to the FTP server.
5. Files were uploaded from the infected system to the remote server indicating data exfiltration.
Use of AI in this Digital Assignment (DA)
ChatGPT was used to assist in understanding network traffic patterns, interpreting packet details, and organizing the analysis findings into structured documentation. AI was also used to generate explanations for observed malicious activities and to improve the clarity of the report.
Conclusion
The analysis of the PCAP file revealed clear evidence of malware activity within the captured network traffic. The infected host performed DNS queries to resolve external domains, made HTTP requests to obtain system information, and established an authenticated FTP connection with a remote server. The FTP session was used to upload files from the infected system, confirming successful data exfiltration.
These findings demonstrate how packet analysis tools such as Wireshark can be used to identify malicious network behavior and confirm the presence of malware within a system.
YouTube video:
https://youtu.be/wqrvDLtUP9w?si=C3JlsZgGxAWfdQSl
GitHub repository:
https://github.com/jasimzulfiqar/Analysis-of-Malware-traffic-using-wireshark
References
1. Malware Traffic Analysis - https://www.malware-traffic-analysis.net/
2. Wireshark Official Documentation - https://www.wireshark.org/docs/
Acknowledgements
I would like to express my gratitude to my parents for their continuous support. I would also like to thank VIT University and VIT SCOPE for providing the opportunity to perform this digital assignment as part of the current semester coursework. I am grateful to the course instructor for guiding us through this learning experience.