| name | analyzing-network-traffic-of-malware |
| description | Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.
|
| domain | cybersecurity |
| subdomain | malware-analysis |
| tags | ["malware","network-analysis","PCAP","Wireshark","C2-detection"] |
| version | 1.0.0 |
| author | mahipal |
| license | MIT |
Analyzing Network Traffic of Malware
When to Use
- Sandbox execution has captured a PCAP file and the network behavior needs detailed analysis
- Identifying the C2 protocol structure for writing network detection signatures
- Determining what data the malware exfiltrates and to which external infrastructure
- Analyzing DNS tunneling, domain generation algorithms (DGA), or fast-flux behavior
- Creating Suricata/Snort signatures based on observed malware network patterns
Do not use for host-based analysis of malware behavior; use Cuckoo sandbox reports or Volatility memory analysis for process-level activity.
Prerequisites
- Wireshark 4.x installed for interactive PCAP analysis
- tshark (Wireshark CLI) for scripted packet extraction
- Zeek installed for automated metadata generation from PCAPs
- Suricata with ET Open/ET Pro rulesets for signature matching
- NetworkMiner for file extraction and credential detection from PCAPs
- Python 3.8+ with
scapy and dpkt for programmatic packet analysis
Workflow
Step 1: Initial PCAP Overview
Get a high-level understanding of the network traffic:
capinfos malware.pcap
tshark -r malware.pcap -q -z io,phs
tshark -r malware.pcap -q -z endpoints,ip
tshark -r malware.pcap -q -z conv,tcp
tshark -r malware.pcap -q -z dns,tree
Step 2: Analyze DNS Activity
Examine DNS queries for DGA, tunneling, or C2 domain resolution:
tshark -r malware.pcap -T fields -e frame.time -e dns.qry.name -e dns.a \
-Y "dns.flags.response == 1" | sort
python3 << 'PYEOF'
import math
from collections import Counter
def entropy(s):
p = [n/len(s) for n in Counter(s).values()]
return -sum(pi * math.log2(pi) for pi in p if pi > 0)
import subprocess
result = subprocess.run(
["tshark", "-r", "malware.pcap", "-T", "fields", "-e", "dns.qry.name",
"-Y", "dns.flags.response == 0"],
capture_output=True, text=True
)
domains = set(result.stdout.strip().split('\n'))
print("Suspicious DNS queries (high entropy):")
for domain in domains:
if domain:
subdomain = domain.split('.')[0]
ent = entropy(subdomain)
if ent > 3.5 and len(subdomain) > 10:
print(f" {domain} (entropy: {ent:.2f})")
PYEOF
tshark -r malware.pcap -T fields -e dns.qry.name -e dns.txt \
-Y "dns.resp.type == 16 and dns.resp.len > 100"
Step 3: Analyze HTTP/HTTPS C2 Communication
Examine web-based command-and-control traffic:
tshark -r malware.pcap -T fields \
-e frame.time -e ip.src -e ip.dst -e http.host \
-e http.request.method -e http.request.uri -e http.user_agent \
-Y "http.request"
tshark -r malware.pcap -T fields \
-e http.host -e http.request.uri -e http.content_type -e tcp.len \
-Y "http.response and tcp.len > 1000"
tshark -r malware.pcap -T fields \
-e http.host -e http.request.uri -e http.file_data \
-Y "http.request.method == POST"
tshark -r malware.pcap -T fields \
-e tls.handshake.extensions_server_name \
-e tls.handshake.ja3 \
-Y "tls.handshake.type == 1"
tshark -r malware.pcap -T fields \
-e x509ce.dNSName -e x509af.serialNumber \
-e x509sat.utf8String \
-Y "tls.handshake.type == 11"
tshark -r malware.pcap --export-objects http,exported_files/
Step 4: Detect Beaconing Patterns
Identify regular periodic communication indicating C2 beaconing:
from scapy.all import rdpcap, IP, TCP
from collections import defaultdict
import statistics
packets = rdpcap("malware.pcap")
connections = defaultdict(list)
for pkt in packets:
if IP in pkt and TCP in pkt:
if pkt[TCP].flags & 0x02:
dst = f"{pkt[IP].dst}:{pkt[TCP].dport}"
connections[dst].append(float(pkt.time))
print("Beacon Analysis:")
for dst, times in connections.items():
if len(times) >= 5:
intervals = [times[i+1] - times[i] for i in range(len(times)-1)]
avg = statistics.mean(intervals)
stdev = statistics.stdev(intervals) if len(intervals) > 1 else 0
jitter = (stdev / avg * 100) if avg > 0 else 0
if 10 < avg < 3600 and jitter < 30:
print(f" [!] {dst}: {len(times)} connections")
print(f" Interval: {avg:.1f}s ± {stdev:.1f}s (jitter: {jitter:.1f}%)")
print(f" Pattern: LIKELY BEACONING")
Step 5: Generate Network Detection Signatures
Create Suricata/Snort rules from observed traffic patterns:
suricata -r malware.pcap -l suricata_output/ -c /etc/suricata/suricata.yaml
cat suricata_output/fast.log
cat << 'EOF' > custom_malware.rules
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE MalwareX C2 Beacon";
flow:established,to_server;
http.method; content:"POST";
http.uri; content:"/gate.php?id=";
http.user_agent; content:"Mozilla/5.0 (compatible; MSIE 10.0)";
sid:9000001; rev:1;
)
alert dns $HOME_NET any -> any any (
msg:"MALWARE MalwareX C2 DNS Query";
dns.query; content:"update.malicious.com";
sid:9000002; rev:1;
)
alert tls $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE MalwareX JA3 Match";
ja3.hash; content:"a0e9f5d64349fb13191bc781f81f42e1";
sid:9000003; rev:1;
)
EOF
Step 6: Extract Files and Artifacts from Traffic
Recover transferred files and embedded data:
zeek -r malware.pcap /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
ls extract_files/
tshark -r malware.pcap --export-objects http,http_objects/
tshark -r malware.pcap --export-objects smb,smb_objects/
tshark -r malware.pcap --export-objects tftp,tftp_objects/
sha256sum http_objects/* smb_objects/* 2>/dev/null
zeek -r malware.pcap
Key Concepts
| Term | Definition |
|---|
| Beaconing | Regular periodic connections from malware to C2 server, identifiable by consistent time intervals and packet sizes |
| JA3/JA3S | TLS fingerprinting method creating a hash from ClientHello/ServerHello parameters to uniquely identify malware TLS implementations |
| DGA (Domain Generation Algorithm) | Algorithm generating pseudo-random domain names that malware queries to locate C2 servers, evading static domain blocklists |
| DNS Tunneling | Encoding data in DNS queries and responses to establish a C2 channel or exfiltrate data through DNS infrastructure |
| Fast Flux | DNS technique rapidly rotating IP addresses for a domain to avoid takedown and distribute C2 across many compromised hosts |
| SNI (Server Name Indication) | TLS extension revealing the hostname the client is connecting to; visible even in encrypted HTTPS connections |
| Network Signature | Suricata/Snort rule matching specific patterns in network traffic (headers, payloads, timing) to detect malicious communications |
Tools & Systems
- Wireshark: Open-source packet analyzer for deep interactive inspection of network traffic at the protocol level
- Zeek: Network analysis framework generating structured metadata logs (conn, dns, http, ssl) from live or captured traffic
- Suricata: High-performance network IDS/IPS for signature-based detection with Lua scripting for custom detection logic
- NetworkMiner: Network forensic analysis tool for extracting files, images, and credentials from PCAP files
- Scapy: Python packet manipulation library for programmatic packet analysis, beacon detection, and protocol decoding
Common Scenarios
Scenario: Decoding a Custom Binary C2 Protocol
Context: Malware communicates with its C2 server using a custom binary protocol over TCP port 8443. Standard HTTP analysis yields no results. The protocol structure needs to be reverse engineered from the PCAP.
Approach:
- Filter the PCAP for TCP port 8443 conversations and follow the TCP stream
- Identify the message framing (length prefix, delimiter, fixed-size headers)
- Compare multiple messages to identify static header fields vs variable data fields
- Cross-reference with reverse engineering findings from Ghidra (if the binary was analyzed)
- Write a Wireshark dissector or Scapy parser for the custom protocol
- Create Suricata rules matching the static header bytes for network detection
- Document the full protocol specification for threat intelligence sharing
Pitfalls:
- Analyzing only the first few packets; some C2 protocols change behavior after initial handshake
- Not decrypting TLS traffic when the sandbox has MITM capabilities
- Confusing legitimate CDN or cloud traffic with C2 (validate destination IPs)
- Missing C2 traffic that uses DNS or ICMP instead of TCP/UDP
Output Format
MALWARE NETWORK TRAFFIC ANALYSIS
===================================
PCAP File: malware_sandbox.pcap
Duration: 300 seconds
Total Packets: 12,847
Total Bytes: 4.2 MB
DNS ACTIVITY
Total Queries: 47
DGA Detected: Yes (23 high-entropy queries to .com TLD)
Tunneling: No
Resolved C2: update.malicious[.]com -> 185.220.101[.]42
C2 COMMUNICATION
Protocol: HTTPS (TLS 1.2)
Server: 185.220.101[.]42:443
SNI: update.malicious[.]com
JA3 Hash: a0e9f5d64349fb13191bc781f81f42e1
Beacon Interval: 60.2s ± 6.8s (11.3% jitter)
Total Sessions: 237
Data Sent: 147 MB
Data Received: 2.3 MB
Certificate: CN=update.malicious[.]com (self-signed, expired)
PAYLOAD DOWNLOADS
GET /payload.dll from compromised-site[.]com
Size: 98,304 bytes
SHA-256: abc123def456...
Content-Type: application/octet-stream
EXFILTRATION
Method: HTTPS POST to /gate.php
Content-Type: application/octet-stream
Average Size: 15,432 bytes per request
Total Volume: 147 MB over 4 hours
SURICATA ALERTS
[1:2028401] ET MALWARE Generic C2 Beacon Pattern
[1:2028500] ET POLICY Self-Signed Certificate
GENERATED SIGNATURES
SID 9000001: MalwareX HTTP beacon pattern
SID 9000002: MalwareX DNS C2 domain
SID 9000003: MalwareX JA3 TLS fingerprint
