Malware Traffic Analysis with Wireshark - 2

LetsDefend
2 Nov 202213:19

Summary

TLDRIn this instructional video script, the presenter guides viewers through the process of analyzing network traffic using Wireshark to identify a compromised machine's MAC address, the IP address of a malicious website, and the domains involved in C2 traffic. They also demonstrate how to download and use 'Hash My Files' to generate an MD5 hash for a suspected malware file, verify its malicious nature on VirusTotal, and emphasize the importance of conducting such analysis in a safe environment like a virtual machine.

Takeaways

  • 😀 The speaker is guiding through a process of analyzing network traffic to identify a victim's machine MAC address using a packet analyzer like Wireshark.
  • 🔍 To find the MAC address, one should look at the Ethernet II section of a packet and identify the source to match with the source MAC.
  • 💻 The script explains how to determine the IP address of a compromised website by examining HTTP requests in the network traffic.
  • 📚 It's important to use filters in Wireshark to narrow down the analysis to relevant packets, such as applying a host filter to identify the domain name.
  • 🚫 The speaker warns against downloading malware on a real computer and emphasizes the use of a virtual machine for such tasks.
  • 🛑 After downloading a file, the speaker uses 'hash my files' to generate an MD5 hash to identify the file, which is crucial for confirming its nature as malware.
  • 🔒 The MD5 hash is then used to check the file on VirusTotal, a service that scans files for malicious content and provides information from multiple antivirus engines.
  • 🔎 In the investigation, the speaker identifies domains requested in C2 (Command and Control) traffic, which is indicative of a computer infected with malware trying to communicate with its command center.
  • 🌐 The script mentions the use of DNS to match IP addresses with domain names and the importance of identifying failed connection attempts which could be related to C2 servers.
  • 📈 The speaker discusses the process of extracting files from a pcap and analyzing them to understand the behavior of malware post-infection.
  • 🔄 The video script is educational, aiming to help beginners understand network traffic analysis and the process of identifying malware and its associated C2 traffic.

Q & A

  • How can one find the MAC address of a victim machine in Wireshark?

    -To find the MAC address in Wireshark, you select a packet of interest, go to the Ethernet II section, ensure the focus is on the 'Source' field, and then expand it to reveal the MAC address.

  • What is the purpose of identifying the IP address of a compromised website?

    -Identifying the IP address of a compromised website helps in understanding the source of malware delivery, which is crucial for security investigations and preventing further infections.

  • How can you determine the FQDN of a compromised website from a pcap file?

    -You can determine the FQDN by applying a host filter in Wireshark to focus on the HTTP requests and responses, which will reveal the domain names associated with the IP addresses.

  • What does the term 'C2' stand for in the context of malware?

    -C2 stands for 'Command and Control', which refers to the server or infrastructure that the malware communicates with for receiving instructions or uploading stolen data.

  • How can one identify malicious files downloaded from a website using Wireshark?

    -By examining the HTTP layer in Wireshark, one can identify files being downloaded by looking at the 'Export Objects' section, which lists files transferred during the communication.

  • What is the significance of calculating the hash value of a file in malware analysis?

    -The hash value of a file is a unique identifier that can be used to verify the integrity of the file and check against known malicious hashes in databases like VirusTotal.

  • Why is it important to use a virtual machine when analyzing potentially malicious files?

    -Using a virtual machine isolates the analysis environment from the main system, preventing any damage or infection that could occur from executing or analyzing malicious files.

  • How can one check if a file is malicious without downloading it?

    -One can use online services like VirusTotal, which allow you to enter a file hash or upload the file to check against multiple antivirus engines for any indications of malware.

  • What does the color coding of packets in Wireshark indicate?

    -In Wireshark, color coding helps in quickly identifying the status of packets. For example, brown and black packets indicate failed attempts to connect to a server or complete a request.

  • How can one find the domains requested in C2 traffic using Wireshark?

    -By applying a filter to show only DNS requests or by examining the packets where the infected machine communicates with the C2 server, one can identify the domains associated with the C2 traffic.

  • What is an alternative method to calculate the hash value of a file if 'Hash My Files' is not available?

    -An alternative method is to use online hash calculators, such as those found on GitHub, where you can upload a file and calculate its hash value directly through a web interface.

Outlines

plate

このセクションは有料ユーザー限定です。 アクセスするには、アップグレードをお願いします。

今すぐアップグレード

Mindmap

plate

このセクションは有料ユーザー限定です。 アクセスするには、アップグレードをお願いします。

今すぐアップグレード

Keywords

plate

このセクションは有料ユーザー限定です。 アクセスするには、アップグレードをお願いします。

今すぐアップグレード

Highlights

plate

このセクションは有料ユーザー限定です。 アクセスするには、アップグレードをお願いします。

今すぐアップグレード

Transcripts

plate

このセクションは有料ユーザー限定です。 アクセスするには、アップグレードをお願いします。

今すぐアップグレード
Rate This

5.0 / 5 (0 votes)

関連タグ
Wireshark AnalysisMalware DetectionC2 TrafficVirtual MachineNetwork SecurityCyber InvestigationHash ValueVirusTotalOnline TutorialEducational Content
英語で要約が必要ですか?