Malware Traffic Analysis with Wireshark - 2

LetsDefend

2 Nov 202213:19

Summary

TLDRIn this instructional video script, the presenter guides viewers through the process of analyzing network traffic using Wireshark to identify a compromised machine's MAC address, the IP address of a malicious website, and the domains involved in C2 traffic. They also demonstrate how to download and use 'Hash My Files' to generate an MD5 hash for a suspected malware file, verify its malicious nature on VirusTotal, and emphasize the importance of conducting such analysis in a safe environment like a virtual machine.

Takeaways

😀 The speaker is guiding through a process of analyzing network traffic to identify a victim's machine MAC address using a packet analyzer like Wireshark.
🔍 To find the MAC address, one should look at the Ethernet II section of a packet and identify the source to match with the source MAC.
💻 The script explains how to determine the IP address of a compromised website by examining HTTP requests in the network traffic.
📚 It's important to use filters in Wireshark to narrow down the analysis to relevant packets, such as applying a host filter to identify the domain name.
🚫 The speaker warns against downloading malware on a real computer and emphasizes the use of a virtual machine for such tasks.
🛑 After downloading a file, the speaker uses 'hash my files' to generate an MD5 hash to identify the file, which is crucial for confirming its nature as malware.
🔒 The MD5 hash is then used to check the file on VirusTotal, a service that scans files for malicious content and provides information from multiple antivirus engines.
🔎 In the investigation, the speaker identifies domains requested in C2 (Command and Control) traffic, which is indicative of a computer infected with malware trying to communicate with its command center.
🌐 The script mentions the use of DNS to match IP addresses with domain names and the importance of identifying failed connection attempts which could be related to C2 servers.
📈 The speaker discusses the process of extracting files from a pcap and analyzing them to understand the behavior of malware post-infection.
🔄 The video script is educational, aiming to help beginners understand network traffic analysis and the process of identifying malware and its associated C2 traffic.

Q & A

How can one find the MAC address of a victim machine in Wireshark?
-To find the MAC address in Wireshark, you select a packet of interest, go to the Ethernet II section, ensure the focus is on the 'Source' field, and then expand it to reveal the MAC address.
What is the purpose of identifying the IP address of a compromised website?
-Identifying the IP address of a compromised website helps in understanding the source of malware delivery, which is crucial for security investigations and preventing further infections.
How can you determine the FQDN of a compromised website from a pcap file?
-You can determine the FQDN by applying a host filter in Wireshark to focus on the HTTP requests and responses, which will reveal the domain names associated with the IP addresses.
What does the term 'C2' stand for in the context of malware?
-C2 stands for 'Command and Control', which refers to the server or infrastructure that the malware communicates with for receiving instructions or uploading stolen data.
How can one identify malicious files downloaded from a website using Wireshark?
-By examining the HTTP layer in Wireshark, one can identify files being downloaded by looking at the 'Export Objects' section, which lists files transferred during the communication.
What is the significance of calculating the hash value of a file in malware analysis?
-The hash value of a file is a unique identifier that can be used to verify the integrity of the file and check against known malicious hashes in databases like VirusTotal.
Why is it important to use a virtual machine when analyzing potentially malicious files?
-Using a virtual machine isolates the analysis environment from the main system, preventing any damage or infection that could occur from executing or analyzing malicious files.
How can one check if a file is malicious without downloading it?
-One can use online services like VirusTotal, which allow you to enter a file hash or upload the file to check against multiple antivirus engines for any indications of malware.
What does the color coding of packets in Wireshark indicate?
-In Wireshark, color coding helps in quickly identifying the status of packets. For example, brown and black packets indicate failed attempts to connect to a server or complete a request.
How can one find the domains requested in C2 traffic using Wireshark?
-By applying a filter to show only DNS requests or by examining the packets where the infected machine communicates with the C2 server, one can identify the domains associated with the C2 traffic.
What is an alternative method to calculate the hash value of a file if 'Hash My Files' is not available?
-An alternative method is to use online hash calculators, such as those found on GitHub, where you can upload a file and calculate its hash value directly through a web interface.