Parker Benitez
6 min read · Sep 19, 2023
In this lab I will be investigating and playing around with Wireshark features to get more familiar with the tool. At the end of the lab we will do a PCAP traffic analysis of a potential malware incident. Here, we will investigate when the malware was downloaded, what the malware is and which computer was infected. I hope you have as much fun following along as I did going through this lab!
Typically Wireshark is used to analyze captured traffic stored in the form of PCAP (Packet Capture) files. These files can be analyzed and threats identified.
Wireshark can be used to identify when a packet was sent, the source and destination IP and the type of protocol.
This information is useful for identifying malicious activity by pinpointing the time of attack, the type of attack, the IP addresses that were targeted, or the IP of the attacker.
Also known as a network frame, a packet is a piece of data sent over a network.
Packets contain various headers that specify the type of packet, the source and destination IP as well as the protocol.
- Live Traffic/packet capture
- Packet dissection
- Ability to import/export captured traffic (PCAP)
- Robust capture and display filters
- Ability to search for packets
- Customize and color code packets based on our requirements
Typically Wireshark has a default look, but we can customize it to our own preference.
Default:
Simple preference changes:
You can use capture filters to pick out specific instances. You can also use filters to display packets based on the layer of the OSI model they belong to.
For example, you can search for a specific source IP, destination IP and port:
ip.src == 10.0.0.33 and ip.dst == 34.107.221.82 && tcp.port == 80
You can customize the filter and search for certain ranges with something like:
ip.addr >= 10.0.0.1 && ip.addr <= 10.0.0.33
You can get specific with your search; if, for example, you know the host name you are looking for, you could use:
http.host
If you are working in the data-link layer and you are searching for a specific MAC address this would be handy:
eth.addr == 08:00:27:1C:46:2C
You can filter DNS with :
dns
or
the DNS A record response with:
dns.a
You can filter FTP on a Windows server with:
ftp
along with the insecure Telnet:
telnet
SSH is the successor to Telnet; unlike Telnet, its payload will show up as encrypted. You can search for SSH with:
ssh
We can create our own filter color like this one, so that when we examine any PCAP file the matching packets stand out:
In this exercise we will be analyzing malicious HTTPS traffic. We will be decrypting it and identifying the type of malware detected on the system. We will be getting this PCAP file from GitHub.
The malware being used is called Dridex. This malware targets financial institutions, and is typically delivered through spreadsheets with custom macros. It downloads tools, or uses existing utilities, to download the malware.
We will start off this investigation by looking for successful TLS handshakes. We can do this by using:
tls.handshake.type eq 1
Since this traffic is encrypted we will be decrypting with the decryption key we were provided with on GitHub.
Now we will want to filter for HTTP requests and the TLS handshake, while excluding SSDP:
(http.request or tls.handshake.type eq 1) and !(ssdp)
We now see an interesting GET request where it looks like it was reaching for a .dll file.
If we follow this through an HTTP stream, we can see that it has already been downloaded. The "cannot be run in DOS mode" text is the DOS stub of a Windows executable, which means the rest of the content is the DLL.
We can save this file and use a website like VirusTotal to see what kind of malware it is.
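To show what the "follow the stream, spot the DOS stub, save the file, check it on VirusTotal" steps amount to on raw bytes, here is an added Python example (not from the original post or HackerSploit's lab). It assumes the stream was exported with Follow HTTP Stream and saved as raw; the HTTP response and PE bytes it parses are constructed inline and are not the Dridex sample.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag: image is a DLL
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}

def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response (Follow HTTP Stream -> Save as raw)
    into its header block and the body that follows the blank line."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end of HTTP headers found")
    return raw[:sep].decode("latin-1"), raw[sep + 4:]

def is_pe(body: bytes) -> bool:
    """True if the body starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def analyse_body(body: bytes) -> dict:
    """Carve the facts an analyst wants before uploading: is it a PE, is it a DLL,
    which architecture, and the SHA-256 to search VirusTotal for first."""
    if not is_pe(body):
        raise ValueError("body is not a PE image")
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    # COFF header after the 4-byte PE signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PtrToSymTable(4) NumSymbols(4) SizeOfOptHdr(2) Characteristics(2)
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    return {
        "dos_stub_seen": b"cannot be run in DOS mode" in body[:e_lfanew],
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "sha256": hashlib.sha256(body).hexdigest(),
    }

def constructed_stream() -> bytes:
    """Constructed stand-in for the exported stream: a 200 OK carrying a minimal PE
    with a DOS stub and a COFF header flagged as a 32-bit DLL. Not the real sample."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40 + len(stub))       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x2102)  # EXECUTABLE|32BIT|DLL
    pe = bytes(dos_header) + stub + b"PE\0\0" + coff
    headers = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n"
    return headers + b"Content-Length: %d\r\n\r\n" % len(pe) + pe

if __name__ == "__main__":
    hdrs, body = split_http_response(constructed_stream())
    print(hdrs.splitlines()[0], analyse_body(body))
```

Searching VirusTotal by the SHA-256 first avoids uploading a sample that may already be classified.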
Here we can get a very detailed breakdown of the file:
Potential method of infection:
We can also find a very strange POST request for this .php file:
It looks like after the system has been infected it tries to connect to a command and control server. Following the TLS stream, we can see it does indeed try to connect to the control server.
We also have a good idea of which system was infected (Desktop-U54AJ8K), which we can pass along to someone else. The hostname shows up in NetBIOS name service traffic, which we can filter with:
nbns
This is the end of the Wireshark traffic analysis lab. Throughout this lab I have learned so much more about Wireshark and its features. These range from simple interface customization to specific filters for specific searches. At the end we got to examine a malicious PCAP file and conclude that the system had indeed been infected. With our investigation we concluded that it was the Dridex malware and that it infected one of our desktop devices.
I would like to give a big thank you to HackerSploit on YouTube. He has provided a lot of deep knowledge and breakdowns of industry tools.