PCAP file: malicious or not — finding in five minutes

James Santiago
Nov 4, 2020

What this article is about:

A quick analysis of a PCAP file to:

a) locate the domain names involved,

b) determine whether a particular web-site is malicious, and

c) determine whether the file downloaded from that web-site is malicious.

Analyzing the PCAP file:

Files with the .pcap extension contain captured network packet data. Wireshark, the popular network-analysis program, can be used to open and analyze a PCAP file. The Windows7 VM that I used came with Wireshark.

After opening the PCAP file in Wireshark, the simple display filter ‘dns’ shows all packets related to DNS queries (Fig.1). In this view we see the IP addresses and the domain names involved. As a rough first pass, a visual check of the names of the web-sites involved can sometimes give a preliminary idea of what is going on.

Fig.1: ‘dns’ filtering in Wireshark

The filter ‘http’ shows all packets belonging to the HTTP protocol (Fig.2), including the GET requests and the names of the files involved.

Fig.2: ‘http’ filtering in Wireshark

Entering the IP address or the domain name in VirusTotal immediately gives you a community score on the malicious nature of that domain (Fig.3). Should the rating in VirusTotal indicate some maliciousness, we can proceed further. This community score is largely qualitative and should be treated as such.

Fig.3: Scanning URL’s in VirusTotal

Back in Wireshark, we can narrow the HTTP traffic down to just the GET/POST requests with the filter ‘http.request’, which lets us pick out the names of the files transacted (Fig.4).

Fig.4: ‘http.request’ filtering in Wireshark

Any suspicious-looking file can be extracted for further analysis; Wireshark allows saving these files with a couple of clicks (Fig.5).

Fig.5: saving files from HTTP GET in Wireshark

Once extracted, we can use CertUtil to compute the MD5 hash of the file (Fig.6):

C:\> certutil -hashfile filename.exe MD5

Note: Win7 requires the parameter MD5 to be specified in upper-case, while Win10 is case-insensitive. To find out whether this file is malicious we go back to VirusTotal: entering the hash value gives us the score on its malicious nature as rated by the community.

Fig.6: Using CertUtil to create MD5 hash of a file
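The same three steps (the ‘dns’ and ‘http.request’ filters, then extracting the transferred file and hashing it) can be scripted when a capture is too large to eyeball. The following is an added example written for this article, not code from the original post or from Wireshark: a small pure-Python pcap reader that lists DNS query names, HTTP request lines and the MD5/SHA-256 of each HTTP response body. It assumes the classic little-endian libpcap format (not pcapng), Ethernet/IPv4 frames, and HTTP messages that fit in one TCP segment; the capture it runs on is constructed in-line, and the host name, addresses and file name in it are made-up placeholders. Both hashes are computed because VirusTotal accepts either for lookup.

```python
"""Minimal pcap triage in pure Python: the 'dns', 'http.request' and
'Export Objects' steps from Wireshark, followed by hashing the carved body.
Assumes little-endian libpcap (magic 0xa1b2c3d4), Ethernet/IPv4 frames and
single-segment HTTP messages. The sample capture is constructed below."""
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETH_HDR_LEN = 14


def read_pcap(data):
    """Yield raw frames from a libpcap byte string (24-byte global header, then records)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file (pcapng is not handled)")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return (src, dst, l4, sport, dport, payload) for an Ethernet/IPv4 UDP or TCP frame."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_HDR_LEN:]
    ip = ip[:struct.unpack_from("!H", ip, 2)[0]]          # drop Ethernet padding
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    l4 = ip[ihl:]
    if proto not in (6, 17) or len(l4) < 8:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    if proto == 17:                                       # UDP: fixed 8-byte header
        return src, dst, "udp", sport, dport, l4[8:]
    return src, dst, "tcp", sport, dport, l4[(l4[12] >> 4) * 4:]   # TCP data offset


def dns_query_name(payload):
    """QNAME of a DNS query (QR bit clear); None for responses or odd packets."""
    if len(payload) < 12 or payload[2] & 0x80:
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos]:
        n = payload[pos]
        if n & 0xC0:                                      # compression pointer: not a plain question
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def triage(pcap_bytes):
    """Collect DNS queries, HTTP request lines, and hashes of HTTP response bodies."""
    report = {"dns": [], "requests": [], "files": []}
    for frame in read_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt is None:
            continue
        src, dst, l4, _sport, dport, payload = pkt
        if l4 == "udp" and dport == 53:                   # Wireshark filter: dns
            name = dns_query_name(payload)
            if name:
                report["dns"].append((src, name))
        elif l4 == "tcp" and payload[:5] in (b"GET /", b"POST "):   # filter: http.request
            line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            report["requests"].append((dst, line))
        elif l4 == "tcp" and payload.startswith(b"HTTP/1."):        # File > Export Objects > HTTP
            _head, _sep, body = payload.partition(b"\r\n\r\n")
            report["files"].append({"server": src, "size": len(body),
                                    "md5": hashlib.md5(body).hexdigest(),
                                    "sha256": hashlib.sha256(body).hexdigest()})
    return report


# ---- constructed sample capture (placeholder names/addresses, not a real malware capture) ----
def _frame(src, dst, proto, l4_header, payload):
    ip_len = 20 + len(l4_header) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4_header + payload  # checksums left zero


def _qname(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def _tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)  # data offset 5 words


def sample_pcap():
    client, resolver, server = "10.0.0.5", "10.0.0.1", "203.0.113.10"
    dns_q = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
             + _qname("files.example.invalid") + struct.pack("!HH", 1, 1))
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(dns_q), 0)
    get = b"GET /update.exe HTTP/1.1\r\nHost: files.example.invalid\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nabc"   # 'abc' stands in for the file body
    frames = [_frame(client, resolver, 17, udp, dns_q),
              _frame(client, server, 6, _tcp(49152, 80), get),
              _frame(server, client, 6, _tcp(80, 49152), resp)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1604448000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for key, rows in triage(sample_pcap()).items():
        print(key, rows)
```

On a real capture the response body of a larger download spans many TCP segments, so the hashing step needs stream reassembly first; Wireshark's Export Objects does that for you, which is why the article's click-through is the right tool for the file itself, while the DNS and request listing above is what scales when a capture has thousands of queries.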

Summary

In summary (Fig.7), with just a few clicks we can use Wireshark to filter DNS queries and HTTP requests. We can then use a web-site like VirusTotal to check the malicious score of a web-site, or that of a file based on the MD5 hash computed with CertUtil.

Fig.7: Summary

Final Words:

A quick but powerful analysis can be done in less than five minutes if the pcap file is small. If the file has hundreds or thousands of DNS queries or HTTP requests, a quick visual check may not be sufficient. Also, if the domain or file involved is of a zero-day nature (developed and released in the wild for the first time), VirusTotal will neither give a malicious rating nor recognize the MD5 hash value.

Acknowledgment:

I would like to thank MalTrak for the Malware sample and preliminary instructions in Malware analysis. I would also like to thank Amr Thabet for his encouragement and initial review of the article.
