Malware-Network-Analysis

PCAP-based analysis of CryptoLocker and Word-Dropper malware samples using Wireshark and REMnux. Focus on DNS, HTTP, and TLS artifacts to identify adversary behavior and exfiltration attempts.

Repository license metadata: Creative Commons Zero v1.0 Universal (CC0-1.0)

📡 Malware Network Traffic & Packet Analysis

Network Traffic Analysis

This repository contains a packet-level malware behavior analysis using PCAPs for CryptoLocker and Word-Dropper samples. The investigation was conducted using Wireshark on a REMnux VM, with emphasis on DNS, HTTP, and TLS traffic.

📄 Contents

🔍 Techniques Covered

  • DNS Query Analysis
    Identification of suspicious or anomalous outbound DNS queries and IP resolution patterns.

  • HTTP & TLS Inspection
    Use of GET/POST request tracing to reveal encrypted payload behavior within unencrypted HTTP sessions.

  • IP Reputation Verification
    Use of open-source intelligence (e.g., IPinfo) to validate threat indicators.

  • Wireshark Filters & Statistics
    Filtering for DNS, HTTP, and TLS streams; object export; and resolving IP behavior by hostname.

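The DNS query analysis, HTTP request tracing and IP reputation steps listed above can be reproduced without Wireshark for quick triage. The script below is an added example and is not code from this repository: it parses a PCAP with the standard library only (no scapy or pyshark), collects the A records returned in DNS responses, extracts the method, path and Host header of every plaintext HTTP request, and then flags any domain whose resolved address falls outside a set of trusted networks. The PCAP it parses is constructed inline (RFC 5737 documentation addresses and the placeholder domain `update-check.example`), so nothing here reflects the actual CryptoLocker or Word-Dropper captures.

```python
"""Offline PCAP triage for DNS resolutions and plaintext HTTP requests.
Added example, not code from the repository. Standard library only; the sample
PCAP is constructed inline with RFC 5737 addresses and a placeholder domain."""
import ipaddress
import struct

# --- constructed sample traffic -----------------------------------------------
CLIENT_MAC = bytes.fromhex("02004c4f4f50")
SERVER_MAC = bytes.fromhex("020042424242")
CLIENT_IP, RESOLVER_IP = "192.0.2.10", "192.0.2.1"   # RFC 5737 TEST-NET-1
SUSPECT_DOMAIN = "update-check.example"              # constructed placeholder
SUSPECT_IP = "203.0.113.45"                          # RFC 5737 TEST-NET-3

def _ipv4(src, dst, proto, payload):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):
    # 20-byte header: data offset 5, flags PSH|ACK, checksum left at 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _dns_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def _dns_response(txid, name, ip):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA, 1 question, 1 answer
    question = _dns_name(name) + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    # answer name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

def _frame(src_mac, dst_mac, ip_packet):
    return dst_mac + src_mac + b"\x08\x00" + ip_packet

def build_sample_pcap():
    """Two Ethernet frames: a DNS A-record response, then an HTTP GET to the resolved host."""
    pkts = [
        _frame(SERVER_MAC, CLIENT_MAC, _ipv4(RESOLVER_IP, CLIENT_IP, 17,
               _udp(53, 40000, _dns_response(0x1234, SUSPECT_DOMAIN, SUSPECT_IP)))),
        _frame(CLIENT_MAC, SERVER_MAC, _ipv4(CLIENT_IP, SUSPECT_IP, 6,
               _tcp(50000, 80, b"GET /files/update.bin HTTP/1.1\r\nHost: " + SUSPECT_DOMAIN.encode() + b"\r\n\r\n"))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header, linktype 1 = Ethernet
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out

def _read_name(buf, off):
    """Decode a DNS name at buf[off], following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(buf[off:off + ln].decode())
        off += ln

def parse_pcap(data):
    """Return {'dns': {qname: [A records]}, 'http': [(method, path, host)]} from raw pcap bytes."""
    dns, http, off = {}, [], 24                     # 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":             # IPv4 only
            continue
        ip = frame[14:]
        proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
        if proto == 17 and struct.unpack("!H", l4[:2])[0] == 53:   # UDP from port 53: DNS response
            d = l4[8:]
            ancount = struct.unpack("!H", d[6:8])[0]
            qname, p = _read_name(d, 12)
            p += 4                                  # skip QTYPE, QCLASS
            for _ in range(ancount):
                _, p = _read_name(d, p)
                rtype, _, _, rdlen = struct.unpack("!HHIH", d[p:p + 10])
                rdata, p = d[p + 10:p + 10 + rdlen], p + 10 + rdlen
                if rtype == 1:                      # A record
                    dns.setdefault(qname, []).append(str(ipaddress.IPv4Address(rdata)))
        elif proto == 6:                            # TCP: look for plaintext HTTP request lines
            body = l4[(l4[12] >> 4) * 4:]
            if body[:4] in (b"GET ", b"POST"):
                lines = body.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
                method, path = lines[0].split(" ")[:2]
                host = next((h.split(":", 1)[1].strip() for h in lines[1:] if h.lower().startswith("host:")), "")
                http.append((method, path, host))
    return {"dns": dns, "http": http}

def flag_untrusted(result, trusted_nets):
    """IP-reputation step: domains with an A record outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return sorted(name for name, ips in result["dns"].items()
                  if any(not any(ipaddress.ip_address(ip) in n for n in nets) for ip in ips))
```

Run it against a real capture with `parse_pcap(open("sample.pcap", "rb").read())`; the `flag_untrusted` list is what you would then check against IPinfo or a similar reputation source. The parser only handles classic pcap (not pcapng), IPv4, and unencrypted HTTP, which is enough for the DNS and HTTP artifacts this repository focuses on.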
🚩 Findings Summary

  • Multiple domains resolved to suspicious IPs hosted outside of trusted environments.
  • Encrypted payloads were observed being transferred over HTTP — suggesting obfuscation.
  • Analysis of GET request failures suggested attempts to probe or exploit specific file paths on targets.
  • Signature behaviors matched known tactics of CryptoLocker and Word-Dropper.

🔧 Tools Used

  • Wireshark
  • REMnux (Linux forensic distribution)
  • IPinfo.io
  • DNS/HTTP filter expressions

👤 Author

Michael Twining
Cybersecurity Researcher | Network & Malware Analyst | GitHub: @usrtem
📫 michael.twining@outlook.com
🌐 LinkedIn | YouTube

🔐 License

This project is released under the Creative Commons Attribution 4.0 International License.