Tanmay-KS/Malware-Traffic-Forensics
GitHub: Tanmay-KS/Malware-Traffic-Forensics
This project uses passive traffic analysis and behavioral modeling to help identify malware C2 communication and lateral-movement behavior.
Stars: 0 | Forks: 0
# 🛡️ Malware-Traffic-Forensics
**Repository Description:**
> Passive Network Traffic Analysis for Malware Detection using Wireshark & Scapy. A behavioral study on beaconing, port scanning, and anomalous protocol patterns in infected Windows environments.
## 🛡️ Malware Traffic Analysis: A Behavioral Approach
This project focuses on identifying malware activity through **passive network traffic analysis**. By examining PCAP files from infected Windows hosts, we identify compromised systems and command-and-control (C2) communication without ever executing malicious code.
## 🚀 Overview
The analysis adopts a layered approach, combining **protocol-level inspection** (DNS, HTTP, TCP) with **behavioral metrics** like throughput, packet rate, and burstiness to correlate indicators of compromise (IoCs).
## 🛠️ Tools Used
* **Wireshark:** Deep packet inspection and protocol analysis.
* **Scapy (Python):** Statistical modeling and custom graph generation for traffic parameters.
* **Network Statistics:** I/O Graphs, Conversations, and Expert Information logs.
## 🔍 Key Investigative Findings
### 1. The Digital Heartbeat (Beaconing)
Detected rhythmic, low-volume HTTP requests sent at fixed intervals (e.g., every 60s). This automated "phoning home" behavior is a classic hallmark of a C2 implant.
### 2. Reconnaissance & Lateral Movement
* **Port Scanning:** Identified high-rate bursts of TCP SYN probes targeting thousands of ports within seconds.
* **SMB/NTLM Brute Force:** Observed a massive spike in `STATUS_LOGON_FAILURE` errors, indicating an attempt to move laterally within the network.
### 3. Payload Staging
Caught unencrypted HTTP file transfers of executable files (`.exe`) on Port 80, signaling the "staging" phase where the primary malware payload is delivered to the host.
### 4. Traffic Flow Anomalies
* **Asymmetric Data Flow:** Significant imbalance where external servers pushed high volumes of data to internal hosts (Payload Delivery).
* **Sleep/Wake Cycles:** Extended periods of inactivity followed by sudden bursts of outbound traffic—an evasion tactic used by advanced threats.
## 📊 Statistical Analysis
Using Scapy, we visualized the "vitals" of the infection:
* **Throughput Spikes:** Identifying bulk data transfers.
* **Packet Size Distribution:** Differentiating between control "chatter" and data "cargo."
* **Burstiness:** Proving automated communication patterns versus human interaction.
## 📂 Project Structure
```
├── analysis_report.md # Full humanized analysis report
├── pcap_evidence/ # Screenshots of Wireshark observations
├── scapy_scripts/ # Python scripts for throughput/packet rate graphs
└── README.md # You are here!
```
Tags: Beaconing, C2 communication detection, DNS analysis, HTTP tools, HTTP traffic analysis, IoC indicators, bulk IP address processing, NTLM brute force, payload delivery, PCAP analysis, PE loader, Scapy traffic analysis, SMB protocol, TCP protocol analysis, Windows malware, Wireshark analysis, packet rate analysis, protocol-layer detection, post-exploitation, throughput monitoring, command-and-control traffic, anomalous protocol patterns, malicious traffic analysis, deep packet parsing, data statistics, file transfer analysis, wireless security, lateral movement detection, traffic visualization, burstiness detection, port scanning, network security audit, network traffic forensics, network statistics, passive traffic analysis, reverse-engineering tools, defense evasion