GitHub: VaishuSidhu/Malware-PCAP-Investigation


# Malware PCAP Investigation – AgentTesla Credential Exfiltration

**#30DaysOfSOC – Day 17 to 20** | Hands-On Practice | Beginner SOC Learning

## Overview

This is one of my hands-on practice projects as part of my #30DaysOfSOC learning journey. I'm currently working towards becoming a SOC analyst, and I'm building my skills through practical exercises like this one.

I came across a publicly available malware training PCAP and decided to analyze it from scratch — treating it like a real investigation — to practice the skills a SOC analyst uses every day.

## Investigation Scenario

As part of my #30DaysOfSOC challenge, I analyzed a publicly available AgentTesla-style malware PCAP from a real-world-inspired training scenario.

The scenario: a workstation is generating unusual outbound FTP traffic. A packet capture has been taken and needs to be investigated.

Pretending I was the SOC analyst on this case, I tried to answer:

- Is this malicious or just unusual?
- Was anything actually stolen?
- Who or what received the data?
- What indicators can we use to detect this in the future?
## Learning Objectives

These are the skills I was trying to build with this project:

- [ ] Loading and exploring a PCAP in Wireshark
- [ ] Reading Protocol Hierarchy Statistics
- [ ] Filtering FTP traffic and understanding what I see
- [ ] Following TCP streams to read conversations in plain text
- [ ] Extracting files transferred over FTP directly from the packet capture
- [ ] Analyzing a stolen credential dump
- [ ] Doing basic threat intelligence lookups (VirusTotal, AbuseIPDB)
- [ ] Understanding MITRE ATT&CK technique IDs
- [ ] Writing simple detection rules

## Tools Used

- **Wireshark** – I used this as my main tool to open and analyze the packet capture
- **VirusTotal** – To check if the attacker's IP address had been flagged before
- **AbuseIPDB** – To look up the IP's abuse history and hosting information
- **Kali Linux** – My analysis environment inside VirtualBox

## Investigation Workflow

![Investigation Workflow](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/f0d9fd6f79141334.png)

## Key Findings

After going through the PCAP, here's what I found:

### The Victim

| What | Value |
|------|-------|
| Internal IP Address | 10.1.31.101 |
| Username | david.miller |
| Computer Name | DESKTOP-WE9H2FM |
| Operating System | Windows 11 Pro |

### The Attacker's Server

| What | Value |
|------|-------|
| FTP Server IP | 93.89.225.40 |
| FTP Username | pgizemM6 |
| FTP Password | [REDACTED] |
| Location | Istanbul, Turkey |

### What Was Stolen

The malware collected and uploaded a file called:

`PW_david.miller-DESKTOP-WE9H2FM_2025_01_31_20_24_25.html`

This file contained:

- Saved passwords from Chrome and Edge (websites like Amazon, LinkedIn, Facebook)
- Email credentials from Thunderbird
- System info like the computer specs and IP address

## What I Did – Investigation Highlights

✅ Identified that FTP traffic was coming from a workstation (that's a red flag)
✅ Reconstructed the full FTP session from the packets
✅ Recovered the actual file that was stolen using Wireshark's Export Objects feature
✅ Opened and read the stolen credential dump
✅ Looked up the attacker's IP on VirusTotal and AbuseIPDB
✅ Extracted all Indicators of Compromise (IOCs)
✅ Mapped what happened to MITRE ATT&CK techniques
✅ Wrote basic detection rules for network and endpoint monitoring

## Investigation Phases

### Phase 1 – Protocol Analysis

The first thing I did was open the PCAP and go to **Statistics → Protocol Hierarchy**. This gives you a quick overview of all the protocols in the capture. I immediately noticed FTP traffic, which was unusual.

![Protocol Hierarchy](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/e2e23d29b6141338.png)

### Phase 2 – FTP Session Analysis

I filtered for FTP traffic using the filter `ftp` in Wireshark. This showed me the full conversation — the login, the commands, and the file upload.

![FTP Conversation](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/27e93f25c9141345.png)

### Phase 3 – Reading the TCP Stream

I right-clicked on a packet and followed the TCP stream. This let me read the entire FTP session like a conversation — in plain text, including the filename being uploaded.

![TCP Stream](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/e897c044a6141355.png)

Then I used **File → Export Objects → FTP-DATA** to extract the actual file that was uploaded.

![FTP Object Export](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/aa337753fe141401.png)

### Phase 4 – Credential Recovery

I opened the extracted HTML file and found all the stolen credentials. Seeing it laid out like that really made it real — this is what AgentTesla sends to the attacker.

![Credential Dump](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/c575a4c0cb141407.png)

### Phase 5 – Threat Intelligence

I searched the attacker's IP address on VirusTotal and AbuseIPDB to see what was known about it.
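The same work that Phases 2 to 4 do by hand in Wireshark (follow the TCP stream, read the FTP commands, export the FTP-DATA object, hash it, pull out the IOCs) can be scripted, which is what you need once the findings have to turn into a repeatable check. The script below is an added example and is not code from this repository: it builds a small, constructed pcap in memory rather than reading the real capture, reassembles the FTP control and data streams by sequence number, recovers the uploaded file, and applies one detection rule. Only the server IP and the stolen filename are taken from the writeup; the FTP password, ports, timestamps and the file contents are placeholders, and the `sample_capture`, `follow_streams` and `investigate` helpers are this example's own.

```python
# Added example, not the repository's code. Builds a constructed pcap in memory,
# then reassembles the FTP control/data streams and extracts IOCs from them.
import hashlib
import ipaddress
import re
import struct
from collections import defaultdict

# Server IP and filename come from the writeup; everything else is constructed.
VICTIM_IP, SERVER_IP = "10.1.31.101", "93.89.225.40"
STOLEN_FILE = "PW_david.miller-DESKTOP-WE9H2FM_2025_01_31_20_24_25.html"
FILE_BODY = b"<html><body>constructed credential dump, not real data</body></html>"
PASV_PORT = 50000  # constructed passive-mode data port

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet + IPv4 + TCP around payload (checksums left zero; fine offline)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                      0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + iph + tcp + payload

def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):  # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1738355065 + i, 0, len(f), len(f)) + f
    return out

def sample_capture():
    """Constructed AgentTesla-style session: login, PASV, STOR, then the upload."""
    c, s, p1, p2 = VICTIM_IP, SERVER_IP, *divmod(PASV_PORT, 256)
    dialogue = [  # (side, text) on the control channel, port 21
        ("s", "220 FTP server ready\r\n"), ("c", "USER pgizemM6\r\n"),
        ("s", "331 Password required\r\n"), ("c", "PASS placeholder-password\r\n"),
        ("s", "230 Login successful\r\n"), ("c", "PASV\r\n"),
        ("s", f"227 Entering Passive Mode ({s.replace('.', ',')},{p1},{p2})\r\n"),
        ("c", f"STOR {STOLEN_FILE}\r\n"), ("s", "150 Ok to send data\r\n"),
    ]
    frames, seq = [], {"c": 1000, "s": 5000}
    for side, text in dialogue:
        src, dst, sp, dp = (c, s, 49152, 21) if side == "c" else (s, c, 21, 49152)
        frames.append(tcp_frame(src, dst, sp, dp, seq[side], text.encode()))
        seq[side] += len(text)
    # Data channel: two segments deliberately out of order to exercise reassembly.
    half = len(FILE_BODY) // 2
    frames.append(tcp_frame(c, s, 49153, PASV_PORT, 1 + half, FILE_BODY[half:]))
    frames.append(tcp_frame(c, s, 49153, PASV_PORT, 1, FILE_BODY[:half]))
    return build_pcap(frames)

def tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for each IPv4/TCP packet."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        fr, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(fr) < 34 or fr[12:14] != b"\x08\x00" or fr[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = fr[14 + (fr[14] & 0x0F) * 4:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        yield (".".join(map(str, fr[26:30])), sport,
               ".".join(map(str, fr[30:34])), dport, seq, tcp[(tcp[12] >> 4) * 4:])

def follow_streams(pcap):
    """Per-direction reassembly by sequence number, like Wireshark's Follow TCP Stream."""
    parts = defaultdict(list)
    for src, sport, dst, dport, seq, payload in tcp_payloads(pcap):
        if payload:
            parts[(src, sport, dst, dport)].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in parts.items()}

def investigate(pcap):
    """Who talked to whom, what was uploaded, and whether it should alert."""
    streams = follow_streams(pcap)
    f = {}
    for (src, sport, dst, dport), data in streams.items():
        text = data.decode("latin-1")
        if dport == 21:  # client side of the control channel
            f.update(victim_ip=src, server_ip=dst)
            f["ftp_user"] = re.search(r"^USER (\S+)", text, re.M).group(1)
            f["uploaded_file"] = re.search(r"^STOR (.+?)\r?$", text, re.M).group(1)
        elif sport == 21:  # server replies carry the passive data port
            m = re.search(r"^227 .*?\((?:\d+,){4}(\d+),(\d+)\)", text, re.M)
            if m:
                f["data_port"] = int(m.group(1)) * 256 + int(m.group(2))
    # The reassembled data stream is what Export Objects -> FTP-DATA hands you.
    key = next(k for k in streams if k[2] == f["server_ip"] and k[3] == f["data_port"])
    recovered = streams[key]
    f["file_sha256"], f["file_bytes"] = sha256_hex(recovered), len(recovered)
    # Detection: private workstation uploading a PW_*.html to a public host over cleartext FTP.
    f["alert"] = (ipaddress.ip_address(f["victim_ip"]).is_private
                  and not ipaddress.ip_address(f["server_ip"]).is_private
                  and f["uploaded_file"].startswith("PW_"))
    return f, recovered

if __name__ == "__main__":
    for key, value in investigate(sample_capture())[0].items():
        print(f"{key:14} {value}")
```

Pointing `tcp_payloads` at a real capture (`investigate(open(path, "rb").read())`) works for a plain pcap with Ethernet framing; pcapng files and captures with TCP retransmissions or VLAN tags would need more handling than this example carries. The SHA-256 of the recovered file and the server IP are the two values worth recording in the IOC report, because the filename changes per victim and per run.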
![VirusTotal](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/b7294ff39c141413.png)

![AbuseIPDB](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/2aadd4f6a7141419.png)

## MITRE ATT&CK Techniques

| What Happened | Technique | ID |
|---------------|-----------|-----|
| Stole browser passwords | Credentials from Web Browsers | T1555.003 |
| Stole email passwords | Credentials from Mail Clients | T1555.004 |
| Collected system info | System Information Discovery | T1082 |
| Collected IP info | System Network Configuration Discovery | T1016 |
| Created the HTML dump file | Data from Local System | T1005 |
| Uploaded it over FTP | Exfiltration Over Alternative Protocol | T1048.003 |

## Skills Demonstrated

- Network Traffic Analysis with Wireshark
- Malware Behavior Investigation
- Incident Documentation
- Threat Intelligence Lookups (VirusTotal, AbuseIPDB)
- IOC Extraction
- MITRE ATT&CK Framework Mapping
- Basic Detection Engineering
- Security Operations Center (SOC) Workflow
- Technical Writeup and Reporting

## Repository Structure

```
Malware-PCAP-Investigation/
│
├── README.md                          ← You are here
│
├── PCAP/
│   └── 2025-01-31-AgentTesla-style-data-exfil-over-FTP.pcap
│
├── Evidence/
│   ├── 01_Protocol_Hierarchy.png
│   ├── 02_FTP_Conversation.png
│   ├── 03_TCP_Stream.png
│   ├── 04_FTP_File_Upload.png
│   ├── 05_Credential_Dump.png
│   ├── 06_VirusTotal_Analysis.png
│   ├── 07_AbuseIPDB_Analysis.png
│   └── 08_Investigation_Workflow.png
│
└── Reports/
    ├── Investigation_Report.md        ← My full step-by-step walkthrough
    ├── IOC_Report.md                  ← All the indicators I found
    ├── Incident_Timeline.md           ← Timeline of what happened
    └── Detection_Recommendations.md   ← Detection rules and recommendations
```

## References

- [Malware Traffic Analysis – where I got the PCAP](https://www.malware-traffic-analysis.net/)
- [MITRE ATT&CK – AgentTesla](https://attack.mitre.org/software/S0331/)
- [VirusTotal](https://www.virustotal.com/)
- [AbuseIPDB](https://www.abuseipdb.com/)

## Reports

| Report | What's Inside |
|--------|--------------|
| [Investigation_Report.md](Reports/Investigation_Report.md) | My full walkthrough of the investigation |
| [IOC_Report.md](Reports/IOC_Report.md) | All indicators of compromise I extracted |
| [Incident_Timeline.md](Reports/Incident_Timeline.md) | Timeline of events from the packet capture |
| [Detection_Recommendations.md](Reports/Detection_Recommendations.md) | Detection rules and response steps |

*This is part of my #30DaysOfSOC hands-on learning series where I work through real-world cybersecurity scenarios to build practical skills.*