This repository contains a packet-level malware behavior analysis using PCAPs for CryptoLocker and Word-Dropper samples. The investigation was conducted using Wireshark on a REMnux VM, with emphasis on DNS, HTTP, and TLS traffic.
- DNS Query Analysis: identification of suspicious or anomalous outbound DNS queries and IP resolution patterns.
- HTTP & TLS Inspection: use of GET/POST request tracing to reveal encrypted payload behavior within unencrypted HTTP sessions.
- IP Reputation Verification: use of open-source intelligence (e.g., IPinfo) to validate threat indicators.
- Wireshark Filters & Statistics: filtering for DNS, HTTP, and TLS streams; object export; and resolving IP behavior by hostname.

- Multiple domains resolved to suspicious IPs hosted outside of trusted environments.
- Encrypted payloads were observed being transferred over HTTP, suggesting obfuscation.
- Analysis of GET request failures suggested attempts to probe or exploit specific file paths on targets.
- Signature behaviors matched known tactics of CryptoLocker and Word-Dropper.
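The three traffic findings above (untrusted DNS resolutions, high-entropy bodies carried over plain HTTP, and clusters of failed GET requests) can each be reduced to a small detection check. The script below is an added example and is not part of this repository; it runs over constructed DNS answers and HTTP transactions rather than the CryptoLocker or Word-Dropper PCAPs, and the trusted address ranges, entropy threshold and failure count are assumptions. The Wireshark display filters quoted in the comments are the ones that would surface the equivalent packets.

```python
"""Packet-triage checks modelled on the README's Wireshark findings.
Added example, not repository code; all input records are constructed."""
import ipaddress
import math
from collections import Counter, defaultdict

# Assumption: the lab's own address space counts as "trusted".
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DNS answers, the (name, address) pairs a Wireshark filter of
# `dns.flags.response == 1` would show. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for external hosts.
DNS_ANSWERS = [
    ("update.example-corp.internal", "10.20.30.40"),
    ("cdn.example-corp.internal", "10.20.30.41"),
    ("xk3jf9a.example", "203.0.113.17"),
    ("q7mzp1b.example", "203.0.113.17"),
    ("wr8nc2d.example", "198.51.100.9"),
]

# Constructed HTTP transactions, roughly what `http.request || http.response`
# plus Follow TCP Stream / Export Objects yields per request.
HTTP_TXNS = [
    {"src": "10.20.30.5", "method": "GET", "uri": "/files/doc.bin",
     "status": 200, "body": bytes(range(256)) * 4},          # opaque blob
    {"src": "10.20.30.5", "method": "GET", "uri": "/index.html",
     "status": 200, "body": b"<html><body>hello world</body></html>" * 10},
    {"src": "10.20.30.5", "method": "GET", "uri": "/a.php", "status": 404, "body": b"not found"},
    {"src": "10.20.30.5", "method": "GET", "uri": "/b.php", "status": 404, "body": b"not found"},
    {"src": "10.20.30.5", "method": "GET", "uri": "/c.php", "status": 404, "body": b"not found"},
    {"src": "10.20.30.5", "method": "GET", "uri": "/d.php", "status": 403, "body": b"forbidden"},
]


def is_trusted(addr):
    """True when the address falls inside one of TRUSTED_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def untrusted_resolutions(answers):
    """Map each untrusted resolved IP to the hostnames that point at it.
    Several unrelated-looking names sharing one external IP is the pattern
    worth handing to an IP reputation lookup."""
    hits = defaultdict(set)
    for name, addr in answers:
        if not is_trusted(addr):
            hits[addr].add(name)
    return {addr: sorted(names) for addr, names in hits.items()}


def shannon_entropy(data):
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_http_bodies(txns, threshold=7.0, min_len=256):
    """URIs whose successful response body looks encrypted or compressed
    even though it travelled over unencrypted HTTP (filter: `http.response.code == 200`)."""
    return [t["uri"] for t in txns
            if t["status"] == 200 and len(t["body"]) >= min_len
            and shannon_entropy(t["body"]) >= threshold]


def probing_clients(txns, min_failures=3):
    """Sources that collected 4xx responses on several distinct paths
    (filter: `http.response.code >= 400`), the signature of path probing."""
    failed = defaultdict(set)
    for t in txns:
        if 400 <= t["status"] < 500:
            failed[t["src"]].add(t["uri"])
    return {src: sorted(p) for src, p in failed.items() if len(p) >= min_failures}


if __name__ == "__main__":
    print("untrusted resolutions:", untrusted_resolutions(DNS_ANSWERS))
    print("opaque bodies over HTTP:", high_entropy_http_bodies(HTTP_TXNS))
    print("probing clients:", probing_clients(HTTP_TXNS))
```

The entropy threshold is deliberately high: text, HTML and most executables sit well below 7 bits per byte, so a plain-HTTP body scoring near 8 is either compressed or encrypted and deserves the same follow-up as the finding above. The same three functions apply unchanged to real records exported from tshark or Wireshark once they are loaded into the same tuple and dict shapes.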

- Wireshark
- REMnux (Linux forensic distribution)
- IPinfo.io
- DNS/HTTP filter expressions

Michael Twining
Cybersecurity Researcher | Network & Malware Analyst | GitHub: @usrtem
Email: michael.twining@outlook.com
LinkedIn | YouTube
This project is released under the Creative Commons Attribution 4.0 International License.