Malware Analysis

Capture 1 part 1 PCAP

We’re looking for the IP and port of the exploited server.

We can start looking at the conversations in the pcap.

Statistics -> Conversations

There’s a lot going on. 24.37.41.158 is talking to a lot of IPs, but there are only 3 connections from another IP to 24.37.41.158. That’s something to keep in mind.

Next, a quick look at the Protocol Hierarchy. We can see that a lot of data has been transferred, and some random protocols show up, like Sinec H1 and Sippy RTP proxy.

Nothing pops out. The top 3 protocols used are Data, SSL and HTTP.

HTTP

After a quick look at the traffic, the HTTP traffic has something suspicious starting at packet 5137: a GET request for a file called upload.php. If we look at all the conversations between the two IPs on the same port, packet 168781 is a POST request to the uploads/ directory.

Using the display filter

tcp.dstport == 18888 && http

lets us clearly see the upload happening at packet 70339.

The exploited server is 24.37.41.154:18888
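As an added example (not part of the original writeup), the same triage can be done outside Wireshark with a small pure-Python pcap walker: tally IPv4/TCP conversations the way Statistics -> Conversations does, apply the equivalent of `tcp.dstport == 18888 && http`, and pull out which server received a POST to an upload path. The capture it reads is constructed inline; the addresses 198.51.100.x and 203.0.113.7 are documentation-range placeholders, and only 24.37.41.158 / 24.37.41.154:18888 come from the writeup.

```python
"""Minimal pcap walker: IPv4/TCP conversation tally, an HTTP-request-by-port
filter, and a finder for POST uploads. Standard library only."""
import struct
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


def _ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def make_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums zeroed; enough to parse)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4


def make_pcap(frames):
    """Constructed classic pcap file (link type 1 = Ethernet) as bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def iter_tcp(pcap):
    """Yield (src, sport, dst, dport, payload) for each IPv4/TCP frame."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[doff:]


def conversations(pcap):
    """Counter of (src, dst) -> frame count, like Statistics -> Conversations."""
    counts = Counter()
    for src, _, dst, _, _ in iter_tcp(pcap):
        counts[(src, dst)] += 1
    return counts


def http_requests_to_port(pcap, port):
    """Equivalent of `tcp.dstport == PORT && http`, limited to request lines."""
    hits = []
    for src, sport, dst, dport, payload in iter_tcp(pcap):
        if dport == port and payload.startswith(HTTP_METHODS):
            line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            hits.append((f"{src}:{sport}", f"{dst}:{dport}", line))
    return hits


def upload_targets(pcap):
    """Servers (ip:port) that received a POST whose path mentions 'upload'."""
    targets = set()
    for _, _, dst, dport, payload in iter_tcp(pcap):
        if payload.startswith(b"POST ") and b"upload" in payload.split(b" ", 2)[1].lower():
            targets.add(f"{dst}:{dport}")
    return targets


# Constructed sample capture: one noisy host, an attacker-side placeholder
# 203.0.113.7 fetching upload.php and then POSTing into /uploads/ on port 18888.
SAMPLE_PCAP = make_pcap([
    make_frame("24.37.41.158", 40001, "198.51.100.10", 443, b""),
    make_frame("24.37.41.158", 40002, "198.51.100.11", 443, b""),
    make_frame("24.37.41.158", 40003, "198.51.100.12", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    make_frame("203.0.113.7", 51000, "24.37.41.154", 18888,
               b"GET /upload.php HTTP/1.1\r\nHost: 24.37.41.154:18888\r\n\r\n"),
    make_frame("24.37.41.154", 18888, "203.0.113.7", 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    make_frame("203.0.113.7", 51001, "24.37.41.154", 18888,
               b"POST /uploads/ HTTP/1.1\r\nContent-Type: multipart/form-data\r\n\r\n"),
])

if __name__ == "__main__":
    for (src, dst), n in conversations(SAMPLE_PCAP).most_common():
        print(f"{src} -> {dst}: {n}")
    for hit in http_requests_to_port(SAMPLE_PCAP, 18888):
        print(hit)
    print("upload targets:", upload_targets(SAMPLE_PCAP))
```

`iter_tcp` only understands classic pcap with Ethernet framing and IPv4, which is what the Wireshark steps above assume; pcapng or other link types would need a different reader. The request-line check is deliberately narrow (a known method at the start of the segment), so it behaves like Wireshark's `http` filter on unreassembled first segments rather than a full HTTP parser.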