
Examining Pcaps Emails Malware Infection

Malware Traffic Analysis

Link to the original challenge: https://www.malware-traffic-analysis.net/2017/12/15/index.html


  • You have 2 PCAPs + 2 Emails. Each PCAP represents a different attack or compromise on a Windows machine. The emails contain malicious attachments that caused the infection.

  • You are required to create an Incident Report for each PCAP separately.

  • For each PCAP and its corresponding email, include:

  • Determine the time of malicious activity (start/end time – UTC).

  • IP and MAC Address of the affected host.

  • Hostname of the affected host.

  • Identify the type of attack / malware type.

  • Indicators of Compromise (IOCs): IPs, Domains, File Hashes

  • Summary of what happened.


We won’t follow a standardized lab procedure; instead, we’ll proceed in the most straightforward order.

I have already downloaded the files and extracted them. Don’t forget, the password was infected_20171215. You now have three extracted folders.

Next, we want to match each PCAP with its corresponding email:

  • In other words, determine which PCAP belongs to which email.

  • This can be done by matching details, such as checking who the email was sent to, and so on.

The First Email and Determining Which PCAP It Belongs To:

I took the first email I have, which is:

ls -lh 2017-12-14-malicious-email-1814-UTC.eml 
-rw-r--r-- 1 sansforensics sansforensics 310K Oct 27  2024 2017-12-14-malicious-email-1814-UTC.eml

This is how it appeared when I opened it on https://www.encryptomatic.com, a site that allows you to view emails online in EML, MSG, and winmail.dat (TNEF) formats and also access the email attachments.

In short, I want to open the email without accidentally executing any malware, since our machines are valuable…

Message Overview:

IOCs:

  • This shows that Chris Lyons is the target in this scenario.

  • The sender (Le Huong-accounts) is likely an attacker or a spoofed email.

  • The file with extension .rar.zip certainly contains malware.

  • The attachment is designed to convince the recipient to open it.

Extracting the Attachment:
  • The website provides a way to download attachments, but there is another method we can use that I found while searching:

  • The ripMIME tool is a command-line utility used to extract attachments from emails encoded in MIME format.

sansforensics@as: ~/Downloads/Mail-1
$ ls
2017-12-14-malicious-email-1814-UTC.eml
Proforma+Invoice+P101092292891+TT+slip+pdf.rar.zip

sansforensics@as: ~/Downloads/Mail-1
$ ripmime --name-by-type -i 2017-12-14-malicious-email-1814-UTC.eml -d output_folder

sansforensics@as: ~/Downloads/Mail-1
$ ls
2017-12-14-malicious-email-1814-UTC.eml
output_folder
Proforma+Invoice+P101092292891+TT+slip+pdf.rar.zip

sansforensics@as: ~/Downloads/Mail-1
$ cd output_folder/
sansforensics@as: ~/Downloads/Mail-1/output_folder
$ ls
 multipart-mixed0                                      text-plain1
'Proforma Invoice P101092292891 TT slip pdf.rar.zip'

Both methods achieve the same result: they extract the file.
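The same extraction can be done without ripMIME or a web viewer, which keeps the attachment from ever being opened. The block below is an added example (not from the post or from ripMIME): it parses an .eml with Python's standard library, reads the headers used later to pair the email with its PCAP, and hashes each attachment in memory so the SHA256 can be looked up on VirusTotal. The message is a constructed stand-in whose "archive" body is a few placeholder bytes, not the real attachment.

```python
import email
import hashlib
import re
from email import policy

# Constructed stand-in for the real .eml: the headers are the ones the post lists,
# the attachment body is a placeholder ZIP header, not the real malware.
SAMPLE_EML = b"""From: LeHuong-accounts@gmail.com
To: chris.lyons@supercarcenterdetroit.com
Subject: Fw: Re: PI no. SO-P101092262891
Date: Thu, 14 Dec 2017 18:14:00 +0000
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please find the attached invoice.
--XYZ
Content-Type: application/zip; name="Proforma Invoice P101092292891 TT slip pdf.rar.zip"
Content-Disposition: attachment; filename="Proforma Invoice P101092292891 TT slip pdf.rar.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Nested archive extensions (e.g. ".rar.zip") are a common lure pattern.
NESTED_ARCHIVE = re.compile(r"\.(rar|zip|7z|gz)\.(rar|zip|7z)$", re.I)

def mail_headers(raw: bytes) -> dict:
    """Sender, recipient, subject and date: the details used to pair the email with its PCAP."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {h: str(msg[h]) for h in ("From", "To", "Subject", "Date")}

def list_attachments(raw: bytes) -> list:
    """Hash every attachment in memory; nothing is written to disk or executed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)      # undo the base64 transfer encoding
        name = part.get_filename() or "<unnamed>"
        out.append({
            "name": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),   # pivot value for VirusTotal
            "magic": data[:4],                            # b"PK\x03\x04" means ZIP
            "nested_archive": bool(NESTED_ARCHIVE.search(name)),
        })
    return out
```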

I won’t look at the attachments for now; first, I’ll identify the corresponding PCAP file.

Now we need to determine which PCAP belongs to which email:

We know the target is Chris Lyons,

  • So if a PCAP contains SMTP or POP3 traffic related to Chris Lyons, it corresponds to the same scenario.

To filter for the required traffic, we can look at the mail protocols: smtp, pop, and imap. I opened the first PCAP:

sansforensics@as: ~/Downloads
$ sudo wireshark 2017-12-15-traffic-analysis-exercise-1-of-2.pcap
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'

When I opened the PCAP, I immediately saw the person’s name.

But let’s perform a simple search:

Now we know that the email 2017-12-14-malicious-email-1814-UTC.eml corresponds to the PCAP file 2017-12-15-traffic-analysis-exercise-1-of-2.pcap.

Let’s check it on VirusTotal:

  • Since the email already contains attachments, we can first analyze the main file and then decide what to do next.

  • We’ll start by checking the original email on VirusTotal and then look at the attachments.

The email:

  • Was confirmed to be malicious.

  • It is associated with the file Proforma Invoice P101092292891 TT slip pdf.rar.zip.

  • This is the same file we extracted from the email earlier:

Let’s check the hash for confirmation:

sansforensics@as: ~/Downloads/Mail-1
$ sha256sum Proforma+Invoice+P101092292891+TT+slip+pdf.rar.zip 
435bfc4c3a3c887fd39c058e8c11863d5dd1f05e0c7a86e232c93d0e979fdb28  Proforma+Invoice+P101092292891+TT+slip+pdf.rar.zip

Let’s look at some details. The ANY.RUN Sandbox already reported the following on VirusTotal:

  • ANY.RUN Sandbox Analysis:

  • Verdict: Malicious activity

  • Tags: attachments, attc-arch, arch-exec, formbook, xloader, stealer

  • C2: www.ellentscm.info/ob/

  • HTML Report: Link

  • Full analysis: Link

We’ve already seen how the email looks, and checking the ANY.RUN report, there are some important points to note:

  • The malware itself:

  • Verdict: Malicious Activity

  • Threats: FormBook (Data Stealer / Malware-as-a-Service)

MITRE ATT&CK:

| Tactic | Technique | Description |
|---|---|---|
| Initial Access | User Execution – Malicious File | The user opens a malicious file received via email. |
| Execution | Command & Scripting Interpreter – Windows Command Shell | Executes commands or scripts after infection. |
| Persistence / Discovery | Query Registry | Searches the registry for system information or settings. |
| Command & Control (C2) | Application Layer Protocol | The attacker communicates with the server to control the system and steal data. |

  • From this, we can determine how the attacker actually operates.

Now let’s examine the attachments themselves:

  • Findings from the analysis:

  • The file is not actually a PDF: it’s a compressed file (.rar.zip) containing an EXE disguised as a PDF.

  • The EXE executes FormBook (Stealer / Trojan).

  • It modifies the registry to achieve automatic execution (Persistence).

  • It establishes a C2 connection to: www.ellentscm.info/ob/

  • It injects itself into processes like Explorer.EXE, wuauclt.exe, and Firefox.exe.

  • FormBook presence confirmed in Memory Dumps.

  • Regarding MITRE ATT&CK (in summary):

| Tactic | Technique | Simplified Description |
|---|---|---|
| Initial Access | User Execution – Malicious File | The user opened the malicious file. |
| Execution | Command & Scripting Interpreter | Execution of the hidden EXE. |
| Persistence | Registry Run Keys / Autorun | Modifies the registry to run at startup. |
| Credential Access / Collection | Input Capture / Data Stealing | Steals user data from the browser and other sources. |
| Command & Control | Application Layer Protocol (HTTP) | Communicates with the C2 server. |

IOCs identified so far:

Email-related:

File-related:

  • File Name: Proforma Invoice P101092292891 TT slip pdf.rar.zip

  • Type: an .exe disguised as a PDF, packed inside a .rar.zip archive

  • SHA256: 435BFC4C3A3C887FD39C058E8C11863D5DD1F05E0C7A86E232C93D0E979FDB28

  • Malware Family: FormBook (Stealer / Trojan)

Network-related:

Behavior / Actions:

  • Disguises itself as a PDF while executing FormBook.

  • Injects itself into processes like Explorer.EXE, wuauclt.exe, Firefox.exe.

  • Modifies the registry to run automatically (Persistence).

We need to open the PCAP to answer some of the remaining questions:

  • Since the traffic volume is high, it’s better to use Wireshark Statistics to get an overview.

  • In particular, check Protocol Hierarchy to focus on relevant protocols such as HTTP and NetBIOS.

This helps isolate the traffic that might be associated with malware activity or C2 communication without manually sifting through all packets.

  • In Conversations, we can see that the highest traffic from all external IPs is directed to the private IP 10.1.1.97.

  • This indicates that 10.1.1.97 is the infected host communicating with multiple external endpoints, likely for C2 (Command & Control) or data exfiltration:

  • Endpoints: The highest traffic was observed from 10.1.1.97:

Now we can examine the machine that received the email by:

  • As we did above:

Almost all data is ready to answer the questions:

🔹 1. Identify the internal IP (infected host)

  • As we investigated before by checking the person who received the email and also looking at the highest traffic from Statistics > Conversations > IPv4,

  • The answer is: 10.1.1.97

🔹 2. Determine Start Time and End Time

  • UTC time:

  • View > Time Display Format > UTC Date and Time

  • Apply a filter for all traffic from the host: ip.addr == 10.1.1.97

  • Start: 23:01:01.786763

  • End: 23:17:14.566716

  • For malicious traffic only: (ip.addr == 10.1.1.97) && http

  • First malicious packet: 23:01:08.927284

  • Last malicious packet: 23:17:14.454769

🔹 3. Extract the MAC Address

  • Apply filter: ip.addr == 10.1.1.97 && dhcp

  • MAC Address: 00:22:15:d4:9a:e7

🔹 4. Extract the Hostname:

  • Apply filter: ip.addr == 10.1.1.97 && dhcp

  • Hostname: Chris-Lyons-PC
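
Both answers come from the same DHCP packet: the client MAC is the chaddr field and the hostname is option 12 (Host Name). The block below is an added example, not code from the post: it parses a DHCP payload (the UDP data that Wireshark decodes as DHCP) by hand and pulls out exactly those two fields. The sample packet is constructed in the block with the MAC and hostname found above; the xid is an arbitrary value.

```python
import struct

DHCP_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 7: "Release"}

def build_dhcp_request(mac: bytes, hostname: str, xid: int = 0x1234ABCD) -> bytes:
    """Constructed DHCP Request (UDP payload only), used here as sample input."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags,
    # then ciaddr/yiaddr/siaddr/giaddr all zero: 28 bytes in total.
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    fixed += mac.ljust(16, b"\0")          # chaddr: 16 bytes starting at offset 28
    fixed += b"\0" * 64 + b"\0" * 128      # sname and file fields, unused here
    opts = bytes([53, 1, 3])               # option 53: DHCP Message Type = Request
    opts += bytes([12, len(hostname)]) + hostname.encode()   # option 12: Host Name
    return fixed + DHCP_COOKIE + opts + b"\xff"              # 255 = End option

def parse_dhcp(payload: bytes) -> dict:
    """Extract the client MAC (chaddr) and the Host Name option from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP payload")
    hlen = payload[2]                      # hardware address length, 6 for Ethernet
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # walk the TLV options until End
        if payload[i] == 0:                          # option 0 is a one-byte pad
            i += 1
            continue
        tag, length = payload[i], payload[i + 1]
        options[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "xid": struct.unpack("!I", payload[4:8])[0],
        "msg_type": MSG_TYPES.get(options.get(53, b"\0")[0], "unknown"),
        "mac": mac,
        "hostname": options.get(12, b"").decode(errors="replace") or None,
    }
```

Only Discover/Request messages carry the client's own hostname; an Offer or Ack from the server will parse but leave `hostname` as None.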
🔹 5. What type(s) of malicious activity were observed?
  • Phishing / Malicious Email: A malicious email was sent to the employee (Chris Lyons) containing a compressed attachment.

  • Malware Execution – FormBook Stealer/Trojan: The attachment was a compressed file containing an EXE disguised as a PDF that downloads/executes FormBook (stealer/trojan).

  • Command & Control Traffic (C2): After execution, the infected host contacted an external C2 server at www.ellentscm.info/ob/ via HTTP.

  • Persistence + Credential Theft: The malware modified the registry to run at startup and began stealing data from applications and browsers.

🔹 6. Indicators of Compromise (IOCs)

| Category | Details |
|---|---|
| Email Info | From: LeHuong-accounts@gmail.com → To: chris.lyons@supercarcenterdetroit.com; Subject: Fw: Re: PI no. SO-P101092262891; Attachment: Proforma Invoice P101092292891 TT slip pdf.rar.zip |
| File IOCs | SHA256: 435bfc4c3a3c887fd39c058e8c11863d5dd1f05e0c7a86e232c93d0e979fdb28; Malware Family: FormBook Stealer / Trojan |
| Internal Host | IP: 10.1.1.97; MAC: 00:22:15:d4:9a:e7; Hostname: Chris-Lyons-PC |
| C2 | www.ellentscm.info/ob/ (HTTP) |
| Timestamps (UTC) | Malicious activity start: 2017-12-14 23:01:08; Malicious activity end: 2017-12-14 23:17:14 |

🔹 7. Summary

On December 14, 2017, around 23:03 UTC, the user Chris Lyons received a malicious email from LeHuong-accounts@gmail.com with the subject “Fw: Re: PI no. SO-P101092262891” containing a compressed attachment named “Proforma Invoice P101092292891 TT slip pdf.rar.zip”.

After opening the attachment and executing the hidden executable, FormBook Stealer/Trojan was downloaded and executed on the Windows host (IP: 10.1.1.97 – Hostname: Chris-Lyons-PC), initially running under Explorer.EXE.

The malware modified the registry for persistence, injected itself into system processes, and started communicating with an external C2 server at www.ellentscm.info/ob/.

Between 23:01:08 UTC and 23:17:14 UTC, C2 traffic and potential data exfiltration were observed.




Let’s start with the second PCAP:

First, check the email and extract its attachments, then analyze them on VirusTotal.

sansforensics@as: ~/Downloads/Mail-2
$ ls
 2017-12-14-malicious-email-2134-UTC.eml           
 2017-12-15-traffic-analysis-exercise-2-of-2.pcap
  • I’ve already looked at it; here’s how it appears directly:

  • There’s indeed a file inside:

sansforensics@as: ~/Downloads/Mail-2
$ ls
2017-12-14-malicious-email-2134-UTC.eml  2017-12-15-traffic-analysis-exercise-2-of-2.pcap  Black+Friday.zip

  • I uploaded the file to VirusTotal:

  • Consequently:

  • I will extract the compressed file and upload it again:

  • After a bit of research, I found that VirusTotal doesn’t provide much information, so I went to filescan.io, a free platform specialized in online malware analysis.

  • I discovered that it does the following:

  • Performs static + dynamic analysis.

  • Checks the file’s metadata.

  • Extracts IOCs (hashes, domains, IPs, mutexes, etc.).

  • From the research, I found some important details:

  • The file Black Friday.docx contains a VBA macro (a small program inside the Word document).

    • The macro runs automatically when the document is opened (if macros are enabled).

  • The macro code uses ADODB.Stream and WScript → a known method to download and execute files from the internet.

  • Executing the malicious file:

    • After downloading, the macro immediately runs sys.exe.

    • The malware executes and runs in the background.

  • Persistence (self-installation):

    • Ensures the malware survives device reboots or shutdowns.

    • Uses schtasks.exe to create a Scheduled Task that runs sys.exe automatically at startup.

The Black+Friday.zip is just a wrapper → inside is a Word document with a macro → the macro downloads and runs sys.exe → sys.exe installs itself and runs as malware.

Starting with the PCAP:

  • Based on the email data we know:

  • From: Black Friday Shopping Voucher admin367847@airmail.cc

  • To: darnell@castillomotorsports.com

  • Sent time: 14 Dec, 2017 9:34:24 PM

  • Note: I already performed the general analyses as in the previous case, so we can start directly with answering the questions.

  • From analysis, the network used SMB and HTTP protocols.

  • The highest private IP interaction was 10.1.1.213, which communicated with several external IPs.

  • The largest traffic was between 10.1.1.213 and external IPs: 185.92.222.9 and 108.61.179.223.

🔹 1. Identifying the victim machine:

  • Since the target’s name is darnell, I searched using HTTP traffic:

  • I initially tried Find, but it failed.

  • So I used the Wireshark filter http contains "darnell" to locate the device.

  • Therefore, the IP address of the Windows host in the PCAP:

  • IP: 10.1.1.213

🔹 2. The MAC address of the Windows host in the PCAP:

  • Can be found from any packet involving the infected host 10.1.1.213

  • MAC: 00:08:7c:39:da:12

🔹 3. The hostname of the Windows host in the PCAP:

  • Can be obtained from DHCP packets or NetBIOS/SMB name queries in the capture:

  • Hostname: Darnell-PC

🔹 4. Malicious activity timestamps (UTC):

  • Start: 00:35:07.870952

  • End: 00:50:27.064062

🔹 5. Types of Malicious Activity Observed

  • Malware infection via email attachment: The user received an email containing a Word file (Black Friday.docx) with a malicious VBA macro.

  • Malware download & execution: The macro downloaded the file sys.exe from the internet (https://forum.cryptopia.gdn/sys.exe) and placed it in %APPDATA%\Roaming\sys.exe, then executed it.

  • Persistence mechanism: The malware established persistence using schtasks.exe to create a Scheduled Task that runs automatically at each system startup.

  • Network communication / C2 activity: The infected host communicated with multiple external IPs (185.92.222.9 and 108.61.179.223) over HTTP, and possibly SMB, to exfiltrate data or receive commands.

🔹 6. Indicators of the Malicious Activity (IOCs)

  • Victim IP address: 10.1.1.213

  • MAC address: 00:08:7c:39:da:12

  • Hostname: Darnell-PC

  • Malicious attachment: Black Friday.docx

  • Downloaded malware: sys.exe

  • Download URL / Domain: https://forum.cryptopia.gdn/sys.exe

  • External IPs contacted: 185.92.222.9, 108.61.179.223

  • Scheduled Task persistence: created via schtasks.exe

  • Hashes (from extracted files):

  • Black Friday.docx → SHA256: a7447db99ba60c2f7bfd9e9bcfadfb05a4fc0ea214450b76ea85d386db1f727b

🔹 7. Summary of What Happened

  1. The user Darnell received an email from: Black Friday Shopping Voucher <admin367847@airmail.cc> on 14 Dec 2017 21:34:24 UTC.

  2. The email contained a compressed Word file (Black+Friday.zip → Black Friday.docx) with a malicious macro.

  3. Upon opening the file, the macro downloaded the malicious file sys.exe from the Internet and saved it to %APPDATA%\Roaming\.

  4. The macro immediately executed the malware, which began running commands in the background on the system.

  5. The malware established persistence via a Scheduled Task to run automatically at each system startup, with remote control via TeamViewer.

  6. The infected host (10.1.1.213 / Darnell-PC) communicated with several suspicious external IPs (185.92.222.9, 108.61.179.223) over HTTP and possibly SMB for data transfer or to receive commands from the attacker.

  7. The malicious activity was observed between 00:35:07 UTC and 00:50:27 UTC in the PCAP.


💬 "Control the code, and you control the world." 🔐 From wiping metadata to gaining root access — every step is documented and my goal is to deeply understand the system, not just hack!

Abdelwahab Shandy


11-09-2025