[ Response to the traffic analysis exercise: Finding the root cause ]

In these lines you will find my findings about the exercise launched by Brad Duncan (@malware_traffic).

The exercise consists of analyzing a network capture (pcap) from an infected computer and answering the following questions:

  • Date and time of the activity.
  • The infected computer’s IP address.
  • The infected computer’s MAC address.
  • The infected computer’s host name.
  • The infected computer’s operating system.
  • Domains and IP addresses of any infection traffic.
  • The root cause (what is the likely cause of the infection noted in the pcap).

The web page with the full information about this exercise is here: http://malware-traffic-analysis.net/2015/09/23/index.html

So, let me share with you my comments and findings:

Summary covering the incident.

On Tuesday 2015-09-22 at 17:32 UTC the Windows computer named PENDJIEK-PC was powered on. Immediately, the computer got in contact with a malicious web server on the Internet. This malicious web site has been identified as being used by cybercriminals to steal banking information and to carry out other criminal tasks, and it is also used to install some versions of the CryptoLocker ransomware.

The infected computer.

Host name: PENDJIEK-PC.
MAC address: 00:50:8b:01:db:2f (Hewlett-_01:db:2f).
OS: Windows 7.

Indicators of compromise: port 80 (HTTP) – classicalbitu.com – ZeuS C&C.

  • 2015-09-22 – 17:32:14 – The computer was powered on. An IP address was requested via DHCP.
  • 2015-09-22 – 17:32:17 – The DHCP server assigned the IP address.
  • 2015-09-22 – 17:32:34 – The computer ran an automatic routine to verify Internet connectivity. The test was successful.
  • 2015-09-22 – 17:41:15 – The computer tried to resolve the IP address of the ZeuS C&C web server. The resolution was successful.
  • 2015-09-22 – 17:41:16 – The computer downloaded a JPEG image called config.jpg with hidden instructions.
  • 2015-09-22 – 17:41:25 – The computer started to exchange encrypted (or obfuscated) information with the malicious web site.
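As an added example (not the author's tooling and not the exercise's pcap), the following Python builds a constructed three-frame capture that mirrors the timeline above and pulls out of it the same artefacts the write-up reports: the client MAC and host name from the DHCP request, the queried domain from the DNS lookup, and the request line plus Host header from the HTTP GET. The MAC, host name, domain and URI come from this page; the IP addresses 10.0.0.10, 10.0.0.1 and 198.51.100.7 and the gateway MAC are placeholders I made up, and the packet builders leave IP/UDP/TCP checksums at zero because the parser never verifies them.

```python
"""Added example: construct a three-frame pcap (DHCP request, DNS query, HTTP GET)
in memory and extract from it the artefacts a traffic-analysis write-up reports.
Addresses 10.0.0.10 / 10.0.0.1 / 198.51.100.7 and the gateway MAC are constructed."""
import struct
from datetime import datetime, timezone as tz

CLIENT_MAC = bytes.fromhex("00508b01db2f")   # MAC reported in the write-up
GW_MAC = bytes.fromhex("001122334455")       # constructed gateway MAC

def ether(src, dst, payload):
    return dst + src + b"\x08\x00" + payload    # EtherType 0x0800 = IPv4
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def tcp(sport, dport, payload):   # 20-byte header (data offset 5), flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def ipv4(src, dst, proto, payload):   # minimal header, checksum left zero
    a = lambda s: bytes(map(int, s.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, a(src), a(dst)) + payload

def dhcp_request(hostname):   # BOOTP fixed part (236 bytes) + cookie + options
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                        b"", b"", b"", b"", CLIENT_MAC, b"", b"")
    # option 53 = DHCPREQUEST, option 12 = host name, 255 = end
    opts = b"\x63\x82\x53\x63\x35\x01\x03" + bytes([12, len(hostname)]) + hostname.encode() + b"\xff"
    return ether(CLIENT_MAC, b"\xff" * 6,
                 ipv4("0.0.0.0", "255.255.255.255", 17, udp(68, 67, bootp + opts)))

def dns_query(name):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    dns = struct.pack("!HHHHHH", 0xbeef, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return ether(CLIENT_MAC, GW_MAC, ipv4("10.0.0.10", "10.0.0.1", 17, udp(49152, 53, dns)))
def http_get(host, path):
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    return ether(CLIENT_MAC, GW_MAC, ipv4("10.0.0.10", "198.51.100.7", 6, tcp(49153, 80, req)))

def build_pcap():   # little-endian pcap, magic a1b2c3d4, link type 1 = Ethernet
    frames = [(datetime(2015, 9, 22, 17, 32, 14, tzinfo=tz.utc), dhcp_request("PENDJIEK-PC")),
              (datetime(2015, 9, 22, 17, 41, 15, tzinfo=tz.utc), dns_query("classicalbitu.com")),
              (datetime(2015, 9, 22, 17, 41, 16, tzinfo=tz.utc), http_get("classicalbitu.com", "/config.jpg"))]
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for t, f in frames:
        out += struct.pack("<IIII", int(t.timestamp()), 0, len(f), len(f)) + f
    return out

def dhcp_option(opts, code):   # value of option `code` from a TLV list (pads handled), or None
    i = 0
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:
            i += 1
            continue
        if opts[i] == code:
            return opts[i + 2:i + 2 + opts[i + 1]].decode(errors="replace")
        i += 2 + opts[i + 1]
    return None

def dns_qname(q):   # first question name; a query carries no compression pointers
    labels, i = [], 0
    while q[i]:
        labels.append(q[i + 1:i + 1 + q[i]].decode())
        i += 1 + q[i]
    return ".".join(labels)

def parse_pcap(data):
    """Walk the capture; return (timeline events, indicators) the way the write-up lists them."""
    assert struct.unpack("<I", data[:4])[0] == 0xa1b2c3d4, "little-endian pcap expected"
    events, iocs = [], {"macs": set(), "hostnames": set(), "domains": set(), "http": []}
    off = 24
    while off + 16 <= len(data):
        sec, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        when = datetime.fromtimestamp(sec, tz.utc).strftime("%Y-%m-%d %H:%M:%S")
        src_mac = frame[6:12].hex(":")
        if frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        l4, proto = ip[(ip[0] & 0x0f) * 4:], ip[9]
        src_ip = ".".join(map(str, ip[12:16]))
        if proto == 17:                                # UDP: DHCP or DNS
            dport, payload = struct.unpack("!H", l4[2:4])[0], l4[8:]
            if dport == 67 and payload[236:240] == b"\x63\x82\x53\x63":
                name = dhcp_option(payload[240:], 12)
                iocs["macs"].add(src_mac); iocs["hostnames"].add(name)
                events.append((when, f"DHCP request from {src_mac}, host name {name}"))
            elif dport == 53:
                qname = dns_qname(payload[12:])
                iocs["domains"].add(qname)
                events.append((when, f"{src_ip} DNS query for {qname}"))
        elif proto == 6:                               # TCP: plain HTTP request?
            payload = l4[(l4[12] >> 4) * 4:]
            if payload.startswith((b"GET ", b"POST ")):
                line, _, rest = payload.partition(b"\r\n")
                hdrs = dict(h.split(b": ", 1) for h in rest.split(b"\r\n") if b": " in h)
                req = f"{line.decode()} Host={hdrs.get(b'Host', b'').decode()}"
                iocs["http"].append(req)
                events.append((when, f"{src_ip} HTTP {req}"))
    return events, iocs
```

Calling `parse_pcap(build_pcap())` yields the three timeline entries with their UTC timestamps and an indicator set containing the MAC, the host name, the domain and the HTTP request. On a real capture the same walk shows why a DHCP request is the quickest source for a host name and MAC, and why the DNS query and HTTP Host header, rather than only the destination IP, identify the domain to block.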

Traffic review and responses.

Date and time of the activity: the activity took place between 17:32:14 and 17:57:28 on Tuesday 2015-09-22.


The IP, MAC address and host name of the infected computer.

The infected computer’s operating system (Windows 7).

Domains and IP addresses of any infection traffic: port 80 (HTTP), classicalbitu.com.

Web traffic analysis.

IP address location (made with the Wireshark map function).

Image downloaded (potentially with hidden instructions).

Original image (includes metadata).

Network servers in a data center. Swallow depth of Field

Image metadata analysis (extract).

Final words.

According to Symantec, this kind of malware is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be used.

I think this capture does not include the initial infection process and only reflects the traffic of a computer already infected. This is my opinion; what do you think?

Have a great day.
