analyzing-network-traffic-of-malware

Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.

16 stars

byplurigrid

View on GitHub Installation ↓

Best use case

analyzing-network-traffic-of-malware is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using analyzing-network-traffic-of-malware should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/analyzing-network-traffic-of-malware/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/analyzing-network-traffic-of-malware/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/analyzing-network-traffic-of-malware/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How analyzing-network-traffic-of-malware Compares

Feature / Agent	analyzing-network-traffic-of-malware	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Analyzing Network Traffic of Malware

## When to Use

- Sandbox execution has captured a PCAP file and the network behavior needs detailed analysis
- Identifying the C2 protocol structure for writing network detection signatures
- Determining what data the malware exfiltrates and to which external infrastructure
- Analyzing DNS tunneling, domain generation algorithms (DGA), or fast-flux behavior
- Creating Suricata/Snort signatures based on observed malware network patterns

**Do not use** for host-based analysis of malware behavior; use Cuckoo sandbox reports or Volatility memory analysis for process-level activity.

## Prerequisites

- Wireshark 4.x installed for interactive PCAP analysis
- tshark (Wireshark CLI) for scripted packet extraction
- Zeek installed for automated metadata generation from PCAPs
- Suricata with ET Open/ET Pro rulesets for signature matching
- NetworkMiner for file extraction and credential detection from PCAPs
- Python 3.8+ with `scapy` and `dpkt` for programmatic packet analysis

## Workflow

### Step 1: Initial PCAP Overview

Get a high-level understanding of the network traffic:

```bash
# Capture statistics
capinfos malware.pcap

# Protocol hierarchy
tshark -r malware.pcap -q -z io,phs

# Endpoint statistics (top talkers)
tshark -r malware.pcap -q -z endpoints,ip

# Conversation statistics
tshark -r malware.pcap -q -z conv,tcp

# DNS query summary
tshark -r malware.pcap -q -z dns,tree
```

### Step 2: Analyze DNS Activity

Examine DNS queries for DGA, tunneling, or C2 domain resolution:

```bash
# Extract all DNS queries
tshark -r malware.pcap -T fields -e frame.time -e dns.qry.name -e dns.a \
  -Y "dns.flags.response == 1" | sort

# Detect DGA patterns (high entropy domain names)
python3 << 'PYEOF'
import math
from collections import Counter

def entropy(s):
    p = [n/len(s) for n in Counter(s).values()]
    return -sum(pi * math.log2(pi) for pi in p if pi > 0)

# Parse DNS queries from tshark output
import subprocess
result = subprocess.run(
    ["tshark", "-r", "malware.pcap", "-T", "fields", "-e", "dns.qry.name",
     "-Y", "dns.flags.response == 0"],
    capture_output=True, text=True
)

domains = set(result.stdout.strip().split('\n'))
print("Suspicious DNS queries (high entropy):")
for domain in domains:
    if domain:
        subdomain = domain.split('.')[0]
        ent = entropy(subdomain)
        if ent > 3.5 and len(subdomain) > 10:
            print(f"  {domain} (entropy: {ent:.2f})")
PYEOF

# Detect DNS tunneling (large TXT responses)
tshark -r malware.pcap -T fields -e dns.qry.name -e dns.txt \
  -Y "dns.resp.type == 16 and dns.resp.len > 100"
```

### Step 3: Analyze HTTP/HTTPS C2 Communication

Examine web-based command-and-control traffic:

```bash
# Extract HTTP requests
tshark -r malware.pcap -T fields \
  -e frame.time -e ip.src -e ip.dst -e http.host \
  -e http.request.method -e http.request.uri -e http.user_agent \
  -Y "http.request"

# Extract HTTP response bodies (potential payload downloads)
tshark -r malware.pcap -T fields \
  -e http.host -e http.request.uri -e http.content_type -e tcp.len \
  -Y "http.response and tcp.len > 1000"

# Extract POST data (potential exfiltration)
tshark -r malware.pcap -T fields \
  -e http.host -e http.request.uri -e http.file_data \
  -Y "http.request.method == POST"

# TLS analysis (SNI, JA3 fingerprints)
tshark -r malware.pcap -T fields \
  -e tls.handshake.extensions_server_name \
  -e tls.handshake.ja3 \
  -Y "tls.handshake.type == 1"

# Extract TLS certificate details
tshark -r malware.pcap -T fields \
  -e x509ce.dNSName -e x509af.serialNumber \
  -e x509sat.utf8String \
  -Y "tls.handshake.type == 11"

# Export HTTP objects (downloaded files)
tshark -r malware.pcap --export-objects http,exported_files/
```

### Step 4: Detect Beaconing Patterns

Identify regular periodic communication indicating C2 beaconing:

```python
# Beacon detection from PCAP
from scapy.all import rdpcap, IP, TCP
from collections import defaultdict
import statistics

packets = rdpcap("malware.pcap")

# Group connections by destination IP:port
connections = defaultdict(list)
for pkt in packets:
    if IP in pkt and TCP in pkt:
        if pkt[TCP].flags & 0x02:  # SYN flag
            dst = f"{pkt[IP].dst}:{pkt[TCP].dport}"
            connections[dst].append(float(pkt.time))

# Analyze timing intervals for beaconing
print("Beacon Analysis:")
for dst, times in connections.items():
    if len(times) >= 5:
        intervals = [times[i+1] - times[i] for i in range(len(times)-1)]
        avg = statistics.mean(intervals)
        stdev = statistics.stdev(intervals) if len(intervals) > 1 else 0
        jitter = (stdev / avg * 100) if avg > 0 else 0

        if 10 < avg < 3600 and jitter < 30:  # Regular interval with < 30% jitter
            print(f"  [!] {dst}: {len(times)} connections")
            print(f"      Interval: {avg:.1f}s ± {stdev:.1f}s (jitter: {jitter:.1f}%)")
            print(f"      Pattern: LIKELY BEACONING")
```

### Step 5: Generate Network Detection Signatures

Create Suricata/Snort rules from observed traffic patterns:

```bash
# Run Suricata against the PCAP for existing signature matches
suricata -r malware.pcap -l suricata_output/ -c /etc/suricata/suricata.yaml

# Review alerts
cat suricata_output/fast.log

# Create custom Suricata rule from observed patterns
cat << 'EOF' > custom_malware.rules
# C2 beacon detection based on observed URI pattern
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"MALWARE MalwareX C2 Beacon";
    flow:established,to_server;
    http.method; content:"POST";
    http.uri; content:"/gate.php?id=";
    http.user_agent; content:"Mozilla/5.0 (compatible; MSIE 10.0)";
    sid:9000001; rev:1;
)

# DNS query for known C2 domain
alert dns $HOME_NET any -> any any (
    msg:"MALWARE MalwareX C2 DNS Query";
    dns.query; content:"update.malicious.com";
    sid:9000002; rev:1;
)

# JA3 hash match for malware TLS client
alert tls $HOME_NET any -> $EXTERNAL_NET any (
    msg:"MALWARE MalwareX JA3 Match";
    ja3.hash; content:"a0e9f5d64349fb13191bc781f81f42e1";
    sid:9000003; rev:1;
)
EOF
```

### Step 6: Extract Files and Artifacts from Traffic

Recover transferred files and embedded data:

```bash
# Extract files using Zeek
zeek -r malware.pcap /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
ls extract_files/

# Extract files using NetworkMiner (GUI)
# Or use tshark for specific protocol exports
tshark -r malware.pcap --export-objects http,http_objects/
tshark -r malware.pcap --export-objects smb,smb_objects/
tshark -r malware.pcap --export-objects tftp,tftp_objects/

# Hash all extracted files
sha256sum http_objects/* smb_objects/* 2>/dev/null

# Generate Zeek logs for comprehensive metadata
zeek -r malware.pcap
# Output: conn.log, dns.log, http.log, ssl.log, files.log, etc.
```

## Key Concepts

| Term | Definition |
|------|------------|
| **Beaconing** | Regular periodic connections from malware to C2 server, identifiable by consistent time intervals and packet sizes |
| **JA3/JA3S** | TLS fingerprinting method creating a hash from ClientHello/ServerHello parameters to uniquely identify malware TLS implementations |
| **DGA (Domain Generation Algorithm)** | Algorithm generating pseudo-random domain names that malware queries to locate C2 servers, evading static domain blocklists |
| **DNS Tunneling** | Encoding data in DNS queries and responses to establish a C2 channel or exfiltrate data through DNS infrastructure |
| **Fast Flux** | DNS technique rapidly rotating IP addresses for a domain to avoid takedown and distribute C2 across many compromised hosts |
| **SNI (Server Name Indication)** | TLS extension revealing the hostname the client is connecting to; visible even in encrypted HTTPS connections |
| **Network Signature** | Suricata/Snort rule matching specific patterns in network traffic (headers, payloads, timing) to detect malicious communications |

## Tools & Systems

- **Wireshark**: Open-source packet analyzer for deep interactive inspection of network traffic at the protocol level
- **Zeek**: Network analysis framework generating structured metadata logs (conn, dns, http, ssl) from live or captured traffic
- **Suricata**: High-performance network IDS/IPS for signature-based detection with Lua scripting for custom detection logic
- **NetworkMiner**: Network forensic analysis tool for extracting files, images, and credentials from PCAP files
- **Scapy**: Python packet manipulation library for programmatic packet analysis, beacon detection, and protocol decoding

## Common Scenarios

### Scenario: Decoding a Custom Binary C2 Protocol

**Context**: Malware communicates with its C2 server using a custom binary protocol over TCP port 8443. Standard HTTP analysis yields no results. The protocol structure needs to be reverse engineered from the PCAP.

**Approach**:
1. Filter the PCAP for TCP port 8443 conversations and follow the TCP stream
2. Identify the message framing (length prefix, delimiter, fixed-size headers)
3. Compare multiple messages to identify static header fields vs variable data fields
4. Cross-reference with reverse engineering findings from Ghidra (if the binary was analyzed)
5. Write a Wireshark dissector or Scapy parser for the custom protocol
6. Create Suricata rules matching the static header bytes for network detection
7. Document the full protocol specification for threat intelligence sharing

**Pitfalls**:
- Analyzing only the first few packets; some C2 protocols change behavior after initial handshake
- Not decrypting TLS traffic when the sandbox has MITM capabilities
- Confusing legitimate CDN or cloud traffic with C2 (validate destination IPs)
- Missing C2 traffic that uses DNS or ICMP instead of TCP/UDP

## Output Format

```
MALWARE NETWORK TRAFFIC ANALYSIS
===================================
PCAP File:        malware_sandbox.pcap
Duration:         300 seconds
Total Packets:    12,847
Total Bytes:      4.2 MB

DNS ACTIVITY
Total Queries:    47
DGA Detected:     Yes (23 high-entropy queries to .com TLD)
Tunneling:        No
Resolved C2:      update.malicious[.]com -> 185.220.101[.]42

C2 COMMUNICATION
Protocol:         HTTPS (TLS 1.2)
Server:           185.220.101[.]42:443
SNI:              update.malicious[.]com
JA3 Hash:         a0e9f5d64349fb13191bc781f81f42e1
Beacon Interval:  60.2s ± 6.8s (11.3% jitter)
Total Sessions:   237
Data Sent:        147 MB
Data Received:    2.3 MB
Certificate:      CN=update.malicious[.]com (self-signed, expired)

PAYLOAD DOWNLOADS
GET /payload.dll from compromised-site[.]com
  Size: 98,304 bytes
  SHA-256: abc123def456...
  Content-Type: application/octet-stream

EXFILTRATION
Method:           HTTPS POST to /gate.php
Content-Type:     application/octet-stream
Average Size:     15,432 bytes per request
Total Volume:     147 MB over 4 hours

SURICATA ALERTS
[1:2028401] ET MALWARE Generic C2 Beacon Pattern
[1:2028500] ET POLICY Self-Signed Certificate

GENERATED SIGNATURES
SID 9000001: MalwareX HTTP beacon pattern
SID 9000002: MalwareX DNS C2 domain
SID 9000003: MalwareX JA3 TLS fingerprint
```

Related Skills

scanning-network-with-nmap-advanced

from plurigrid/asi

Performs advanced network reconnaissance using Nmap's scripting engine, timing controls, evasion techniques, and output parsing to discover hosts, enumerate services, detect vulnerabilities, and fingerprint operating systems across authorized target networks.

reverse-engineering-rust-malware

from plurigrid/asi

Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated strings, crate dependency extraction, and Rust-specific control flow analysis.

reverse-engineering-malware-with-ghidra

from plurigrid/asi

Reverse engineers malware binaries using NSA's Ghidra disassembler and decompiler to understand internal logic, cryptographic routines, C2 protocols, and evasion techniques at the assembly and pseudo-C level. Activates for requests involving malware reverse engineering, disassembly analysis, decompilation, binary analysis, or understanding malware internals.

reverse-engineering-dotnet-malware-with-dnspy

from plurigrid/asi

Reverse engineers .NET malware using dnSpy decompiler and debugger to analyze C#/VB.NET source code, identify obfuscation techniques, extract configurations, and understand malicious functionality including stealers, RATs, and loaders. Activates for requests involving .NET malware analysis, C# malware decompilation, managed code reverse engineering, or .NET obfuscation analysis.

reverse-engineering-android-malware-with-jadx

from plurigrid/asi

Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify malicious functionality including data theft, C2 communication, privilege escalation, and overlay attacks. Examines manifest permissions, receivers, services, and native libraries. Activates for requests involving Android malware analysis, APK reverse engineering, mobile malware investigation, or Android threat analysis.

performing-wireless-network-penetration-test

from plurigrid/asi

Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.

performing-static-malware-analysis-with-pe-studio

from plurigrid/asi

Performs static analysis of Windows PE (Portable Executable) malware samples using PEStudio to examine file headers, imports, strings, resources, and indicators without executing the binary. Identifies suspicious characteristics including packing, anti-analysis techniques, and malicious imports. Activates for requests involving static malware analysis, PE file inspection, Windows executable analysis, or pre-execution malware triage.

performing-ot-network-security-assessment

from plurigrid/asi

This skill covers conducting comprehensive security assessments of Operational Technology (OT) networks including SCADA systems, DCS architectures, and industrial control system communication paths. It addresses the Purdue Reference Model layers, identifies IT/OT convergence risks, evaluates firewall rules between zones, and maps industrial protocol traffic (Modbus, DNP3, OPC UA, EtherNet/IP) to detect misconfigurations, unauthorized connections, and attack surfaces in critical infrastructure.

performing-network-traffic-analysis-with-zeek

from plurigrid/asi

Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.

performing-network-traffic-analysis-with-tshark

from plurigrid/asi

Automate network traffic analysis using tshark and pyshark for protocol statistics, suspicious flow detection, DNS anomaly identification, and IOC extraction from PCAP files

performing-network-packet-capture-analysis

from plurigrid/asi

Perform forensic analysis of network packet captures (PCAP/PCAPNG) using Wireshark, tshark, and tcpdump to reconstruct network communications, extract transferred files, identify malicious traffic, and establish evidence of data exfiltration or command-and-control activity.

performing-network-forensics-with-wireshark

from plurigrid/asi

Capture and analyze network traffic using Wireshark and tshark to reconstruct network events, extract artifacts, and identify malicious communications.