Malware Presence Confirmation using Network Traffic Analysis
Introduction
In today's interconnected digital environment, malware has evolved to use sophisticated techniques such as encrypted communication, domain obfuscation, and distributed command-and-control (C2) infrastructure to evade detection. Traditional signature-based detection methods are often insufficient to identify such threats, making network traffic analysis a critical component of modern cybersecurity.
This study focuses on confirming the presence of malware within a network by analyzing packet capture (PCAP) data using Wireshark. By examining DNS queries, TCP connections, TLS handshakes, and traffic patterns, the analysis aims to identify anomalies that indicate malicious activity. Special emphasis is placed on detecting indicators such as typosquatted domains, persistent encrypted communication, abnormal data transfer patterns, and beaconing behavior.
The objective of this investigation is not only to detect suspicious activity but also to reconstruct the behavior of the malware, understand its communication mechanisms, and provide evidence-based conclusions regarding its presence within the system.
Objectives
- To analyze network traffic captured in a PCAP file using Wireshark in order to identify abnormal communication patterns.
- To detect and investigate suspicious domains and IP addresses, including identifying techniques such as typosquatting and malicious domain resolution.
- To examine encrypted and unencrypted network traffic (HTTP/TLS) to identify potential command-and-control (C2) communication and evasion techniques.
- To analyze traffic behavior such as data transfer volume, session duration, and connection patterns in order to identify indicators of data exfiltration and malware persistence.
- To reconstruct the attack flow and confirm the presence of malware based on multiple network-level indicators and evidence.
PCAP Details
The network traffic analyzed in this study was obtained from the Malware Traffic Analysis repository:
PCAP Download Link:
https://www.malware-traffic-analysis.net/2025/01/22/index.html
This packet capture file represents a real-world infection scenario in which a user downloaded a malicious file disguised as Google Authenticator software. The environment consists of a corporate LAN (10.1.17.0/24) within the domain bluemoontuesday.com, where a Windows host was compromised after interacting with a fake software distribution website.
According to the analysis, the infected host (10.1.17.215) communicated with multiple external servers, including suspicious domains and command-and-control (C2) infrastructure. The traffic includes DNS queries, HTTP and HTTPS communication, TLS handshakes, and sustained data transfer, providing strong evidence of malware activity and post-infection behavior.
Architecture
Procedure
The analysis of the PCAP file was performed using Wireshark following a structured methodology to identify indicators of compromise (IoCs) and confirm the presence of malware.
- Initial Traffic Overview — The PCAP file was opened in Wireshark, and overall traffic characteristics were examined using tools such as Protocol Hierarchy and Endpoint Statistics to identify anomalies within the network.
- Identification of Suspicious Host — Using Statistics → Endpoints → IPv4, internal hosts were analyzed based on traffic volume. A single host (10.1.17.215) exhibited significantly higher communication compared to others, marking it as potentially compromised.
- DNS Traffic Analysis — DNS activity from the suspected host was filtered using `dns && ip.addr == 10.1.17.215`. Suspicious domains were identified and examined for indicators such as typosquatting and unusual naming patterns.
- Domain Resolution Analysis — The identified suspicious domain (authenticatoor.org) was traced to its resolved IP address to identify the associated external infrastructure.
- Connection Establishment Analysis — TCP connections between the host and external IP addresses were analyzed using filters such as `ip.addr == <external IP>` to observe session initiation, duration, and communication frequency.
- TLS Traffic Inspection — Encrypted traffic was examined by analyzing TLS handshakes and extracting Server Name Indication (SNI) fields to identify domains involved in encrypted communication.
- Traffic Behavior Analysis — Network behavior was analyzed based on session duration, packet size distribution, data transfer volume, and bidirectional communication patterns to detect characteristics associated with C2 activity and potential data exfiltration.
- Statistical and Conversation Analysis — Wireshark's Statistics → Conversations → TCP feature was used to identify long-duration sessions, repeated connections, and high-volume data exchanges with external servers.
- Identification of Indicators of Compromise — Multiple anomalies were identified, including communication over non-standard ports, repeated short-duration connections (beaconing), large data transfers, and interaction with multiple external IP addresses.
- Correlation and Validation — All observations were correlated to reconstruct the attack behavior and validate the presence of malware using consistent and multi-layered network evidence.
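The same triage can be scripted so that it repeats identically on the next capture. The following is an added example, not code from the report or from Wireshark: it reads the kind of tab-separated lines that `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e frame.len` prints, then reproduces the Endpoints ranking (step 2), the external-traffic check, the TCP Conversations table (step 8) and the port/volume flags (step 9). The packets in `SAMPLE` are constructed for the example and are not taken from the 2025-01-22 capture; the LAN range and the three external addresses come from the report, while `EXPECTED_PORTS` and `LARGE_BYTES` are assumed thresholds.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample shaped like the output of
#   tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst \
#          -e tcp.srcport -e tcp.dstport -e frame.len
# The packets are invented for this example; they are not from the 2025-01-22 capture.
SAMPLE = """\
1737500000.10\t10.1.17.215\t82.221.136.26\t49712\t443\t583
1737500000.20\t82.221.136.26\t10.1.17.215\t443\t49712\t1454
1737500000.40\t10.1.17.215\t82.221.136.26\t49712\t443\t1454
1737500005.00\t10.1.17.215\t5.252.153.241\t49720\t80\t420
1737500005.10\t5.252.153.241\t10.1.17.215\t80\t49720\t1454
1737500005.20\t5.252.153.241\t10.1.17.215\t80\t49720\t1454
1737500010.00\t10.1.17.215\t45.125.66.32\t49731\t2917\t74
1737500010.05\t45.125.66.32\t10.1.17.215\t2917\t49731\t74
1737500001.00\t10.1.17.22\t10.1.17.2\t50001\t445\t180
1737500002.00\t10.1.17.2\t10.1.17.22\t445\t50001\t210
"""
LAN = ip_network("10.1.17.0/24")   # corporate LAN named in the report
EXPECTED_PORTS = {53, 80, 443}     # assumed: ports the report treats as standard
LARGE_BYTES = 1_000_000            # assumed threshold for a "high-volume" conversation


def parse_records(text):
    """tshark field lines -> (ts, src, dst, sport, dport, length) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, sport, dport, length = line.split("\t")
            records.append((float(ts), src, dst, int(sport), int(dport), int(length)))
    return records


def is_internal(addr):
    return ip_address(addr) in LAN


def top_talkers(records):
    """Bytes per internal host, highest first (cf. Statistics -> Endpoints -> IPv4)."""
    volume = defaultdict(int)
    for _, src, dst, _, _, length in records:
        for host in (src, dst):
            if is_internal(host):
                volume[host] += length
    return sorted(volume.items(), key=lambda kv: kv[1], reverse=True)


def external_ratio(records, host):
    """Share of the host's bytes exchanged with addresses outside the LAN."""
    total = external = 0
    for _, src, dst, _, _, length in records:
        if host in (src, dst):
            peer = dst if src == host else src
            total += length
            external += length if not is_internal(peer) else 0
    return external / total if total else 0.0


def tcp_conversations(records):
    """(client, server, server_port) -> packets, bytes, first, last, duration,
    restricted to LAN <-> external pairs (cf. Statistics -> Conversations -> TCP)."""
    conv = {}
    for ts, src, dst, sport, dport, length in records:
        if is_internal(src) and not is_internal(dst):
            key = (src, dst, dport)        # client -> server: dport is the service port
        elif is_internal(dst) and not is_internal(src):
            key = (dst, src, sport)        # server -> client: sport is the service port
        else:
            continue                       # purely internal or purely external
        c = conv.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        c["packets"] += 1
        c["bytes"] += length
        c["first"], c["last"] = min(c["first"], ts), max(c["last"], ts)
    for c in conv.values():
        c["duration"] = round(c["last"] - c["first"], 3)
    return conv


def flag_conversations(conv):
    """(key, reason) pairs for the anomalies the procedure looks for in step 9."""
    flags = []
    for key, c in conv.items():
        if key[2] not in EXPECTED_PORTS:
            flags.append((key, "non-standard port"))
        if c["bytes"] >= LARGE_BYTES:
            flags.append((key, "high-volume transfer"))
    return flags


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    host, _ = top_talkers(recs)[0]
    print("top talker:", host, "external ratio:", round(external_ratio(recs, host), 2))
    for key, reason in flag_conversations(tcp_conversations(recs)):
        print("FLAG", key, reason)
```

On the constructed sample the top talker is 10.1.17.215 with all of its bytes going outside the LAN, and the only flag raised is the 2917 conversation with 45.125.66.32; the 5 MB HTTP transfer the report describes would trip the `LARGE_BYTES` check on a full capture. The same counts can be cross-checked in Wireshark by applying `ip.addr == 10.1.17.215` before opening the Conversations window.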
Malware Attack Narrative
The network traffic analysis reveals a structured sequence of events indicative of a malware infection within the internal network.
The investigation began with the identification of an anomalous host (10.1.17.215), which exhibited unusually high outbound communication compared to other systems. This deviation from normal traffic patterns served as the initial indicator of compromise.
Subsequent DNS analysis showed that the host queried a domain named authenticatoor.org, a clear example of typosquatting designed to mimic a legitimate service (Google Authenticator). The domain resolved to an external IP address (82.221.136.26), indicating communication with potentially malicious infrastructure.
Immediately following domain resolution, the host initiated a TLS-encrypted connection over port 443. Analysis of the TLS handshake revealed that the Server Name Indication (SNI) field contained the same suspicious domain, confirming that the encrypted communication was directed toward the identified malicious server.
Further inspection of network behavior revealed sustained and structured communication between the host and external servers. This included continuous bidirectional data exchange, consistent packet transmission patterns, and long-duration sessions, all of which are characteristic of command-and-control (C2) activity.
In addition, the host was observed communicating with multiple external IP addresses (including 5.252.153.241 and 45.125.66.32) using both encrypted (HTTPS) and unencrypted (HTTP) protocols, as well as a non-standard port (2917). This indicates the use of a distributed C2 infrastructure designed for persistence and resilience.
The presence of high-volume data transfers suggests potential data exfiltration, while repeated short-duration connections indicate beaconing behavior used to maintain contact with attacker-controlled servers.
Based on the correlation of these indicators — including DNS activity, connection patterns, encryption usage, and traffic behavior — it can be conclusively determined that the host is compromised and actively engaged in malicious communication with command-and-control infrastructure.
Inferences
1. Identification of Suspicious Host
Method: Statistics → Endpoints → IPv4
Observation: Analysis of network endpoints revealed that the internal host 10.1.17.215 generated significantly higher traffic compared to other hosts within the network. The number of packets and total data volume associated with this host was disproportionately high.
Reasoning: In a normal network environment, traffic distribution across hosts is relatively balanced. A single host exhibiting unusually high outbound traffic often indicates automated or abnormal behavior such as malware communication, background data exfiltration, or persistent external connections.
Conclusion: The host 10.1.17.215 is identified as suspicious and is likely compromised.
2. High External Communication Ratio
Observation: The majority of traffic from the host is directed toward external IP addresses rather than internal systems.
Reasoning: Compromised systems often communicate heavily with external attacker-controlled infrastructure rather than internal services.
Conclusion: This behavior is indicative of external C2 communication.
3. High-Frequency DNS Query Behavior
Observation: The host generated multiple DNS queries within short time intervals, targeting external domains repeatedly.
Reasoning: High-frequency DNS activity is indicative of automated processes attempting to resolve domains dynamically, often used by malware to locate active C2 servers or fallback infrastructure.
Conclusion: The DNS behavior suggests automated domain resolution consistent with malware activity.
4. Detection of Suspicious Domain (Typosquatting)
Observation: DNS analysis revealed that the suspected host queried the domain authenticatoor.org, which resembles the legitimate service "Google Authenticator" but contains a spelling variation.
Reasoning: This technique is known as typosquatting, where attackers create domains that closely mimic legitimate ones to deceive users into downloading malicious content. Such domains are commonly used in phishing and malware distribution campaigns.
Conclusion: The domain authenticatoor.org is identified as a malicious or deceptive domain used for malware delivery.
5. Malicious Domain Resolution to External Infrastructure
Observation: The suspicious domain authenticatoor.org resolved to the external IP address 82.221.136.26.
Reasoning: Resolution of a suspicious domain to an external IP indicates that the infected host is attempting to communicate with infrastructure outside the local network. Such infrastructure is often used by attackers to host malicious payloads or act as C2 servers.
Conclusion: The external IP 82.221.136.26 is likely part of the attacker-controlled infrastructure.
6. DNS Query-Response Timing Correlation
Observation: DNS queries for suspicious domains (e.g., authenticatoor.org) are immediately followed by corresponding DNS responses and subsequent connection attempts to the resolved IP addresses.
Reasoning: This tight coupling between DNS resolution and immediate outbound connection indicates automated behavior. In malware infections, domain resolution is often directly followed by communication with the resolved server, forming part of the C2 initiation process.
Conclusion: The rapid query-response-connection sequence confirms automated malicious communication behavior linked to domain resolution.
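Inferences 4 to 6 combine two checks that are easy to automate: whether a queried name is a near-miss of a brand the users would expect, and whether the DNS answer is followed within seconds by a connection to the resolved address. The block below is an added example, not code from the report: `WATCHED_BRANDS`, `SUFFIX_WHITELIST`, the `max_distance` and `window` thresholds, and the two event lists (shaped like `tshark -T fields -e frame.time_epoch -e dns.qry.name -e dns.a` and `-e frame.time_epoch -e ip.dst -e tcp.dstport` output filtered to DNS responses and bare SYNs) are constructed assumptions; only authenticatoor.org and 82.221.136.26 come from the report, and 203.0.113.10 is a documentation address standing in for a benign resolution.

```python
# Constructed allow-list and brand list; a real deployment would pull these from policy.
WATCHED_BRANDS = ["authenticator", "google", "microsoft"]
SUFFIX_WHITELIST = {"google.com", "microsoft.com"}

# Constructed events (timestamps invented). Shape matches tshark field output for
#   -Y "dns.flags.response == 1"              -> (time, dns.qry.name, dns.a)
#   -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" -> (time, ip.dst, tcp.dstport)
DNS_ANSWERS = [
    (1737500000.000, "authenticatoor.org", "82.221.136.26"),   # from the report
    (1737500020.000, "www.google.com", "203.0.113.10"),        # benign, constructed
]
TCP_SYNS = [
    (1737500000.012, "82.221.136.26", 443),   # 12 ms after the answer
    (1737500030.500, "203.0.113.10", 443),    # 10.5 s later: a human click, not a script
]


def levenshtein(a, b):
    """Edit distance with the usual single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels (naive: no public-suffix list), e.g. www.google.com -> google.com."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def typosquat_score(domain, brands=WATCHED_BRANDS):
    """(closest brand, edit distance) for the domain's second-level label."""
    label = registrable(domain).split(".")[0]
    return min(((b, levenshtein(label, b)) for b in brands), key=lambda t: t[1])


def is_suspicious_domain(domain, max_distance=2):
    """Near-miss of a watched brand that is not on the allow-list."""
    if registrable(domain) in SUFFIX_WHITELIST:
        return False
    return typosquat_score(domain)[1] <= max_distance


def dns_followed_by_connection(dns_answers, tcp_syns, window=2.0):
    """Pair each DNS answer with the first SYN to the resolved address within
    `window` seconds: (name, address, port, delay_seconds) for each pair found."""
    hits = []
    for t_dns, name, addr in dns_answers:
        for t_syn, dst, port in sorted(tcp_syns):
            if dst == addr and 0 <= t_syn - t_dns <= window:
                hits.append((name, addr, port, round(t_syn - t_dns, 3)))
                break
    return hits


def triage(dns_answers, tcp_syns):
    """Names that are both typosquat-like and immediately connected to."""
    findings = []
    for name, addr, port, delay in dns_followed_by_connection(dns_answers, tcp_syns):
        if is_suspicious_domain(name):
            brand, dist = typosquat_score(name)
            findings.append((name, addr, port, delay, brand, dist))
    return findings


if __name__ == "__main__":
    for name, addr, port, delay, brand, dist in triage(DNS_ANSWERS, TCP_SYNS):
        print(f"{name} -> {addr}:{port} after {delay}s (distance {dist} from '{brand}')")
```

The edit-distance check is deliberately narrow: it catches authenticatoor.org (one letter from "authenticator") and g00gle, but not a brand name wrapped in extra words, so it complements rather than replaces the manual review of the DNS list. The timing check is what separates a script from a person: a resolver answer followed by a SYN within tens of milliseconds is characteristic of code, whereas the constructed benign lookup above is followed by a connection ten seconds later and is left alone.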
7. TCP Connection Initiation Patterns
Observation: Multiple TCP SYN packets were initiated by the host toward external IP addresses.
Reasoning: Frequent session initiation attempts indicate active efforts to establish communication with remote servers, typical of malware attempting to connect to C2 infrastructure.
Conclusion: This indicates persistent external communication attempts.
8. Establishment of Encrypted Communication (TLS)
Observation: The host 10.1.17.215 established a TCP connection with the external IP 82.221.136.26 over port 443.
Reasoning: Port 443 is used for HTTPS communication, which encrypts data using TLS. Malware frequently uses encrypted channels to evade detection mechanisms such as Deep Packet Inspection (DPI), as the payload content cannot be easily inspected.
Conclusion: The host initiated encrypted communication with a potentially malicious external server.
9. TLS SNI-Based Domain Confirmation
Observation: During the TLS handshake, the Server Name Indication (SNI) field revealed the domain authenticatoor.org.
Reasoning: Although TLS encrypts payload data, metadata such as the SNI field remains visible. This allows analysts to identify the intended destination domain even in encrypted traffic, making it a critical indicator in malware detection.
Conclusion: Encrypted communication is confirmed to be associated with the malicious domain authenticatoor.org.
10. Sustained Encrypted C2 Communication
Observation: A large number of TLS application data packets were exchanged continuously between the infected host and the external server.
Reasoning: Sustained bidirectional encrypted communication is not typical of normal browsing behavior. Instead, it indicates an active session, often associated with C2 communication where the infected system continuously exchanges data with the attacker's server.
Conclusion: The traffic pattern strongly indicates ongoing C2 communication.
11. Regular Packet Timing Patterns (Beaconing Support)
Observation: Packets were transmitted at relatively consistent intervals between the host and external server.
Reasoning: Regular timing intervals are a hallmark of beaconing behavior, where malware periodically checks in with a command server.
Conclusion: This reinforces the presence of beaconing-based C2 communication.
12. Repeated Targeting of Specific External IP
Observation: A large number of packets were consistently directed toward a specific external IP address.
Reasoning: Repeated targeting of a single external IP indicates a dedicated communication channel, typical of C2 servers.
Conclusion: The IP acts as a primary C2 endpoint.
13. Bidirectional Data Flow and Large Packet Transmission
Observation: Traffic analysis revealed bidirectional communication with multiple packets of large sizes (approximately 1400 bytes) exchanged between the host and external server.
Reasoning: Large packet sizes and bidirectional flow indicate that the host is both sending and receiving substantial amounts of data, suggesting possible command execution or data transfer.
Conclusion: The host is actively exchanging significant data with the external server, indicating potential malicious activity.
14. High Volume Data Transfer (Potential Data Exfiltration)
Method: Statistics → Conversations → TCP
Observation: The host exchanged a large volume of data (approximately 5 MB) with the external IP address 5.252.153.241 over HTTP.
Reasoning: Such high-volume data transfer is unusual for normal user activity and may indicate data exfiltration or payload download. The use of HTTP instead of HTTPS further suggests reduced security and potential malicious intent.
Conclusion: This behavior indicates possible data exfiltration or transfer of malicious payloads.
15. Suspicious HTTP-Based Communication
Observation: The host communicated with external servers over HTTP, including requests involving significant data exchange.
Reasoning: Malware often uses unencrypted HTTP channels for command exchange or payload transfer due to simplicity and reduced overhead.
Conclusion: The HTTP traffic supports the presence of malicious communication channels.
16. Server Response Behavior Analysis (Active Remote Interaction)
Observation: External servers actively responded to the host with multiple packets, including TLS application data and HTTP responses, indicating two-way communication.
Reasoning: Malicious infrastructure actively sends instructions or data back to the infected host. Bidirectional communication confirms the server is engaging in active interaction, characteristic of C2 behavior.
Conclusion: The external servers are actively interacting with the host, confirming their role as C2 servers.
17. Beaconing and Persistent Communication Behavior
Method: Statistics → Conversations → TCP
Observation: Repeated short-duration connections were observed between the host and 45.125.66.32, and multiple TCP connections were observed with 5.252.153.241.
Reasoning: Short, periodic connections are characteristic of beaconing behavior, where malware regularly contacts a C2 server to receive instructions or maintain persistence.
Conclusion: The host exhibits beaconing behavior consistent with malware infection.
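Inferences 11 and 17 both rest on the same measurement: connection starts spaced at nearly constant intervals, each session short. The added example below (not code from the report) scores a list of (relative start, duration) pairs of the kind one would copy out of Statistics → Conversations → TCP for a single peer, using the coefficient of variation of the inter-arrival times as the regularity measure. Both session lists are constructed for the example, and the thresholds in `looks_like_beacon` are assumptions to be tuned against a baseline of normal traffic.

```python
from statistics import mean, median, pstdev

# Constructed (relative start seconds, duration seconds) per TCP conversation with
# one peer. Times are invented, not measured from the 2025-01-22 capture.
BEACON_SESSIONS = [(0.0, 0.31), (60.8, 0.29), (120.3, 0.35), (181.1, 0.30),
                   (240.6, 0.33), (300.2, 0.28), (361.0, 0.34), (420.4, 0.30)]
BROWSING_SESSIONS = [(0.0, 12.5), (3.2, 0.9), (4.1, 45.0), (95.0, 2.2),
                     (96.3, 0.4), (400.7, 18.3), (402.0, 1.1), (1800.5, 7.7)]


def inter_arrival(sessions):
    """Gaps between consecutive connection starts, in seconds."""
    starts = sorted(s for s, _ in sessions)
    return [b - a for a, b in zip(starts, starts[1:])]


def beacon_profile(sessions):
    """Summary numbers an analyst would read off before calling it beaconing."""
    gaps = inter_arrival(sessions)
    avg = mean(gaps) if gaps else 0.0
    return {
        "connections": len(sessions),
        "mean_interval": round(avg, 2),
        # coefficient of variation: 0 means perfectly periodic, >1 means bursty
        "interval_cv": round(pstdev(gaps) / avg, 3) if avg else float("inf"),
        "median_duration": round(median(d for _, d in sessions), 2),
    }


def looks_like_beacon(sessions, min_connections=6, max_cv=0.25, max_duration=2.0):
    """Assumed thresholds: enough samples, near-constant spacing, short sessions.
    Jittered beacons raise the CV a little; a person browsing raises it a lot."""
    if len(sessions) < min_connections:
        return False                      # too few connections to judge periodicity
    p = beacon_profile(sessions)
    return p["interval_cv"] <= max_cv and p["median_duration"] <= max_duration


if __name__ == "__main__":
    for label, sessions in (("45.125.66.32-like", BEACON_SESSIONS),
                            ("browsing-like", BROWSING_SESSIONS)):
        print(label, beacon_profile(sessions), "beacon" if looks_like_beacon(sessions) else "no")
```

The constructed beacon list has about one second of jitter on a sixty-second period, which gives a CV near 0.01 and passes; the browsing list clusters connections around page loads and fails on both spacing and duration. A small-sample guard matters because three connections can look periodic by chance, which is why the report's conclusion leans on repeated connections rather than a single pair.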
18. Multi-Protocol Communication Strategy
Observation: The host utilized DNS, HTTP, and TLS protocols during its communication.
Reasoning: Malware often uses multiple protocols for different stages of operation, including domain resolution, payload delivery, and encrypted command exchange.
Conclusion: This indicates a structured multi-stage malware communication strategy.
19. Encryption as an Evasion Technique
Observation: All major communications with external infrastructure were conducted using TLS encryption.
Reasoning: TLS encryption prevents Deep Packet Inspection (DPI), allowing malware to conceal payload data and evade traditional detection systems.
Conclusion: Encryption is being actively used to hide malicious communication.
20. Multi-Server C2 Infrastructure and Anomalous Port Usage
Method: Statistics → Conversations → TCP
Observation: The host communicated with multiple external IP addresses (82.221.136.26, 5.252.153.241, and 45.125.66.32), including communication over a non-standard port (2917).
Reasoning:
| Port | Protocol | Usage |
|---|---|---|
| 80 | HTTP | Standard web traffic (unencrypted). |
| 443 | HTTPS | Secure web traffic (encrypted via SSL/TLS). |
Use of multiple servers indicates a distributed C2 infrastructure designed for redundancy and resilience. Communication over non-standard ports is often used by malware to bypass firewall rules and avoid detection.
Conclusion: The malware utilizes multiple C2 servers and non-standard communication channels, confirming advanced malicious behavior.
Effects of Malware
- Data Exfiltration — The analysis revealed high-volume data transfer (~5 MB) between the infected host and external servers. This suggests that sensitive information may have been extracted from the system and transmitted to attacker-controlled infrastructure.
- Unauthorized Command Execution (C2 Control) — Sustained encrypted communication and beaconing behavior indicate that the host was receiving instructions from C2 servers. This allows attackers to remotely control the system and execute arbitrary actions.
- Persistence Mechanism — Repeated short-duration connections and periodic communication patterns suggest that the malware maintains persistent access by continuously checking in with external servers.
- Evasion of Security Mechanisms — The use of TLS encryption and standard ports (80 and 443) indicates that the malware is designed to evade detection by traditional security tools such as firewalls and DPI systems.
- Use of Distributed Infrastructure — Communication with multiple external IP addresses and non-standard ports demonstrates that the malware relies on a distributed C2 infrastructure, making it more resilient to takedown attempts.
New Findings
The analysis identified a typosquatted domain, authenticatoor.org, being used for malware delivery, along with multiple command-and-control (C2) servers that suggest a distributed attack infrastructure. The malware communicates over both encrypted (TLS) and unencrypted (HTTP) channels, leveraging non-standard ports such as 2917 to evade detection. Network traffic reveals consistent beaconing behavior through short, periodic connections, as well as high-volume data transfers indicative of potential data exfiltration. Additionally, the close correlation between DNS resolution and immediate outbound connections points to automated execution, while sustained bidirectional communication confirms active interaction with remote servers.
AI Usage
Artificial Intelligence tools were used to enhance the efficiency and depth of the analysis. AI-assisted guidance helped in structuring the investigation, identifying relevant Wireshark filters, and interpreting network traffic patterns.
AI was also used to refine technical explanations, ensuring that each observation was supported by appropriate reasoning and aligned with cybersecurity concepts such as C2 communication, beaconing behavior, and data exfiltration.
Additionally, AI contributed to improving the clarity and organization of the report by helping structure the attack narrative, categorize inferences logically, and eliminate redundancy. This enabled a more systematic and professional presentation of the findings.
Overall, AI acted as a supportive analytical tool, assisting in both technical interpretation and documentation, while the final conclusions and validation were performed based on the observed network evidence.
Conclusion
The analysis of the PCAP file successfully confirmed the presence of malware within the network through multiple layers of evidence. By systematically examining DNS activity, TCP connections, TLS handshakes, and traffic behavior, a clear pattern of malicious activity was identified.
The infected host (10.1.17.215) was observed communicating with a typosquatted domain (authenticatoor.org), which resolved to external C2 servers. The presence of sustained encrypted communication, beaconing behavior, high-volume data transfer, and interaction with multiple external IP addresses strongly indicates an active malware infection.
The use of encryption, standard ports, and distributed infrastructure highlights the sophistication of modern malware in evading detection. Additionally, the correlation of multiple indicators allowed reconstruction of the complete attack lifecycle.
This investigation demonstrates the effectiveness of network traffic analysis in identifying and confirming malware presence, even in the absence of payload visibility. The findings emphasize the importance of behavioral analysis and multi-layered detection techniques in modern cybersecurity environments.
GitHub Repository
The complete files related to this Digital Assignment, including the PCAP file, analysis screenshots, and supporting materials, are available below:
References
- Malware Traffic Analysis Exercise (PCAP Source): https://www.malware-traffic-analysis.net/2025/01/22/index.html
- Original Malware Analysis Blog: https://www.malware-traffic-analysis.net/2025/01/22/index.html
- Additional Reference (Threat Intelligence - Unit 42): https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel
- Wireshark Documentation: https://www.wireshark.org/docs/
Acknowledgement
I would like to express my sincere gratitude to the following individuals and organizations for their support and contributions in the successful completion of this Digital Assignment:
- I would like to thank the School of Computer Science and Engineering (SCOPE), Vellore Institute of Technology, Chennai for offering the Computer Networks course during the Winter Semester 2025–2026 with an industry-relevant and comprehensive syllabus.
- I extend my sincere gratitude to Dr. T. Subbulakshmi, Professor, SCOPE, VIT Chennai, for her guidance and support throughout the course.
- I would like to acknowledge Gerald Combs, the founder of Wireshark and recipient of the ACM Software System Award (2018), for developing an exceptional tool that enables effective and detailed network traffic analysis.
- I would like to thank Bradley Duncan for creating insightful malware analysis blogs that provide practical understanding of malware behavior without requiring direct execution. These resources also enabled deeper exploration and extended analysis.
- I would like to acknowledge my peers, Mr. Shivaan Bopanna, Mr. Soumyodeep Mallick and Mr. Daksh Bhatnagar, II year B.Tech. CSE students, School of Computer Science and Engineering, VIT Chennai, for their valuable suggestions and discussions.
Author
Harshit Bisht
II year B.Tech. CSE student
School of Computer Science and Engineering
VIT Chennai
Cybersecurity & Network Traffic Analysis
Great write-up! I especially appreciated the way you broke down the PCAP analysis to bridge the gap between initial alerts and definitive confirmation.
The methodology for correlating specific TCP stream anomalies with known C2 patterns was particularly sharp. It’s a solid reminder that while automated tools are great, there's no substitute for a deep dive into the packets to eliminate false positives.
Keep up the high-quality forensic breakdowns!
Thank you Shivaan! It's comments like these that keep me driven and motivated to complete my assignments on time.
I agree, it was a really impressive article!!!
Amazing analysis! I like the depth to which you went in order to explain the intricacies of packet capture and how relevant this project is in current times. Kudos!!
Great analysis! I really liked how you used Wireshark to investigate the PCAP and identify suspicious communication patterns. The breakdown of DNS activity, HTTP/TLS traffic, and C2 indicators was clear and well-structured. The reconstruction of the attack flow made it easy to understand how the malware operated within the network. Looking forward to future blogs from you!!
Thank you Soumyodeep! My teacher guided me to explore such interesting topics that make me want to do a deep technical dive!
Sounds like your teacher is an amazing guide to you!
Solid technical analysis, Harshit. You did a great job illustrating how to pivot from a high-volume traffic alert to a confirmed indicator of compromise. The identification of persistent bidirectional data exchange as a marker for exfiltration was a key catch. It’s a great reminder of why packet-level visibility remains the gold standard for incident response. Keep the reports coming!
Thank you Daksh! Such keen observations from the reader indicate their own curiosity and aspirations to learn new things every day!
Amazing work Harshit! Really liked how the analysis doesn’t just explain concepts but also dives into the tools used; it makes the whole analysis much more practical and relevant to real-world scenarios.
Thank you Hanan! Your words of encouragement really make my heart beat like thunder......... who is it that came into my dreams....
Great work, Harshit—really liked how you connected the typosquatted domain with the automated connection behavior. The way you tied together beaconing, unusual ports, and steady two-way traffic makes a strong case for active C2 and possible data exfiltration.
Thank you Hari! Such a detailed breakdown of a blog can only be done when the mind is curious and always looking to expand its knowledge. All the best for your future endeavors!