C2 Carnage: Investigating Malicious Network Traffic with Wireshark


Whenever I heard the words “traffic analysis” with tools like Wireshark, Brim, or NetworkMiner, it honestly felt intimidating. Especially Wireshark.

Wireshark always felt like being locked in a dark room, with thousands of packets moving around at once. It felt like I was running in circles trying to understand what mattered and what did not, while constantly worrying that I might miss one tiny but crucial detail hidden somewhere in the traffic.

That fear used to make me rush.

It made traffic analysis feel overwhelming.

But this challenge changed something for me.

Not because I suddenly became perfect at Wireshark, but because I finally understood what analysis really means.

For me, analysis means calm.

Instead of panicking inside the packets, I learned to slow down, observe patterns, filter carefully, and follow the evidence one step at a time. Wireshark no longer feels like a dark room I am trapped inside. It now feels more like a neighbour’s house I visit frequently. Familiar. Still complex, but no longer terrifying.

This challenge took me 98 minutes instead of the 60 minutes expected by TryHackMe, but honestly, I am proud of that. I was not trying to rush through it. I was trying to understand what I was seeing.

And that made all the difference.


Scenario

Eric Fischer from the Purchasing Department at Bartell Ltd received an email containing a malicious Word document attachment from a known contact. After opening the document and enabling content, suspicious outbound traffic was immediately detected by the endpoint monitoring agent.

The SOC team retrieved the PCAP from the network sensor and handed it over for investigation.

My task was to analyze the packet capture, identify the malicious activity, trace the attacker infrastructure, and uncover the indicators of compromise involved in the infection chain.


Tools Used

  • Wireshark
  • VirusTotal

Initial Investigation Approach

I approached this investigation the same way I would handle an alert inside a SOC environment.

Instead of randomly clicking through packets, I tried to build a timeline of the infection.

My process looked like this:

  1. Identify the initial suspicious outbound communication
  2. Trace file downloads
  3. Investigate domains and infrastructure
  4. Analyze encrypted TLS traffic
  5. Identify possible C2 communications
  6. Investigate post-infection activity
  7. Review DNS behavior
  8. Inspect SMTP traffic for malspam activity
  9. Validate infrastructure with VirusTotal

This structure made the investigation feel much more manageable.


Investigating the Initial HTTP Traffic

I began by filtering HTTP traffic inside Wireshark.

http

From there, I inspected outbound requests and quickly identified suspicious communication involving a malicious ZIP download.

The first malicious HTTP connection occurred at: 2021-09-24 16:44:38

That became my initial infection timeline marker.


Malicious ZIP File Discovery

By reviewing HTTP GET requests and exported HTTP objects, I discovered a suspicious ZIP file download.

The downloaded ZIP file was: documents.zip

The hosting domain was: atxxxxxxxpal.com

At this point, the infection chain became much clearer. Instead of blindly scanning packets, I was now following the attacker’s activity step-by-step.


Inspecting the ZIP Contents Safely

One thing I appreciated during this challenge was learning how analysts safely inspect malicious archives without executing them.

Without downloading or running the payload, I identified the file hidden inside the archive: chart-xxxxxxx.xls

This reinforced an important blue-team lesson: You do not always need to execute malware to understand what it is doing.


Identifying the Malicious Web Server

I then inspected the HTTP response headers to gather infrastructure details about the malicious server.

The webserver identified was: LxxeSxxxd

Version: PHP/7.2.34

This type of infrastructure profiling is extremely valuable during investigations because it helps analysts understand the environment attackers are operating from.


TLS Analysis and My Biggest Challenge

The hardest part of this challenge for me was definitely the TLS analysis section.

At first, I could not find the SNI values inside the TLS Client Hello packets. I kept expanding packet details repeatedly and still felt lost.

That moment reminded me exactly why Wireshark used to feel overwhelming.

But instead of panicking, I slowed down and worked through it carefully.

I filtered for TLS traffic within the suspicious timeframe: 16:45:11 → 16:45:30

Then I focused on: tls.handshake.extensions_server_name

That single filter changed everything.

Eventually, I identified the malicious domains involved in additional payload delivery:

finxxxxxxs.com.au
thxxxxxgt.com
nxx.axxxxxold.com

This was probably the moment where I felt my confidence improve the most during the challenge.


SSL Certificate Investigation

After identifying the suspicious domains, I reviewed the TLS certificates.

The certificate authority for the first malicious domain was: GoDaddy

This type of information is useful for:

  • IOC enrichment
  • threat intelligence correlation
  • infrastructure tracking

Cobalt Strike Infrastructure Discovery

This was one of the most interesting parts of the investigation.

Using Wireshark Conversations alongside VirusTotal Community analysis, I identified two suspicious IP addresses associated with Cobalt Strike activity.

The C2 servers were:

185.1xx.9x.1xx
1xx.1x5.2xx.xxx

I validated the infrastructure using VirusTotal Community reports, where both IPs were associated with malicious Cobalt Strike behavior.

The first C2 domain resolved to: suxxxxer.live

The second C2 domain resolved to: securityxxxxxxxxf.com

One interesting observation was the Host header value: ocsp.vxxxxxxx.com

This demonstrated how attackers attempt to disguise malicious communication as legitimate traffic.

I believe that was a very important real-world lesson.


Post-Infection Traffic Analysis

After identifying the Cobalt Strike infrastructure, I investigated the post-infection HTTP POST traffic.

The malicious post-infection domain was: mxxxxxxhost.net

Following the HTTP stream revealed the first eleven characters transmitted by the victim host: xxxxxxxxxZI9

I also identified that the first packet sent to the C2 server had a length of: 281

The malicious server response header was: Apache/2.4.49 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4

At this point, the traffic investigation genuinely started feeling less chaotic and more structured.

I was no longer just “looking at packets.” I was understanding attacker behavior.


DNS Analysis

While reviewing DNS activity, I discovered that the malware queried an external API service to determine the victim’s public IP address.

The DNS query occurred at: 2021-09-24 17:00:04 UTC

The queried domain was: axxi.ixxx.org

This was another important behavioral indicator showing that the malware was actively profiling the infected machine.


SMTP and Malspam Activity

Finally, I investigated SMTP traffic to identify possible spam-related activity.

The first observed MAIL FROM address was: faxxxin@xxxxxx.com

This section showed how attackers often combine:

  • phishing
  • malicious attachments
  • outbound malware communication
  • spam activity

inside a single intrusion chain.


Lessons Learned

This challenge taught me far more than just how to answer questions inside a PCAP.

It taught me:

  • how to stay calm during traffic analysis
  • how to investigate methodically
  • how to follow attacker behavior through evidence
  • how to correlate DNS, HTTP, TLS, and SMTP traffic together
  • how analysts build timelines during investigations
  • how Cobalt Strike infrastructure appears in network traffic
  • how important filtering is inside Wireshark

Most importantly, it taught me that confidence in traffic analysis comes from repetition, patience, and structured thinking.

Not speed.


What My Escalation Notes Would Look Like:

Incident Summary

A malicious document attachment triggered outbound suspicious network communication from the victim workstation after macro execution. Multiple malicious domains and Cobalt Strike infrastructure were identified within the PCAP.


Key Findings

Initial Malicious HTTP Activity

  • Timestamp: 2021-09-24 16:44:38
  • Malicious Domain: axxxxxxal.com
  • Downloaded File: documents.zip
  • Embedded File: chart-xxxxxxx.xls

Additional Malicious Infrastructure

  • fxxxxxxxxls.com.au
  • txxxxxxgt.com
  • nxx.axxxxcold.com

Cobalt Strike Infrastructure

  • 185.1xx.xx.1xx
  • 1xx.1xx.204.xxx
  • Associated Domains:
    • suxxxxter.live
    • securityxxxxxxf.com

Post-Infection Activity

  • Domain: maxxxxxost.net
  • Observed HTTP POST communications
  • Beacon-like outbound traffic observed

Additional Malware Behavior

  • External IP discovery via api.ixxx.org
  • SMTP traffic consistent with malicious spam activity

Recommended Actions

  • Isolate affected host immediately
  • Block identified domains and IP addresses
  • Reset affected credentials
  • Scan environment for lateral movement indicators
  • Hunt for additional hosts communicating with identified infrastructure
  • Review email gateway logs for related phishing attempts
  • Submit indicators to threat intelligence platform

My Final Thoughts

This challenge reminded me that becoming a SOC analyst is not about memorizing filters or rushing through packets. It is about learning how to stay calm in uncertainty and stick it out.

The packets will always look overwhelming at first. But with enough repetition, structure, and patience, the chaos slowly starts turning into a story.

And this time, for the first time in a while, I felt like I could actually read the story.
