Scenario

During this Warzone: Malware Investigation scenario, I worked through a real-world IDS/IPS alert triage process involving suspicious Malware Command and Control traffic detected inside a PCAP capture.
The investigation had to be completed quickly because, in a real SOC environment, alerts continue to queue while analysts work cases. This meant I needed to move fast while still validating every indicator properly.
For this investigation, I used:
- Brim
- Wireshark
- NetworkMiner
- VirusTotal
This walkthrough documents my full SOC Analyst malware investigation process, including the challenges I encountered while performing Wireshark PCAP Analysis and tracing the Malware Command and Control activity associated with the MirrorBlast malware family.
Initial IDS/IPS Alert Triage in Brim - Malware Investigation Begins
I started the investigation by opening the PCAP file in Brim because Brim makes SOC triage significantly faster by parsing Zeek logs automatically.
The first thing I needed to identify was:
- the IDS alert signature
- the source IP address
- the destination IP address
I navigated to the alert logs and quickly identified the triggered signature:
ET MALWARE MirrorBlast CnC Activity M3
At this stage, the alert already strongly suggested a true positive because the signature specifically referenced Malware Command and Control activity linked to MirrorBlast.
The source IP address involved in the communication was:
1xx.1xx.1xx.1x
The destination IP address was: 1xx[.]xxx[.]xx8[.]1x
One thing I appreciated during this SOC Analyst malware investigation was how quickly Brim allowed me to pivot between logs. Instead of manually inspecting packets immediately, I could first build a high-level understanding of the traffic flow before diving deeper with Wireshark PCAP Analysis.
Investigating the Destination IP Address
After identifying the suspicious destination IP, I pivoted into VirusTotal to enrich the indicator.
This is a critical part of Malware Command and Control investigations because analysts need to understand:
- threat attribution
- malware family associations
- previous malicious activity
- community intelligence
The VirusTotal results revealed that the threat group associated with the IP address was:
TA505
The malware family associated with the activity was: MxxxxxBlast
At this point, the alert was already looking highly suspicious. Seeing both a known malware family and a recognized threat group significantly increased confidence that this was a legitimate compromise attempt rather than benign traffic.
I also investigated the communicating domain connected to the alert. Under the "Communicating Files" section in VirusTotal, the majority file type was identified as: Windows Installer
That immediately raised another red flag because MSI installers are commonly abused for malware delivery and staged payload execution.
Inspecting HTTP Traffic in Brim
Next, I moved back into Brim to inspect the HTTP traffic associated with the malicious destination IP.
The filter I used was: _path=="http" id.resp_h==1xx.xxx.128.xx
This helped narrow the investigation to only the HTTP activity involving the suspicious external IP address.
During the HTTP traffic analysis, I identified the following user-agent: RXXXXL View 2.x.8.x.1
At this point, the Malware Command and Control activity became even more suspicious because unusual or outdated user-agents are commonly seen in malware communications.
One thing I enjoyed during this stage was how quickly Brim allowed me to pivot through logs while still maintaining visibility into the overall network activity. This made the early phase of the Wireshark PCAP Analysis much more manageable.
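The same pivot can be scripted when Brim is not at hand. The following is an added example, not code from the original write-up: it reproduces the `_path=="http" id.resp_h==<ip>` query over Zeek http.log lines and then summarises the user-agents seen towards that responder, flagging any that do not look like a browser. The log lines, the documentation-range IPs, the hostnames and the "REBOL View 0.0.0" user-agent string are all constructed sample data (the real indicators are masked in the write-up).

```python
"""Added example: Zeek http.log triage equivalent to the Brim pivot used above."""
import re
from collections import Counter

# Column order of the fields kept from a Zeek http.log (subset, for the example).
ZEEK_HTTP_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                    "method", "host", "uri", "user_agent", "status_code"]

# Constructed sample log (tab-separated, as Zeek writes it). 203.0.113.9 plays the
# role of the masked C2 address; 198.51.100.7 is benign background traffic.
SAMPLE_HTTP_LOG = """\
1634000001.1\tCAb1\t10.0.0.25\t49712\t198.51.100.7\t80\tGET\tupdate.example\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\t200
1634000002.3\tCAb2\t10.0.0.25\t49713\t203.0.113.9\t80\tGET\tcdn.example\t/fxxxxr.msi\tREBOL View 0.0.0\t302
1634000003.9\tCAb3\t10.0.0.25\t49714\t203.0.113.9\t80\tGET\tcdn.example\t/stage/fxxxxr.msi\tREBOL View 0.0.0\t200
1634000004.2\tCAb4\t10.0.0.25\t49715\t198.51.100.7\t443\tGET\tupdate.example\t/ping\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\t200
"""

# Crude "looks like a browser" heuristic; anything else is worth a closer look.
BROWSER_UA = re.compile(r"^(Mozilla|Opera)/", re.I)


def parse_zeek_http(text):
    """Turn Zeek http.log lines into dicts, skipping '#' header/footer lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(ZEEK_HTTP_FIELDS, line.split("\t"))))
    return rows


def http_to_resp_h(rows, resp_h):
    """Equivalent of the Brim query: HTTP records whose responder is resp_h."""
    return [r for r in rows if r["id.resp_h"] == resp_h]


def user_agent_summary(rows):
    """Count each user-agent and flag the ones that do not look like a browser."""
    counts = Counter(r["user_agent"] for r in rows)
    return {ua: {"count": n, "suspicious": not bool(BROWSER_UA.match(ua))}
            for ua, n in counts.items()}


def msi_requests(rows):
    """List (responder, URL, status) for every request that fetched an .msi."""
    return [(r["id.resp_h"], r["host"] + r["uri"], r["status_code"])
            for r in rows if r["uri"].lower().endswith(".msi")]


if __name__ == "__main__":
    rows = parse_zeek_http(SAMPLE_HTTP_LOG)
    hits = http_to_resp_h(rows, "203.0.113.9")
    print(user_agent_summary(hits))
    print(msi_requests(rows))
```

The 302 followed by a 200 for the same installer name is the redirect-then-payload pattern the write-up later trips over in Wireshark; seeing it in the log first tells you which stream to follow.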
Retracing the Malware Command and Control Activity
The next phase of the investigation involved retracing the attack chain to identify additional infrastructure associated with the malware delivery process.
I reviewed the surrounding network connections and identified two additional suspicious IP addresses:
xxx[.]xx[.]xx[.]235, 192[.]xx[.]xx[.]xx
At this point, the investigation became more interesting because it was clear the malware delivery process involved multiple stages rather than a single malicious connection.
This is a common pattern during Malware Command and Control investigations:
- an initial callback
- redirect traffic
- payload hosting infrastructure
- secondary payload downloads
I then identified two downloaded MSI files associated with those IP addresses: fxxxxr.msi, 10xxx3r_lxxx.msi
Initial Challenges During the Investigation
One of the biggest lessons during this Warzone: Malware Investigation was understanding when to pivot between tools during IDS/IPS alert triage.
Initially, I switched to NetworkMiner because I expected it to immediately reveal the exact file paths and dropped artifacts associated with the MSI payloads.
NetworkMiner successfully reconstructed the downloaded files, but the paths it displayed were only the local extraction paths generated by the tool itself, such as:
/Desktop/Tools/NetworkMiner_2-7-1/AssembledFiles/...
At first, this confused me because the challenge required the actual Windows file paths created on the victim machine, not the reconstruction directories generated by NetworkMiner.
This was an important lesson during the SOC Analyst malware investigation:
reconstructed files alone are not always enough to fully understand malware behavior.
I realized I needed to inspect the raw traffic streams directly.
Still In The Warzone Using Wireshark PCAP Analysis During IDS/IPS Alert Triage
At this point, I switched fully into Wireshark PCAP Analysis mode. I filtered the traffic for the suspicious IP addresses and inspected the HTTP conversations more closely.
Here, I accidentally followed a redirect stream instead of the actual MSI payload stream. Initially, the TCP stream appeared very small and only contained a redirect URL pointing to another MSI file.
This forced me to slow down and carefully identify the actual MSI download requests before following the correct TCP stream.
Once I selected the proper stream, I used:
- Follow TCP Stream
- stream searching
- keyword searches such as: C:\, .exe, .bin
This was the turning point of the investigation.
Extracting Malware Artifacts from the MSI Streams
While reviewing the MSI stream associated with filter.msi, I identified two dropped files saved into the following directory:
C:\ProgramData\xx1\xxxb.exe, C:\ProgramData\xx1\xxxb.bin
The MSI stream itself initially looked extremely difficult to read because the installer metadata was packed together into long strings containing registry actions, installer instructions, and component data.
However, once I focused on identifying Windows file paths directly, the relevant artifacts became easier to isolate.
For the second MSI payload, 10xxx3r_xxxd.msi, I initially struggled because the TCP stream appeared almost empty. Eventually, I realized I had inspected the redirect traffic instead of the actual MSI payload stream.
After correcting the stream selection, I successfully identified two additional dropped files:
C:\ProgramData\Local\Google\xxxx-view-xxx-3-x.exe, C:\ProgramData\Local\xxxxxx\xxxxxxx.rb
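Both problems described above, following the tiny redirect stream by mistake and then digging Windows paths out of packed installer metadata, can be handled programmatically once the TCP streams have been reassembled. This is an added example, not code from the original write-up: it classifies a reassembled HTTP stream as a redirect or an MSI payload (by status code, Location header and the OLE compound-file magic bytes an MSI starts with) and then extracts Windows file paths from the payload body. The two stream payloads, hostnames and user-agent string are constructed; the paths planted in the sample body are the dropped-artifact paths listed in the escalation notes below.

```python
"""Added example: redirect-vs-payload stream classification and path extraction."""
import re

MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header used by MSI

# Constructed: the "wrong" stream, an HTTP 302 pointing at the real installer.
REDIRECT_STREAM = (
    b"GET /fxxxxr.msi HTTP/1.1\r\nHost: cdn.example\r\nUser-Agent: REBOL View 0.0.0\r\n\r\n"
    b"HTTP/1.1 302 Found\r\nLocation: http://cdn.example/stage/fxxxxr.msi\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed: the payload stream. The body mimics installer table data where
# paths sit inside long NUL-separated strings next to registry and action names.
PAYLOAD_STREAM = (
    b"GET /stage/fxxxxr.msi HTTP/1.1\r\nHost: cdn.example\r\nUser-Agent: REBOL View 0.0.0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 4096\r\n\r\n"
    + MSI_MAGIC + b"\x00" * 24
    + b"InstallFilesCreateFolders\x00C:\\ProgramData\\001\\arab.exe\x00\x00RegistryKeys\x00"
    + b"SOFTWARE\\Classes\\\x00\x00C:\\ProgramData\\001\\arab.bin\x00CustomAction\x00"
)

# Drive letter, zero or more directory segments, file name with an extension of interest.
WIN_PATH = re.compile(
    rb"[A-Za-z]:\\(?:[^\x00-\x1f\\\"<>|?*]+\\)*[^\x00-\x1f\\\"<>|?*]+\.(?:exe|bin|dll|rb|msi)",
    re.I,
)


def split_http(stream):
    """Return (request line, response status, response headers, response body)."""
    req, _, rest = stream.partition(b"\r\n\r\n")
    head, _, body = rest.partition(b"\r\n\r\n")
    status_line, *hdr_lines = head.split(b"\r\n")
    headers = {}
    for h in hdr_lines:
        k, _, v = h.partition(b":")
        headers[k.strip().decode().lower()] = v.strip().decode()
    return req.split(b"\r\n")[0].decode(), int(status_line.split()[1]), headers, body


def classify_stream(stream):
    """'redirect' (with the Location to chase), 'msi' (parse the body) or 'other'."""
    _, status, headers, body = split_http(stream)
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return "redirect", headers["location"]
    if status == 200 and body.startswith(MSI_MAGIC):
        return "msi", None
    return "other", None


def extract_paths(body):
    """Unique Windows paths in first-seen order (ASCII strings only, for the example)."""
    seen = []
    for m in WIN_PATH.finditer(body):
        p = m.group().decode("latin-1")
        if p not in seen:
            seen.append(p)
    return seen


def triage_streams(streams):
    """Walk reassembled streams: note redirects, pull dropped-file paths from MSI bodies."""
    findings = {"redirects": [], "dropped_files": []}
    for s in streams:
        kind, location = classify_stream(s)
        if kind == "redirect":
            findings["redirects"].append(location)
        elif kind == "msi":
            findings["dropped_files"].extend(extract_paths(split_http(s)[3]))
    return findings


if __name__ == "__main__":
    print(triage_streams([REDIRECT_STREAM, PAYLOAD_STREAM]))
```

Real MSI string tables are stored as UTF-16 inside the compound file, so on a genuine capture the extracted body should be parsed with an MSI-aware tool (or the regex widened to the UTF-16 form) rather than grepped as ASCII; the classification step, however, is exactly what separates the near-empty redirect stream from the one worth reading.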
At this stage, the Malware Command and Control investigation was fully confirmed as a true positive.
End of the Malware Investigation: Why These Findings Matter
During real SOC operations, identifying dropped files and filesystem artifacts is extremely important because they become valuable Indicators of Compromise (IOCs) for:
- EDR searches
- threat hunting
- containment validation
- IOC sweeps across the environment
- persistence investigations
This investigation also reinforced an important lesson:
different tools solve different problems.
- Brim accelerated triage and IOC discovery
- NetworkMiner helped reconstruct files
- Wireshark provided the detailed packet-level visibility needed for deep analysis
Knowing when to pivot between tools is a major part of effective SOC Analyst malware investigation work.
What My Escalation Notes Would Look Like:
TRUE POSITIVE — Malware Command and Control Activity
Alert Signature:
ET MALWARE MirrorBlast CnC Activity M3
Source Host:
xxx[.]xx[.]1[.]xxx
Primary Destination:
169[.]xxx[.]xxx[.]xx
Associated Threat Group:
TA505
Malware Family:
MirrorBlast
Observed Activity:
- HTTP-based Command and Control communication observed
- Multiple suspicious external IP connections identified
- MSI payload downloads detected
- Malicious files written to ProgramData directories
- Suspicious REBOL user-agent identified during traffic analysis
Additional Associated IPs:
xxx[.]xx[.]68[.]xxx
xxx[.]xx[.]27[.]xx
Downloaded Files:
- fxxxxr.msi
- 10xxx3r_lxxxd.msi
Dropped Artifacts:
- C:\ProgramData\001\arab.exe
- C:\ProgramData\001\arab.bin
- C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
- C:\ProgramData\Local\Google\example.rb
Observed User-Agent:
RxxxL View 2.7.8.3.1
Recommendation:
Recommend endpoint isolation, EDR review, IOC sweep across the environment, and containment validation.
My Final Thoughts
This Warzone 1: Malware Investigation demonstrated how effective IDS/IPS alert triage and Wireshark PCAP Analysis can uncover hidden Malware Command and Control activity inside network traffic. It required much more than simply identifying malicious IP addresses.
The investigation involved:
- Malware Command and Control analysis
- Wireshark PCAP Analysis
- MSI payload tracing
- IOC enrichment
- HTTP traffic investigation
- dropped file identification
- escalation documentation
More importantly, it reinforced the importance of investigative thinking during SOC operations.
Sometimes the first tool will not immediately provide the answer. Sometimes the first TCP stream selected will be the wrong one. Sometimes malware installers will appear unreadable at first glance.
But learning how to pivot, troubleshoot, and continue tracing the attack chain is what makes SOC investigations effective.
You may be asking, what happens next after the findings? Well, another day, another alert. View Warzone 2 write-up: Warzone 2 Malware Traffic Analysis
Visit my everyday playground here

