
This TShark Malware Investigation combined phishing analysis, malicious infrastructure investigation, malware delivery tracking, HTTP object extraction, and IOC hunting through command-line packet analysis. Instead of approaching the PCAPs like challenge questions, I treated them like active incident cases assigned to a Tier 1 SOC analyst.
The two investigations covered:
- phishing credential harvesting
- malicious domain investigations
- suspicious directory indexing
- malware downloads
- HTTP and DNS traffic analysis
- IOC extraction
- malware hash analysis
- VirusTotal enrichment
By the end of both investigations, I realized how much faster and more structured my Network Traffic Analysis workflow had become. The estimated completion time for one of the rooms was 60 minutes, but after building a proper investigation process, I completed it in roughly 30 minutes.
Initial SOC Analyst Mindset
Before touching any command, I approached the alerts like a real analyst would.
The first alert stated:
“The threat research team discovered a suspicious domain that could be a potential threat to the organisation.”
The second alert stated:
“A user came across a poor file index, and their curiosity led to problems.”
Immediately, my goal was not to “find the flag.” My objective became:
- identify suspicious infrastructure
- validate whether the alert was legitimate
- determine whether user interaction occurred
- identify malware delivery
- collect evidence for escalation
And this became a strong mindset that changed the entire workflow.
Starting the TShark Malware Investigation
The first thing I learned during this TShark Malware Investigation was that jumping straight into VirusTotal is not the best approach. I needed to understand the traffic first.
I started with protocol hierarchy statistics:
tshark -r teamwork.pcap -q -z io,phs
This helped me quickly identify:
- DNS traffic
- HTTP communications
- TCP activity
- potential web-based interactions
At this stage, I knew I was likely dealing with phishing or malware delivery over HTTP.
Investigating DNS Queries
The next step in my Network Traffic Analysis workflow was extracting DNS requests from the PCAP.
tshark -r teamwork.pcap -Y dns -T fields -e dns.qry.name
Then I cleaned and sorted the results:
tshark -r teamwork.pcap -Y dns -T fields -e dns.qry.name | sort | uniq -c | sort -nr
This immediately revealed suspicious-looking domains. One domain stood out because of its structure and its attempt to impersonate a well-known brand.
After pivoting into VirusTotal, I confirmed that the domain had already been flagged as malicious/suspicious.
The phishing domain was:
hxxp[://]www[.]xxxxx[.]com4uswebapxxxxxxntrecovery[.]timxxxays[.]com/
This was a classic phishing pattern:
- trusted brand impersonation
- long deceptive subdomain
- fake account recovery naming convention
The part that matters for blocking is the registrable domain at the end (timxxxays[.]com); everything in front of it is a subdomain the attacker controls and can rename at will.
At this point, the alert already looked like a true positive.
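The sort | uniq -c pass above gives the frequency view; the second thing I want from a DNS list is an automatic flag for names that carry a brand without the brand owning the registrable domain. The script below is an added example, not part of the original write-up or of the room: the query names, the brand watch-list and the two-label rule for the registrable domain are all assumptions made for the demo (a real tool would consult the Public Suffix List, and adding -e dns.a to the tshark command would also give the resolved addresses for the IP pivot).

```shell
#!/bin/sh
# Added example (not from the original write-up): triage a list of DNS query
# names the way the sort | uniq -c pipeline does, then flag hostnames that
# carry a watched brand while the registrable domain belongs to someone else.
# The query names and the brand list are constructed for this demo.

# Constructed sample of what `tshark -Y dns -T fields -e dns.qry.name` prints.
SAMPLE_QUERIES='www.paypal.com
www.paypal.com
www.paypal.com
www.paypal.com.account-recovery.example.net
www.paypal.com.account-recovery.example.net
cdn.example-static.net
www.dropbox.com
'

# Hypothetical watch-list of brands the organisation cares about.
BRANDS='paypal dropbox'

# Registrable domain = last two labels. Assumption: no multi-label public
# suffixes such as co.uk; a real tool would consult the Public Suffix List.
registrable_domain() {
  printf '%s\n' "$1" | awk -F. 'NF >= 2 { print $(NF-1) "." $NF; next } { print }'
}

# "count name" per unique query, most frequent first.
count_queries() {
  printf '%s' "$1" | grep -v '^$' | sort | uniq -c | sort -nr | awk '{ print $1, $2 }'
}

# One line per hostname that mentions a watched brand while its
# registrable domain is not that brand's.
flag_lookalikes() {
  printf '%s' "$1" | grep -v '^$' | sort -u | while IFS= read -r name; do
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    rd=$(registrable_domain "$lower")
    labels=$(printf '%s' "$lower" | awk -F. '{ print NF }')
    for brand in $BRANDS; do
      case "$lower" in
        *"$brand"*)
          case "$rd" in
            "$brand".*) ;;  # brand owns the registrable domain: legitimate
            *) printf 'LOOKALIKE %s brand=%s registrable=%s labels=%s\n' \
                 "$name" "$brand" "$rd" "$labels" ;;
          esac ;;
      esac
    done
  done
}

# Stand-alone run: the frequency view first, then the flagged names.
count_queries "$SAMPLE_QUERIES"
flag_lookalikes "$SAMPLE_QUERIES"
```

The label count is printed because deep hostnames are a second signal on their own: a legitimate login page rarely sits six labels deep. Treat a LOOKALIKE line as a lead to verify, not a verdict; some brands legitimately serve from a second registrable domain, which is exactly the kind of case a watch-list has to be tuned for.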
Validating Threat Intelligence with VirusTotal
Using VirusTotal during this TShark Malware Investigation helped enrich the indicators I already extracted from the PCAP.
I confirmed:
- the domain was malicious/suspicious
- the first submission date
- the impersonated service
- associated IP infrastructure
The phishing page was impersonating:
- PayPal
The malicious IP was:
184[.]xx4[.]xxx[.]xxx
This stage felt much more realistic than simple PCAP analysis because I was correlating traffic evidence with external threat intelligence.
The First Real Challenge
One of the biggest challenges I faced was recovering the victim email address from the PCAP.
At first, I made syntax mistakes while trying to search HTTP traffic:
tshark -r teamwork.pcap -Y htt contains "@"
That failed for two reasons:
- I typed htt instead of http
- the display filter was not quoted as a single argument, so the shell split it and passed contains and "@" to tshark on their own
This forced me to slow down and troubleshoot the investigation instead of blindly repeating commands.
Eventually, I pivoted into:
- HTTP POST requests
- full packet verbosity
- TCP stream inspection
What finally worked was:
tshark -r teamwork.pcap -Y "frame contains login.php" -V
That exposed the HTTP form data directly inside the packet contents. Note that frame contains is a raw byte match across the whole frame, so it would also show any request for the page itself; the POST is the one that carries the form fields.
I recovered:
- the victim email
- the submitted password
- the phishing POST request
The compromised email was:
jxxxxx5alive[at]gmail[.]com
At that moment, the investigation became a confirmed credential-harvesting case rather than just suspicious traffic.
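Reading a form body out of -V output works, but the values arrive URL-encoded (an @ shows up as %40, a space as +), which is easy to misread when you are transcribing an email address into a ticket. The following is an added example, not code from the write-up: it decodes an application/x-www-form-urlencoded body and pulls named fields out of it. The body and the field names login_email and login_password are constructed; the real body would come from the packet payload, for instance via -T fields -e http.file_data on a POST-only filter.

```shell
#!/bin/sh
# Added example (not from the original write-up): decode a captured HTTP
# form body of the kind the login.php POST carried, so the submitted fields
# can be read without hand-decoding %XX escapes. The body and the field
# names below are constructed for this demo.

# Constructed application/x-www-form-urlencoded body.
SAMPLE_BODY='login_email=jdoe%40example.com&login_password=Pa%24%24w0rd%21+2024&submit=Log+In'

# URL-decode one value: '+' is a space in form bodies, %XX is a byte.
# Limitation: a decoded newline (%0A) is dropped by command substitution.
urldecode() {
  s=$(printf '%s' "$1" | sed 's/+/ /g')
  out=''
  while [ -n "$s" ]; do
    case "$s" in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        hex=${s#%}
        hex=${hex%"${hex#??}"}                   # first two hex digits
        out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")"
        s=${s#???} ;;
      *)
        out="$out${s%"${s#?}"}"                  # copy one literal char
        s=${s#?} ;;
    esac
  done
  printf '%s' "$out"
}

# Print the decoded value of field $2 from body $1 (first match wins).
form_field() {
  printf '%s\n' "$1" | tr '&' '\n' | while IFS= read -r pair; do
    case "$pair" in
      "$2"=*) urldecode "${pair#*=}"; printf '\n'; break ;;
    esac
  done
}

# List every field name in the body, one per line.
form_fields() {
  printf '%s\n' "$1" | tr '&' '\n' | sed 's/=.*//'
}

# Stand-alone run: dump every field decoded. Defang the values before they
# go into a ticket; a recovered password belongs in the case file, not chat.
for f in $(form_fields "$SAMPLE_BODY"); do
  printf '%s = %s\n' "$f" "$(form_field "$SAMPLE_BODY" "$f")"
done
```

Listing the field names first is deliberate: phishing kits rarely name the fields exactly like the site they copy, and the names themselves (login_email, pwd, card_cvv) tell you what the kit was built to steal before you read a single value.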
Moving Into Malware Delivery Analysis
The second investigation focused heavily on malware delivery and poor directory indexing exposure.
The suspicious domain identified was: jx2-xxxxx[.]com
I validated it through VirusTotal and confirmed malicious activity.
Then I counted the HTTP requests sent to the malicious infrastructure:
tshark -r directory-curiosity.pcap \
-Y 'http.host contains "jx2-xxxxx.com"' \
-T fields -e http.request.full_uri | wc -l
The infected host communicated with the malicious domain 14 times. That figure counts HTTP requests carrying that Host header, not TCP connections or DNS lookups, so it is a measure of how much the user actually interacted with the site.
This indicated:
- repeated interactions
- possible malware retrieval
- active browsing of the malicious file index
Investigating the Malicious Server
The server stack immediately caught my attention:
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
As a SOC Analyst, seeing:
- Apache 2.2
- PHP 5.2
- outdated OpenSSL
already raises concerns: these versions were all released around 2008-2009 and have been out of support for years, and neglected or throwaway hosts like this are commonly abused for malware hosting and phishing operations. A Server header can be faked, but here it was consistent with the open directory index the same host served.
Following TCP Streams
One of the most useful parts of this TShark Malware Investigation was following TCP streams in ASCII mode.
tshark -r directory-curiosity.pcap -z follow,tcp,ascii,0 -q
The trailing 0 is the TCP stream index; stream 0 is the first conversation in the capture and the others are reached by changing that number. Inside the stream output, I discovered:
- open directory indexing
- exposed downloadable files
- suspicious executable hosting
There were three listed files, and the first file was: xxx[.]php
This perfectly matched the original alert:
“A user came across a poor file index…”
The exposed index directly enabled malware discovery and download.
Exporting HTTP Objects
This part felt the closest to real malware analysis.
I exported all HTTP objects from the PCAP:
tshark --export-objects http,/tmp/exported \
-r directory-curiosity.pcap
After checking the exported files, I identified the downloaded executable: vxxxxo[.]exe
Exported objects are the raw response bodies, so that file is the live sample: it stays in an isolated directory, it is never executed, and it gets hashed before anything else is done with it.
At this point, the investigation escalated from suspicious browsing activity to confirmed malware delivery.
Malware Hash Analysis
Next, I generated the SHA256 hash of the executable:
sha256sum vxxxxo.exe
SHA256: b4851xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxaed20de
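Hashing one file by hand is fine for a single sample, but an export directory usually holds dozens of objects and the executable is not always called .exe. The script below is an added example, not part of the write-up: it inventories an export directory, hashes every file, checks the MZ magic that marks a Windows PE regardless of the name, and matches the hashes against a known-bad list. The sample files and the known-bad list are constructed inside the script (the list holds the SHA256 of an empty file so the demo produces a match), and the portable sha256_of wrapper is an assumption about which hashing tool is installed.

```shell
#!/bin/sh
# Added example (not from the original write-up): triage a directory of
# objects exported with `tshark --export-objects http,DIR`. For each file it
# records the SHA256, checks the MZ magic every Windows PE starts with, and
# matches hashes against a known-bad list. Sample files and the known-bad
# list are constructed in this script.

# Hash one file, portable across coreutils (sha256sum) and BSD (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# True when the file starts with the "MZ" DOS header, whatever its name.
is_pe() {
  [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "MZ" ]
}

# Print "sha256  pe|other  name" for every regular file under $1, sorted.
inventory() {
  find "$1" -type f | sort | while IFS= read -r f; do
    if is_pe "$f"; then kind=pe; else kind=other; fi
    printf '%s  %s  %s\n' "$(sha256_of "$f")" "$kind" "${f##*/}"
  done
}

# Print "MATCH <inventory line>" for files whose hash is in list file $2.
# The list must be non-empty (awk's NR==FNR idiom breaks on an empty file).
match_known_bad() {
  inventory "$1" | awk 'NR == FNR { bad[tolower($1)] = 1; next }
                        (tolower($1) in bad) { print "MATCH " $0 }' "$2" -
}

# Constructed export directory: a fake PE header, an HTML page, an empty file.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'MZ\220\000\003' > "$d/payload.bin"           # PE magic only, no code
  printf '<html><title>Index of /</title></html>' > "$d/index.html"
  : > "$d/empty.dat"
  printf '%s\n' "$d"
}

# Known-bad list (constructed): the SHA256 of an empty file, so the demo matches.
KNOWN_BAD_EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
KNOWN_BAD_LIST=$(mktemp)
printf '%s\n' "$KNOWN_BAD_EMPTY_SHA256" > "$KNOWN_BAD_LIST"

# Stand-alone run: full inventory, then the known-bad matches.
SAMPLE_DIR=$(make_sample_dir)
inventory "$SAMPLE_DIR"
match_known_bad "$SAMPLE_DIR" "$KNOWN_BAD_LIST"
```

The MZ check is the part worth keeping: a payload served as image.jpg or update.dat still starts with those two bytes, and it is the file type, not the extension, that decides whether the object goes to the sandbox. The inventory output is also the right shape to paste into the IOC section of an escalation note.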
Searching the hash on VirusTotal (rather than uploading the sample itself) revealed:
- PEiD packer: .NET executable
- Lastline Sandbox verdict: MALWARE TROJAN
That final confirmation tied the entire investigation together:
- malicious domain
- suspicious HTTP activity
- malware hosting
- executable delivery
- malware classification
What I Learned During This Network Traffic Analysis
The biggest lesson from this TShark Malware Investigation was learning how investigations naturally evolve through pivots.
One artifact leads to another:
- DNS query
- domain
- IP address
- HTTP requests
- TCP streams
- downloaded files
- malware hashes
- threat intelligence
Instead of memorizing commands, I started thinking in terms of:
“What evidence do I need next?”
That shift dramatically improved my investigation speed and confidence.
Proper SOC Escalation Notes
If this investigation happened inside a real SOC environment, these are the notes I would escalate to the incident response or Tier 2 team.
Incident Title: Suspicious Domain and Malware Delivery Investigation
Alert Summary:
Investigated suspicious DNS and HTTP activity associated with phishing infrastructure and malicious file hosting. Analysis confirmed credential harvesting activity and malware delivery through exposed directory indexing.
Investigation Summary:
- Identified malicious phishing domain impersonating PayPal
- Confirmed credential submission through HTTP POST request
- Recovered victim email address from packet payload
- Investigated malicious directory indexing exposure
- Exported downloaded executable from HTTP traffic
- Generated SHA256 hash of malware sample
- Validated malware classification using VirusTotal
Key Indicators of Compromise (IOCs):
- paypal[.]coxxxxxxxxxxxxxxxxxxxxxtrecovery[.]timxxxays[.]com
- jx2-xxxxx[.]com
- 184[.]xx4[.]1xx[.]xxx
- 141[.]1xx[.]41[.]174
- vxxxo[.]exe
- SHA256: b4851xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx164aed20de
Observed Activity:
- Credential harvesting through phishing infrastructure
- HTTP POST credential submission observed
- Open directory indexing exposed downloadable payloads
- Malware executable successfully downloaded by client host
Threat Classification:
- MALWARE TROJAN
- Credential Phishing
- Malicious File Hosting
Recommended Actions:
- Block malicious domains and IPs
- Reset potentially exposed credentials
- Investigate affected endpoint for execution activity
- Perform IOC sweep across proxy, DNS, and SIEM logs
- Isolate affected host if malware execution is confirmed
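The IOC sweep in the recommended actions is the step that turns one confirmed host into a scoped incident, and the indicators in an escalation note are deliberately defanged, so the first thing a sweep has to do is refang them. The script below is an added example, not part of the write-up: it refangs a defanged IOC list, counts hits per indicator across log lines, and lists the clients that touched any of them. The IOCs, the proxy log lines and the log format (timestamp, client, method, URL) are all constructed; the indicators from the real case are masked in the notes above and are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original write-up): refang the defanged
# indicators from an escalation note and sweep them across log lines.
# The IOC list and the proxy log lines are constructed for this demo.

# Defanged indicators as they would appear in escalation notes (constructed).
IOCS='hxxp[://]www[.]brand-login[.]example[.]net/
jx2-example[.]com
198[.]51[.]100[.]23
vxxxxo[.]exe
'

# Constructed proxy log: timestamp client method url
PROXY_LOG='2024-03-01T10:02:11Z 10.0.0.15 GET http://www.brand-login.example.net/login.php
2024-03-01T10:02:14Z 10.0.0.15 POST http://www.brand-login.example.net/login.php
2024-03-01T10:07:40Z 10.0.0.22 GET http://jx2-example.com/
2024-03-01T10:07:41Z 10.0.0.22 GET http://198.51.100.23/files/vxxxxo.exe
2024-03-01T10:09:00Z 10.0.0.31 GET http://www.example.org/
'

# Undo the usual defanging: hxxp -> http, [.] -> ., [://] -> ://, [at] -> @
refang() {
  printf '%s\n' "$1" | sed -e 's/hxxp/http/g' -e 's/\[\.\]/./g' \
                           -e 's/\[:\/\/\]/:\/\//g' -e 's/\[at\]/@/g'
}

# Re-defang for reporting so an indicator never becomes a clickable link.
defang() {
  printf '%s\n' "$1" | sed -e 's/http/hxxp/g' -e 's/\./[.]/g' -e 's/@/[at]/g'
}

# For each IOC print "<hits> <defanged ioc>", counting log lines that contain
# it as a fixed string, case-insensitively. A URL IOC therefore also matches
# every path underneath it.
sweep() {
  printf '%s' "$1" | grep -v '^$' | while IFS= read -r ioc; do
    needle=$(refang "$ioc")
    hits=$(printf '%s' "$2" | grep -Fic -- "$needle" || true)
    printf '%s %s\n' "$hits" "$(defang "$needle")"
  done
}

# Print the client hosts that touched any IOC, de-duplicated. Assumes the
# client is the second field of the log line.
affected_clients() {
  printf '%s' "$1" | grep -v '^$' | while IFS= read -r ioc; do
    printf '%s' "$2" | grep -Fi -- "$(refang "$ioc")" || true
  done | awk '{ print $2 }' | sort -u
}

# Stand-alone run.
sweep "$IOCS" "$PROXY_LOG"
affected_clients "$IOCS" "$PROXY_LOG"
```

The output answers the two questions Tier 2 will ask first: which indicators actually fired in our environment, and which hosts beyond the original one need the same isolate-and-examine treatment. Feeding the same refanged list to DNS and SIEM exports is the same loop with a different second argument.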
My Final Thoughts
This TShark Malware Investigation pushed me beyond basic packet filtering and into real investigative thinking. Combining phishing analysis, malware delivery tracking, IOC extraction, and Network Traffic Analysis into one workflow made the experience feel much closer to an actual SOC environment.
The most valuable part was not simply getting the correct answers. It was learning how to:
- investigate logically
- pivot between indicators
- validate findings with threat intelligence
- recover evidence from traffic
- and document incidents clearly for escalation
- Also gaining the little "Packet Master Badge", you know that dopamine!
Because it feels like that process is what transforms packet analysis into real investigation work.
View similar write-ups: Investigating Malicious Network Traffic with Wireshark
Visit my everyday Cyber Playground

