Project 10: PacketTotal (15 Points)

What You Need for This Project


This project uses traffic captured from a real malware attack. It may set off virus scanners and possibly even infect old, unpatched Windows machines.

Don't do this project on a real Windows machine in normal use. Use your Windows virtual machine instead.


To practice these skills, which are essential for a security analyst:

Choosing a Machine to Use

When working with malware, use a virtual machine with no antivirus software, and one that isn't used for other tasks such as shopping or emailing.

In this case we are using a fairly old Windows malware sample, so it's OK to use a Mac or Linux machine.

Don't use a regular Windows machine for this project, especially one used for other work, such as company machine at a workplace. However, using Windows as the host for a virtual machine is fine.

Downloading the Malware Traffic Sample

On your analysis machine, in a Web browser, go to:

On this page, click the link.

Unzipping the Sample

Double-click the file. It is a password-protected Zip file. Use this password, which is standard in the malware analysis community:


Using PacketTotal

In a Web browser, go to

On the File tab, click the "Choose file" button, as shown below.

Navigate to the 2017-12-23-traffic-analysis-exercise.pcap file you unzipped and double-click it.

A "Begin PCAP Analysis" box pops up, as shown below, warning that the packet capture file will be made public after analysis.

That's a problem for real network data, but not for us, so check the box and click Analyze.

Malicious Activity

The "Malicious Activity" tab appears, as shown below, with two types of alerts: "SURICATA DNS malformed request data" and "ET POLICY DNS Query to .onion proxy Domain".

The first one may be malware traffic, but there's no further detail available here.

The second one indicates use of Tor, which is probably malicious activity also.

Suspicious Activity

Click the "Suspicious Activity" tab.

There are two alerts here too. The first one looks serious: a known malware hash value.

Highlight the VirusTotal URL from the alert, highlighted in the image below, copy it, and open that page.

The file is detected as a Trojan, as shown below.

In VirusTotal, click the Behavior tab.

At the top left, click the round button and select the "Tencent HABO" sandbox, as shown below.

Scroll down to see "Registry Actions", as shown below. These are useful Indicators of Compromise.

Analyzing an EXE

In PacketTotal, click the "Extracted Executable Files" tab. There are two executables, as shown below.

In the "File ID" column, click the little down-arrow on the right side of the second blue button to download the Windows XP executable.

Check the box to verify that you are a human.

Click Verify.

Click "Download Potentially Malicious File".

A file downloads, named "extract-1513991782.382514-HTTP-FOSLGGC6wGdwbGkB3.raw".

Upload that file to VirusTotal.

Examine its behavior in the VirusTotal Sandbox, as shown below.

Scroll down to find the files written by this malware. Find the filename of the BMP file written to the root of C:, covered by a green box in the image below.

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:

Posted 9-17-18
Filename fixed 10-29-18