Overview
This writeup documents the methodology, tools, and concepts applied when analyzing a malicious PCAP file during the TryHackMe Carnage room. The objective is a repeatable process for investigating network captures using Wireshark, from initial triage through threat intelligence correlation.
Phase 1: Get the Big Picture First
Before writing any display filters, use Wireshark's built-in statistics menus to build a high-level picture of the capture. Jumping straight into filters without context wastes time.
Statistics Menu
Protocol Hierarchy (Statistics > Protocol Hierarchy) shows every protocol present in the capture as a percentage of total traffic. This is the fastest way to spot anomalous protocols or unexpected traffic volume.
Conversations (Statistics > Conversations) lists all TCP, UDP, and IP conversations between hosts. Sort by bytes transferred to identify the most active communication pairs.
Endpoints (Statistics > Endpoints) lists every IP, TCP, and UDP endpoint observed. Useful for identifying external IPs that a compromised host communicated with.
Analyze Menu
Expert Information (Analyze > Expert Information) aggregates all warnings, errors, notes, and chat-level events from the entire capture into a single view. It surfaces anomalies that would take hours to find manually.
Tools Menu
Credentials (Tools > Credentials) extracts plaintext credentials transmitted over unencrypted protocols including HTTP Basic Auth, FTP, and Telnet.
Phase 2: Display Filters Reference
HTTP and Web Traffic
http.request.method == "POST"
http.request.method == "GET"
http.response.code == 200
http.response.code == 404
http && frame.len > 1000
http.request.uri contains ".exe"
http.request.uri contains ".zip"
DNS
dns
dns.flags.response == 0
dns && frame.time >= "2021-09-24 00:00:00" && frame.time <= "2021-09-24 23:59:59"
dns.qry.name contains "suspicious-domain"
TLS and HTTPS
tls
tls.handshake.extensions_server_name contains "domain"
x509sat.uTF8String contains "issuer-name"
tls.handshake.type == 1
SMTP
smtp
smtp.command == "MAIL"
smtp.command == "RCPT"
smtp.command == "DATA"
smtp && data
File Downloads via Magic Bytes
tcp contains "MZ"
tcp contains "PK"
tcp contains "%PDF"
Phase 3: Extracting and Analyzing Files
Export Objects
Navigate to File > Export Objects > HTTP to list every file transferred over HTTP in the capture. Files can be saved directly from this dialog. Prioritize reviewing executables, scripts, and archive formats: .exe, .dll, .zip, .ps1, .bat, .docm.
The same export feature is available for SMB, DICOM, IMF, and TFTP traffic.
Follow Stream
Right-click any packet and select Follow > HTTP Stream or Follow > TCP Stream to reconstruct the full client and server conversation in readable form. Use HTTP Stream for web traffic to get cleaner output. Use TCP Stream for raw binary sessions or non-HTTP protocols.
Phase 4: The Phil Katz ZIP Trick
Because of how Phil Katz designed the ZIP file format, entry filenames are stored in plaintext within the raw data stream: once in each entry's local file header and again in the central directory at the end of the archive. You do not need to extract a ZIP archive to know what files it contains.
When you identify a ZIP file being transferred, follow the TCP stream and scroll through the raw data. The embedded filenames are readable in plaintext right after each PK magic bytes header, the first of which sits at the start of the archive. This is useful when a ZIP has been renamed with a benign extension to evade content inspection, because the check depends on the bytes rather than the filename.
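The two checks above, reading entry names straight out of the raw bytes and classifying a payload by the magic bytes from the Phase 2 filters, as an added Python example that is not part of the original writeup. The HTTP response and the ZIP it carries are constructed in the script (not taken from the Carnage capture), and the archive is deliberately served under the name report.txt to show that the extension is irrelevant.

```python
import io
import struct
import zipfile

# Signature that starts every local file header in a ZIP archive (the "PK" magic bytes).
LOCAL_HEADER_SIG = b"PK\x03\x04"
# Fixed fields that follow the signature: version, flags, method, mod time, mod date,
# crc32, compressed size, uncompressed size, filename length, extra field length.
LOCAL_HEADER_FMT = "<HHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 26 bytes

# Magic bytes from the Phase 2 filters, matched at the start of a payload.
MAGIC = [
    (b"MZ", "PE executable (Windows)"),
    (b"PK\x03\x04", "ZIP archive (also Office/JAR containers)"),
    (b"%PDF", "PDF document"),
]


def identify_magic(payload: bytes) -> str:
    """Label a payload by its leading magic bytes; 'unknown' if none match."""
    for sig, label in MAGIC:
        if payload.startswith(sig):
            return label
    return "unknown"


def http_body(stream: bytes) -> bytes:
    """Return the body of an HTTP message: everything after the blank line."""
    sep = stream.find(b"\r\n\r\n")
    return stream[sep + 4:] if sep != -1 else stream


def list_zip_entries(raw: bytes) -> list:
    """List entry names from a raw ZIP byte stream without extracting it.

    Walks each local file header in the stream, reads the filename length
    field and slices the name out. Only the bytes matter, so a renamed
    archive (for example served as report.txt) is handled the same way.
    """
    names = []
    pos = raw.find(LOCAL_HEADER_SIG)
    while pos != -1:
        hdr_start = pos + len(LOCAL_HEADER_SIG)
        hdr_end = hdr_start + LOCAL_HEADER_LEN
        if hdr_end > len(raw):
            break  # truncated capture
        fields = struct.unpack(LOCAL_HEADER_FMT, raw[hdr_start:hdr_end])
        flags, csize, name_len, extra_len = fields[1], fields[6], fields[8], fields[9]
        names.append(raw[hdr_end:hdr_end + name_len].decode("utf-8", errors="replace"))
        # Skip over the entry's compressed data so a chance "PK\x03\x04" inside it is
        # not mistaken for a header. If flag bit 3 is set the size lives in a trailing
        # data descriptor, so fall back to scanning forward from the name/extra fields.
        skip = hdr_end + name_len + extra_len
        if not flags & 0x0008:
            skip += csize
        pos = raw.find(LOCAL_HEADER_SIG, skip)
    return names


def build_sample_stream() -> bytes:
    """Constructed TCP stream: an HTTP response serving a ZIP renamed to report.txt.

    Not captured from the Carnage PCAP; built here so the example runs offline.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.docm", "constructed macro document placeholder " * 20)
        zf.writestr("payload/run.ps1", "Write-Host 'constructed placeholder'\n" * 10)
    body = buf.getvalue()
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/plain\r\n"
        b"Content-Disposition: attachment; filename=\"report.txt\"\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return headers + body


if __name__ == "__main__":
    stream = build_sample_stream()
    body = http_body(stream)
    print("Payload type:", identify_magic(body))       # ZIP archive, despite the .txt name
    print("Entries     :", list_zip_entries(stream))   # names read straight from the bytes
```

The parser skips each entry's compressed data using the size field in the header, which is why it does not trip over a random `PK\x03\x04` sequence inside deflated content; the bare `tcp contains "PK"` filter from Phase 2 has no such context and will match any payload containing those two letters, so treat its hits as candidates to confirm in Follow > TCP Stream rather than as detections.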
Phase 5: Cobalt Strike and C2 Detection
Cobalt Strike is a legitimate penetration testing framework that threat actors routinely abuse as a Command and Control framework.
How attackers disguise Cobalt Strike traffic:
Cobalt Strike uses malleable C2 profiles to make beacon traffic resemble legitimate HTTP or HTTPS requests, mimicking known services like Google Analytics or jQuery CDN endpoints. Beacons communicate at regular heartbeat intervals, which creates a distinctive pattern of periodic, time-spaced connections to the same external IP. TLS certificates used by Cobalt Strike are often self-signed with suspicious issuer names or unusually short validity periods.
Detection approach:
Check Statistics > Conversations for any host that repeatedly connects to an external IP on port 443 or 80 at consistent intervals. Inspect TLS certificates using the filter tls.handshake.type == 11 and examine the Subject and Issuer fields for unusual certificate authority names. This filter only surfaces certificates for TLS 1.2 and earlier; in TLS 1.3 the Certificate message is encrypted, so fall back to the SNI in the Client Hello (tls.handshake.extensions_server_name) to learn which hostname was requested. Run any suspicious IPs through VirusTotal.
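The "consistent intervals" check above done in code, as an added Python example that is not part of the original writeup. The connection records are constructed here (not from the Carnage PCAP) in the shape Statistics > Conversations would give you, and the script scores each (source, destination, port) pair by how regular its connection gaps are. Cobalt Strike operators can configure a sleep time and a jitter percentage, so the `max_jitter` threshold is a tunable, not a fixed rule.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (epoch seconds, src ip, dst ip, dst port).
# Not from the Carnage PCAP; shaped like the pairs Statistics > Conversations lists.
SAMPLE_FLOWS = [
    # Host 10.0.0.5 reaching 203.0.113.10:443 roughly every 60 s: beacon-like.
    (1632450000.0, "10.0.0.5", "203.0.113.10", 443),
    (1632450061.0, "10.0.0.5", "203.0.113.10", 443),
    (1632450119.0, "10.0.0.5", "203.0.113.10", 443),
    (1632450180.0, "10.0.0.5", "203.0.113.10", 443),
    (1632450242.0, "10.0.0.5", "203.0.113.10", 443),
    (1632450300.0, "10.0.0.5", "203.0.113.10", 443),
    # Same host browsing 198.51.100.7:80 at irregular, human-looking times.
    (1632450005.0, "10.0.0.5", "198.51.100.7", 80),
    (1632450010.0, "10.0.0.5", "198.51.100.7", 80),
    (1632450305.0, "10.0.0.5", "198.51.100.7", 80),
    (1632450307.0, "10.0.0.5", "198.51.100.7", 80),
    (1632450905.0, "10.0.0.5", "198.51.100.7", 80),
    # Two connections only: too few to judge with the default threshold.
    (1632450050.0, "10.0.0.9", "203.0.113.10", 443),
    (1632450110.0, "10.0.0.9", "203.0.113.10", 443),
]


def connection_times(flows):
    """Group connection start times by (src, dst, dport), sorted in time order."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_pair[(src, dst, dport)].append(ts)
    return by_pair


def find_beacons(flows, min_connections=5, max_jitter=0.15):
    """Flag host pairs whose connection intervals are nearly constant.

    jitter = population stdev of the gaps / mean gap. A value near 0 means the
    host reconnects on a fixed timer; browsing traffic scores far higher.
    """
    suspects = []
    for (src, dst, dport), times in connection_times(flows).items():
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            suspects.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(times), "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return suspects


if __name__ == "__main__":
    for s in find_beacons(SAMPLE_FLOWS):
        print(f"{s['src']} -> {s['dst']}:{s['dport']} every ~{s['interval_s']}s "
              f"({s['count']} connections, jitter {s['jitter']})")
```

With the sample data only the 203.0.113.10:443 pair is reported (six connections, about 60 seconds apart, jitter under 0.05); the browsing pair has a coefficient of variation above 1 and drops out. Lowering `min_connections` trades false positives for earlier detection, which is the same judgement you make when eyeballing the Conversations view.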
Phase 6: Threat Intelligence with VirusTotal
VirusTotal (virustotal.com) allows you to cross-reference artifacts extracted from a PCAP against known malware intelligence.
Submit IP addresses, domains, file hashes, and URLs. After submitting an IP, check the Relations tab to discover associated domains, related files, and other IPs tied to the same threat actor infrastructure.
Workflow:
Note all suspicious IPs from Statistics > Endpoints and the Conversations view. Cross-reference each one on VirusTotal and document any detections before moving on to stream analysis.
Phase 7: Email Analysis via SMTP
smtp
Key SMTP commands and their meaning:
| Command | Meaning |
|---|---|
| EHLO / HELO | Client greeting, identifies the sending server |
| MAIL FROM | Sender email address |
| RCPT TO | Recipient email address |
| DATA | Start of the email body |
| AUTH | Authentication attempt |
Follow the TCP stream on any DATA packet to read the full email headers and body. Attachments appear inside the stream as Base64 text and must be decoded before they can be inspected or hashed.
Key Concepts
| Term | Definition |
|---|---|
| PCAP | Packet capture file, a recording of raw network traffic |
| Protocol Hierarchy | Wireshark breakdown of all protocols in a capture |
| Expert Information | Wireshark built-in anomaly and warning aggregator |
| Cobalt Strike | Legitimate C2 framework frequently abused by threat actors |
| Malleable C2 | Cobalt Strike feature that disguises beacon traffic as normal HTTP |
| SNI | Server Name Indication, the hostname sent during a TLS handshake |
| Phil Katz ZIP Trick | Filenames are readable in raw ZIP stream without extraction |
| VirusTotal | Threat intelligence platform for IPs, domains, hashes, and URLs |
| DGA | Domain Generation Algorithm used by malware to rotate C2 domains |
| Beacon | Periodic check-in signal from a compromised host to its C2 server |
Methodology Checklist
- Statistics > Protocol Hierarchy: What protocols are present?
- Statistics > Conversations: Which hosts are communicating most actively?
- Statistics > Endpoints: Any unusual external IPs or unexpected ports?
- Analyze > Expert Information: Any warnings or errors worth investigating?
- Tools > Credentials: Any plaintext credentials captured?
- Filter dns with a time range: Any suspicious domain lookups?
- Filter http.request.method == "POST": Any outbound data exfiltration?
- File > Export Objects > HTTP: Any files downloaded during the session?
- Follow HTTP and TCP streams on interesting packets
- Check ZIP TCP streams for embedded filenames via the Phil Katz trick
- Filter tls.handshake.type == 11: Inspect certificate issuer fields
- Check for periodic connections to the same external IP at consistent intervals
- Run all suspicious IPs and domains through VirusTotal
- Filter smtp: Were any emails sent or received?