Activity 10.1 Analyze a Network Capture File

In this excercise, I will analyze network capture data. The tool I will use for analyzing the data will be wireshark.

Part 1: Select a packet capture

Malware Traffic Analysis as the name suggests, provides samples of malware traffic for analysis and training purposes.

I will be analyzing the traffic in this excercise:

Also, I highly reccommend setting up your columns in Wireshark properly:

Part 2: Analyze the Traffic


The alert provided in this task is as follows: alert

LAN Data: LAN segment range: ( through Domain: Domain controller: - AscoLimited-DC LAN segment gateway: LAN segment broadcast address:


  • 2021-02-08 15:59 UTC
    • communicates with over 443. The external IP appears to be using a Lets Encrypt Free SSL Certificate
  • 2021-02-08 16:00 UTC
    • Tordal/Hancitor/Chanitor Checkin: This is a known malware downloader utility
    • src_ip:
    • dest_ip:
    • URL retrieved:
    • This activity can be observed with the following wireshark filter by destination: alert
  • 2021-02-08 16:00 UTC
    • Shellcode is detected from
  • 2021-02-08 16:00 UTC
    • connects via a reverse shell to
  • 2021-02-08 16:00 UTC
    • initiates Cobalt Strike
    • Cobalt strike deploys the ‘Beacon’ agent
    • Cobalt strike allows for: command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement, etc.
    • Cobalt Strike is a paid malware package
  • 2021-02-08 16:00 UTC
    • Cobalt Strike initiates a DLL or EXE download from
  • 2021-02-08 16:00 UTC
    • “Flicker Stealer” is activated. Flicker stealer is a “an MaaS (Malware as a Service) stealer that is sold on hacking forums. Its main goal is to steal sensitive information cached by the user - specifically browser passwords - and send it back to the virus’ owner.”
  • 2021-02-08 16:01 UTC
    • Flicker Stealer sends sensitive info back to
  • 2021-02-08 16:01 UTC
    • Compromised system begins communicating with the domain controller
    • Files sent to server over SMB2
  • 2021-02-08 16:01 UTC


Executive Summary: From 17:59 UTC, the host at IP address was infected with Hancitor, Cobalt Strike and Flicker Stealer Malware. After being infected with Flicker Stealer, the attacker also attempted to compromise the domain controller.

Details: IP Address: Host name: DESKTOP-MGVG60Z Windows Account: bill.cook

Indicators of Commpromise:

Tordal/Hancitor/Chanitor Checkin:

  • intiates download of Malware at 15:59 UTC
  • sends beaconing signals after download.

Cobalt Strike:

  • port 8080 installs Cobalt strike at 16:00 UTC

Flicker Stealer:

  • port 80 intiates a download of Flicker Strike DLL / EXE at 16:01 UTC

Activity 10.2 Analyze a Phishing Email

For this activity, I will analyze a phishing email I pulled from my spam inbox. Phishing

Part 1: Manually Analyze an email header

First I will manually analyze the email header of the phishing email. Note I have replaced my actual email with Here is the full header information:

Received: by 2002:a5e:8909:0:0:0:0:0 with SMTP id k9csp859350ioj;
        Wed, 31 Mar 2021 13:19:37 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwLcyjVC5HJ1WGEuysDkoz5/zl1HJsd7Ly+Gpe6ZxDkaXRxdJkR7ivoJA2MXu6IUv9byxmt
X-Received: by 2002:a5d:58fc:: with SMTP id f28mr5422737wrd.180.1617221977399;
        Wed, 31 Mar 2021 13:19:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617221977; cv=none;; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arc-20160816;
ARC-Authentication-Results: i=1;;
       spf=pass ( domain of designates 2602:fed2:7300:548:7e3:f3e2:0:1 as permitted sender)
Return-Path: <>
Received: from ( [2602:fed2:7300:548:7e3:f3e2:0:1])
        by with ESMTPS id r5si3160359wrz.349.2021.
        for <>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 31 Mar 2021 13:19:37 -0700 (PDT)
Received-SPF: pass ( domain of designates 2602:fed2:7300:548:7e3:f3e2:0:1 as permitted sender) client-ip=2602:fed2:7300:548:7e3:f3e2:0:1;
       spf=pass ( domain of designates 2602:fed2:7300:548:7e3:f3e2:0:1 as permitted sender)
Date: Wed, 31 Mar 2021 19:49:15 GMT
Message-Id: <>
From: "'SmileDirectClub Publisher'" <>
Subject: Clear Aligners are All the Rage - Get Your At-Home Kit Today
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

There are two main aspects which point to a phishing email inside the header.

  1. Email originates from a suspicious sender domain name which does not match the display name of ‘SmileDirectClub Publisher’

  2. The email passes the SPF check, but it desgingates an IPV6 address as the return address. Looking up this address, provides… nothing. Received-SPF: pass ( domain of designates 2602:fed2:7300:548:7e3:f3e2:0:1 as permitted sender)

Part 2: Analyze the email content

Checking over the email content is the next step. Note: I am not responsible if you visit one of these links… and get rolled. The content for this email is as follows:

<!DOCTYPE html>
  <body style=3D=22 padding: 0;margin: 0; background-color:#ffffff; =
font-size: 14px;=22>
    <table cellpadding=3D=220=22 cellspacing=3D=220=22 style=3D=22width: =
620px; background-color:#5701ff;font-size: 14px; font-family: sans-serif; =
margin:0 auto; border: 1px solid #000;=22>
            <table border=3D=220=22 cellpadding=3D=220=22 =
cellspacing=3D=220=22 style=3D=22padding: 22px;=22>
                <tr style=3D=22background-color: #ffffff;  =22>
                  <td style=3D=22border-radius:10px 10px 0  0 ;=22>
                          <td style=3D=22 padding-left: 30px; padding-top: =
50px; padding-right: 50px;=22><a href=3D=22http://hgak7fvtf158dp.w7e3-f3e2[.]= style=3D=22 text-decoration:none; =
display: inline-block; color: #5901ff;font-size: 4em;line-height:1; =
font-weight: bold; =22>free 30-second smile assessment </a>
                          <td style=3D=22 padding-left: 30px; padding-top: =
25px; color: #5600ff; font-size: 1.9em;line-height:1;letter-spacing: =
                            <p style=3D=22 padding: 0; margin: 0;=22>get =
started on the smile you&#39;ll
                            <p style=3D=22 padding: 0; margin: 0; =
padding-top: 10px;letter-spacing: 1px;=22>love in just three easy steps.
                          <td style=3D=22padding-left: 30px; padding-top: =
50px; padding-bottom: 40px;=22><a href=3D=22http://hgak7fvtf158dp[.]w7e3-f3e2= style=3D=22 text-decoration:none; =
display: inline-block; background-color: #6400ff; color: #ffffff;font-size:=
 1.4em;line-height:1; font-weight: bold; border-radius: 5px; padding: 12px =
15px;=22>ORDER YOUR IMPRESSION KIT &gt;&gt; </a>
                  <td style=3D=22background-color: #d9d9d7; border-radius:0=
  0 10px 10px  ;=22>
                          <td style=3D=22padding-left: 30px;=22>
                            <p style=3D=22 padding-top: 30px; font-size: 1.=
2em;line-height:1;color: #3a3a3a;letter-spacing: 1px;=22>which one best =
describes your teeth crowding=3F
                            </p><a href=3D=22http://hgak7fvtf158dp[.]= style=3D=22 =
text-decoration:none; display: inline-block;=22><img alt=3D=22=22 =
3UFeA/tooth1.jpg=22 width=3D=22519=22 height=3D=22106=22 =
style=3D=22display:block;=22 /></a>
                          <td style=3D=22padding-left: 30px; =
padding-bottom: 50px;=22>
                            <p style=3D=22 padding-top: 30px; font-size: 1.=
2em;line-height:1;color: #3a3a3a;letter-spacing: 1px;=22>which one best =
describes your teeth spacing=3F
                            </p><a href=3D=22http://hgak7fvtf158dp[.]= style=3D=22 =
text-decoration:none; display: inline-block; =22><img alt=3D=22=22 =
3UFeA/tooth2.jpg=22 width=3D=22520=22 height=3D=22107=22 =
style=3D=22display:block;=22 /> </a>
                  <td style=3D=22color: #ffffff; padding-left: 30px; =
font-size: 2em;line-height:1;=22>
                    <p style=3D=22 padding: 0; margin: 0;padding-top: 30px;=
 =22>use code <span style=3D=22font-weight: bold;=22> <a =
eA/=22 style=3D=22 text-decoration:none; font-weight: bold;color: =
#ffffff;=22>SDCAFF50</a> </span> for <span style=3D=22font-weight: =
bold;=22> 50% off</span>
                    <p style=3D=22padding: 0; margin: 0;padding-top: 10px; =
=22>impression kit
                  <td style=3D=22padding: 50px 0 50px 30px;=22><a =
eA/=22 style=3D=22 text-decoration:none; display: inline-block;=22><img =
alt=3D=22=22 src=3D=22http://hgak7fvtf158dp[.]w7e3-f3e2.rwhtilbp.=
ga/img-cMGUAAKTDAAC2neMSx3UFeA/logosmlt.gif=22 width=3D=22122=22 =
height=3D=2291=22 style=3D=22display:block;=22 /></a>
    <p align=3D=22center=22>=F0=9D=98=9B=F0=9D=98=A9=F0=9D=98=AA=
=F0=9D=98=B4 =F0=9D=98=AA=F0=9D=98=B4 =F0=9D=98=A2=F0=9D=98=AF =
=F0=9D=98=B5. =F0=9D=98=9B=F0=9D=98=A9=F0=9D=98=AA=F0=9D=98=B4 =
=F0=9D=98=A6=F0=9D=98=AE=F0=9D=98=A2=F0=9D=98=AA=F0=9D=98=AD =
=F0=9D=98=B8=F0=9D=98=A2=F0=9D=98=B4 =F0=9D=98=B4=F0=9D=98=A6=F0=9D=98=AF=
=F0=9D=98=B5 =F0=9D=98=A3=F0=9D=98=BA =F0=9D=98=A2 3=F0=9D=98=B3=
=F0=9D=98=A5 =F0=9D=98=B1=F0=9D=98=A2=F0=9D=98=B3=F0=9D=98=B5=F0=9D=98=BA =
=F0=9D=98=AA=F0=9D=98=AF=F0=9D=98=A8 =F0=9D=98=B1=F0=9D=98=A2=F0=9D=98=B3=
      <br />=F0=9D=98=90=F0=9D=98=AF =F0=9D=98=B0=F0=9D=98=B3=F0=9D=98=A5=
=F0=9D=98=A6=F0=9D=98=B3 =F0=9D=98=B5=F0=9D=98=B0 =F0=9D=98=B3=
=F0=9D=98=A6=F0=9D=98=AE=F0=9D=98=B0=F0=9D=98=B7=F0=9D=98=A6 =
=F0=9D=98=AD=F0=9D=98=A7 =F0=9D=98=A7=F0=9D=98=B3=F0=9D=98=B0=F0=9D=98=AE =
=F0=9D=98=A7=F0=9D=98=B6=F0=9D=98=B5=F0=9D=98=B6=F0=9D=98=B3=F0=9D=98=A6 =
=F0=9D=98=A6=F0=9D=98=AE=F0=9D=98=A2=F0=9D=98=AA=F0=9D=98=AD=F0=9D=98=B4, =
<a href=3D=22http://hgak7fvtf158dp[.]w7e3-f3e2.rwhtilbp.=
=F0=9D=98=A2=F0=9D=98=B4=F0=9D=98=A6 =F0=9D=98=A8=F0=9D=98=B0 =
      <br />=F0=9D=98=96=F0=9D=98=B3 =F0=9D=98=B8=F0=9D=98=B3=F0=9D=98=AA=
=F0=9D=98=B5=F0=9D=98=A6 =F0=9D=98=B5=F0=9D=98=B0: 2803 =
=F0=9D=98=A6=F0=9D=98=AD=F0=9D=98=B1=F0=9D=98=A9=F0=9D=98=AA=F0=9D=98=A2 =
=F0=9D=98=97=F0=9D=98=AA=F0=9D=98=AC=F0=9D=98=A6, =F0=9D=98=9A=
=F0=9D=98=B6=F0=9D=98=AA=F0=9D=98=B5=F0=9D=98=A6 =F0=9D=98=89 #258, =
=F0=9D=98=AF=F0=9D=98=B5, =F0=9D=98=8B=F0=9D=98=8C 19703
    <div style=3D=22min-height:179px;height:199px;margin-bottom:59px;=22>
    <p>&nbsp; <img alt=3D=22=22 border=3D=220=22 class=3D=22ComingLike=22 =
A/t.gif=22 style=3D=22height:1px;width:1px;=22 /> <a =
eA/optt=22><img alt=3D=22=22 src=3D=22http://hgak7fvtf158dp.w7e3-f3e2.= width=3D=22314=22 =
height=3D=2226=22 /></a>

The mail indicator that something is very wrong with this email is the same dodgey malicious link sprayed in the body, images and footer. If the email was even close to legitimate, different sections in the email would link to different parts of a website, right?

Another strange aspect of this email is the disclaimer is encoded. The html text below which clearly appears in the above screenshot:

𝘛𝘩𝘪𝘴 𝘪𝘴 𝘢𝘯 𝘢𝘥𝘷𝘦𝘳𝘵𝘪𝘴𝘦𝘮𝘦𝘯𝘵. 𝘛𝘩𝘪𝘴 𝘦𝘮𝘢𝘪𝘭 𝘸𝘢𝘴 𝘴𝘦𝘯𝘵 𝘣𝘺 𝘢 3𝘳𝘥 𝘱𝘢𝘳𝘵𝘺 𝘮𝘢𝘳𝘬𝘦𝘵𝘪𝘯𝘨 𝘱𝘢𝘳𝘵𝘯𝘦𝘳.
𝘐𝘯 𝘰𝘳𝘥𝘦𝘳 𝘵𝘰 𝘳𝘦𝘮𝘰𝘷𝘦 𝘺𝘰𝘶𝘳𝘴𝘦𝘭𝘧 𝘧𝘳𝘰𝘮 𝘧𝘶𝘵𝘶𝘳𝘦 𝘦𝘮𝘢𝘪𝘭𝘴, 𝘱𝘭𝘦𝘢𝘴𝘦 𝘨𝘰 𝘩𝘦𝘳𝘦.
𝘖𝘳 𝘸𝘳𝘪𝘵𝘦 𝘵𝘰: 2803 𝘗𝘩𝘪𝘭𝘢𝘥𝘦𝘭𝘱𝘩𝘪𝘢 𝘗𝘪𝘬𝘦, 𝘚𝘶𝘪𝘵𝘦 𝘉 #258, 𝘊𝘭𝘢𝘺𝘮𝘰𝘯𝘵, 𝘋𝘌 19703 Is fully encoded with several lines similar to: =F0=9D=98=9B=F0=9D=98=A9=F0=9D=98=AA=[…]```

This is presumably to avoid detectiond by Google’s automated spam detection tools. Note the URL in the above message is again the same dodgey one as before.

Part 3: Use an automated tool

There are several automated tools which can also be used to analyze email headers.

Here are a few:

A tool such as the mxtoolbox analyzer will output a clearly organized table with all the headers displayed. The tool can also check the email for DMARC compliance.



A glossary of all the terms, acronyms and slang I run across for this chapter.

organizational impact the magnitude of harm to an organization as a result of a security incident
localized impact the immediate impact of an event as a result of a security incident
log sources firewall, WAF, Proxy, IDS, IPS
SOAR Security Orchestration Automation and Response
SOAR Components Threat and Vulnerability Management, Security Incident Response, Security Operations Automation
Disassemblers Convert machine code into assembly language
Decompiler Convert machine code into a high level language
Packing Techniques used to obfuscate malware code in order to resist analysis
UEBA User Entity and Behavior Analytics - tools used to analyze user behavior and detect anomolaus behavior
DMARC Email authentication method which relies on SPF and DKIM.
SPF Sender Policy Framework. Email authentication method designed to detect forged addresses.
DKIM Domain Keys Identified Mail, form of email authentication designed to prevents spamming, phishing and spoofing.