pinkpixel-dev/analyzing-network-traffic-of-malware
SKILLS/analyzing-network-traffic-of-malware/SKILL.md
Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.
$ install --global
skillsauthnpx skillsauth add pinkpixel-dev/skills-collection-1 analyzing-network-traffic-of-malwareInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 4:24 PM14.4s3 files scanned
SKILL.md
- name:
- analyzing-network-traffic-of-malware
- description:
- >
- domain:
- cybersecurity
- subdomain:
- malware-analysis
- tags:
- [malware, network-analysis, PCAP, Wireshark, C2-detection]
- version:
- 1.0.0
- author:
- mahipal
- license:
- Apache-2.0
Analyzing Network Traffic of Malware
When to Use
- Sandbox execution has captured a PCAP file and the network behavior needs detailed analysis
- Identifying the C2 protocol structure for writing network detection signatures
- Determining what data the malware exfiltrates and to which external infrastructure
- Analyzing DNS tunneling, domain generation algorithms (DGA), or fast-flux behavior
- Creating Suricata/Snort signatures based on observed malware network patterns
Do not use for host-based analysis of malware behavior; use Cuckoo sandbox reports or Volatility memory analysis for process-level activity.
Prerequisites
- Wireshark 4.x installed for interactive PCAP analysis
- tshark (Wireshark CLI) for scripted packet extraction
- Zeek installed for automated metadata generation from PCAPs
- Suricata with ET Open/ET Pro rulesets for signature matching
- NetworkMiner for file extraction and credential detection from PCAPs
- Python 3.8+ with
scapyanddpktfor programmatic packet analysis
Workflow
Step 1: Initial PCAP Overview
Get a high-level understanding of the network traffic:
# Capture statistics
capinfos malware.pcap
# Protocol hierarchy
tshark -r malware.pcap -q -z io,phs
# Endpoint statistics (top talkers)
tshark -r malware.pcap -q -z endpoints,ip
# Conversation statistics
tshark -r malware.pcap -q -z conv,tcp
# DNS query summary
tshark -r malware.pcap -q -z dns,tree
Step 2: Analyze DNS Activity
Examine DNS queries for DGA, tunneling, or C2 domain resolution:
# Extract all DNS queries
tshark -r malware.pcap -T fields -e frame.time -e dns.qry.name -e dns.a \
-Y "dns.flags.response == 1" | sort
# Detect DGA patterns (high entropy domain names)
python3 << 'PYEOF'
import math
from collections import Counter
def entropy(s):
p = [n/len(s) for n in Counter(s).values()]
return -sum(pi * math.log2(pi) for pi in p if pi > 0)
# Parse DNS queries from tshark output
import subprocess
result = subprocess.run(
["tshark", "-r", "malware.pcap", "-T", "fields", "-e", "dns.qry.name",
"-Y", "dns.flags.response == 0"],
capture_output=True, text=True
)
domains = set(result.stdout.strip().split('\n'))
print("Suspicious DNS queries (high entropy):")
for domain in domains:
if domain:
subdomain = domain.split('.')[0]
ent = entropy(subdomain)
if ent > 3.5 and len(subdomain) > 10:
print(f" {domain} (entropy: {ent:.2f})")
PYEOF
# Detect DNS tunneling (large TXT responses)
tshark -r malware.pcap -T fields -e dns.qry.name -e dns.txt \
-Y "dns.resp.type == 16 and dns.resp.len > 100"
Step 3: Analyze HTTP/HTTPS C2 Communication
Examine web-based command-and-control traffic:
# Extract HTTP requests
tshark -r malware.pcap -T fields \
-e frame.time -e ip.src -e ip.dst -e http.host \
-e http.request.method -e http.request.uri -e http.user_agent \
-Y "http.request"
# Extract HTTP response bodies (potential payload downloads)
tshark -r malware.pcap -T fields \
-e http.host -e http.request.uri -e http.content_type -e tcp.len \
-Y "http.response and tcp.len > 1000"
# Extract POST data (potential exfiltration)
tshark -r malware.pcap -T fields \
-e http.host -e http.request.uri -e http.file_data \
-Y "http.request.method == POST"
# TLS analysis (SNI, JA3 fingerprints)
tshark -r malware.pcap -T fields \
-e tls.handshake.extensions_server_name \
-e tls.handshake.ja3 \
-Y "tls.handshake.type == 1"
# Extract TLS certificate details
tshark -r malware.pcap -T fields \
-e x509ce.dNSName -e x509af.serialNumber \
-e x509sat.utf8String \
-Y "tls.handshake.type == 11"
# Export HTTP objects (downloaded files)
tshark -r malware.pcap --export-objects http,exported_files/
Step 4: Detect Beaconing Patterns
Identify regular periodic communication indicating C2 beaconing:
# Beacon detection from PCAP
from scapy.all import rdpcap, IP, TCP
from collections import defaultdict
import statistics
packets = rdpcap("malware.pcap")
# Group connections by destination IP:port
connections = defaultdict(list)
for pkt in packets:
if IP in pkt and TCP in pkt:
if pkt[TCP].flags & 0x02: # SYN flag
dst = f"{pkt[IP].dst}:{pkt[TCP].dport}"
connections[dst].append(float(pkt.time))
# Analyze timing intervals for beaconing
print("Beacon Analysis:")
for dst, times in connections.items():
if len(times) >= 5:
intervals = [times[i+1] - times[i] for i in range(len(times)-1)]
avg = statistics.mean(intervals)
stdev = statistics.stdev(intervals) if len(intervals) > 1 else 0
jitter = (stdev / avg * 100) if avg > 0 else 0
if 10 < avg < 3600 and jitter < 30: # Regular interval with < 30% jitter
print(f" [!] {dst}: {len(times)} connections")
print(f" Interval: {avg:.1f}s ± {stdev:.1f}s (jitter: {jitter:.1f}%)")
print(f" Pattern: LIKELY BEACONING")
Step 5: Generate Network Detection Signatures
Create Suricata/Snort rules from observed traffic patterns:
# Run Suricata against the PCAP for existing signature matches
suricata -r malware.pcap -l suricata_output/ -c /etc/suricata/suricata.yaml
# Review alerts
cat suricata_output/fast.log
# Create custom Suricata rule from observed patterns
cat << 'EOF' > custom_malware.rules
# C2 beacon detection based on observed URI pattern
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE MalwareX C2 Beacon";
flow:established,to_server;
http.method; content:"POST";
http.uri; content:"/gate.php?id=";
http.user_agent; content:"Mozilla/5.0 (compatible; MSIE 10.0)";
sid:9000001; rev:1;
)
# DNS query for known C2 domain
alert dns $HOME_NET any -> any any (
msg:"MALWARE MalwareX C2 DNS Query";
dns.query; content:"update.malicious.com";
sid:9000002; rev:1;
)
# JA3 hash match for malware TLS client
alert tls $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE MalwareX JA3 Match";
ja3.hash; content:"a0e9f5d64349fb13191bc781f81f42e1";
sid:9000003; rev:1;
)
EOF
Step 6: Extract Files and Artifacts from Traffic
Recover transferred files and embedded data:
# Extract files using Zeek
zeek -r malware.pcap /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
ls extract_files/
# Extract files using NetworkMiner (GUI)
# Or use tshark for specific protocol exports
tshark -r malware.pcap --export-objects http,http_objects/
tshark -r malware.pcap --export-objects smb,smb_objects/
tshark -r malware.pcap --export-objects tftp,tftp_objects/
# Hash all extracted files
sha256sum http_objects/* smb_objects/* 2>/dev/null
# Generate Zeek logs for comprehensive metadata
zeek -r malware.pcap
# Output: conn.log, dns.log, http.log, ssl.log, files.log, etc.
Key Concepts
| Term | Definition | |------|------------| | Beaconing | Regular periodic connections from malware to C2 server, identifiable by consistent time intervals and packet sizes | | JA3/JA3S | TLS fingerprinting method creating a hash from ClientHello/ServerHello parameters to uniquely identify malware TLS implementations | | DGA (Domain Generation Algorithm) | Algorithm generating pseudo-random domain names that malware queries to locate C2 servers, evading static domain blocklists | | DNS Tunneling | Encoding data in DNS queries and responses to establish a C2 channel or exfiltrate data through DNS infrastructure | | Fast Flux | DNS technique rapidly rotating IP addresses for a domain to avoid takedown and distribute C2 across many compromised hosts | | SNI (Server Name Indication) | TLS extension revealing the hostname the client is connecting to; visible even in encrypted HTTPS connections | | Network Signature | Suricata/Snort rule matching specific patterns in network traffic (headers, payloads, timing) to detect malicious communications |
Tools & Systems
- Wireshark: Open-source packet analyzer for deep interactive inspection of network traffic at the protocol level
- Zeek: Network analysis framework generating structured metadata logs (conn, dns, http, ssl) from live or captured traffic
- Suricata: High-performance network IDS/IPS for signature-based detection with Lua scripting for custom detection logic
- NetworkMiner: Network forensic analysis tool for extracting files, images, and credentials from PCAP files
- Scapy: Python packet manipulation library for programmatic packet analysis, beacon detection, and protocol decoding
Common Scenarios
Scenario: Decoding a Custom Binary C2 Protocol
Context: Malware communicates with its C2 server using a custom binary protocol over TCP port 8443. Standard HTTP analysis yields no results. The protocol structure needs to be reverse engineered from the PCAP.
Approach:
- Filter the PCAP for TCP port 8443 conversations and follow the TCP stream
- Identify the message framing (length prefix, delimiter, fixed-size headers)
- Compare multiple messages to identify static header fields vs variable data fields
- Cross-reference with reverse engineering findings from Ghidra (if the binary was analyzed)
- Write a Wireshark dissector or Scapy parser for the custom protocol
- Create Suricata rules matching the static header bytes for network detection
- Document the full protocol specification for threat intelligence sharing
Pitfalls:
- Analyzing only the first few packets; some C2 protocols change behavior after initial handshake
- Not decrypting TLS traffic when the sandbox has MITM capabilities
- Confusing legitimate CDN or cloud traffic with C2 (validate destination IPs)
- Missing C2 traffic that uses DNS or ICMP instead of TCP/UDP
Output Format
MALWARE NETWORK TRAFFIC ANALYSIS
===================================
PCAP File: malware_sandbox.pcap
Duration: 300 seconds
Total Packets: 12,847
Total Bytes: 4.2 MB
DNS ACTIVITY
Total Queries: 47
DGA Detected: Yes (23 high-entropy queries to .com TLD)
Tunneling: No
Resolved C2: update.malicious[.]com -> 185.220.101[.]42
C2 COMMUNICATION
Protocol: HTTPS (TLS 1.2)
Server: 185.220.101[.]42:443
SNI: update.malicious[.]com
JA3 Hash: a0e9f5d64349fb13191bc781f81f42e1
Beacon Interval: 60.2s ± 6.8s (11.3% jitter)
Total Sessions: 237
Data Sent: 147 MB
Data Received: 2.3 MB
Certificate: CN=update.malicious[.]com (self-signed, expired)
PAYLOAD DOWNLOADS
GET /payload.dll from compromised-site[.]com
Size: 98,304 bytes
SHA-256: abc123def456...
Content-Type: application/octet-stream
EXFILTRATION
Method: HTTPS POST to /gate.php
Content-Type: application/octet-stream
Average Size: 15,432 bytes per request
Total Volume: 147 MB over 4 hours
SURICATA ALERTS
[1:2028401] ET MALWARE Generic C2 Beacon Pattern
[1:2028500] ET POLICY Self-Signed Certificate
GENERATED SIGNATURES
SID 9000001: MalwareX HTTP beacon pattern
SID 9000002: MalwareX DNS C2 domain
SID 9000003: MalwareX JA3 TLS fingerprint
Related Skills
pinkpixel-dev/aso-audit
testing
VerifiedTrustedCommunity
When the user wants a full ASO health audit, review their App Store listing quality, or diagnose why their app isn't ranking. Also use when the user mentions "ASO audit", "ASO score", "why am I not ranking", "listing review", or "optimize my app store page". For keyword-specific research, see keyword-research. For metadata writing, see metadata-optimization.
4SKILL.mdUpdated May 31, 2026
pinkpixel-dev/ask-questions-if-underspecified
testing
VerifiedTrustedCommunity
Clarify requirements before implementing. Use when serious doubts arise.
4SKILL.mdUpdated May 31, 2026
pinkpixel-dev/asi1-builder
tools
VerifiedTrustedCommunity
Complete reference and build guide for ASI:One (ASI1) — the AI platform by Fetch.ai built for agentic, Web3-native applications. Use this skill IMMEDIATELY and ALWAYS when the user mentions ASI1, ASI:One, Fetch.ai AI API, building with ASI1, integrating ASI:One, asking about ASI1 models, tool calling with ASI1, ASI1 image generation, ASI1 agentic LLM, Agentverse, uagents, Agent Chat Protocol, structured output with ASI1, or OpenAI-compatible wrappers for ASI1. Also trigger when the user says things like "use ASI1 instead of OpenAI", "build an app with ASI:One", "ASI1 API", or references docs.asi1.ai. This skill covers everything needed to build production apps - setup, all models, all API features, tool calling, image gen, agentic orchestration, structured data, session management, streaming, LangChain integration, uagents / Agent Chat Protocol, and TypeScript/Node.js patterns.
4SKILL.mdUpdated May 30, 2026
pinkpixel-dev/asc-metrics
data-ai
VerifiedTrustedCommunity
When the user wants to analyze their own app's actual performance data from App Store Connect — real downloads, revenue, IAP, subscriptions, trials, or country breakdowns synced via Appeeky Connect. Use when the user asks about "my downloads", "my revenue", "how is my app performing", "ASC data", "sales and trends", "my subscription numbers", "App Store Connect metrics", or wants to compare periods or top markets. For third-party app estimates, see app-analytics. For subscription analytics depth, see monetization-strategy.
4SKILL.mdUpdated May 30, 2026