Skip to main content
ClaudeWave
Skill15.5k repo starsupdated 12d ago

analyzing-network-traffic-of-malware

This Claude Code skill analyzes network traffic captured from malware sandbox execution by extracting protocol structures, identifying command-and-control communications, detecting DNS tunneling and domain generation algorithms, and generating signatures for network-based malware detection. Use it when PCAP files from sandbox execution require detailed analysis of exfiltration targets, C2 infrastructure patterns, and malware network behavior to create Suricata or Snort detection rules.

View sourceRepository: Anthropic-Cybersecurity-Skills
Install in Claude Code
Copy
git clone --depth 1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills /tmp/analyzing-network-traffic-of-malware && cp -r /tmp/analyzing-network-traffic-of-malware/skills/analyzing-network-traffic-of-malware ~/.claude/skills/analyzing-network-traffic-of-malware
Then start a new Claude Code session; the skill loads automatically.
Definition

SKILL.md

# Analyzing Network Traffic of Malware

## When to Use

- Sandbox execution has captured a PCAP file and the network behavior needs detailed analysis
- Identifying the C2 protocol structure for writing network detection signatures
- Determining what data the malware exfiltrates and to which external infrastructure
- Analyzing DNS tunneling, domain generation algorithms (DGA), or fast-flux behavior
- Creating Suricata/Snort signatures based on observed malware network patterns

**Do not use** for host-based analysis of malware behavior; use Cuckoo sandbox reports or Volatility memory analysis for process-level activity.

## Prerequisites

- Wireshark 4.x installed for interactive PCAP analysis
- tshark (Wireshark CLI) for scripted packet extraction
- Zeek installed for automated metadata generation from PCAPs
- Suricata with ET Open/ET Pro rulesets for signature matching
- NetworkMiner for file extraction and credential detection from PCAPs
- Python 3.8+ with `scapy` and `dpkt` for programmatic packet analysis

## Workflow

### Step 1: Initial PCAP Overview

Get a high-level understanding of the network traffic:

```bash
# Capture statistics
capinfos malware.pcap

# Protocol hierarchy
tshark -r malware.pcap -q -z io,phs

# Endpoint statistics (top talkers)
tshark -r malware.pcap -q -z endpoints,ip

# Conversation statistics
tshark -r malware.pcap -q -z conv,tcp

# DNS query summary
tshark -r malware.pcap -q -z dns,tree
```

### Step 2: Analyze DNS Activity

Examine DNS queries for DGA, tunneling, or C2 domain resolution:

```bash
# Extract all DNS queries
tshark -r malware.pcap -T fields -e frame.time -e dns.qry.name -e dns.a \
  -Y "dns.flags.response == 1" | sort

# Detect DGA patterns (high entropy domain names)
python3 << 'PYEOF'
import math
from collections import Counter

def entropy(s):
    p = [n/len(s) for n in Counter(s).values()]
    return -sum(pi * math.log2(pi) for pi in p if pi > 0)

# Parse DNS queries from tshark output
import subprocess
result = subprocess.run(
    ["tshark", "-r", "malware.pcap", "-T", "fields", "-e", "dns.qry.name",
     "-Y", "dns.flags.response == 0"],
    capture_output=True, text=True
)

domains = set(result.stdout.strip().split('\n'))
print("Suspicious DNS queries (high entropy):")
for domain in domains:
    if domain:
        subdomain = domain.split('.')[0]
        ent = entropy(subdomain)
        if ent > 3.5 and len(subdomain) > 10:
            print(f"  {domain} (entropy: {ent:.2f})")
PYEOF

# Detect DNS tunneling (large TXT responses)
tshark -r malware.pcap -T fields -e dns.qry.name -e dns.txt \
  -Y "dns.resp.type == 16 and dns.resp.len > 100"
```

### Step 3: Analyze HTTP/HTTPS C2 Communication

Examine web-based command-and-control traffic:

```bash
# Extract HTTP requests
tshark -r malware.pcap -T fields \
  -e frame.time -e ip.src -e ip.dst -e http.host \
  -e http.request.method -e http.request.uri -e http.user_agent \
  -Y "http.request"

# Extract HTTP response bodies (potential payload downloads)
tshark -r malware.pcap -T fields \
  -e http.host -e http.request.uri -e http.content_type -e tcp.len \
  -Y "http.response and tcp.len > 1000"

# Extract POST data (potential exfiltration)
tshark -r malware.pcap -T fields \
  -e http.host -e http.request.uri -e http.file_data \
  -Y "http.request.method == POST"

# TLS analysis (SNI, JA3 fingerprints)
tshark -r malware.pcap -T fields \
  -e tls.handshake.extensions_server_name \
  -e tls.handshake.ja3 \
  -Y "tls.handshake.type == 1"

# Extract TLS certificate details
tshark -r malware.pcap -T fields \
  -e x509ce.dNSName -e x509af.serialNumber \
  -e x509sat.utf8String \
  -Y "tls.handshake.type == 11"

# Export HTTP objects (downloaded files)
tshark -r malware.pcap --export-objects http,exported_files/
```

### Step 4: Detect Beaconing Patterns

Identify regular periodic communication indicating C2 beaconing:

```python
# Beacon detection from PCAP
from scapy.all import rdpcap, IP, TCP
from collections import defaultdict
import statistics

packets = rdpcap("malware.pcap")

# Group connections by destination IP:port
connections = defaultdict(list)
for pkt in packets:
    if IP in pkt and TCP in pkt:
        if pkt[TCP].flags & 0x02:  # SYN flag
            dst = f"{pkt[IP].dst}:{pkt[TCP].dport}"
            connections[dst].append(float(pkt.time))

# Analyze timing intervals for beaconing
print("Beacon Analysis:")
for dst, times in connections.items():
    if len(times) >= 5:
        intervals = [times[i+1] - times[i] for i in range(len(times)-1)]
        avg = statistics.mean(intervals)
        stdev = statistics.stdev(intervals) if len(intervals) > 1 else 0
        jitter = (stdev / avg * 100) if avg > 0 else 0

        if 10 < avg < 3600 and jitter < 30:  # Regular interval with < 30% jitter
            print(f"  [!] {dst}: {len(times)} connections")
            print(f"      Interval: {avg:.1f}s ± {stdev:.1f}s (jitter: {jitter:.1f}%)")
            print(f"      Pattern: LIKELY BEACONING")
```

### Step 5: Generate Network Detection Signatures

Create Suricata/Snort rules from observed traffic patterns:

```bash
# Run Suricata against the PCAP for existing signature matches
suricata -r malware.pcap -l suricata_output/ -c /etc/suricata/suricata.yaml

# Review alerts
cat suricata_output/fast.log

# Create custom Suricata rule from observed patterns
cat << 'EOF' > custom_malware.rules
# C2 beacon detection based on observed URI pattern
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"MALWARE MalwareX C2 Beacon";
    flow:established,to_server;
    http.method; content:"POST";
    http.uri; content:"/gate.php?id=";
    http.user_agent; content:"Mozilla/5.0 (compatible; MSIE 10.0)";
    sid:9000001; rev:1;
)

# DNS query for known C2 domain
alert dns $HOME_NET any -> any any (
    msg:"MALWARE MalwareX C2 DNS Query";
    dns.query; content:"update.malicious.com";
    sid:9000002; rev:1;
)

# JA3 hash match for malware TLS client
alert tls $HOME_NET any -> $EXTERNAL_NET any (
    ms
More from this repository
Improve existing skillSkill
Add new skillSkill
acquiring-disk-image-with-dd-and-dcflddSkill

Create forensically sound bit-for-bit disk images using dd and dcfldd

analyzing-active-directory-acl-abuseSkill

Detect dangerous ACL misconfigurations in Active Directory using ldap3

analyzing-android-malware-with-apktoolSkill

Perform static analysis of Android APK malware samples using apktool

analyzing-api-gateway-access-logsSkill

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect

analyzing-apt-group-with-mitre-navigatorSkill

Analyze advanced persistent threat (APT) group techniques using MITRE

analyzing-azure-activity-logs-for-threatsSkill

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query