Phishing Traffic Analysis and Malware Presence Confirmation using Wireshark and Scapy
Introduction
Phishing is a common form of cyberattack where users are tricked into revealing sensitive information such as login credentials through fake websites. These attacks are often delivered via malicious emails containing deceptive links.
In this work, a real-world phishing traffic capture (PCAP file) was analyzed using Wireshark and Scapy. The goal is to identify malicious activity, reconstruct the phishing workflow, and confirm malware presence through packet-level evidence and network behavior analysis.
Objectives
- To analyze phishing traffic using Wireshark
- To extract HTTP requests and credentials using Scapy
- To confirm malware presence through packet-level evidence
- To study traffic behavior using graphs and throughput analysis
PCAP Source Link
PCAP file obtained from: https://www.malware-traffic-analysis.net/2024/08/29/index.html
PCAP Description
The PCAP file contains network traffic generated from a phishing email leading to a fake webmail login page. It includes HTTP GET and POST requests, DNS resolution, and TCP communication between the victim system and a malicious server. The capture demonstrates credential harvesting behavior.
Architecture of Work
Procedure
- The PCAP file was loaded into Wireshark for initial inspection.
- HTTP filters were applied to identify web-based traffic.
- TCP streams were analyzed to observe request-response behavior.
- The POST request was identified to extract credential submission.
- The same PCAP was processed using Scapy in Google Colab.
- HTTP GET and POST requests were programmatically extracted.
- Multiple graphs such as throughput, TCP flags, and packet distribution were generated.
- Traffic behavior was analyzed to identify phishing patterns.
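The extraction steps above, as an added example that is not part of the original report or its repository: it re-implements the Scapy part of the procedure (read the PCAP, walk the TCP layer, pull the HTTP GET and POST requests and the POST form body, count TCP flags, split upload from download, time the session) using only the Python standard library so it runs where Scapy is not installed, and it produces the measurements the Inferences section below rests on. The victim and server addresses, the host name webmail.example.net, the credentials and the whole captured session are constructed for the example; only the /management.aspx path comes from the report.

```python
"""Added example: pull HTTP requests, submitted form fields and TCP flag
counts out of a pcap with the standard library only, so it runs where Scapy
is not installed. It mirrors the report's Scapy workflow (rdpcap -> TCP
layer -> Raw payload) one layer at a time."""
import struct
from collections import Counter
from urllib.parse import parse_qs

FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums stay zero because the parser ignores them."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def make_pcap(frames, t0=1724900000):
    """Classic little-endian pcap (linktype 1 = Ethernet), one frame per second."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(data):
    """Yield (ts, src_ip, dst_ip, sport, dport, flags, payload) for each TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts, us, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip anything that is not TCP over IPv4 over Ethernet (e.g. DNS/UDP)
        ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield ts + us / 1e6, src, dst, sport, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:]


def analyse(data, victim_ip):
    """Compute the measurements behind the report's inferences."""
    r = {"requests": [], "form_fields": {}, "flags": Counter(),
         "src": Counter(), "dst": Counter(), "upload": 0, "download": 0}
    times = []
    for ts, src, dst, _sport, _dport, flags, payload in iter_tcp(data):
        times.append(ts)
        r["src"][src] += 1
        r["dst"][dst] += 1
        r["flags"].update(name for bit, name in FLAG_NAMES.items() if flags & bit)
        r["upload" if src == victim_ip else "download"] += len(payload)
        head, _, body = payload.partition(b"\r\n\r\n")
        if head[:4] not in (b"GET ", b"POST"):
            continue  # not an HTTP request (responses, bare ACKs, handshake segments)
        lines = head.decode("latin-1").split("\r\n")
        method, path = lines[0].split()[:2]
        host = next((ln.split(":", 1)[1].strip() for ln in lines[1:] if ln.lower().startswith("host:")), "")
        r["requests"].append((method, host, path))
        if method == "POST":  # form-encoded body carries the harvested credentials in clear text
            r["form_fields"].update({k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()})
    r["duration"] = max(times) - min(times) if times else 0.0
    return r


# Constructed sample session (not taken from the real PCAP): three-way handshake,
# GET of the phishing page, POST of the login form, server redirect, teardown.
VICTIM, SERVER = "10.0.0.5", "203.0.113.10"  # assumed addresses
C2S = dict(src_ip=VICTIM, dst_ip=SERVER, sport=49152, dport=80)
S2C = dict(src_ip=SERVER, dst_ip=VICTIM, sport=80, dport=49152)
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
HOST = b"webmail.example.net"  # assumed phishing host name
GET = b"GET /management.aspx HTTP/1.1\r\nHost: " + HOST + b"\r\n\r\n"
PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>" + b"x" * 600 + b"</html>"
POST = (b"POST /management.aspx HTTP/1.1\r\nHost: " + HOST +
        b"\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"username=alice%40example.com&password=S3cret%21")
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://login.example.com/\r\n\r\n"
SAMPLE_PCAP = make_pcap([
    build_frame(**C2S, flags=SYN), build_frame(**S2C, flags=SYN | ACK), build_frame(**C2S, flags=ACK),
    build_frame(**C2S, flags=PSH | ACK, payload=GET), build_frame(**S2C, flags=PSH | ACK, payload=PAGE),
    build_frame(**C2S, flags=PSH | ACK, payload=POST), build_frame(**S2C, flags=PSH | ACK, payload=REDIRECT),
    build_frame(**C2S, flags=FIN | ACK), build_frame(**S2C, flags=FIN | ACK), build_frame(**C2S, flags=ACK),
])

if __name__ == "__main__":
    report = analyse(SAMPLE_PCAP, VICTIM)
    for method, host, path in report["requests"]:
        print(f"{method} http://{host}{path}")
    print("form fields:", report["form_fields"])
    print("TCP flags:", dict(report["flags"]))
    print("top source:", report["src"].most_common(1)[0], "top destination:", report["dst"].most_common(1)[0])
    print(f"upload {report['upload']} B, download {report['download']} B, duration {report['duration']:.1f} s")
```

To run it against a real capture, replace SAMPLE_PCAP with the file's bytes (`open(path, "rb").read()`). Wireshark saves in pcapng by default and this parser only reads classic pcap, so convert first with `editcap -F pcap in.pcapng out.pcap`. With Scapy installed the same loop is `for pkt in rdpcap(path)`, keeping packets with `pkt.haslayer(TCP) and pkt.haslayer(Raw)` and reading `pkt[TCP].flags` and `bytes(pkt[Raw].load)`; the flag counting, form-field parsing and upload/download split are unchanged. Note that the form fields are recoverable only because the page used plain HTTP; over HTTPS the same POST would show up as opaque TLS application data.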
Inferences (Proof of Malware Presence)
- HTTP traffic is present, so the victim communicated with a web server in clear text.
- Access to /management.aspx confirms that the victim reached the phishing page.
- GET requests show the phishing web page being loaded.
- A POST request shows the login form being submitted.
- The form fields in the POST body are transmitted without encryption, so the submitted username and password can be read directly from the capture.
- The domain serving the page is not the legitimate webmail provider, indicating a phishing server.
- The most frequent source IP is the victim machine; the most frequent destination IP is the phishing server.
- All attack traffic is TCP, as expected for HTTP; UDP appears only for DNS resolution of the phishing domain, not for the attack itself.
- SYN, PSH and FIN flags mark connection setup, HTTP data transfer and session teardown respectively, so a complete request/response session was observed.
- Traffic volume is low and the exchange lasts only a few seconds, consistent with a single page load and form submission rather than bulk data exfiltration.
- Download exceeds upload, consistent with page content being delivered to the victim and only a small form being sent back.
- Segment sizes vary between header-only segments and payload-carrying segments, as expected for HTTP activity.
- No HTTPS is used, so the credentials are exposed to anyone on the network path.
- The traffic follows a logical order (DNS lookup, TCP handshake, GET, POST, teardown), consistent with user-driven interaction rather than automated beaconing.
Effects of Malware
- Credential theft
- Unauthorized access to accounts
- Identity compromise
- Data leakage
- Financial fraud
New Findings
- Phishing attack used HTTP instead of HTTPS
- Traffic is burst-based and short-lived
- Clear separation between upload and download traffic
- No persistent malware communication observed
Use of AI in this DA
AI tools were used to assist in generating Scapy scripts, analyzing packet-level data, creating graphs, and structuring interpretations of network behavior. This improved efficiency and helped in identifying patterns more effectively.
Conclusion
The analysis confirms the presence of a phishing attack involving credential submission through HTTP. Both Wireshark and Scapy provided strong evidence of malicious activity, including URL access, form submission, and traffic patterns consistent with phishing behavior.
YouTube Video Link
GitHub Repository Link
https://github.com/Git-Vaibhav323/malware_analysis
References
- Malware Traffic Analysis, "PCAP Dataset," Aug. 2024. [Online]. Available: https://www.malware-traffic-analysis.net/2024/08/29/index.html
- Wireshark Foundation, "Wireshark – Network Protocol Analyzer," 2024. [Online]. Available: https://www.wireshark.org
- P. Biondi et al., "Scapy – Packet Manipulation Tool for Python," 2024. [Online]. Available: https://scapy.net
- Google, "Google Colaboratory – Cloud Notebook Environment," 2024. [Online]. Available: https://colab.research.google.com
- IETF, "RFC 2616 – Hypertext Transfer Protocol HTTP/1.1," 1999. [Online]. Available: https://tools.ietf.org/html/rfc2616
Acknowledgements
- I would like to express my sincere gratitude to the School of Computer Science and Engineering (SCOPE), Vellore Institute of Technology Chennai, for offering the Computer Networks course during the Winter Semester 2025–2026 with an industry-standard syllabus.
- I would like to thank Dr. T. Subbulakshmi, Professor, SCOPE, VIT Chennai, for her valuable guidance, continuous support, and structured approach to learning throughout this course.
- I would like to acknowledge Gerald Combs, the founder of Wireshark and ACM Software System Award winner (2018), for providing a powerful tool that enabled detailed packet-level traffic analysis.
- I would also like to acknowledge the Malware Traffic Analysis platform for providing real-world PCAP datasets that made this practical analysis possible.
- I would like to thank the developers and community of Scapy and Google Colab for enabling efficient scripting, data extraction, and visualization of network traffic.
- I would also like to thank my peers for their suggestions, discussions, and collaborative learning, which improved the overall quality of this work.
- I extend my heartfelt gratitude to my parents and family members for their constant encouragement and support.
- I also acknowledge the various online resources, research blogs, and documentation that contributed to completing this analysis successfully.