Wednesday, August 24, 2022

Quick Malware Analysis: IcedID/Bokbot and Cobalt Strike pcap from 2022-08-10

Thanks to Brad Duncan for sharing this pcap!

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:

The screenshots below show some of the interesting Suricata alerts, Zeek logs, and session transcripts.

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:

More Samples

Find all of our Quick Malware posts at:


Click the first image to start the screenshot tour:

Unzip and import both pcap files

Review alerts and investigate EXEs

Pivot to PCAP for first EXE

Review session transcript for first EXE

Send first EXE to CyberChef and review strings

Review second EXE

Session transcript for second EXE

Send second EXE to CyberChef and review strings

Review third EXE

Session transcript for third EXE

Send EXE to CyberChef and review strings

Protocol metadata

HTTP logs

Malware Hash Registry Detection and SSL Certificate Validation failures

x509 certficates

Files transferred via HTTP and SSL

DNS lookups

Connections (including destination.geo.country_name and destination_geo.organization_name)

No comments:

Search This Blog

Featured Post

New Security Onion Online Training Class - Detection Engineering with Security Onion!

We've just added an exciting new course to our online Security Onion 2.4 training catalog! It's called "Detection Engineering w...

Popular Posts

Blog Archive