Friday, April 18, 2025

Quick Malware Analysis: Kongtuke Web Inject pcap from 2025-04-04

Thanks to Brad Duncan for sharing this pcap from 2025-04-04 on his malware traffic analysis site! Because Google currently flags a warning for that site, we're not including the actual hyperlink, but it should be easy to find.


We did a quick analysis of this pcap using Security Onion 2.4.141:

https://blog.securityonion.net/2025/03/security-onion-24141-now-available.html


If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion


Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net


Screenshots


First, we start with the overview of all alerts and logs:


Next, let's focus on just the alerts and we'll start with the CnC Checkin alert:


If we correlate this alert, then we see other alerts and logs that are associated:


Let's also pivot to PCAP to review the full TCP stream as a transcript:


Going back to the alerts, let's look at the Powershell User-Agent alerts:


For each of these four alerts, we'll correlate and then pivot to pcap. Starting with the first alert:


Pivoting to PCAP for the first Powershell alert:


Correlating the second Powershell alert:


Pivoting to PCAP for the second Powershell alert:


As we scroll down the PCAP transcript, we see the server responding with a PowerShell command:


We can send that Base64 string to CyberChef and decode it:
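CyberChef is the quickest way to decode one string, but the same step is worth having as a script when a transcript yields several. The block below is an added example, not code from this post or from the Security Onion project, and it does not reproduce the Base64 string from this pcap; the sample command it decodes is constructed here. It assumes the string came from a `-EncodedCommand` argument, which PowerShell encodes as UTF-16LE before Base64, so a UTF-8 decode (the CyberChef default) shows every other character as a null. It also peels nested layers, since a decoded command frequently carries a second `-EncodedCommand` or `FromBase64String()` argument.

```python
import base64
import binascii
import re

# Constructed sample: a harmless command encoded the way PowerShell's -EncodedCommand expects
# (UTF-16LE text, then Base64). Nothing here is the string from the pcap on this page.
INNER_COMMAND = "Write-Host 'stage two would run here'"
INNER_B64 = base64.b64encode(INNER_COMMAND.encode("utf-16le")).decode("ascii")
OUTER_COMMAND = f"powershell -nop -w hidden -EncodedCommand {INNER_B64}"
OUTER_B64 = base64.b64encode(OUTER_COMMAND.encode("utf-16le")).decode("ascii")

# Runs of Base64 alphabet long enough to be worth decoding as a nested layer.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_powershell_b64(blob: str) -> tuple:
    """Decode one Base64 layer. Returns (encoding_used, text); raises ValueError on bad input."""
    cleaned = re.sub(r"\s+", "", blob)              # transcripts often wrap long lines
    padded = cleaned + "=" * (-len(cleaned) % 4)    # restore padding lost in copy/paste
    raw = base64.b64decode(padded, validate=True)
    if not raw:
        raise ValueError("empty Base64 payload")
    # -EncodedCommand is UTF-16LE: for mostly-ASCII text every odd byte is 0x00.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return "utf-16le", raw.decode("utf-16le")
    try:
        return "utf-8", raw.decode("utf-8")
    except UnicodeDecodeError:
        return "bytes", raw.hex()                   # opaque payload: compressed, encrypted or binary


def decode_layers(blob: str, max_depth: int = 5) -> list:
    """Peel nested layers: a decoded command often carries another -EncodedCommand
    or FromBase64String() argument. Stops at max_depth or when nothing decodes."""
    layers = []
    current = blob
    for _ in range(max_depth):
        try:
            enc, text = decode_powershell_b64(current)
        except (ValueError, binascii.Error):
            break
        layers.append((enc, text))
        if enc == "bytes":
            break
        match = B64_RUN.search(text)
        if not match:
            break
        current = match.group(0)
    return layers


if __name__ == "__main__":
    for depth, (enc, text) in enumerate(decode_layers(OUTER_B64), start=1):
        print(f"layer {depth} ({enc}): {text}")
```

The UTF-16LE test is a heuristic (a high proportion of zero bytes in the odd positions), so a payload that is compressed or otherwise binary falls through to the hex representation rather than being mis-decoded; that is the case where the next step is Gunzip or Raw Inflate in CyberChef rather than another Base64 pass.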


Correlating the third Powershell alert:


Pivoting to PCAP for the third Powershell alert:


Correlating the fourth Powershell alert:


Pivoting to PCAP for the fourth Powershell alert:


Now let's go back to alerts and look at the RAT SSL Cert alert:


Correlating, we see the additional logs:


Pivoting to PCAP, we can see some of the SSL Cert details:


Now let's review the Zeek network metadata:


We'll start with the software detected via user agent strings:


Next, we'll look at Zeek notices:


We'll then look at x509 logs related to SSL/TLS traffic:


Next, let's review HTTP logs:
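The user-agent review and the HTTP log review above are the same triage viewed from two angles: which clients spoke HTTP from each internal host, and which of those requests came from a scripting client rather than a browser. The block below is an added example, not code from this post or from Security Onion, showing that triage over a handful of constructed http.log records. It assumes the JSON-lines form in which Security Onion ingests Zeek logs (field names follow Zeek's http.log; `user_agent` is simply absent when the request carried no User-Agent header); every address, URL and timestamp in the sample is made up.

```python
import json
import re
from collections import defaultdict
from typing import Optional

# Constructed sample of Zeek http.log records in JSON-lines form. Field names follow
# Zeek's http.log; all values are invented for this example, none come from the pcap.
SAMPLE_HTTP_LOG = """\
{"ts":1743782400.1,"uid":"CaBc01","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"203.0.113.10","id.resp_p":80,"method":"GET","host":"example.invalid","uri":"/news/","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36","status_code":200}
{"ts":1743782410.2,"uid":"CaBc02","id.orig_h":"10.0.0.5","id.orig_p":49153,"id.resp_h":"203.0.113.10","id.resp_p":80,"method":"GET","host":"example.invalid","uri":"/a.txt","user_agent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682","status_code":200}
{"ts":1743782415.9,"uid":"CaBc03","id.orig_h":"10.0.0.5","id.orig_p":49154,"id.resp_h":"198.51.100.7","id.resp_p":80,"method":"GET","host":"198.51.100.7","uri":"/b.txt","user_agent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682","status_code":200}
{"ts":1743782420.0,"uid":"CaBc04","id.orig_h":"10.0.0.5","id.orig_p":49155,"id.resp_h":"198.51.100.7","id.resp_p":8080,"method":"POST","host":"198.51.100.7","uri":"/","status_code":200}
{"ts":1743782430.3,"uid":"CaBc05","id.orig_h":"10.0.0.9","id.orig_p":50001,"id.resp_h":"203.0.113.20","id.resp_p":80,"method":"GET","host":"download.example","uri":"/setup.exe","user_agent":"curl/8.4.0","status_code":200}
"""

# User-Agent families worth a second look on a workstation segment: the PowerShell web
# cmdlets and command-line downloaders. Missing User-Agent is handled separately.
SUSPICIOUS_UA = [
    ("powershell", re.compile(r"WindowsPowerShell/", re.I)),
    ("cli-downloader", re.compile(r"^(curl|Wget|python-requests|python-urllib)/", re.I)),
]


def parse_http_log(text: str) -> list:
    """Parse JSON-lines http.log text, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def classify_user_agent(ua: Optional[str]) -> Optional[str]:
    """Return a reason tag for a suspicious User-Agent, or None for an ordinary one."""
    if not ua:
        return "missing-ua"
    for reason, pattern in SUSPICIOUS_UA:
        if pattern.search(ua):
            return reason
    return None


def triage_http(records: list) -> list:
    """Flag requests by User-Agent and keep the fields an analyst pivots on (uid, hosts, URL)."""
    hits = []
    for r in records:
        reason = classify_user_agent(r.get("user_agent"))
        if reason is None:
            continue
        hits.append({
            "ts": r["ts"],
            "uid": r["uid"],
            "src": r["id.orig_h"],
            "dst": f'{r["id.resp_h"]}:{r["id.resp_p"]}',
            "url": f'{r.get("host", "")}{r.get("uri", "")}',
            "user_agent": r.get("user_agent", ""),
            "reason": reason,
        })
    return hits


def user_agents_by_host(records: list) -> dict:
    """Distinct User-Agents per internal host. A browser followed by a scripting client
    from the same host is the shape a browser-delivered lure leading to PowerShell produces."""
    seen = defaultdict(set)
    for r in records:
        seen[r["id.orig_h"]].add(r.get("user_agent", "<none>"))
    return dict(seen)


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    for hit in triage_http(recs):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]} {hit["url"]} [{hit["reason"]}] {hit["user_agent"]}')
    for host, uas in user_agents_by_host(recs).items():
        print(f"{host}: {len(uas)} distinct user agent(s)")
```

The `uid` carried into each hit is the value to pivot on: it ties the http.log record to the conn.log entry, to any files.log record for the downloaded content, and to the PCAP transcript, which is the same correlation the screenshots above perform by hand.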


Here are the files transferred via the network:


Here are the SSL/TLS connections:


Next, let's review the DNS lookups:


Finally, here are all of the network connections: