Friday, October 31, 2025

Spooky malware analysis!

It's October 31, so let's analyze some spooky malware!


Thanks to Brad Duncan for sharing this pcap from 2025-10-08 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.


We did a quick analysis of this pcap using Security Onion 2.4.190:

https://blog.securityonion.net/2025/10/security-onion-24190-now-available.html


If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts and their associated AI Summaries and Guided Analysis. Keep in mind that this is not some contrived demo: we simply downloaded a recent malware PCAP from Brad Duncan's site and imported it into Security Onion. Also keep in mind that this was just a PCAP, so there was no endpoint data. Had there been endpoint data, the results would have been even more in-depth.



Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion


Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net


Screenshots


Let's start with an overview of all logs generated by Security Onion:



Now let's look at just the alerts sorted by severity:


Next we'll drill into the high severity alerts and review the AI Summaries and AI Playbooks:


Here's the second high severity alert:


And the third high severity alert:


And the fourth high severity alert:


All of the above can be done with our standard free version.

Now let's look at our new Onion AI feature available for Security Onion Pro customers. First, we ask Onion AI to summarize the activity in the date range:


(Onion AI response continued):


We can then ask Onion AI to investigate the traffic to non-standard ports:


(Onion AI response continued):


Next, we ask Onion AI to investigate specific high severity alerts starting with the CnC Checkin alert:


(Onion AI response continued):


Finally, we ask Onion AI to investigate another high severity alert for a RAT SSL Cert:


(Onion AI response continued):


Additional analysis is left as an exercise to the reader!
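As a starting point for that exercise, here is an added example (not code from this post or from Security Onion) that performs the same three checks by hand over Zeek conn.log and Suricata eve.json records, the two log sources a Security Onion sensor produces from an imported PCAP: sort alerts by severity, flag flows where a recognised service runs on an unexpected port, and pivot each high severity alert to its Zeek connection record by 5-tuple. The log lines, signature names, IP addresses (documentation ranges) and the EXPECTED_PORTS table are constructed assumptions; the field names follow the real Zeek JSON and Suricata eve.json layouts.

```python
"""Triage helpers over Zeek conn.log + Suricata eve.json output.
Added example, not Security Onion code. All sample records below are
constructed; the field layouts are the real Zeek JSON / eve.json ones."""
import json
from collections import Counter

# Constructed Suricata eve.json lines (severity 1 = highest).
SAMPLE_EVE = """\
{"timestamp":"2025-10-08T15:02:11.000000+0000","event_type":"alert","src_ip":"10.10.8.52","src_port":49712,"dest_ip":"192.0.2.44","dest_port":4443,"proto":"TCP","alert":{"signature":"CONSTRUCTED Malware CnC Checkin","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2025-10-08T15:02:13.000000+0000","event_type":"alert","src_ip":"10.10.8.52","src_port":49713,"dest_ip":"198.51.100.9","dest_port":6606,"proto":"TCP","alert":{"signature":"CONSTRUCTED RAT SSL Cert Observed","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2025-10-08T15:01:40.000000+0000","event_type":"alert","src_ip":"10.10.8.52","src_port":49700,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature":"CONSTRUCTED Policy Executable Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-10-08T15:01:20.000000+0000","event_type":"dns","src_ip":"10.10.8.52","dest_ip":"10.10.8.1","dns":{"rrname":"example.test"}}
{"timestamp":"2025-10-08T15:03:00.000000+0000","event_type":"alert","src_ip":"10.10.8.52","src_port":49720,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature":"CONSTRUCTED Info User-Agent Observed","category":"Not Suspicious Traffic","severity":3}}
"""

# Constructed Zeek conn.log lines (JSON output format).
SAMPLE_CONN = """\
{"ts":1759935700.1,"uid":"C1","id.orig_h":"10.10.8.52","id.orig_p":49700,"id.resp_h":"203.0.113.7","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF","orig_bytes":420,"resp_bytes":310000}
{"ts":1759935731.2,"uid":"C2","id.orig_h":"10.10.8.52","id.orig_p":49712,"id.resp_h":"192.0.2.44","id.resp_p":4443,"proto":"tcp","service":"ssl","conn_state":"SF","orig_bytes":1800,"resp_bytes":900}
{"ts":1759935733.0,"uid":"C3","id.orig_h":"10.10.8.52","id.orig_p":49713,"id.resp_h":"198.51.100.9","id.resp_p":6606,"proto":"tcp","service":"ssl","conn_state":"S1","orig_bytes":2200,"resp_bytes":1200}
{"ts":1759935740.0,"uid":"C4","id.orig_h":"10.10.8.52","id.orig_p":49714,"id.resp_h":"10.10.8.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF","orig_bytes":60,"resp_bytes":120}
{"ts":1759935750.0,"uid":"C5","id.orig_h":"10.10.8.52","id.orig_p":49715,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF","orig_bytes":900,"resp_bytes":4000}
"""

# Ports on which each Zeek-identified service is expected in this example's
# environment (an assumption); a recognised service elsewhere is "non-standard".
EXPECTED_PORTS = {"http": {80, 8080}, "ssl": {443}, "dns": {53}, "ssh": {22}}


def parse_jsonl(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alerts_by_severity(eve_text):
    """Suricata alert records only, severity 1 first, oldest first within a level."""
    alerts = [r for r in parse_jsonl(eve_text) if r.get("event_type") == "alert"]
    return sorted(alerts, key=lambda r: (r["alert"]["severity"], r["timestamp"]))


def nonstandard_port_conns(conn_text):
    """Zeek connections whose detected service is running on an unexpected port."""
    flagged = []
    for c in parse_jsonl(conn_text):
        svc = c.get("service")
        if svc in EXPECTED_PORTS and c["id.resp_p"] not in EXPECTED_PORTS[svc]:
            flagged.append(c)
    return flagged


def pivot(alerts, conns):
    """Join each severity-1 alert to the Zeek conn record with the same
    5-tuple so the analyst sees uid, service and port context in one row."""
    by_tuple = {(c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"]): c
                for c in conns}
    rows = []
    for a in alerts:
        if a["alert"]["severity"] != 1:
            continue
        c = by_tuple.get((a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"]))
        rows.append({
            "signature": a["alert"]["signature"],
            "dest": f'{a["dest_ip"]}:{a["dest_port"]}',
            "zeek_uid": c["uid"] if c else None,
            "service": c["service"] if c else None,
            "nonstandard_port": bool(c) and
                c["id.resp_p"] not in EXPECTED_PORTS.get(c["service"], set()),
        })
    return rows


def summarize(eve_text, conn_text):
    """The first-look numbers: alerts per severity, hosts contacted, and how
    many flows went to non-standard ports."""
    alerts = alerts_by_severity(eve_text)
    conns = parse_jsonl(conn_text)
    return {
        "alerts_per_severity": dict(Counter(a["alert"]["severity"] for a in alerts)),
        "dest_hosts": sorted({c["id.resp_h"] for c in conns}),
        "nonstandard_port_flows": len(nonstandard_port_conns(conn_text)),
    }


if __name__ == "__main__":
    for a in alerts_by_severity(SAMPLE_EVE):
        print(a["alert"]["severity"], a["alert"]["signature"])
    for row in pivot(alerts_by_severity(SAMPLE_EVE), parse_jsonl(SAMPLE_CONN)):
        print(row)
    print(summarize(SAMPLE_EVE, SAMPLE_CONN))
```

On a real sensor you would feed the script the exported eve.json and conn.log instead of the embedded samples; the 5-tuple join is the same pivot an analyst does by hand when moving from an alert to the Zeek uid, and the EXPECTED_PORTS table is where you encode what "standard" means for your own environment.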

