Packet analyzers, often called “packet sniffers,” are tools that capture and inspect packets as they move across the network. <\/p>\n\n\n\n
This allows you to view all incoming and outgoing data from an infected system, giving you an understanding of how malware communicates with command-and-control servers, exfiltrates data, or spreads within a network.<\/p>\n\n\n\n
For instance, tracking outgoing packets can help identify stolen data, including credentials, cookies, and other private information.<\/p>\n\n\n\n
In ANY.RUN\u2019s sandbox<\/a><\/strong>, the Network Stream window<\/strong> provides a detailed look at data exchanges for each connection, allowing you to analyze traffic patterns and packet contents. <\/p>\n\n\n\n Simply select a specific connection to access raw network stream data, where received packets are highlighted in blue and sent packets in green, making it easy to trace communication flows and understand the malware\u2019s network behavior.<\/p>\n\n\n\n Suricata is an open-source intrusion detection system<\/a> (IDS) that monitors network traffic and includes capabilities for intrusion prevention, network security monitoring, and packet capture. <\/p>\n\n\n\n Suricata analyzes network traffic for known attack patterns and flags suspicious activity, helping to identify potential malware behaviors in real time.<\/p>\n\n\n\n Within services like ANY.RUN<\/strong><\/a>, Suricata flags potential threats by analyzing packet and flow data against a rule set, helping you spot suspicious activity quickly. <\/p>\n\n\n\n This tool provides valuable alerts about unusual connections or payloads during malware execution.<\/p>\n\n\n\n For malware analysts, uncovering encrypted traffic is critical to exposing an attacker\u2019s methods and data exfiltration routes. This is where the MITM (Man-in-the-Middle) Proxy comes out. <\/p>\n\n\n\n The MITM Proxy tool works by inserting itself as an intermediary, allowing analysts to capture and decrypt HTTPS traffic between the malware and its command-and-control <\/a>(C2) servers.<\/p>\n\n\n\n By intercepting HTTPS requests, the tool secures the decryption keys needed to monitor real-time traffic. This process makes encrypted information fully readable, allowing analysts to examine the specific data collected or transmitted by the malware, such as IPs, URLs, or stolen credentials.<\/p>\n\n\n\n For example, in ANY.RUN\u2019s sandbox, the MITM Proxy feature allows users to view decrypted HTTPS traffic within an organized interface. Analysts can click on packets to see details of communication flows and review SSL keys for deeper analysis.<\/p>\n\n\n\n Here’s an analysis of the XWorm malware sample<\/strong><\/a>, which connects to a Telegram bot to exfiltrate data from infected systems.<\/p>\n\n\n\n With MITM Proxy, the traffic between the host and the Telegram bot gets decrypted.<\/p>\n\n\n\n Examining the GET request header from XWorm reveals a Telegram bot token and the chat ID used by attackers to receive stolen data. With these components, we can intercept other data exfiltrated<\/strong><\/a> by the sample from all infected machines.<\/p>\n\n\n\n The PCAP Extractor is a tool for capturing and preserving network traffic data during malware analysis. PCAP files (Packet Capture files) store raw network data, including every packet transmitted between the infected system and its external connections. <\/p>\n\n\n\n By saving this data in PCAP format, the tool allows analysts to revisit and examine packet-level details offline or with additional software.<\/p>\n\n\n\n In ANY.RUN, the integrated PCAP Extractor collects all network traffic from a malware session, including HTTP requests, DNS queries, and communication with C2 servers.<\/p>\n\n\n\nAnalyze Unlimited Phishing & Malware with ANY.RUN For Free -14 Days Free Trial<\/a><\/code><\/strong><\/strong><\/p>\n\n\n\n2. Suricata IDS<\/strong><\/h2>\n\n\n\n
3. MITM Proxy<\/strong><\/h2>\n\n\n\n
4. PCAP Extractor<\/strong><\/h2>\n\n\n\n
![\"PCAP](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcJ2CzNF1rxU58WvYvkaG3OQA93rtKWGzZvqawdiIYLjv6925hWPigBTnobY5tyPBZttMuHwshn7z6GZQQs1--uqVvqwNlRd3AJGn6ipxTHSwxKrpm4ygvkFGcrrvtFYb2ZNnVwOw?key=GfgC7HbFUYSfz75rIeUrQ4uI\")
![\"Network](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXehW9s1J53-SoPZDX3TtwqGvIJY8zpXszdoAh_j8WQGHZqAFaQ4y_wHTzPiBGH3IGl-XB1_dOUBDq9UEm6y8fFmciI0OkVcgLpZ20Olst2yRGwb9X5_yMnWo_0loEj21i5rYkM8?key=GfgC7HbFUYSfz75rIeUrQ4uI\")
![\"Suricata](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXehADXs_IlXoIqrXud_S8EsxDyFclYFcTdIqCF56kx80eJwaaXKi4vgAinisWDQ3pN92bz9my1aTG8zPQxjG8FcRYjCAbxtINVv4oJh9LVwplE2nkivX59tGf-9uBmFXRCPUBwb?key=GfgC7HbFUYSfz75rIeUrQ4uI\")
![\"You](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdQEqw66FOyv-nhV7CANz92Cu54nHqT0BRYmnZVn4Vtylob6FjTO45VAAzgyZaCR-iOGO1aOADjoPMRERV4mTy1BW3mHj65pFS-I99rtVhJk2s7i4NpZnRbECkFfmy3yLd4ZJ8ZYg?key=GfgC7HbFUYSfz75rIeUrQ4uI\")
![\"Bot](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfhXQF4PEtecUGNb6IJMLnn_JUnjGtWlmrfrGy-eravweYGU4MHi-ejpVcdCAeetxzzvMKhGj_6wiZoz0vgVA-ZAprhWiIFaRkXbvQnPTHxse9T0sYgDDTLvaSJA8uyk7gu6ZDMgw?key=GfgC7HbFUYSfz75rIeUrQ4uI\")
![\"Analyzing](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeUJWYpO3BhNpWtiXjI8L_SbtLBSdtiVgRz84Vxvys9fsH7edO2-tK2EpNwC6Gl8L97jRbs-YXy7ZFeZh6nlxEBs7u_6eI5zx4b7e7zjrOrVVwHRz8hL0gJbyN8Fnp2srLlhvHa?key=GfgC7HbFUYSfz75rIeUrQ4uI\")
<\/figure>\n\n\n\n