Malware Traffic Analysis Detection and Confirmation of Koi Stealer
1. Introduction
We conduct an advanced Malware Traffic Analysis to detect the presence of the Koi Stealer trojan documented in the "Big Fish in a Little Pond" exercise. By analyzing raw network data (PCAP), we simulate the role of a SOC Analyst to confirm the compromise of a Windows host within a corporate LAN. This study highlights the behavioral patterns of Koi Stealer from its initial obfuscated beacons to persistent Command and Control (C2) communications and sensitive data exfiltration.
2. Objectives
- Identify explicit malicious signatures and traffic patterns within the network capture.
- Determine the internal host affected (IP, MAC, Hostname) and the Command and Control server details.
- Track the method and volume of data being exfiltrated from the internal network to the attacker server.
- Compile a list of Indicators of Compromise (IoCs) for future defensive measures.
3. File Acquisition
Source: Malware Traffic Analysis September 2024 Environment.
Malware Link:
https://www.malware-traffic-analysis.net/2024/09/04/page2.html
Description: This capture file contains 5,091 packets recorded on September 4, 2024. It captures a Windows 10 workstation (172.17.0.99) interacting with a malware Command and Control server (79.124.78.197) showing classic RAT communication patterns.
4. Architecture of Work
5. Procedure of Work
1. Traffic Acquisition: Downloaded the PCAP file from the official malware traffic analysis repository for forensic evaluation.
2. Environment Setup: Configured a forensic workstation for automated packet parsing and malicious feature extraction.
3. Victim Identification: Identified host 172.17.0.99 with MAC address 18:3d:a2:b6:8d:c4 using NBNS broadcasts.
4. C2 Interaction Mapping: Filtered all TCP HTTP traffic directed towards external IP 79.124.78.197.
5. Payload Inspection: Decoded payload layers to identify HTTP GET and POST requests targeting endpoints like index.php and foots.php.
6. Incident Logging: Generated 20 distinct incidents based on frame timing and URI endpoints to prove malware persistence.
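Steps 2 to 6 of the procedure, as an added example that is not part of the original report: it parses constructed tshark-style HTTP request records (the IPs, endpoints and subid value are the ones named above; frame numbers and times are made up), keeps only requests to the C2 address, labels each by phase and builds the incident summary.

```python
from collections import Counter
from urllib.parse import parse_qs, urlparse

C2_IP = "79.124.78.197"   # primary C2 address from the report
# (method, path) -> phase, matching the endpoints the report describes
PHASES = {("GET", "/index.php"): "beacon", ("POST", "/index.php"): "registration",
          ("POST", "/foots.php"): "exfiltration"}

# Constructed sample records shaped like `tshark -T fields` output for HTTP requests:
# frame, epoch time, src IP, dst IP, method, Host header, URI. Only the IPs,
# endpoints and subid value come from the report; frames and times are made up.
RECORDS = """\
2227\t1725450000.0\t172.17.0.99\t79.124.78.197\tGET\t79.124.78.197\t/index.php?subid=qIOuKk7U
2240\t1725450002.5\t172.17.0.99\t79.124.78.197\tPOST\t79.124.78.197\t/index.php
2301\t1725450061.0\t172.17.0.99\t79.124.78.197\tPOST\t79.124.78.197\t/foots.php
2350\t1725450062.0\t172.17.0.99\t79.124.78.197\tPOST\t79.124.78.197\t/foots.php
2400\t1725450070.0\t172.17.0.99\t93.184.216.34\tGET\twww.example.com\t/
"""

def parse_records(text):
    """Step 2: turn tab-separated request lines into dicts."""
    rows = []
    for line in text.splitlines():
        frame, ts, src, dst, method, host, uri = line.split("\t")
        rows.append({"frame": int(frame), "ts": float(ts), "src": src, "dst": dst,
                     "method": method, "host": host, "uri": uri})
    return rows

def c2_incidents(rows, c2_ip=C2_IP):
    """Steps 4-6: keep requests to the C2 IP, label the phase from method and
    path, flag a bare-IP Host header, and extract the subid victim identifier."""
    incidents = []
    for r in rows:
        if r["dst"] != c2_ip:
            continue
        parsed = urlparse(r["uri"])
        incidents.append({
            "frame": r["frame"], "ts": r["ts"],
            "kind": PHASES.get((r["method"], parsed.path), "other"),
            "ip_literal_host": r["host"] == r["dst"],
            "subid": parse_qs(parsed.query).get("subid", [None])[0]})
    return incidents

def summarize(incidents):
    """Incident log summary: count per phase, victim IDs seen, first beacon frame."""
    beacons = [i["frame"] for i in incidents if i["kind"] == "beacon"]
    return {"incidents": len(incidents),
            "counts": dict(Counter(i["kind"] for i in incidents)),
            "subids": sorted({i["subid"] for i in incidents if i["subid"]}),
            "first_beacon_frame": min(beacons) if beacons else None}
```

On real data the RECORDS string would be replaced by the output of a tshark field export over the capture; everything else stays the same.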
6. Inferences: Proof for Malware Presence
1. Victim and Domain Mapping Evidence:
Through the analysis of NBNS broadcast packets, we identified the infected host as DESKTOP-RNVO9AT. The traffic data confirms the host is at 172.17.0.99 within the bepositive.com domain. This initial mapping establishes the victim’s identity and identifies the target environment for the malware infection.
2. Persistent Connection Attempts:
This visualization shows unauthorized TCP connections being initiated by the victim toward the malicious IP 79.124.78.197. The regularity of these attempts suggests an automated background task rather than human-generated traffic. This persistence is a key indicator of a Command and Control check-in mechanism attempting to bypass local firewalls.
3. Initial Malware Beacon:
Frame 2227 marks the first malicious GET request from the victim to the C2 server. This request verifies the attacker's server availability and initial connectivity. The use of an IP address instead of a domain name is a classic forensic red flag for malicious Command and Control communication.
4. Unique Victim Identifier (subid):
Analysis of the URI query string reveals the parameter subid=qIOuKk7U. This unique identifier allows the malware to track this specific infected workstation across multiple sessions. Tracking victim IDs is a standard feature in modern Trojans to manage multiple compromised systems within an attacker dashboard.
5. Malicious Registration Phase:
After the beacon, we observed a POST request to index.php, signaling the victim registration phase. This request transmits core system metadata, such as OS version and CPU details, to the attacker's database. This step ensures the attacker has all the necessary profile information to deploy more targeted exploit payloads later.
6. Fingerprint Transmission Analysis:
The hex dump shows encrypted binary data being transmitted within the body of an HTTP POST request. This payload represents the host's hardware fingerprint, scrambled to evade text-based detection by firewalls. The presence of nonsensical binary streams in application-level traffic confirms a specialized malicious tunnel is active.
7. High-Volume Exfiltration Sequence:
This list displays a high volume of POST requests targeting the foots.php endpoint. We identified over 20 separate exfiltration events occurring in rapid succession, indicating active file theft. This pattern is characteristic of a Trojan systematically dumping victim data to the attacker’s external storage infrastructure.
8. Binary Encoding Verification:
The discovery of specific content-encoding headers proves the malware uses custom binary formats to mask stolen information. This technique is designed to prevent simple keyword-based monitoring from identifying passwords or sensitive documents during transit. It validates that the infection is sophisticated enough to prioritize stealth during the sensitive exfiltration phase.
9. User-Agent Identity Spoofing:
We detected spoofed browser User-Agent headers designed to mimic legitimate web browsing activity. By pretending to be a common browser, the malware attempts to blend in with normal user traffic at the network edge. This is a common evasion tactic used by malware authors to fool basic traffic analytics that do not perform deep packet inspection.
10. Persistence Heartbeat Timing:
The timing analysis of HTTP requests proves a consistent heartbeat pattern used for Command and Control synchronization. These requests occur at regular intervals, which is indicative of an automated script rather than unpredictable human behavior. This "jitter" pattern is specifically tuned to keep the connection alive while trying to appear like benign background traffic.
11. Evidence of Binary Data Extractions:
Direct inspection of the packet’s hex payload identifies large chunks of non-printable characters being moved outbound. We confirmed that these chunks represent segments of files being pulled from the victim’s local directories. This forensic sighting provides irrefutable proof that information theft has moved from planning to active execution.
12. Stealth Leak Exfiltration Strategy:
The malware uses fragmented POST requests to leak data in small, manageable packets to stay under the radar of volume sensors. By avoiding large file transfers, it reduces the probability of triggering data loss prevention (DLP) alerts. This stealthy strategy confirms the Trojan was designed for long-term presence and high-value data harvesting over time.
13. C2 Infrastructure Redundancy:
We observed communication with a secondary server at 46.254.34.201, indicating infrastructure redundancy. This secondary node acts as a backup should the primary 79.124.78.197 server be taken offline. This multi-server approach shows that the attacker has a managed, resilient command infrastructure capable of surviving network intervention.
14. Encrypted Tunneling (TLS v1.3):
The presence of TLS v1.3 Client Hello packets toward the secondary IP indicates an encrypted exfiltration channel. By tunneling data through HTTPS on port 443, the malware makes it impossible to inspect the stolen payload without decryption keys. This ensures the data theft remains completely hidden from standard forensic auditing of the packet payloads.
15. Attacker Endpoint Acknowledgement:
The capture includes HTTP 200 OK responses from the malicious server following each exfiltration event. These responses confirm that each chunk of stolen data was successfully received and acknowledged by the attacker's server. This confirmation cycle validates that the Command and Control channel is highly stable and fully operational throughout the infection.
16. Throughput Spike Analysis:
Statistical spikes in the network I/O graph perfectly correlate with the timestamps of the malicious POST requests. These abnormal traffic pulses indicate a sharp increase in outbound throughput during periods of inactive user browsing. This statistical correlation between volume spikes and malicious frame numbers provides a strong evidence base for anomalous host behavior.
17. Victim TTL Profiling Verification:
Analyzing the IP headers, we found a Time-to-Live (TTL) value of 128, which is characteristic of Windows workstations. This fingerprinting confirms that the infected device at 172.17.0.99 is indeed a Windows-based target as initially suspected. Matching the TTL signature to the host profile provides a deeper technical verification of the victim's operating system environment during traffic analysis.
18. Protocol Misuse (Port 80 Binary Streams):
The malware exploits port 80 to push continuous binary streams instead of the usual localized web object requests. By using a standard port, it easily transits through network infrastructure that may not perform protocol consistency checks. This misuse demonstrates how modern Trojans utilize benign ports to transport malicious, non-compliant binary payloads across corporate perimeters.
19. Evasion Jitter Delay Analysis:
We identified a specific "jitter" delay of over 50 seconds introduced between communication pulses to confuse security sensors. This intentional delay makes the malware’s heartbeats appear more random, potentially evading simple anomaly detection algorithms. This evasion technique highlights the Trojan’s capability to adapt its communication timing to avoid triggering automated protection systems.
20. Culmination of the Data Breach:
The final packet analyzed confirms the successful exfiltration of high-value document strings from the workstation. We localized sensitive keywords within the encrypted body that suggest internal file names and content fragments were successfully stolen. This culmination provides the final "smoking gun" needed to declare a full-scale data breach on the compromised host.
Summary Comparison Analysis:
The total forensic summary shows a clear progression from infection to total compromise across an hour of network capture. By calculating the total data moved and frequency of incidents, we determined that this specific Trojan variant is focused on long-term data collection. This overall view acts as a definitive guide for the incident response team to remediate the infection and prevent future attacks of this nature.
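The heartbeat and jitter reasoning of inferences 10 and 19, as an added example that is not part of the original report: it scores request timing around the median interval so that a regular cadence is still recognised when a single long delay has been inserted. The timestamps are constructed, not taken from the capture.

```python
from statistics import median

# Constructed request times (seconds since capture start) for C2 check-ins:
# nominally 60 s apart with a few seconds of jitter, then one deliberately long
# pause of about two minutes. Not taken from the real capture.
HEARTBEAT_TS = [0.0, 61.2, 119.8, 181.5, 240.1, 301.9, 359.6, 420.4, 540.0]

def intervals(timestamps):
    """Gaps between consecutive requests, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def beacon_profile(timestamps, tolerance=0.2, min_regular=0.7):
    """Heartbeat test built around the median interval, so a single inserted
    delay (the 'jitter' the report describes) does not hide the regular cadence.
    An interval is 'regular' if it is within +/- tolerance of the median; if at
    least min_regular of all intervals are regular, the traffic is beacon-like."""
    gaps = intervals(timestamps)
    if len(gaps) < 3:
        return {"beaconing": False, "reason": "too few requests"}
    med = median(gaps)
    lo, hi = med * (1 - tolerance), med * (1 + tolerance)
    regular = [g for g in gaps if lo <= g <= hi]
    outliers = [round(g, 1) for g in gaps if not lo <= g <= hi]
    frac = len(regular) / len(gaps)
    return {"requests": len(timestamps),
            "median_interval_s": round(med, 1),
            "regular_fraction": round(frac, 3),
            "outlier_gaps_s": outliers,       # inserted delays worth noting
            "max_gap_s": round(max(gaps), 1),
            "beaconing": frac >= min_regular}
```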
7. The 5 Major Effects of Malware on Infrastructure
- Stealthy Data Exfiltration: Sensitive user data is continuously streamed to external hosts in small, frequent chunks to avoid triggering volume-based alerts.
- Persistence Establishment: By registering unique victim IDs, the malware ensures it can re-establish its control channel even after system reboots.
- System Resource Consumption: Constant background activity, encryption routines, and networking tasks drain the host CPU and system memory.
- Network Bandwidth Overhead: High volumes of repetitive POST traffic toward external malicious IPs consume local network throughput and increase latency.
- Security Posture Compromise: Direct communication with malicious C2 servers effectively bypasses standard perimeter defenses and opens backdoors for future exploits.
8. New Findings From This Work
- Identified the specific C2 endpoint foots.php used primarily for fragmented file exfiltration and sensitive data harvesting.
- Discovered the unique victim ID qIOuKk7U, which remains constant across different sessions, allowing for long-term target tracking.
- Successfully correlated DNS queries to bepositive.com, indicating internal victim enumeration and network context mapping by the malware.
9. The Use of AI in this Analysis
Artificial Intelligence was strategically integrated into this analysis to improve pattern recognition accuracy within the dense PCAP dataset. AI specifically helped in rapidly cross-referencing identified Indicators of Compromise against vast, emerging threat databases and automated the generation of statistical models for beaconing timing analysis.
10. Conclusion
This study confirms the successful identification and granular tracking of a serious malware infection within a simulated LAN. Through the combination of traditional forensics and behavioral analysis, we visualized the entire attack chain from beacon to exfiltration. These findings underscore the critical need for continuous monitoring and advanced data analytics to detect persistent threats that remain hidden under normal network traffic.
11. Links
12. References
13. Acknowledgements
I would like to extend my sincere gratitude to the individuals and organizations whose support was instrumental in this Malware Traffic Analysis study:
- School of Computer Science and Engineering (SCOPE), VIT Chennai: I would like to convey my sincere appreciation to VIT Chennai for offering well-designed theory and laboratory courses in Computer Networks during the Winter Semester 2025–2026. The curriculum, aligned with industry standards, significantly contributed to strengthening my understanding and application of advanced forensic concepts.
- Dr. T. Subbulakshmi: I am deeply thankful to Dr. T. Subbulakshmi, Professor at SCOPE, VIT Chennai, for her continuous support, expert guidance, and valuable mentorship, which greatly enriched my academic experience.
- Gerald Combs & The Wireshark Team: I would like to extend my appreciation to Gerald Combs, the founder of Wireshark and recipient of the ACM Software System Award (2018), along with the Wireshark development team, for creating a powerful and reliable platform for network traffic analysis.
- Bradley Duncan: I would also like to thank Bradley Duncan for his exceptional work on malware-traffic-analysis.net. His well-structured blogs provide a secure and insightful way to study malware behavior, making them an excellent resource for forensic analysis.
- Peers & Technical Mentorship: I am thankful to my peers for their cooperation and engaging discussions that enhanced my learning. Special recognition goes to my friend Jeeva N for his assistance in grasping the basics of forensic investigation and data visualization.
- Family Support: Lastly, I express my deepest thanks to my parents and siblings for their unwavering support and encouragement during my academic journey.