Malware Traffic Analysis | Spoonwatch Writeup

Time for another malware traffic analysis exercise! These are really enjoyable and quick little exercises while still offering a lot of good information to learn. I highly recommend any aspiring or current cybersecurity professional to check out Malware Traffic Analysis and do the exercises. In the previous Malware Traffic Analysis writeup, I just walked through my process of answering the challenge questions, but this time, I’m going to format the writeup as if I were writing a brief incident summary with an Executive Summary, Compromised Host Details, Indicators of Compromise (IOC’s), and Screenshots and References. Let’s get into it.

Executive Summary

On 07 January 2022 at 1607 UTC, a workstation with hostname DESKTOP-GXMYNO2 was infected with credential-stealing malware known as “Oski Stealer”. The logged-in user at the time of infection was steve.smith. It is assessed with high confidence that browser cookies and autofill data, host system information, and user credentials were successfully exfiltrated by the attacker. This assessment is based on an analysis report published on Cyberark.com [Report 1] and packet analysis of the exfiltration activity observed post-compromise [Screenshot 1].

Compromised Host Details

MAC address: 95:5c:8e:32:58:f9
IP address: 192.168.1.216
Hostname: DESKTOP-GXMYNO2 [Screenshot 2]
User: steve.smith [Screenshot 2]

Indicators of Compromise (IOC’s)

Host Based IOC’s

The following is a list of files associated with the compromise, their file sizes, file types, and their SHA-256 hashes. The filename in parentheses is the correct name of each file. During the infection, the files were disguised and given false names with a .jpg extension in an attempt to evade detection. Of note, all of the files listed are legitimate DLLs and not inherently malicious. They are indicators of compromise because they are associated with this specific infection chain. The presence of these files should be combined with the network-based IOC’s listed below in order to form a holistic assessment.

  • 1.jpg (sqlite3.dll), 645,592 bytes, SHA256: 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
  • 2.jpg (freebl3.dll), 334,288 bytes, SHA256: a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
  • 3.jpg (mozglue.dll), 137,168 bytes, SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
  • 4.jpg (msvpc140.dll), 440,120 bytes, SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
  • 5.jpg (nss3.dll), 1,246,160 bytes, SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
  • 6.jpg (softokn3.dll), 144,848 bytes, SHA256: 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
  • 7.jpg (vcruntime140.dll), 83,748 bytes, SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

Network Based Indicators of Compromise

  • Malicious IP Address & Port: 2.56.57.108:80 (HTTP) (Screenshots 3 & 5)

In the investigation, the compromised host was observed making HTTP POST requests to 2.56.57.108/osk/*1-7.jpg [Screenshot 4]. After these POST requests were made, the compromised host began downloading the individual files. The compromised host also made an HTTP POST request in which a .zip file containing multiple autofill text files, cookies, and credentials was exfiltrated to the malicious IP address over HTTP on port 80 [Screenshot 1]. This activity matches the activity described in the Oski Stealer analysis report published by Cyberark.com [Report 1].
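To turn the host-based and network-based IOC’s above into something a responder can run, here is an added example (not part of the original writeup or of the exercise) in Python. It checks a file by content rather than by its claimed .jpg extension, looks its SHA-256 up against the listed hashes, and flags proxy-log lines that reach the malicious IP. The log lines and the log format are constructed for the example.

```python
import hashlib
import re

# SHA-256 values and real names are the host-based IOC's listed above.
OSKI_DLL_HASHES = {
    "16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660": "sqlite3.dll",
    "a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba": "freebl3.dll",
    "3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd": "mozglue.dll",
    "334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4": "msvpc140.dll",
    "e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78": "nss3.dll",
    "43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083": "softokn3.dll",
    "c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d": "vcruntime140.dll",
}

# Network IOC from the report: the malicious IP, matched as a whole address only.
OSKI_HOST = re.compile(r"(?<![\d.])2\.56\.57\.108(?![\d.])")
# Staging path pattern from the report: /osk/1.jpg ... /osk/7.jpg
OSKI_STAGE_PATH = re.compile(r"/osk/[1-7]\.jpg(?![\w.])")


def inspect_file(name: str, data: bytes) -> dict:
    """Classify one file by its bytes, ignoring the extension it was given."""
    digest = hashlib.sha256(data).hexdigest()
    is_pe = data[:2] == b"MZ"  # PE images (DLL/EXE) start with the 'MZ' DOS stub
    claims_jpeg = name.lower().endswith(".jpg")
    return {
        "name": name,
        "sha256": digest,
        "known_oski_dll": OSKI_DLL_HASHES.get(digest),
        # A '.jpg' that carries a PE header is the disguise used in this chain.
        "extension_mismatch": claims_jpeg and is_pe,
    }


def flag_http_lines(lines):
    """Return (line, reason) for proxy-log lines that touch the malicious host."""
    hits = []
    for ln in lines:
        if OSKI_HOST.search(ln):
            reason = "stage_download" if OSKI_STAGE_PATH.search(ln) else "c2_contact"
            hits.append((ln, reason))
    return hits


SAMPLE_LOG = [  # constructed proxy-log lines, not taken from the exercise pcap
    "2022-01-07T16:07:12Z 192.168.1.216 POST http://2.56.57.108/osk/1.jpg 200",
    "2022-01-07T16:07:13Z 192.168.1.216 GET http://2.56.57.108/osk/1.jpg 200",
    "2022-01-07T16:07:40Z 192.168.1.216 POST http://2.56.57.108/ 200",
    "2022-01-07T16:08:01Z 192.168.1.216 GET http://12.56.57.108/index.html 200",
]
```

Hash matches are strong evidence on their own; an extension mismatch or a single hit on the IP is a lead to corroborate with the other IOC’s, as the report itself recommends.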

References & Screenshots

Report 1: https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer

Screenshot 1:

Google Chrome autofill data being exfiltrated via HTTP POST request to malicious IP.

Screenshot 2:

Compromised host account and hostname.

Screenshot 3:

Communication between compromised host and malicious IP.

Screenshot 4:

Compromised host making HTTP POST request to malicious IP before downloading first file.

Screenshot 5:

Virustotal results for the malicious IP address.

Conclusion

In conclusion, I really enjoyed this particular exercise. Before completing it, I was not aware of the Oski Stealer malware, but now I have a functional understanding of it and how to identify it in network traffic.
