{
	"id": "a6408233-e878-4e32-8214-b4e78a0b9302",
	"created_at": "2026-04-06T00:13:32.827425Z",
	"updated_at": "2026-04-10T03:24:24.507799Z",
	"deleted_at": null,
	"sha1_hash": "61e7168a3f00a5954bbb53cf48ec7d7354804722",
	"title": "Quick Malware Analysis: PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-05-23",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1158284,
	"plain_text": "Quick Malware Analysis: PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-05-23\r\nArchived: 2026-04-05 14:31:14 UTC\r\nThanks to Brad Duncan for sharing this pcap:\r\nhttps://www.malware-traffic-analysis.net/2023/05/23/index.html\r\nWe did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following:\r\ninstall Security Onion 2.4 in a VM:\r\nhttps://docs.securityonion.net/en/2.4/first-time-users.html\r\nimport the pcap using so-import-pcap:\r\nhttps://docs.securityonion.net/en/2.4/so-import-pcap.html#so-import-pcap\r\noptionally enable the new DNS lookups feature:\r\nhttps://docs.securityonion.net/en/2.4/soc-customization.html?#reverse-dns-lookups\r\nThe screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:\r\nhttps://blog.securityonion.net/search/label/quick%20malware%20analysis\r\nAbout Security Onion\r\nSecurity Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines. Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see https://securityonion.net.\r\nOur 10th Annual Security Onion Conference is coming up soon, so reserve your seat today! Last day to register is September 29. For more details, please see https://socaugusta2023.eventbrite.com/.\r\nDo you want to deploy the new Security Onion 2.4 to your enterprise but need training? Our first 4-day public training class on Security Onion 2.4 will be in beautiful Augusta GA as part of Augusta Cyber Week! The class is at a very special price AND you get a free ticket to BOTH Security Onion Conference AND BSidesAugusta! For more information, please see https://blog.securityonion.net/2023/07/registration-now-open-for-augusta-cyber.html.\r\nDo you want to deploy Security Onion to your enterprise and want the best enterprise hardware? We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project! For more information, please see https://securityonionsolutions.com/hardware.\r\nhttps://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html\r\nScreenshots\r\nFirst, we start with the overview of all alerts and logs:\r\nNext, we focus on the alerts:\r\nWe can switch to ungrouped mode to see more detail:\r\nNotice that the last 4 alerts are for the same TCP stream, so let's pivot to pcap. Notice the user agent string, the bare IP Host header, and the executable file that is downloaded:\r\nBack at the alerts, let's take a look at the pcap for the 3 \"ET CNC Feodo Tracker Reported CnC Server\" alerts:\r\nAfter reviewing alerts, let's look at all of the protocol metadata:\r\nNext, let's look at the Zeek Notices:\r\nWe'll next review HTTP transactions:\r\nNext, here are the SSL/TLS connections:\r\nWe'll next review the DNS lookups:\r\nThat Sankey diagram is a little crowded, so let's maximize it:\r\nFinally, let's look at all connections:\r\nand in maximized format:\r\nSource: https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html"
	],
	"report_names": [
		"quick-malware-analysis-pikabot.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434412,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61e7168a3f00a5954bbb53cf48ec7d7354804722.pdf",
		"text": "https://archive.orkl.eu/61e7168a3f00a5954bbb53cf48ec7d7354804722.txt",
		"img": "https://archive.orkl.eu/61e7168a3f00a5954bbb53cf48ec7d7354804722.jpg"
	}
}