Cyber Malware Analysis Report – Ursnif Trojan Variant

Practical Network Traffic Analysis and Threat Containment

In this project, I conducted a malware analysis investigation focused on unusual network traffic within an organization. Using the provided PCAP file, I identified the Ursnif Trojan variant as the malware responsible for the suspicious activity. I analyzed the network connections originating from an internal host (10.18.20.97) to external malicious IP addresses, noting behaviors consistent with data exfiltration and command-and-control (C2) communications.

I documented the malware’s Indicators of Compromise (IOCs), including IP addresses, communication ports, event messages, and DNS anomalies. I assessed the malware’s functionality, highlighting its capabilities to steal sensitive information, establish remote access via C2 servers, and potentially deploy additional payloads. I evaluated network traffic indicators, while noting that persistence mechanisms would require deeper endpoint forensic analysis to confirm registry or startup modifications.

Based on my findings, I recommended immediate isolation of the infected host, blocking outbound traffic to the known malicious servers, and deploying enhanced IDS/IPS solutions. I also emphasized updating endpoint protections and implementing stricter logging of DNS and HTTPS traffic. Through this malware analysis, I demonstrated my ability to perform real-world threat detection, IOC identification and risk assessment, and to provide actionable security remediation strategies.
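The triage described above, as an added example that is not part of the original report: given constructed flow and DNS records (standing in for what the PCAP yields), it lists the external destinations contacted by 10.18.20.97 and flags DNS names with random-looking labels, the kind of output an analyst turns into IOCs and block rules. The internal ranges, the documentation-range destination addresses and the entropy thresholds are assumptions.

```python
import math
from collections import Counter
from ipaddress import ip_address, ip_network

INFECTED_HOST = "10.18.20.97"  # internal host named in the report
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (src, dst, dst_port, proto); destinations are documentation ranges, not real IOCs.
FLOWS = [
    ("10.18.20.97", "10.18.20.1", 53, "udp"),
    ("10.18.20.97", "203.0.113.45", 443, "tcp"),
    ("10.18.20.97", "203.0.113.45", 443, "tcp"),
    ("10.18.20.97", "203.0.113.45", 443, "tcp"),
    ("10.18.20.97", "198.51.100.7", 80, "tcp"),
    ("10.18.20.98", "198.51.100.7", 80, "tcp"),  # a different host, ignored
    ("10.18.20.97", "10.18.20.5", 445, "tcp"),   # internal destination, ignored
]

# Constructed DNS records (client, query name, answer count); 0 answers stands in for NXDOMAIN.
DNS = [
    ("10.18.20.97", "www.example.com", 1),
    ("10.18.20.97", "a7f3k9q2zx1m.example.net", 0),
    ("10.18.20.97", "a7f3k9q2zx1m.example.net", 0),
    ("10.18.20.97", "x9v2b8n4l1p0.example.net", 0),
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def external_destinations(flows, host):
    """Count outbound flows from `host` to non-internal destinations, keyed by (dst, port, proto)."""
    counts = Counter()
    for src, dst, dport, proto in flows:
        if src == host and not is_internal(dst):
            counts[(dst, dport, proto)] += 1
    return counts

def label_entropy(name):
    """Shannon entropy (bits/char) of the leftmost DNS label; generated-looking labels score high."""
    label = name.split(".")[0]
    freq = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in freq.values())

def dns_anomalies(dns, host, min_len=10, min_entropy=3.0):
    """Return (qname, nxdomain_count) for queries from `host` whose leftmost label looks generated."""
    nx = Counter()
    for client, qname, answers in dns:
        if client == host and len(qname.split(".")[0]) >= min_len and label_entropy(qname) >= min_entropy:
            nx[qname] += (1 if answers == 0 else 0)
    return sorted(nx.items())
```

Real PCAP-derived flows can be fed in from a Zeek conn.log or a tshark CSV export by mapping its columns onto the same (src, dst, dst_port, proto) tuples.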