“Lumma in the Room-ah” — Lumma Stealer Malware Traffic Investigation
Blue Team / SOC • PCAP Analysis • Suricata IDS • Detection Rule Writing • MITRE ATT&CK
Context
PA-02 is the second Operation PCAP Autopsy investigation — a detection-focused analysis built on real-world malware traffic sourced from malware-traffic-analysis.net.
The objective: take a PCAP containing a Lumma Stealer infection, analyze the traffic, map the full kill chain, extract IOCs, write Suricata detection rules based on observed behavior, and validate them by replaying the capture through Suricata on a dedicated SOC STATION.
PA-02 was deliberately chosen because Lumma Stealer uses HTTP-based exfiltration — the opposite of PA-01’s encrypted C2. This allows content-match Suricata rules that inspect actual HTTP fields (URI paths, Host headers, POST methods), demonstrating a fundamentally different detection approach from PA-01’s behavioral rules.
What I Did

- Analyzed a Lumma Stealer infection from PCAP (51,181 packets) and reconstructed the full five-stage kill chain
- Identified five malicious domains — three behind Cloudflare, two on direct IPs — each serving a distinct purpose in a layered relay infrastructure
- Verified all five connections via TCP handshake confirmation (SYN → SYN-ACK → ACK)
- Discovered that Cloudflare Encrypted Client Hello (ECH) hides delivery domains from TLS inspection — proving DNS is the only reliable detection layer for Cloudflare-fronted infrastructure
- Identified two distinct JA3 fingerprints to the same C2 — revealing a two-phase connection pattern (check-in vs exfiltration module)
- Extracted C2 exfiltration pattern: HTTP POST to /api/set_agent with form-urlencoded stolen browser credentials, cookies, and system fingerprints
- Identified spoofed User-Agent (Chrome/144) as an additional detection indicator
- Extracted IOCs and mapped activity to MITRE ATT&CK (10 techniques across 6 tactics)
- Wrote 13 Suricata detection rules across three layers:
  - 5 DNS rules (early warning — all malicious domains)
  - 5 TLS SNI + JA3 rules (connection confirmation + exfil module correlation)
  - 3 HTTP content rules (C2 host match, precision POST match, domain-agnostic behavioral)
- Validated all 13 rules via PCAP replay on SOC STATION (Kali Linux VM)
Detection Approach
Detection rules were written across three layers to provide defense in depth against the full kill chain.
Layer 1 — DNS: Catches the earliest signal. When a host queries a malicious domain, the DNS rule fires even if the connection is blocked downstream. This layer proved critical for Cloudflare-fronted domains where TLS inspection is blind.
Layer 2 — TLS SNI + JA3: Catches the connection itself. For domains where the real name appears in the TLS Server Name Indication field, SNI rules confirm the connection. A JA3 correlation rule combines the TLS fingerprint with the SNI to positively identify Lumma’s exfil module — high confidence, low false positives.
Layer 3 — HTTP Content: Catches the exfiltration. Rules match on the C2 host header, the POST method + URI path (/api/set_agent), and the spoofed User-Agent. The final rule is domain-agnostic — it fires on the behavioral pattern regardless of which C2 domain is in use, surviving domain rotation entirely.
Key lesson: one of the TLS SNI rules (hiyter.com) did not fire because Cloudflare’s Encrypted Client Hello hid the real domain. The corresponding DNS rule caught it instead. This validated the entire layered strategy — when one layer is blind, another compensates.
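The three layers above, written out as a Suricata rule set. This is an added example, not the project's own rule file: only hiyter.com, the /api/set_agent URI, the form-urlencoded body and the Chrome/144 User-Agent come from the write-up; the C2 hostname (c2-placeholder.invalid), the JA3 hash (all zeros) and the SIDs are placeholders to be replaced with values from your own analysis.

```suricata
# Added example rule set for the PA-02 layers. Placeholders (C2 hostname,
# JA3 hash, SIDs) are NOT from the write-up and must be replaced.

# --- Layer 1: DNS (fires on the query, before any connection is made) ---
# dns.query is the normalized query name; endswith also catches subdomains.
# This is the layer that still fires when ECH hides the SNI.
alert dns $HOME_NET any -> any any (msg:"PA-02 Lumma DNS query hiyter.com"; \
    dns.query; content:"hiyter.com"; nocase; endswith; \
    classtype:trojan-activity; sid:9000001; rev:1;)

# --- Layer 2: TLS SNI + JA3 (connection confirmation) ---
# Blind to Encrypted Client Hello: the DNS rule above compensates.
alert tls $HOME_NET any -> any any (msg:"PA-02 Lumma TLS SNI hiyter.com"; \
    flow:established,to_server; \
    tls.sni; content:"hiyter.com"; nocase; endswith; \
    classtype:trojan-activity; sid:9000002; rev:1;)

# JA3 correlation: client fingerprint AND destination name in one rule.
# Needs ja3 fingerprinting enabled under app-layer.protocols.tls in suricata.yaml.
# The hash below is a placeholder, not an observed Lumma fingerprint.
alert tls $HOME_NET any -> any any (msg:"PA-02 Lumma exfil module JA3 to C2"; \
    flow:established,to_server; \
    ja3.hash; content:"00000000000000000000000000000000"; \
    tls.sni; content:"c2-placeholder.invalid"; nocase; \
    classtype:trojan-activity; sid:9000003; rev:1;)

# --- Layer 3: HTTP content (catches the exfiltration itself) ---
# Precision match: C2 host header + POST + URI path. http.host is already
# lowercased by Suricata, so no nocase is needed there.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"PA-02 Lumma POST /api/set_agent to C2"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.host; content:"c2-placeholder.invalid"; \
    http.uri; content:"/api/set_agent"; startswith; \
    classtype:trojan-activity; sid:9000004; rev:1;)

# Domain-agnostic behavioral match: no host or SNI, so it survives C2
# domain rotation. Keys on method, URI, form-encoded body and spoofed UA.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"PA-02 Lumma exfil pattern (domain-agnostic)"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.uri; content:"/api/set_agent"; startswith; \
    http.content_type; content:"application/x-www-form-urlencoded"; \
    http.user_agent; content:"Chrome/144"; \
    classtype:trojan-activity; sid:9000005; rev:1;)
```

To validate against the capture the way the write-up describes, load only this file and replay the PCAP offline (`suricata -r <capture.pcap> -S lumma.rules -l logs/`), then check `logs/fast.log` for the PA-02 messages and `logs/eve.json` for the matching `alert` records. Two points worth keeping in mind while troubleshooting: `suricata -T -S lumma.rules` parses the rules without running traffic and surfaces syntax errors early, and `http.uri` is the normalized URI buffer, so a rule written against `http.uri.raw` or a legacy `uricontent` style may match differently against the same request.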

12 of 13 rules validated successfully against the original PCAP. The single non-firing rule is a documented and explained finding, not a failure.
Skills Demonstrated
- PCAP-driven malware traffic analysis (Wireshark)
- Multi-domain kill chain reconstruction from network evidence
- IOC extraction and MITRE ATT&CK mapping
- Suricata rule writing across DNS, TLS, and HTTP layers
- Content-match detection design for HTTP-based C2
- JA3 TLS fingerprinting and correlation rules
- Cloudflare ECH analysis and detection layer impact assessment
- Layered detection architecture (broad rules + precision rules)
- Rule validation via PCAP replay and troubleshooting (parser errors, buffer normalization)
- Living Off Trusted Services (Cloudflare) recognition
Boundaries & Intent
This operation works exclusively from network traffic — no endpoint forensics, no sandbox detonation, no reverse engineering. The scope is intentionally limited to what a SOC analyst can observe and act on from PCAP data alone.
Tactics not observable from PCAP (Persistence, Privilege Escalation, Credential Access) are documented as gaps — not missed findings. These require endpoint telemetry, which is the focus of the planned Operation Prism Box series.
The comparison between PA-01 (behavioral rules for encrypted C2) and PA-02 (content-match rules for HTTP C2) is intentional — together they demonstrate that detection engineers must master both approaches and know when each applies.
Source & Documentation
Full investigation methodology, detection rules, and IOC references are available in the project repository.