CrimsonGlory edited this page Nov 29, 2017 · 2 revisions

Malcom is a tool used for traffic and network artifact analysis of malware communications. It can also be a great source to gather intelligence on since it can easily be queried and the link between elements are visually represented.

I use Malcom for three main purposes:

  • Quickly determine if a host, IP, or URL is "known-bad" (i.e. it has been flagged as being malicious by other websites or sources).

  • Get some intelligence on what relates two different elements. For example, you could see that several different hosts are pointing to a same IP address (or small AS), which has been seen in previous attacks. Eventually, you could also see what those same hosts have been registered by three different email addresses, which have also been seen in phishing kits.

  • Get a detailed overview of the kind of network traffic patterns a host is displaying. Is it pinging specific IP addresses? Is it sending SMTP traffic? Is it part of a botnet? What kind of C&C infrastructure is being used?


This section displays all elements present in the database. Since you'll quickly get lots of elements in the DB, the best way to use this tab is to filter results using the search box (you can use regular expressions)

dataset-main.png This is what the dataset looks like after importing the ZeusTracker feeds.

Clicking on an element name shows the whole graph for that element. Elements with lots of connections can be quite heavy to graph.

nodes-tomchop.png Graph for the host tomchop.me. nodes-zeus.png Graph for a ZeuS-infected webpage.

You can highlight specific elements and their neighbors using the searchbox

nodes-tomchop-highlight.png Hostname tomchop.me highlighted nodes-zeus-highlight.png Url highlighted


Feeds allow to gather data or intelligence from external sources to be incorporated into Malcom's engine. As of this writing, only one feed has been created into Malcom, and it gets its data from ZeusTracker. Feeds are pretty straightforward to create - a wiki article on how to create feeds will be posted soon.

Feeds can include anything from

feeds.png Available feeds (only one for now!)


The sniffer tab allows to sniff traffic and add nodes to Malcom's engine. Added nodes can thus be correlated with the ones already existing in the database.

sniffer-sessions.png sniffer-nodes.png

This especially useful when analyzing malware - you can see at a glance if it's communicating with known-bad hosts or what kind of network topology it's using:

p2p.png Sample traffic from a computer infected with ZeuS-p2p.

The sniffer tab has a subtab called Flows, which displays all traffic flows (duh), reconstructed from the sniffed traffic.

sniffer-dataflow.png Example of how an HTTP request to http://tomchop.me plays out.

Can come in handy when trying to recover malware configuration files, or see what kind of data is being posted / transferred. For now, it only recognizes HTTP requests and responses. More to come soon.

sniffer-payload-contents-2.png sniffer-payload-contents.png

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.