Malware Presence Confirmation – Koi Loader / Koi Stealer Analysis


Introduction

With the increasing complexity of cyber threats, analyzing network traffic has become a key method for detecting malicious activity. Koi Loader and Koi Stealer are components of an information-stealing malware family that communicate with remote command-and-control (C2) servers to transmit data and receive instructions. These malware variants rely heavily on HTTP and TCP communication to operate in the background without the user's awareness.

In this project, a PCAP file containing network traffic from a system infected with Koi malware is analyzed using Wireshark. The focus is on identifying suspicious HTTP requests, abnormal TCP behavior, and repeated communication patterns to confirm the presence of malware.

Objectives

  • To analyze network traffic using a PCAP file
  • To identify suspicious HTTP and TCP communication patterns
  • To detect repeated connections with external servers
  • To confirm malware presence through abnormal network behavior

Malware PCAP File Link

https://www.malware-traffic-analysis.net/2025/01/23/index.html

Description of the PCAP File

The PCAP file contains captured network traffic generated by a system infected with Koi Loader / Koi Stealer malware. The dataset primarily consists of HTTP and TCP communication between the infected host and external servers. The traffic shows repeated requests, unusual endpoints, and continuous background communication, indicating possible command-and-control activity and data transfer behavior.

Architecture Diagram



The architecture illustrates how network traffic from an infected system is captured and analyzed using Wireshark. Different protocol layers such as DNS, HTTP, and TCP are examined to detect suspicious patterns. Communication with an external command-and-control server is also represented.

Procedure

  1. Selected a malware dataset related to Koi Loader / Koi Stealer.
  2. Downloaded the PCAP file from a trusted source.
  3. Opened the PCAP file using Wireshark.
  4. Applied filters such as http and tcp to isolate relevant traffic.
  5. Identified suspicious IP addresses and HTTP requests.
  6. Analyzed packet details including headers and payloads.
  7. Observed repeated communication patterns indicating automated behavior.
  8. Captured screenshots of relevant findings as evidence. 

Inferences (Proof for Malware Presence)

  1. HTTP GET requests to external domains were observed, indicating outbound communication.
     Screenshot: Multiple HTTP GET requests observed from the infected host to an external server, indicating outbound communication.

  2. HTTP POST requests were detected, suggesting possible data transmission.
     Screenshot: HTTP POST request detected, suggesting possible transmission of data from the infected system.

  3. Suspicious domain names were found in HTTP Host fields.
     Screenshot: Suspicious domain identified in the HTTP Host field, indicating communication with an untrusted server.

  4. Unusual and lengthy URL paths were observed in HTTP requests.
     Screenshot: Unusual URL pattern observed in an HTTP request, indicating possible malicious resource access.

  5. Suspicious or uncommon User-Agent strings were identified.
     Screenshot: User-Agent string observed in an HTTP request, potentially used by malware to mimic legitimate browser traffic.

  6. Repeated HTTP requests to the same server were detected.
     Screenshot: Repeated HTTP requests to the same server observed, indicating persistent communication with a potential command-and-control server.

  7. HTTP response packets were present, indicating active communication.
     Screenshot: HTTP response packets observed, confirming active communication between the infected system and the external server.

  8. Redirection behavior was identified through HTTP responses.
     Screenshot: Detailed HTTP response showing status code 200 OK and associated header fields, indicating successful data exchange.

  9. Repeated communication with a specific external IP address was observed.
     Screenshot: Repeated communication with a specific external IP address observed, indicating possible command-and-control server interaction.

  10. Continuous packet flow to the same destination indicates a persistent connection.
      Screenshot: Continuous communication with the same external server observed over time, indicating persistent network activity.

  11. Communication with external public IP addresses outside the local network was detected.
      Screenshot: Communication between the local host and an external public IP address observed, indicating outbound network activity.

  12. A high frequency of packets within short intervals indicates automated behavior.
      Screenshot: High frequency of packets observed within short time intervals, indicating automated network activity.

  13. Encoded or unreadable payload data was observed in TCP streams.
      Screenshot: Encoded or unreadable payload data observed in a TCP stream, indicating transmission of structured network data.

  14. Large packet sizes suggest significant data transfer.
      Screenshot: Multiple packets with the maximum frame size (1514 bytes) observed, indicating significant data transmission activity.

  15. HTTP POST payloads indicate possible data exfiltration.
      Screenshot: HTTP POST request with a payload observed, indicating possible data transmission from the infected system.

  16. Regular intervals between packets indicate beaconing behavior.
      Screenshot: Regular-interval communication observed in packet timestamps, indicating beaconing behavior.

  17. Continuous background traffic was observed without user interaction.
      Screenshot: Continuous background network activity observed, indicating persistent communication without user interaction.

  18. Repetitive request patterns suggest automated malware activity.
      Screenshot: Repetitive HTTP requests to the same endpoint observed, indicating automated malware behavior.

  19. Multiple TCP SYN packets indicate repeated connection attempts.
      Screenshot: Multiple TCP SYN packets observed, indicating repeated attempts to establish connections with external servers.

  20. Retransmissions and failed packets indicate unstable or suspicious connections.
      Screenshot: TCP analysis flags observed in packet data, indicating irregular or abnormal network communication patterns.
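As an added example (not part of the original write-up), the beaconing and POST-volume heuristics behind inferences 6, 15, 16 and 18 expressed as Python over a constructed set of HTTP request records; the IP addresses, host names, User-Agent strings and timings are made up, and in practice the records would be exported from the PCAP with tshark rather than typed in.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample HTTP requests (not taken from the PCAP the write-up analyzes).
# Fields: (timestamp_s, src_ip, dst_ip, method, host, uri, user_agent, body_bytes)
C2_UA = "Mozilla/4.0 (compatible; MSIE 6.0)"           # hypothetical hard-coded UA
WEB_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"  # hypothetical browser UA
SAMPLE_REQUESTS = [
    (0.0, "10.1.17.215", "203.0.113.10", "POST", "c2.example.invalid", "/gate.php", C2_UA, 512),
    (60.2, "10.1.17.215", "203.0.113.10", "POST", "c2.example.invalid", "/gate.php", C2_UA, 498),
    (119.8, "10.1.17.215", "203.0.113.10", "POST", "c2.example.invalid", "/gate.php", C2_UA, 530),
    (180.1, "10.1.17.215", "203.0.113.10", "POST", "c2.example.invalid", "/gate.php", C2_UA, 505),
    (240.0, "10.1.17.215", "203.0.113.10", "POST", "c2.example.invalid", "/gate.php", C2_UA, 521),
    (12.3, "10.1.17.215", "198.51.100.5", "GET", "www.example.com", "/index.html", WEB_UA, 0),
    (300.9, "10.1.17.215", "198.51.100.5", "GET", "www.example.com", "/about.html", WEB_UA, 0),
]

def interval_stats(timestamps):
    """Mean gap and coefficient of variation (stdev/mean) between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:          # a single gap says nothing about regularity
        return None, None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m > 0 else float("inf"))

def find_beacons(requests, min_hits=4, max_cv=0.2):
    """Destinations contacted >= min_hits times with near-constant spacing (inference 16)."""
    by_dst = defaultdict(list)
    for ts, _src, dst, *_rest in requests:
        by_dst[dst].append(ts)
    beacons = {}
    for dst, ts in by_dst.items():
        if len(ts) < min_hits:
            continue
        m, cv = interval_stats(ts)
        if cv is not None and cv <= max_cv:
            beacons[dst] = {"hits": len(ts), "mean_gap_s": round(m, 1), "cv": round(cv, 3)}
    return beacons

def post_volume(requests):
    """POST count and uploaded bytes per (host, uri): repeated uploads to one endpoint (inference 15)."""
    totals = defaultdict(lambda: {"posts": 0, "bytes": 0})
    for _ts, _src, _dst, method, host, uri, _ua, body in requests:
        if method == "POST":
            totals[(host, uri)]["posts"] += 1
            totals[(host, uri)]["bytes"] += body
    return dict(totals)
```

The jitter threshold (max_cv) is a tunable assumption; real implants add randomised sleep, so it is worth plotting the gap distribution per destination rather than relying on one cut-off.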

The 5 Effects of Malware

  • Unauthorized transmission of sensitive data to external servers
  • Establishment of persistent communication with attacker-controlled systems
  • Increased network traffic and system resource usage
  • Risk of further malware download and system compromise
  • Loss of user privacy and potential data breaches 

New Findings 

  • Identification of repeated communication with suspected external servers
  • Detection of consistent HTTP request patterns
  • Observation of beaconing behavior through regular packet intervals
  • Evidence of potential data transfer using HTTP POST requests
  • Continuous background activity indicating automated malware execution

The Use of AI  

Artificial Intelligence tools were used to support the analysis of network traffic and understanding of malware behavior. AI assisted in identifying suspicious patterns, generating filtering strategies, and organizing the findings in a structured manner. It also helped in improving clarity and presentation of the results.

Conclusion

The analysis of the PCAP file confirmed the presence of Koi Loader / Koi Stealer malware. Various indicators such as abnormal DNS queries, repeated communication with external servers, and suspicious traffic patterns were identified. This experiment provided valuable insights into real-world malware detection using network traffic analysis.

YouTube Video Link

https://youtu.be/A2nNMPcSqaI

GitHub Repo Link for Malware Presence Confirmation

https://github.com/Maanya-Agrawal/Malware-Presence-Confirmation-Koi-Loader-Koi-Stealer-Analysis

Acknowledgements

I would like to thank my parents, VIT SCOPE, and the course instructors for their guidance and support in completing this digital assignment during the current semester.


Comments

  1. This is a very well-structured analysis. The use of Wireshark filters is clearly explained.
  2. Great post, really clear breakdown of a complex topic. The explanation of how it spreads was especially useful.
  3. Good explanation of malware presence and its effects. The use of network traffic analysis makes it easy to follow.