u/Financial-Target-398

My Analysis of a Bandook RAT PCAP

I analyzed a Bandook RAT PCAP and noticed something I initially missed:

One C2 server was contacted 37 minutes before any DNS activity appeared in traffic, suggesting the malware used a hardcoded fallback IP before resolving the secondary domain.

I documented:

* packet timeline
* IOC extraction
* Wireshark analysis
* MITRE ATT&CK mapping
* detection recommendations

I’d appreciate feedback specifically on:

* analysis accuracy
* missed indicators
* detection logic
* weak assumptions in the report

GitHub repo: https://github.com/HariCipher/bandook-c2-traffic-analysis.git

Would especially appreciate critique from blue team / DFIR people.

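The "C2 contacted before any DNS activity" observation in the post is itself a detection: an outbound TCP connection to an external address that no DNS answer in the capture ever returned beforehand. Below is an added example of that check, written for this page and not taken from the post or the linked repository. It works on simplified connection and DNS-answer records (the shape you would get from Zeek's conn.log and dns.log, or from tshark), all constructed inline here; the addresses, domains and timestamps are made up, and the internal-network list is an assumption you would replace with your own ranges.

```python
"""Flag outbound TCP connections whose destination IP was never returned by a
DNS answer earlier in the capture (direct-to-IP C2, e.g. a hardcoded fallback).

Records are simplified Zeek-style conn/dns entries; the sample data at the
bottom is constructed for this example, not taken from any real PCAP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed internal ranges; RFC 5737 documentation addresses used in the sample
# (198.51.100.0/24, 203.0.113.0/24) are deliberately treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                          "192.168.0.0/16", "127.0.0.0/8",
                                          "169.254.0.0/16")]


@dataclass
class DnsAnswer:
    ts: float          # epoch seconds the answer was observed on the wire
    query: str
    answer_ip: str


@dataclass
class Conn:
    ts: float          # epoch seconds of the first packet of the flow
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class Finding:
    first_seen: float
    dst_ip: str
    dst_port: int
    count: int = 1                           # flows to this ip:port without prior DNS
    resolved_later_by: Optional[str] = None  # query name that resolved to the IP afterwards
    gap_seconds: Optional[float] = None      # delay until that later resolution


def is_external(ip: str) -> bool:
    """Internal traffic is out of scope; only routable destinations are checked."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_direct_ip_connections(conns: List[Conn], dns_answers: List[DnsAnswer],
                               lookback_seconds: float = 3600) -> List[Finding]:
    """One Finding per external ip:port contacted over TCP with no DNS answer
    for that IP inside the preceding lookback window."""
    by_ip: Dict[str, List[DnsAnswer]] = {}
    for a in dns_answers:
        by_ip.setdefault(a.answer_ip, []).append(a)
    for lst in by_ip.values():
        lst.sort(key=lambda a: a.ts)

    findings: Dict[Tuple[str, int], Finding] = {}
    for c in sorted(conns, key=lambda c: c.ts):
        if c.proto != "tcp" or not is_external(c.dst_ip):
            continue
        answers = by_ip.get(c.dst_ip, [])
        if any(c.ts - lookback_seconds <= a.ts <= c.ts for a in answers):
            continue                      # resolved first: expected behaviour
        key = (c.dst_ip, c.dst_port)
        if key in findings:
            findings[key].count += 1      # repeated beacons collapse into one finding
            continue
        f = Finding(first_seen=c.ts, dst_ip=c.dst_ip, dst_port=c.dst_port)
        later = [a for a in answers if a.ts > c.ts]
        if later:                         # enrich: did a name resolve to it afterwards?
            f.resolved_later_by = later[0].query
            f.gap_seconds = later[0].ts - c.ts
        findings[key] = f
    return list(findings.values())


# Constructed sample capture: one host, a hardcoded fallback C2 that is never
# resolved, a secondary domain resolved 37 minutes in, and benign traffic.
T0 = 1_700_000_000.0
SAMPLE_DNS = [
    DnsAnswer(T0 + 100, "www.example.net", "198.51.100.20"),
    DnsAnswer(T0 + 37 * 60, "secondary.example", "203.0.113.20"),
    DnsAnswer(T0 + 2600, "cdn.example.net", "203.0.113.30"),
]
SAMPLE_CONNS = [
    Conn(T0 + 0, "10.0.0.5", "203.0.113.10", 443, "tcp"),        # fallback IP, no DNS
    Conn(T0 + 60, "10.0.0.5", "203.0.113.10", 443, "tcp"),       # second beacon
    Conn(T0 + 101, "10.0.0.5", "198.51.100.20", 443, "tcp"),     # resolved 1 s earlier
    Conn(T0 + 300, "10.0.0.5", "10.0.0.9", 445, "tcp"),          # internal, ignored
    Conn(T0 + 400, "10.0.0.5", "203.0.113.40", 123, "udp"),      # not TCP, ignored
    Conn(T0 + 2000, "10.0.0.5", "203.0.113.30", 80, "tcp"),      # resolved only later
    Conn(T0 + 37 * 60 + 1, "10.0.0.5", "203.0.113.20", 443, "tcp"),
]

if __name__ == "__main__":
    for f in find_direct_ip_connections(SAMPLE_CONNS, SAMPLE_DNS):
        print(f)
```

Two caveats to keep in mind before treating a hit as a hardcoded C2 address: a resolver answer cached on the host before the capture started, or DNS carried over a channel the sensor does not see (DoH, a resolver on another segment), both look exactly like "no prior DNS" here, so the capture start time and DNS visibility are assumptions the report should state. The `resolved_later_by` field is the other half of the post's observation: a destination that was contacted first and only named later is worth calling out separately from one that is never named at all.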