Investigating Suspicious Network Traffic Using VirusTotal and WHOIS

In this project, I investigated suspicious network activity by analysing network logs and verifying the reputation of external IP addresses using threat intelligence tools such as VirusTotal and WHOIS.
The goal of this investigation was to determine whether outbound connections from internal systems were legitimate or potentially malicious. By analysing the logs and researching the destination IP addresses, I was able to identify one anomalous connection that could indicate suspicious activity.

This type of investigation reflects a common task performed by Security Operations Center (SOC) analysts, who monitor alerts and investigate unusual network behaviour.

Investigation Overview

The investigation focused on analysing network logs that recorded outbound HTTPS connections from internal hosts to various external IP addresses.

Several factors were considered during the investigation:

• Destination IP address
• Reputation of the IP address
• Connection frequency and pattern
• Ownership and location of the IP address

To verify the legitimacy of the external connections, I performed reputation checks using threat intelligence platforms.

Tools Used

VirusTotal was used to check the reputation of each external IP address. An IP report aggregates verdicts from dozens of security vendors' engines and blocklists, so a single detection is weak evidence, while agreement across several independent vendors is a much stronger signal.

WHOIS lookup was used to identify the organisation to which the regional internet registry has allocated the address, and in which country. Ownership is context rather than proof of legitimacy: a large cloud provider's ranges are shared by a huge number of tenants, including attackers, so the WHOIS result was read together with the reputation result and the behaviour seen in the logs.

The network logs originated from Darktrace, which detected unusual connection patterns and generated alerts for investigation.
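The reputation check described above can be scripted rather than done by hand in the VirusTotal web UI. The helper below is an added example for this write-up, not code from the original post or from VirusTotal; it summarises a VirusTotal v3 IP object (the documented endpoint `GET https://www.virustotal.com/api/v3/ip_addresses/{ip}` with the `x-apikey` header) into a verdict. The sample report, the vendor names and the "two or more vendors" threshold are constructed assumptions, and the address used is an RFC 5737 documentation address rather than any indicator from the investigation.

```python
"""Summarise a VirusTotal v3 IP report into a triage verdict.

Added example for this write-up, not code from the original post or from
VirusTotal. The live lookup uses the documented v3 endpoint; the sample
report below is constructed to mirror the shape of a real response, and the
vendor names in it are placeholders.
"""
import json
import urllib.request
from dataclasses import dataclass

VT_IP_URL = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"


@dataclass
class IpVerdict:
    ip: str
    malicious: int
    suspicious: int
    harmless: int
    undetected: int
    as_owner: str
    country: str
    flagged_by: list

    @property
    def is_suspect(self) -> bool:
        # A single vendor hit is often noise; two or more independent engines
        # agreeing is the threshold assumed for this example.
        return self.malicious >= 2


def summarise_vt_report(report: dict) -> IpVerdict:
    """Extract the fields an analyst looks at first from a v3 IP object."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(name for name, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    return IpVerdict(
        ip=report["data"]["id"],
        malicious=stats.get("malicious", 0),
        suspicious=stats.get("suspicious", 0),
        harmless=stats.get("harmless", 0),
        undetected=stats.get("undetected", 0),
        as_owner=attrs.get("as_owner", "unknown"),
        country=attrs.get("country", "??"),
        flagged_by=flagged,
    )


def fetch_vt_report(ip: str, api_key: str) -> dict:
    """Live lookup; needs network access and a VirusTotal API key."""
    req = urllib.request.Request(VT_IP_URL.format(ip=ip),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample in the shape of a v3 IP object; values are illustrative.
SAMPLE_REPORT = {
    "data": {
        "type": "ip_address",
        "id": "192.0.2.10",  # RFC 5737 documentation address, not a real IOC
        "attributes": {
            "as_owner": "Example Hosting Ltd",
            "country": "LV",
            "last_analysis_stats": {"harmless": 1, "malicious": 2,
                                    "suspicious": 1, "undetected": 0,
                                    "timeout": 0},
            "last_analysis_results": {
                "VendorA": {"category": "malicious", "result": "malware"},
                "VendorB": {"category": "malicious", "result": "malicious"},
                "VendorC": {"category": "suspicious", "result": "suspicious"},
                "VendorD": {"category": "harmless", "result": "clean"},
            },
        },
    }
}

if __name__ == "__main__":
    v = summarise_vt_report(SAMPLE_REPORT)
    print(f"{v.ip} owner={v.as_owner!r} country={v.country} "
          f"malicious={v.malicious} suspicious={v.suspicious} "
          f"suspect={v.is_suspect} flagged_by={v.flagged_by}")
```

For a live check, replace `SAMPLE_REPORT` with `fetch_vt_report("<ip>", api_key)`; the summariser does not change. Keeping the verdict logic separate from the HTTP call is what makes the threshold testable offline and easy to tune.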

Log Investigation

Log A

The internal device 10.104.3.12 was observed repeatedly connecting to the external IP address 52.10.70.80 over HTTPS (port 443).

A VirusTotal lookup showed that no security vendors flagged the IP address as malicious.

WHOIS analysis revealed that the IP belongs to Amazon Web Services (AWS), a widely used cloud infrastructure provider. AWS address space is shared by a vast number of tenants, so ownership alone does not make the traffic safe; combined with the absence of any vendor detections and the lack of other unusual indicators, the traffic was assessed as normal.

Log B (Anomalous Activity)

This log showed repeated outbound connections from the internal host 10.22.6.143 to the external IP address 185.176.220.70.

Further investigation revealed several suspicious indicators:

• Multiple security vendors on VirusTotal flagged the IP address as malicious
• WHOIS lookup showed the IP belongs to 2Cloud Ltd. in Latvia
• The internal device attempted to connect to the IP repeatedly over time

This repeated communication pattern resembles beaconing behaviour, which is commonly associated with malware communicating with a command-and-control (C2) server. Beaconing typically shows up as connections at a fixed or lightly jittered interval, often carrying small and similarly sized requests, as an implant polls its server for tasking; that regularity, rather than the raw number of connections, is what distinguishes it from a busy but legitimate client.

Because of these indicators, this activity was classified as suspicious.
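The interval regularity that separates beaconing from ordinary repeated traffic can be measured directly from the connection timestamps. The script below is an added example for this write-up, not code from the original post or from Darktrace. Its log format, timestamps and addresses are constructed (private and RFC 5737 addresses, not the indicators from the investigation), and the minimum connection count and jitter threshold are assumptions to be tuned per environment.

```python
"""Beaconing heuristic over outbound connection logs.

Added example for this write-up, not code from the original post or from
Darktrace. The log format and every address and timestamp below are
constructed; the 10.0.0.0/8 and RFC 5737 addresses are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <src_ip> -> <dst_ip>:<port>".
# 192.0.2.44 is contacted roughly every 60 s (beacon-like);
# 198.51.100.7 is contacted in irregular bursts (user-driven traffic).
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.5.20 -> 192.0.2.44:443
2024-03-01T09:00:59 10.0.5.20 -> 192.0.2.44:443
2024-03-01T09:02:01 10.0.5.20 -> 192.0.2.44:443
2024-03-01T09:03:00 10.0.5.20 -> 192.0.2.44:443
2024-03-01T09:04:02 10.0.5.20 -> 192.0.2.44:443
2024-03-01T09:04:59 10.0.5.20 -> 192.0.2.44:443
2024-03-01T09:00:10 10.0.5.20 -> 198.51.100.7:443
2024-03-01T09:07:45 10.0.5.20 -> 198.51.100.7:443
2024-03-01T09:08:02 10.0.5.20 -> 198.51.100.7:443
2024-03-01T09:31:10 10.0.5.20 -> 198.51.100.7:443
2024-03-01T09:31:11 10.0.5.20 -> 198.51.100.7:443
2024-03-01T09:55:00 10.0.5.20 -> 198.51.100.7:443
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port)


def beacon_candidates(text, min_connections=5, max_cv=0.2):
    """Return {(src, dst, port): (mean_interval_s, cv)} for pairs whose
    inter-connection intervals are regular enough to look like beaconing.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between consecutive connections. A beacon with light jitter has a small
    cv; human-driven traffic has a large one. Both thresholds are assumptions
    for this example.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        by_pair[(src, dst, port)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst, port), (avg, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{port} "
              f"every ~{avg}s (cv={cv})")
```

A low coefficient of variation only says the timing is machine-like; plenty of legitimate agents (update checkers, telemetry, monitoring) beacon too. The point of the script is to surface which destination deserves the reputation and WHOIS checks described above, not to decide on its own.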

Log C

The internal host 10.104.3.12 also connected to the IP address 54.203.83.74.

VirusTotal analysis showed no malicious detections, and WHOIS confirmed that the IP belongs to Amazon Web Services.

Since the IP is owned by the same cloud provider as Log A and carries no vendor detections, the activity was considered legitimate.

Log D

Additional network logs showed connections from 10.104.3.12 to the IP address 35.163.229.237.

Reputation checks confirmed that this IP also belongs to Amazon Web Services and was not flagged by any security vendors.

Therefore, this activity was classified as safe cloud communication.

Log E

This log contained a Darktrace alert indicating an increase in SSL or HTTP connections to the IP address 52.10.70.80.

Although the alert indicated unusual connection behaviour, reputation analysis confirmed the IP belongs to Amazon Web Services and is not flagged by any vendor.

Darktrace models each host's normal behaviour and alerts on deviations from it, so this alert was most likely triggered by an increase in traffic volume to a known destination rather than by malicious activity. A clean reputation explains what the host talked to, not why the volume changed, so the process responsible for the extra connections would still be worth confirming before closing the alert.

Identifying the Anomaly

After analysing all logs, the IP address 185.176.220.70 stood out as the most suspicious.

This IP was flagged because:

• Multiple security vendors identified it as malicious
• It belongs to a hosting provider unrelated to normal business operations
• The internal system repeatedly attempted to communicate with the address

These indicators suggest either malware communicating with an external server or a potentially unwanted application doing so.

Recommended Response

If this activity occurred in a real organisational environment, the following actions would be recommended:

• Isolate the affected host (10.22.6.143) from the network to stop further communication, while preserving the host for analysis
• Capture volatile evidence before remediation: running processes, their network connections and the parent of whichever process is talking to 185.176.220.70, so the source of the traffic can be identified
• Perform a full malware scan on the device
• Block the malicious IP address at the firewall and web proxy
• Search historical logs for any other internal host that has contacted the same IP address, and monitor the network for new attempts

Key Takeaways

1. Through this investigation, I learned how to analyse network logs and verify suspicious IP addresses using threat intelligence tools.

2. I gained practical experience identifying anomalous network behaviour and distinguishing between legitimate cloud traffic and potentially malicious connections.

3. This project also strengthened my understanding of how SOC analysts investigate alerts and determine whether suspicious activity represents a real security threat.

4. By combining log analysis, IP reputation checks, and behavioural indicators, security teams can more effectively detect and respond to potential intrusions.
