Basic Dynamic Analysis


Last updated 27 days ago

  1. Run inetsim on REMnux for internet simulation.

  2. Keep an active Wireshark listener running on REMnux.

  3. If you have to run the malware again, revert to a fresh snapshot first. You don't know what the malware may have done.

  4. Run Procmon to analyze what your process does.

  5. It is a good idea to save FLOSS output to a file when dealing with long binaries.

  6. Run the binary, and on REMnux run inetsim and Wireshark to record the network signatures.

  7. For host-based analysis, run Procmon on a fresh instance and filter for the process name; the Operation column is a good column to filter on. Remember that the filter in Procmon is case sensitive, so you have to type File; file won't work.

  8. For more host-based analysis we use TCPView to see which TCP sockets our host machine opens to establish remote network connections.

  9. We can also use Procmon with Operation filtered to TCP to see more details alongside TCPView.

  10. Another trick: Matt mentioned that we can point the C2 host at the FlareVM itself by changing the /etc/hosts file of the FlareVM, which forces the malware to connect to itself.

  11. The process tree in Procmon shows the PID of the malware and the processes it executes; using that PID as the parent process ID, we can filter for it to see everything it does.

Advanced malware tries to break this parent-child process tree to hide from EDR products.
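As an added example (not part of these notes), the following script rebuilds the Procmon process tree from a CSV export and filters events by PID, the same view as the PID filter in steps 9 and 11. The CSV rows are constructed; the Detail format of Procmon's Process Create rows ("PID: n, Command line: ...") is the real one, and the rundll32.exe launched by svchost.exe stands in for the broken parent-child chain mentioned above.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon CSV export (File > Save > CSV). Only the "Process Create"
# rows are needed for the tree: the row's PID is the creator and the Detail
# column names the new child as "PID: n, Command line: ...".
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","explorer.exe","1200","Process Create","C:\lab\sample.exe","SUCCESS","PID: 4100, Command line: C:\lab\sample.exe"
"10:01:03","sample.exe","4100","CreateFile","C:\Users\lab\AppData\Roaming\svc.dat","SUCCESS","Desired Access: Generic Write"
"10:01:04","sample.exe","4100","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4212, Command line: cmd.exe /c whoami"
"10:01:04","cmd.exe","4212","Process Create","C:\Windows\System32\whoami.exe","SUCCESS","PID: 4300, Command line: whoami"
"10:01:05","sample.exe","4100","TCP Connect","LAB-FLARE:49710 -> 10.0.0.5:443","SUCCESS","Length: 0"
"10:01:06","svchost.exe","900","Process Create","C:\Windows\System32\rundll32.exe","SUCCESS","PID: 4400, Command line: rundll32.exe svc.dat,Run"
'''

CHILD_RE = re.compile(r"PID:\s*(\d+)")

def build_tree(csv_text):
    """Return (child -> parent, parent -> [children]) from Process Create rows."""
    parent_of, children_of = {}, defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = CHILD_RE.search(row["Detail"]) if row["Operation"] == "Process Create" else None
        if m:
            parent, child = int(row["PID"]), int(m.group(1))
            parent_of[child] = parent
            children_of[parent].append(child)
    return parent_of, children_of

def descendants(children_of, root):
    """root followed by every PID it spawned, directly or indirectly (depth-first)."""
    out, stack = [], [root]
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(reversed(children_of.get(pid, [])))
    return out

def events_for(csv_text, pids):
    """Rows whose PID is in the set: the same view as a PID filter in Procmon."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if int(r["PID"]) in pids]

def unlinked_creations(parent_of, children_of, root):
    """PIDs created during the run that do not chain back to root. A process
    here that touches the sample's artifacts (svc.dat above) is the broken
    parent-child tree the notes mention; correlate on file/network, not lineage."""
    tree = set(descendants(children_of, root))
    return sorted(child for child in parent_of if child not in tree)
```

With the sample above, `descendants(children_of, 4100)` gives `[4100, 4212, 4300]`, while `unlinked_creations` returns `[4400]`, the rundll32.exe that a PID filter alone would miss.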