Basic Dynamic Analysis

1. Run inetsim for internet simulation in remnux

2. keep active wireshark listener in remnux

3. If you have to run malware again, you should revert back to fresh snapshot. You don't know what malware may have done.

4. run procmon to analyze what your process do.

5. It is good idea to save floss output to a file, when dealing with long binaries.

6. Run binary and in remnux run inetsim and wireshark to record network signatures.

7. for host base analysis run procmon on fresh instance. and filter for process name then operation column is good column to filter things for. Remember filter in procmon is case sensitive. so you have to type File, file won't work for that.

8. for more host base analysis we will use tcpview to see what tcp sockets our host mahcine opens to establish remote network connection

9. We can use procmon too for TCP filter as operation to see more details along with tcpview.

10. another trick:

matt told that we can point c2 host to flarevm itself by chnaging /etc/hosts file of flarevm
which forces it to connect to itself.

1. process tree in procmon can show PID of malware and what processes it executes then using that pid we can filter for it to see everything it does. as parent process id is this.

Advance malware tries to break this parent- child process tree to hide it from edr products.