CPE457 Lab15-Network Monitoring Malware Solved


Lab Description: The goal of this lab is to analyze network behavior using dynamic analysis tools.

Lab Environment: A variety of tools is needed for this lab. It is recommended to do this lab in a virtualized environment. The tools we will be using are:

  • ApateDNS
  • Wireshark
  • Process Monitor (ProcMon)
  • Text editor

Lab Files that are Needed:

  • exe
  • Word-dropper.zip
  • pcap

Lab Exercise 1 – Using Wireshark to perform Live collection

Learning Outcomes 1, 2, & 3

Using both ApateDNS and Wireshark, capture the DNS requests made by domain_generation.exe and answer the following questions:

  1. How many domains were generated?
  2. Is there a discernible pattern to the domains used?
  3. Did they change with each run of the program or were the domains consistent?
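To put numbers behind the three questions above (how many domains, whether they follow a pattern, whether they repeat between runs), here is an added Python example that is not part of the lab materials: it parses the question name out of raw DNS query messages, as Wireshark would show them, and summarises each run. The query messages and domain names below are constructed sample data, not output of domain_generation.exe.

```python
import math
from collections import Counter

def parse_qname(message: bytes) -> str:
    """Return the first question name of a raw DNS message (RFC 1035 wire format)."""
    if int.from_bytes(message[4:6], "big") < 1:
        raise ValueError("no question section")
    labels, pos = [], 12                          # fixed 12-byte header
    while (length := message[pos]) != 0:
        if length & 0xC0:                         # a question name is never compressed
            raise ValueError("unexpected label pointer")
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query; used here only to construct sample traffic."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00\x00\x01\x00\x01"

def shannon_entropy(text: str) -> float:
    probs = [c / len(text) for c in Counter(text).values()]
    return -sum(p * math.log2(p) for p in probs)

def analyse(messages: list) -> dict:
    """Per-run summary: distinct names, TLD spread, second-level label length/entropy."""
    names = sorted({parse_qname(m) for m in messages})   # repeated queries collapse
    slds = [n.split(".")[-2] for n in names]
    return {
        "domains": names,
        "unique_domains": len(names),
        "tlds": Counter(n.rsplit(".", 1)[-1] for n in names),
        "mean_sld_length": sum(map(len, slds)) / len(slds),
        "mean_sld_entropy": sum(map(shannon_entropy, slds)) / len(slds),
    }

def overlap(run_a: dict, run_b: dict) -> set:
    """Names queried in both runs; a time-seeded DGA gives little or no overlap."""
    return set(run_a["domains"]) & set(run_b["domains"])

# Constructed sample runs (not real DGA output); run 1 repeats one query.
RUN_1 = [build_query(n, i) for i, n in enumerate(
    ["qzmwxkdpalrvb.com", "hfgytunbxcsdw.net", "plokmijnuhbyg.org", "qzmwxkdpalrvb.com"])]
RUN_2 = [build_query(n, i) for i, n in enumerate(
    ["qzmwxkdpalrvb.com", "vfrtgbyhnujmi.net", "xswzaqcdevbgt.org"])]

if __name__ == "__main__":
    r1, r2 = analyse(RUN_1), analyse(RUN_2)
    print(r1["unique_domains"], round(r1["mean_sld_entropy"], 2), overlap(r1, r2))
```

Long, high-entropy second-level labels spread over several TLDs, with little overlap between runs, is the pattern the questions are asking you to recognise; a real capture can be fed in by exporting the DNS payloads from Wireshark.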

Lab Exercise 2 – Using Wireshark to Analyze a PCAP

Learning Outcomes 1, 2, & 3

The purpose of this part is to understand the behavior of malware based on its network activity. Answer the following questions by providing short answers and/or screenshots.

Task 1 – Use CryptoLocker.pcap

  • What domains do you think the malware tried to connect to (how many, roughly)?
  • Look up some of the IP addresses that were resolved using this service https://ipinfo.io/ (or any you prefer) – did you notice any trends in the IPs used?
  • What happens when the sample can connect to a host?
  • Does it appear that the sample was able to successfully connect to any host? Hint: see DNS query number 808 and the resulting TCP stream.

Task 2 – Use Word-Dropper.pcap

This capture came after opening a malicious Word Document.

  • What domains were used?
  • What happened after the domains tried to connect? What did the sample request and how did it request it?
  • Do you think the sample was successful in infecting the host?

  • lab15-ldrs7b.zip