Malware Analysis Series 0x5
Hello You.
Today we are going to continue talking about the basic dynamic analysis approach. We’ll discuss tools like Regshot, ApateDNS, Wireshark, netsh
…
Let’s dive in
Yeah I know I’m a little bit late. sorry about that :P
Regshot
Regshot is a tool used to take a snapshot of the registry before and after you execute the malicious file; you can then compare the two snapshots to see what changed. There will be a lot of noise, but it is easily identifiable and we can filter it out.
After taking the first shot and the second one (after executing the malware, duh) we can compare them, and this is how the output looks:
Wireshark
We use Wireshark to build network-based signatures, and the way we do it is by sniffing the network traffic and examining the content of the packets and where they are going.
First we need to choose the interface; here I’ll use the Ethernet interface. When you click on it you will see another screen that captures all the traffic going through that interface.
If you are smart enough, you would ask me this question: why are there no DNS queries before the TCP or HTTP packets? That’s because I’m using another tool called ApateDNS, but let’s see what’s going on here before we move on to that tool.
I used curl mahmoud.me\thatisme to get the content of that page on that website. You can see in Wireshark that it sniffed that packet, and that it is the same content we got in the curl result.
ApateDNS
It is a tool written by the Mandiant team, used to spoof DNS responses to a user-specified IP address (in my case I put my REMnux VM IP address). It listens on UDP port 53 on the local machine.
On my REMnux VM I installed INetSim, which is software used for simulating common internet services, so now any request initiated from my Windows machine will be redirected to the REMnux VM.
One of ApateDNS’s cool features is the NXDOMAIN option, which can trick malware into giving us additional domains it has in its configuration.
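To show what ApateDNS is doing under the hood, here is an added example (my own code, not ApateDNS’s or INetSim’s) of a minimal lab resolver: it parses the question in an incoming DNS query and either answers every name with one fixed IP (the REMnux VM, a placeholder address here) or returns NXDOMAIN so the sample moves on to the next domain in its configuration. The sample query it builds is constructed for the demo; it only handles the simple single-question, A-record case.

```python
import socket
import struct

# Added example, not code from ApateDNS: spoof A answers or return NXDOMAIN.

def build_query(qname: str, txid: int) -> bytes:
    """Constructed sample: a standard recursive query for qname, type A, class IN."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)

def parse_question(query: bytes):
    """Return (qname, end_offset) for the first question in a DNS query."""
    labels, pos = [], 12            # the 12-byte header precedes the question
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        labels.append(query[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), pos + 4   # skip QTYPE and QCLASS

def build_response(query: bytes, answer_ip: str, nxdomain: bool = False) -> bytes:
    """Spoofed reply: one A record pointing at answer_ip, or NXDOMAIN (RCODE 3)."""
    txid = query[:2]
    _, qend = parse_question(query)
    question = query[12:qend]          # echo the question section unchanged
    if nxdomain:
        # QR=1 RD=1 RA=1 RCODE=3, no answer records: "that name does not exist"
        return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # NOERROR, 1 answer
    # 0xC00C is a compression pointer back to the name at offset 12; A, IN, TTL 60, 4 bytes
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + question + answer

def serve(answer_ip: str, nxdomain: bool = False, port: int = 53) -> None:
    """Listen on UDP 53 like ApateDNS and answer every query the same way."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, peer = sock.recvfrom(512)
        print(f"{peer[0]} asked for {parse_question(data)[0]}")   # log what the sample wants
        sock.sendto(build_response(data, answer_ip, nxdomain), peer)

if __name__ == "__main__":
    serve("192.0.2.10")   # placeholder for the REMnux VM's IP; needs privileges for port 53
```

Point the analysis VM’s DNS at the machine running this and the names the sample asks for show up in the log, while the traffic itself lands on the INetSim host.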
netsh
Why am I even mentioning this? Imagine you suspect there is malware on one of your critical machines (something like a vital server for the business you work for) and you need to do packet sniffing to check what is going on, but there is a policy preventing you from installing Wireshark or any other external tool that may affect the critical server. The only option you have is to use the built-in Windows tools to do the same job.
Here is where netsh comes in. Using netsh we can capture the packets going through the network. But there is a problem: the file that netsh generates has the .etl extension.
C:\> netsh trace start capture=yes tracefile=C:\logFiles\mfnettrace.etl
C:\> REM to stop the trace
C:\> netsh trace stop
Our goal is to retrieve the .etl file from the server and convert it so that it can be opened with tools such as Wireshark. For the task of converting it we will use etl2pcapng.exe:
etl2pcapng.exe in.etl out.pcapng
and that’s how we get that task done without getting fired.
My Virtual Network
I tried to mimic the virtual network mentioned in the Practical Malware Analysis book. Now in my VirtualBox I have two VMs which are on the same network.
Note: I followed this guy’s instructions to build almost everything.
And yeah that’s it, thanks for reading :3