3. Behavioral Analysis.md

Process hacker

Just running on the background.

Process monitor

filter > processname is FILENAME process tree > explorer.exe > children File > Save > All events > Comma-Separated Values > ProcDOT > Procmon [...] > Launcher [...] > Refresh

Regshot

First snap before detonation, second after detonation

INetSim

logs: /var/log/inetsim files: /var/lib/inetsim configuration: /etc/inetsim/inetsim.conf

start_service dns
service_bind_address 0.0.0.0
dns_default_ip LHOST

Wireshark

ip.addr / ip.src / ip.dst == IP
tcp.port == PORT

http or dns
http.request
http.response.code == CODE

!(arp or dns or icmp)
tcp.analysis.flags
tcp.flag.syn / tcp.flag.reset == 1

Redirect traffic going to any IP

On REMnux:

accept-all-ips start
accept-all-ips stop

Using iptables:

iptables -t nat -A PREROUTING -i eth0 -j REDIRECT
iptables -t nat -D PREROUTING -i eth0 -j REDIRECT

Debuggers

x32dbg/x64dbg

bp CreateProcessW bp CreateProcessA bp LoadLibraryA bp GetProcAddress