============================================================
Behavioral Analysis
============================================================
Monitor runtime behavior in an isolated environment.
Applicable to any executable or script on Linux (REMnux) or Windows.
Related FOR610 Labs: 1.2, 1.4, 1.6, 4.5
────────────────────────────────────────────────────────────
Step 1: Environment Preparation
  Revert to clean snapshot. Disconnect from production network.
  Verify isolation (host-only networking). Set max execution time (2-5 minutes).

Step 2: Network Interception Setup
  Tools: fakedns, inetsim, fakenet-ng
  Start fake DNS and service emulation so malware gets responses.
  On REMnux: fakedns for DNS, INetSim or FakeNet-NG for HTTP/HTTPS/SMTP/FTP.
    $ fakedns
    $ inetsim
    $ fakenet

Step 3: Monitoring Setup
  Tools: wireshark, tcpdump, strace
  Start packet capture (wireshark or tcpdump).
  On Linux: strace/ltrace for syscalls. Start filesystem monitoring.
    $ wireshark
    $ tcpdump -i eth0 -w capture.pcap

Step 4: Emulation (Safe Alternative)
  Tools: speakeasy, capa
  Before live execution, try emulation: speakeasy emulates Windows API calls
  on Linux safely. Use capa -vv for a verbose capability overview.
    $ speakeasy -t specimen.exe -o report.json 2> report.txt
    $ capa specimen.exe

Step 5: Execute & Monitor
  Run the sample with a timeout. Monitor for: new processes spawned,
  files created/modified, network connections, DNS queries.
  Kill after 2-5 minutes.

Step 6: Analyze Results
  Tools: wireshark, procdot
  Review network capture: follow TCP streams, extract payloads, identify C2 patterns.
  Analyze process activity logs. Map filesystem changes.
    $ wireshark
    $ procdot

Step 7: Extract IOCs
  Document: contacted domains/IPs, created files/registry keys, spawned processes,
  persistence mechanisms.
  Classify behavior: downloader, backdoor, ransomware, etc.
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat ' for full examples
     'Ctrl+G' for interactive cheatsheet browser
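The Linux side of Steps 5 and 7 above (run the sample under a timeout while tracing its syscalls, then pull spawned processes, created files and network endpoints out of the trace) as an added worked example. This is not code from the cheatsheet or from any tool it names; the strace/timeout invocation it builds uses only standard options, the `PERSISTENCE_HINTS` path list is an illustrative assumption, and the embedded `SAMPLE_TRACE` is a constructed strace log, not output from a real specimen.

```python
"""Added example: trace a Linux specimen with a hard timeout and extract IOCs
from the resulting strace log. Runs offline against a constructed sample trace."""
import re
import subprocess

# strace wraps timeout, not the other way round: if timeout killed strace, the
# traced processes would be detached and keep running. With timeout as the
# tracee's parent, the sample is SIGKILLed at the cap and strace then exits.
def trace_command(specimen, trace_file="trace.log", timeout_s=120):
    return ["strace", "-f", "-ttt", "-s", "256", "-o", trace_file,
            "-e", "trace=execve,open,openat,connect,sendto",
            "timeout", "-s", "KILL", str(timeout_s), specimen]

def run_specimen(specimen, trace_file="trace.log", timeout_s=120):
    """Execute the sample in the (already isolated) VM and return its IOCs."""
    subprocess.run(trace_command(specimen, trace_file, timeout_s), check=False)
    with open(trace_file, encoding="utf-8", errors="replace") as fh:
        return extract_iocs(fh.read())

EXECVE_RE = re.compile(r'execve\("([^"]+)", \[([^\]]*)\]')          # path, argv list
OPEN_RE = re.compile(r'\bopen(?:at)?\((?:[^",]*, )?"([^"]+)", ([A-Z_0-9|]+)')  # path, flags
INET_RE = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([\d.]+)"\)')
INET6_RE = re.compile(r'sin6_port=htons\((\d+)\).*?inet_pton\(AF_INET6, "([0-9a-fA-F:]+)"')
ARGV_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Illustrative assumption: created files under these paths are worth flagging
# as candidate persistence; extend to match the lab image in use.
PERSISTENCE_HINTS = ("/etc/cron", "/var/spool/cron", "/etc/systemd/system",
                     "/etc/init.d", "/etc/rc.local", "/.config/autostart",
                     "/.bashrc", "/.profile")
PORT_SERVICE = {53: "dns", 80: "http", 443: "https", 25: "smtp", 587: "smtp", 21: "ftp"}

def extract_iocs(trace_text):
    """Walk an `strace -f -o` log and collect de-duplicated IOCs, in order seen."""
    iocs = {"processes": [], "files_created": [], "persistence": [], "endpoints": []}
    seen = set()

    def add(kind, item):
        if (kind, item) not in seen:
            seen.add((kind, item))
            iocs[kind].append(item)

    for line in trace_text.splitlines():
        if "resumed>" in line:   # second half of an interrupted call; args were on the first half
            continue
        m = EXECVE_RE.search(line)
        if m:
            if line.rstrip().endswith("= 0"):   # only successful execve means a process ran
                add("processes", " ".join(ARGV_RE.findall(m.group(2))) or m.group(1))
            continue
        m = OPEN_RE.search(line)
        if m:
            if "O_CREAT" in m.group(2).split("|"):   # opened for creation, not just read
                path = m.group(1)
                add("files_created", path)
                if any(hint in path for hint in PERSISTENCE_HINTS):
                    add("persistence", path)
            continue
        m = INET_RE.search(line) or INET6_RE.search(line)
        if m:   # record attempts too: a refused connect is still a contacted endpoint
            port = int(m.group(1))
            add("endpoints", (m.group(2), port, PORT_SERVICE.get(port, "other")))
    return iocs

# Constructed strace log (PID, absolute timestamp, call) standing in for trace.log.
SAMPLE_TRACE = r'''4242 1700000000.000100 execve("/tmp/specimen", ["/tmp/specimen"], 0x7ffe4a3f1e80 /* 12 vars */) = 0
4242 1700000000.002300 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 1700000000.010000 openat(AT_FDCWD, "/tmp/.X11-lock", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
4242 1700000000.011000 sendto(5, "\x12\x34\x01\x00", 33, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.0.0.1")}, 16) = 33
4242 1700000000.020000 connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
4242 1700000000.030000 execve("/usr/bin/crontab", ["crontab", "-"], 0x55d0c0a1b2c0 /* 12 vars */) = -1 ENOENT (No such file or directory)
4243 1700000000.040000 execve("/bin/sh", ["sh", "-c", "id"], 0x55d0c0a1b2c0 /* 12 vars */) = 0
4242 1700000000.050000 openat(AT_FDCWD, "/etc/cron.d/update", O_WRONLY|O_CREAT, 0644) = 7
4242 1700000000.060000 connect(8, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = -1 ECONNREFUSED (Connection refused)
'''

if __name__ == "__main__":
    for kind, items in extract_iocs(SAMPLE_TRACE).items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

The trace only records what the traced process tree does through syscalls: a sample that checks for a ptrace parent, or that hands work to an already running process, will show less here than in the packet capture and procdot output from Steps 3 and 6, so treat this list as one input to the IOC write-up rather than the whole of it. Domain names do not appear in the sendto lines (only the resolver address and port 53), so pair the endpoint list with the fakedns log to recover queried names.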