What You'll Learn
- Capture and analyze malware network traffic using Wireshark, FakeNet-NG, and INetSim in a sandboxed environment
- Identify Command and Control (C2) callback patterns including DNS resolution, HTTP/HTTPS beacons, and custom protocol communications
- Analyze DNS requests generated during malware execution to reveal infrastructure and staging domains
- Monitor registry modifications during execution using Process Monitor filters and Autoruns before/after comparison
- Identify persistence mechanisms installed via registry changes (Run keys, services, scheduled tasks)
- Build a complete behavioral profile combining process, file, network, and registry activity
- Compare pre-execution and post-execution system snapshots to isolate all changes made by malware
- Document dynamic analysis findings systematically for SOC handoff and detection engineering
In Lesson 11.3, you traced what malware does to the file system and running processes. That tells you half the story. The other half lives in the network traffic leaving your sandbox and the registry keys the malware writes to survive a reboot. This lesson completes the dynamic analysis picture — after this, you will be able to describe everything a sample does from the moment it executes to the moment it phones home.
Capturing Malware Network Traffic
Why Network Capture Matters
Most modern malware does not operate in isolation. Within seconds of execution, it reaches out — resolving domains, downloading second-stage payloads, beaconing to C2 infrastructure, or exfiltrating data. If you only watch processes and files, you miss the attacker's infrastructure entirely.
The challenge: real malware connects to real infrastructure that may be sinkholed, seized, or actively monitored. Running malware that talks to live C2 from your corporate network is a career-limiting event. Sandbox network tools solve this by intercepting traffic before it leaves your analysis environment.
Tool Comparison for Sandbox Network Analysis
| Tool | Platform | What It Does | Best For |
|---|---|---|---|
| Wireshark | Windows/Linux | Full packet capture and protocol dissection | Deep protocol analysis after execution |
| FakeNet-NG | Windows | Intercepts all network traffic and responds with fake services | Tricking malware into revealing behavior without real connectivity |
| INetSim | Linux (REMnux) | Simulates HTTP, DNS, SMTP, FTP, and other services | Linux-based analysis environments |
| tcpdump | Linux | Command-line packet capture | Lightweight capture when GUI is unavailable |
FakeNet-NG: The Windows Analyst's Best Friend
FakeNet-NG intercepts DNS, HTTP, HTTPS, SMTP, and custom TCP/UDP traffic — responding with fake but valid-looking responses. Malware "thinks" it has internet connectivity and proceeds through its full execution chain.
# Start FakeNet-NG before executing the sample
C:\tools\fakenet\fakenet.exe
# FakeNet-NG output shows intercepted traffic in real-time:
# [DNS] Query: update-service[.]xyz -> 192.0.2.1
# [HTTP] GET /gate.php?id=DESKTOP-ABC123&os=10.0
# [HTTP] POST /submit.php Content-Length: 4096
# [HTTPS] Connection to cdn-static[.]xyz:443
Start FakeNet-NG before executing the sample. Malware often makes its first network call within milliseconds of execution. If your capture tool starts after the sample, you miss the initial DNS resolution and C2 check-in — often the most revealing traffic.
INetSim: The Linux Equivalent
On REMnux or any Linux analysis VM, INetSim provides the same fake-internet capability:
# Start INetSim (typically pre-configured on REMnux)
sudo inetsim
# Default configuration simulates:
# - DNS server (responds to all queries)
# - HTTP/HTTPS server (serves a default page)
# - SMTP server (accepts all email)
# - FTP server (accepts uploads/downloads)
# - IRC server (for older C2 protocols)
# Configure the malware VM to use INetSim host as DNS/gateway
Wireshark: Deep Packet Analysis
While FakeNet-NG/INetSim intercept and respond, Wireshark captures the raw packets for deep analysis. Run both simultaneously — FakeNet keeps the malware talking while Wireshark records everything.
Key Wireshark filters for malware analysis:
| Filter | Purpose |
|---|---|
dns | All DNS queries — reveals domains the malware tries to resolve |
http.request | HTTP requests — shows URIs, headers, User-Agents |
tcp.flags.syn == 1 && tcp.flags.ack == 0 | New connection attempts — shows every host/port the malware tries to reach |
ip.addr != 10.0.0.0/8 && ip.addr != 192.168.0.0/16 | External traffic only — filters out local sandbox traffic |
frame contains "MZ" | Frames containing PE headers — possible second-stage download |
http.request.uri contains ".exe" or http.request.uri contains ".dll" | Payload download attempts |
Identifying C2 Callbacks
DNS Resolution Patterns
The first thing most malware does is resolve its C2 domain. Watch for:
| Pattern | Indicator | Example |
|---|---|---|
| DGA domains | Random-looking strings, high entropy | xk4mv9q2.xyz, a8hd2kfl.top |
| Recently registered domains | WHOIS shows creation date within 30 days | update-service-2026.com |
| Unusual TLDs | .xyz, .top, .buzz, .icu | cdn-delivery.buzz |
| Fast-flux DNS | Same domain resolves to different IPs rapidly | Multiple A records cycling every 60 seconds |
| DNS over HTTPS | Direct HTTPS calls to dns.google or cloudflare-dns.com | Bypasses your sandbox DNS interception |
| Subdomain encoding | Data embedded in subdomain labels | dXNlcm5hbWU.exfil.attacker.com |
DNS over HTTPS (DoH) is a growing evasion technique. Malware that uses DoH bypasses FakeNet-NG and INetSim DNS interception because the DNS query travels inside an encrypted HTTPS connection to a legitimate resolver. Watch for HTTPS connections to known DoH providers (1.1.1.1, 8.8.8.8, dns.google) early in execution.
HTTP/HTTPS Beacon Patterns
After DNS resolution, malware typically establishes a regular communication pattern with its C2 server:
# Typical HTTP beacon — check-in with system fingerprint
GET /index.php?uid=DESKTOP-ABC123&ver=2.1&os=10.0.19045 HTTP/1.1
Host: update-service.xyz
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0)
# C2 response — no tasking available
HTTP/1.1 200 OK
Content-Length: 2
OK
# Data exfiltration via POST
POST /upload.php HTTP/1.1
Host: update-service.xyz
Content-Type: application/octet-stream
Content-Length: 8192
[encrypted blob]
Red flags in HTTP traffic:
- Fixed intervals — Beacons every 30, 60, or 300 seconds with minimal jitter
- Unusual User-Agent strings — Outdated IE versions, missing fields, or custom strings
- Base64 in URLs —
/gate.php?d=SGVsbG8gV29ybGQ= - Abnormal POST sizes — Large uploads to paths that look like legitimate web endpoints
- Cookie-based C2 — Commands embedded in Set-Cookie headers
Custom Protocol C2
Advanced malware sometimes uses custom TCP or UDP protocols on non-standard ports:
# Look for non-HTTP traffic on common ports
tcp.port == 443 && !tls # Raw TCP masquerading as HTTPS
tcp.port == 53 && !dns # Raw TCP masquerading as DNS
udp && !dns && !dhcp # Unusual UDP traffic
Document every unique network connection:
| Timestamp | Protocol | Destination | Port | Purpose |
|---|---|---|---|---|
| 0.2s | DNS | (sandbox) | 53 | Resolve update-service.xyz |
| 0.5s | HTTP | 192.0.2.1 | 80 | C2 check-in with system info |
| 30.5s | HTTP | 192.0.2.1 | 80 | Beacon (30s interval) |
| 31.0s | HTTP | 192.0.2.1 | 80 | POST — exfiltrate clipboard data |
| 60.5s | HTTP | 192.0.2.1 | 80 | Beacon (30s interval) |
Registry Monitoring During Execution
Why Registry Matters
The Windows Registry is where persistence lives. Nearly every Windows malware family writes registry keys to ensure it survives reboots. Understanding which keys were modified tells you exactly how the malware plans to stay alive.
Process Monitor: Real-Time Registry Tracking
Process Monitor (Procmon) from Sysinternals captures every registry operation on the system. The challenge is filtering the noise — a clean Windows system generates thousands of registry operations per second.
Setting up Procmon for registry analysis:
- Open Procmon and clear any existing capture (
Ctrl+X) - Set a filter:
Operation→is→RegSetValue→Include - Add a second filter:
Operation→is→RegCreateKey→Include - Deselect the network and file system buttons in the toolbar — you only want registry events
- Start capture, then execute your sample
- After execution, add a filter for your sample's process name to isolate its activity
Critical registry filters for malware analysis:
| Filter | What It Catches |
|---|---|
Path contains HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Boot persistence (all users) |
Path contains HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Boot persistence (current user) |
Path contains HKLM\SYSTEM\CurrentControlSet\Services | Service creation/modification |
Path contains \Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Startup folder redirection |
Path contains \Environment | Environment variable manipulation |
Path contains \Policies\ | Group policy manipulation (disabling Defender, etc.) |
Autoruns: Before/After Comparison
Autoruns (also from Sysinternals) shows every program configured to run at startup. The before/after technique is straightforward and powerful:
- Before execution: Run Autoruns and save the output (
File → Save) - Execute the malware sample
- After execution: Run Autoruns again and save
- Compare: Use
File → Compareto diff the two snapshots
New entries highlighted in green are your persistence mechanisms. This is faster than sifting through thousands of Procmon events when you only care about the end result.
Autoruns covers more than the Run key. It checks scheduled tasks, services, drivers, DLLs, Winsock providers, print monitors, sidebar gadgets, Explorer shell extensions, browser helper objects, and dozens of other autostart locations. Some malware uses obscure persistence methods that Procmon filters might miss — Autoruns catches them all.
Linux Registry Equivalent: Persistence Locations
Linux does not have a registry, but malware still needs to persist. Monitor these locations:
| Location | Mechanism |
|---|---|
/etc/cron.d/, /var/spool/cron/ | Cron jobs |
~/.bashrc, ~/.profile, ~/.bash_profile | Shell initialization scripts |
/etc/systemd/system/, ~/.config/systemd/user/ | Systemd services and timers |
/etc/init.d/ | SysV init scripts |
/etc/ld.so.preload | Shared library preloading (LD_PRELOAD hijack) |
~/.ssh/authorized_keys | SSH key backdoor |
/etc/rc.local | Boot-time script execution |
# Snapshot approach on Linux
# Before execution:
find /etc/cron* /var/spool/cron -type f -exec md5sum {} \; > /tmp/cron_before.txt
systemctl list-unit-files --state=enabled > /tmp/services_before.txt
md5sum ~/.bashrc ~/.profile > /tmp/shell_before.txt
# After execution:
find /etc/cron* /var/spool/cron -type f -exec md5sum {} \; > /tmp/cron_after.txt
systemctl list-unit-files --state=enabled > /tmp/services_after.txt
md5sum ~/.bashrc ~/.profile > /tmp/shell_after.txt
# Compare
diff /tmp/cron_before.txt /tmp/cron_after.txt
diff /tmp/services_before.txt /tmp/services_after.txt
diff /tmp/shell_before.txt /tmp/shell_after.txt
Building the Complete Behavioral Profile
You have now observed four dimensions of malware behavior:
| Dimension | Tool | Key Findings |
|---|---|---|
| Process activity | Procmon, Process Hacker | Process tree, child processes, injected threads |
| File system changes | Procmon, snapshot diff | Dropped files, modified configs, deleted evidence |
| Network activity | Wireshark, FakeNet-NG | C2 domains, beacon intervals, exfil patterns |
| Registry changes | Procmon, Autoruns | Persistence keys, security policy modifications |
The Behavioral Profile Template
Compile all four dimensions into a structured profile:
=== BEHAVIORAL PROFILE ===
Sample: invoice_march_2026.exe
SHA256: a1b2c3d4...
Analysis Date: 2026-02-23
Environment: Windows 10 22H2, FlareVM
--- EXECUTION CHAIN ---
invoice_march_2026.exe (PID 4521)
└─ cmd.exe /c copy payload.dat %TEMP%\svchost.exe
└─ %TEMP%\svchost.exe (PID 5102)
└─ powershell.exe -enc [base64] (PID 5340)
--- FILE ACTIVITY ---
CREATED: C:\Users\analyst\AppData\Local\Temp\svchost.exe (copied payload)
CREATED: C:\Users\analyst\AppData\Roaming\update.dat (encrypted config)
DELETED: C:\Users\analyst\Downloads\invoice_march_2026.exe (self-deletion)
--- NETWORK ACTIVITY ---
DNS: update-service.xyz → 192.0.2.1 (C2)
DNS: cdn-static.xyz → 192.0.2.2 (payload host)
HTTP: GET /gate.php?id=DESKTOP-ABC123 (check-in, every 30s)
HTTP: POST /submit.php (exfil, 8KB clipboard data)
HTTPS: cdn-static.xyz:443 (downloaded second-stage, 245KB)
--- REGISTRY CHANGES ---
CREATED: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Value: C:\Users\analyst\AppData\Local\Temp\svchost.exe
MODIFIED: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
Value: 1 (Defender disabled)
Pre/Post Execution Snapshots
For maximum coverage, take comprehensive system snapshots before and after:
Windows (using built-in tools):
# Before execution — save baseline
reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\snapshots\run_before.reg
reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\snapshots\run_user_before.reg
Get-ScheduledTask | Export-Csv C:\snapshots\tasks_before.csv
Get-Service | Export-Csv C:\snapshots\services_before.csv
Get-NetTCPConnection | Export-Csv C:\snapshots\connections_before.csv
Get-ChildItem C:\Users\$env:USERNAME\AppData -Recurse | Export-Csv C:\snapshots\appdata_before.csv
# After execution — save modified state
reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\snapshots\run_after.reg
reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\snapshots\run_user_after.reg
Get-ScheduledTask | Export-Csv C:\snapshots\tasks_after.csv
Get-Service | Export-Csv C:\snapshots\services_after.csv
# Compare
Compare-Object (Get-Content C:\snapshots\run_before.reg) (Get-Content C:\snapshots\run_after.reg)
Always revert to a clean snapshot after analysis. Malware may install rootkits, modify system binaries, or disable security tools in ways that are difficult to fully reverse. VM snapshots are your safety net — never analyze a second sample on a modified system.
Documenting Findings Systematically
The SOC Analyst's Network IOC Table
Every network artifact becomes an IOC for your detection team:
| IOC Type | Value | Context | Confidence |
|---|---|---|---|
| Domain | update-service.xyz | Primary C2 domain | High |
| Domain | cdn-static.xyz | Payload delivery host | High |
| IP | 192.0.2.1 | C2 server IP (may change) | Medium |
| URL | /gate.php?id= | C2 check-in URI pattern | High |
| URL | /submit.php | Exfiltration endpoint | High |
| User-Agent | Mozilla/5.0 (compatible; MSIE 10.0) | Outdated UA string | Medium |
| Beacon Interval | 30 seconds | C2 callback timing | Medium |
The Registry IOC Table
| IOC Type | Value | Context |
|---|---|---|
| Registry Key | HKCU\...\Run\WindowsUpdate | User-level persistence |
| Registry Value | Path to %TEMP%\svchost.exe | Masquerading as legitimate process |
| Registry Key | ...\Windows Defender\DisableAntiSpyware = 1 | Security tool tampering |
Connecting to Detection Engineering
Every behavioral finding maps to a detection rule:
| Finding | Detection Rule |
|---|---|
Beacon every 30s to /gate.php | Network IDS rule: HTTP request pattern + interval |
| HKCU Run key creation by non-installer | Sigma rule: process_creation + registry write to Run key |
| Defender disabled via registry | Sigma rule: Event ID 13 (Sysmon) + specific registry path |
| DNS query for DGA domain | DNS monitoring rule: high-entropy domain detection |
Key Takeaways
- Start network capture tools (FakeNet-NG or INetSim) before executing the sample — the first few seconds of traffic are the most revealing
- FakeNet-NG (Windows) and INetSim (Linux) simulate internet services so malware reveals its full communication behavior without reaching real C2 infrastructure
- C2 identification focuses on three layers: DNS resolution (what domains), HTTP patterns (beacon intervals, URI structures, User-Agents), and custom protocols (non-standard port usage)
- Procmon registry filters isolate persistence writes in real-time; Autoruns before/after comparison catches the end result across all autostart locations
- Linux persistence monitoring requires checking cron, systemd, shell configs, and SSH authorized keys
- The complete behavioral profile combines four dimensions — process + file + network + registry — into a single structured document
- Every finding maps to a detection rule: network IOCs feed IDS rules, registry changes feed Sigma rules, process chains feed endpoint detections
- Always revert to a clean VM snapshot after analysis — never reuse a contaminated environment
What's Next
You can now trace malware through every phase of execution: what it runs, what it drops, where it connects, and how it persists. In Lesson 11.5, we shift to the most common delivery vector in the threat landscape — Office documents and macros. You will learn to analyze malicious Word documents, Excel spreadsheets, and PDFs without ever opening them, using oletools to extract and deobfuscate VBA macros that deliver the payloads you have been analyzing in your sandbox.
Knowledge Check: Network & Registry Monitoring
10 questions · 70% to pass
Why should you start FakeNet-NG or INetSim BEFORE executing a malware sample?
What is the primary difference between FakeNet-NG and Wireshark in a malware analysis sandbox?
In Lab 11.4, you capture malware network traffic in a sandbox. Which DNS pattern most strongly suggests Domain Generation Algorithm (DGA) activity?
Which Wireshark display filter shows only new TCP connection attempts to identify every host and port malware tries to reach?
A malware sample beacons to a C2 server with HTTP GET requests every 30 seconds with minimal jitter. What makes this pattern suspicious compared to legitimate web traffic?
When configuring Process Monitor for registry analysis, which two operations should you filter for to capture malware persistence writes?
In Lab 11.4, you use Autoruns to compare before/after snapshots. Why is Autoruns more reliable than manual registry checks for finding persistence?
Which Linux persistence mechanism involves modifying files in /etc/systemd/system/ to create a new service that runs at boot?
A complete behavioral profile combines four dimensions of analysis. Which dimension would reveal that a sample disables Windows Defender via the DisableAntiSpyware registry value?
Why is it critical to revert to a clean VM snapshot after each malware analysis session rather than continuing with the same environment?
0/10 answered