FAQ: Dynamic Malware Analysis Example #1

This FAQ, collaboratively created by the community, addresses the content of the lesson titled “Dynamic Malware Analysis Example #1”.

You can locate this exercise within the LetsDefend content:

Dynamic Malware Analysis
SOC Analyst Learning Path

FAQ

If there are any specific questions regarding the lesson or exercise, please don’t hesitate to ask them here.

I am using the VM on LetsDefend. I am unable to capture SMTP traffic in Wireshark. I tried disabling promiscuous mode; that did not work either.


Wrong tip.
Filter for DNS.

All other write-ups show SMTP, not DNS, plus DNS won’t give you the dest. port.

I am also facing a similar issue. After letting the capture count cross 10000 events I was able to capture 2 SMTP events. I could not trace the SMTP server.

Since the server that the malware communicates with is not active, no SMTP traffic is generated during dynamic analysis. Therefore, you can use any.run analyses for solving the questions. The Any.run link is provided in the hints for the questions. Analysis URL: “Analysis law.exe (MD5: 31F840EFBB9F5116F6BF1334C1FD55FD) Malicious activity - Interactive analysis ANY.RUN”
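A worked illustration of the point above, added here as an example and not taken from the LetsDefend lesson or from any poster in this thread: in a host-only sandbox the mail server never answers, so the capture holds the DNS lookup and a bare TCP SYN to port 25, but no SMTP session. Wireshark’s `smtp` display filter only matches packets its SMTP dissector decodes (an established session carrying data), so it stays empty, while `dns` and `tcp.port == 25` still reveal the name looked up and the destination port the sample tried to reach. The frames, IP addresses (RFC 5737 documentation ranges) and hostname below are all constructed for the demo; the parser is standard-library only and uses no pcap file.

```python
"""
Added example: classify what a host-only sandbox capture contains when the
sample's mail server is unreachable. Two constructed Ethernet/IPv4 frames
(a DNS query and a TCP SYN to port 25) are built in memory and parsed with
struct; nothing here is real malware traffic.
"""
import struct
from collections import Counter

# --- constructed sample values (not from the thread) ------------------------
SRC_MAC = bytes.fromhex("0a0000000001")
DST_MAC = bytes.fromhex("0a0000000002")
SANDBOX_IP = "10.0.2.15"          # constructed sandbox guest address
FAKE_DNS_IP = "10.0.2.3"          # constructed host-only DNS responder
MAIL_IP = "198.51.100.25"         # constructed, never-answering mail server
LOOKUP_NAME = "mail.example-malware.test"   # constructed hostname


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _ipv4_header(src, dst, proto, payload_len):
    # IHL=5 (no options); checksum left zero, the parser does not validate it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, _ip(src), _ip(dst))


def _dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # 1 question, RD set
    return header + qname + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN


def _udp(src_port, dst_port, payload):
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def _tcp_syn(src_port, dst_port):
    # data offset 5 (20-byte header), flags = SYN only, no payload: a connection
    # attempt that will never be completed because nobody answers
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_sample_frames():
    """Constructed capture: one DNS lookup, one SYN to TCP/25, no reply traffic."""
    eth_ip = DST_MAC + SRC_MAC + b"\x08\x00"
    dns = _udp(51234, 53, _dns_query(LOOKUP_NAME))
    syn = _tcp_syn(49152, 25)
    return [
        eth_ip + _ipv4_header(SANDBOX_IP, FAKE_DNS_IP, 17, len(dns)) + dns,
        eth_ip + _ipv4_header(SANDBOX_IP, MAIL_IP, 6, len(syn)) + syn,
    ]


def _parse_dns_qname(data, off):
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def classify_frames(frames):
    """Return (dns_names, syn_attempts, smtp_payload_packets).

    dns_names: names queried (what the 'dns' filter would show)
    syn_attempts: Counter of (dst_ip, dst_port) for SYN-only segments
                  (what 'tcp.flags.syn == 1 && tcp.flags.ack == 0' would show)
    smtp_payload_packets: TCP/25 segments carrying data (what 'smtp' needs)
    """
    dns_names = []
    syn_attempts = Counter()
    smtp_payload_packets = 0
    for frame in frames:
        if frame[12:14] != b"\x08\x00":        # IPv4 frames only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        dst_ip = ".".join(str(b) for b in ip[16:20])
        l4 = ip[ihl:]
        if proto == 17:                         # UDP
            sport, dport, ulen = struct.unpack("!HHH", l4[:6])
            if dport == 53:
                dns_names.append(_parse_dns_qname(l4, 8 + 12))  # skip UDP+DNS headers
        elif proto == 6:                        # TCP
            sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", l4[:14])
            payload = l4[(off_res >> 4) * 4:]
            if bool(flags & 0x02) and not (flags & 0x10):       # SYN without ACK
                syn_attempts[(dst_ip, dport)] += 1
            if dport == 25 and payload:
                smtp_payload_packets += 1
    return dns_names, syn_attempts, smtp_payload_packets


if __name__ == "__main__":
    names, syns, smtp = classify_frames(build_sample_frames())
    print("DNS lookups:", names)
    print("unanswered SYNs:", dict(syns))
    print("TCP/25 packets with SMTP data:", smtp)
```

Run stand-alone it reports the looked-up name and one SYN to 198.51.100.25:25 but zero packets with SMTP data, which is exactly the picture the poster described: the destination port is recoverable from the connection attempt, the SMTP conversation is not, because it never happened.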

Hi ogunal,
I have been trying to find an answer to a question which is bouncing around in my head regarding both of the dynamic analysis exercises. My research has largely not provided me an answer so I am hoping you can assist.
Granted, when the VM network is set to a host-only adapter, even pointing to a fake DNS server the network traffic does not resolve correctly. My problem is, this means when we are doing dynamic analysis in our roles we cannot trust the network information presented as it may be incomplete. Trying Any.Run in the community edition does not present credible results either.
So, I have been trying to find a method to conduct an analysis with a ‘live’ network connection that does not present a risk to my network. So far my search has not presented any options for this.
Any guidance on how to achieve this? I assume if you want to fork out a huge amount of money per month for an Any.Run subscription you get the option to run a dynamic analysis in a ‘live’ network situation.
This just seems to leave a pretty big gap in the confidence of dynamic analysis results.
Thanks