Extra Lab: Network Activity

Overview

The purpose of this lab is to be able to identify some of the network activity that malware generates.

Getting Started

You'll make use of tcpdump and ncat during this lab. For a quick reference see the Tcpdump Guide and the Ncat Guide.

To handle DNS requests, use Notepad to edit the file C:\windows\system32\drivers\etc\hosts so that the host names the malware looks up resolve to 10.10.10.20.

Part 1: Avzhan

For this exercise, analyze the network traffic generated by the Avzhan malware (found at c:\malware\avzhan\avzhan.exe).

Run as Administrator

Make sure to run the sample as Administrator by right-clicking the executable and selecting Run as Administrator.

Questions

  • What host does avzhan try to resolve?
  • What port does avzhan try to connect to?
  • What type of information does avzhan send out?

Part 2: Wannacry

For this exercise, analyze the network traffic generated by the Wannacry malware (found at c:\malware\wannacry\wannacry.exe).

Questions

  • What IP addresses and ports does Wannacry try to connect to? (List at least 3 that are not on the 10.10.10.X subnet.)
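
The questions in both parts reduce to the same three things: which names were looked up, which IP:port pairs received connection attempts, and which of those lie outside the lab's 10.10.10.X subnet. The helper below is an added example, not part of the lab materials; it parses the text output of `tcpdump -n` (the sample lines embedded in it are constructed, not a capture from either sample) and assumes that DNS answers come from the 10.10.10.20 resolver configured in the hosts file.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output, mimicking what the lab setup produces:
# one DNS lookup answered by the 10.10.10.20 hosts-file resolver, then outbound SYNs.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 10.10.10.5.51000 > 10.10.10.20.53: 12345+ A? example-c2.invalid. (34)
12:00:01.000500 IP 10.10.10.20.53 > 10.10.10.5.51000: 12345 1/0/0 A 10.10.10.20 (50)
12:00:01.001000 IP 10.10.10.5.51001 > 10.10.10.20.8080: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 10.10.10.5.51002 > 203.0.113.7.445: Flags [S], seq 2, win 64240, length 0
12:00:02.100000 IP 10.10.10.5.51003 > 198.51.100.9.443: Flags [S], seq 3, win 64240, length 0
12:00:02.200000 IP 10.10.10.5.51004 > 10.10.10.33.445: Flags [S], seq 4, win 64240, length 0
12:00:02.300000 IP 10.10.10.5.51005 > 203.0.113.7.445: Flags [S], seq 5, win 64240, length 0
"""

# A DNS query line: "... > <resolver>.53: <id>+ A? <name>. (<len>)"
DNS_RE = re.compile(r"\S+ IP \S+ > \S+\.53: \d+\+ (?:A|AAAA)\? (\S+)\. \(\d+\)")
# A TCP connection attempt: "... > <ip>.<port>: Flags [S], ..."
SYN_RE = re.compile(r"\S+ IP \S+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\],")


def dns_queries(text):
    """Host names the sample tried to resolve, in the order they were queried."""
    names = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def syn_targets(text, exclude_net="10.10.10.0/24"):
    """Count SYNs per (ip, port). exclude_net drops lab-internal targets; None keeps all."""
    net = ipaddress.ip_network(exclude_net) if exclude_net else None
    counts = Counter()
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if net is not None and ipaddress.ip_address(ip) in net:
            continue
        counts[(ip, port)] += 1
    return counts


if __name__ == "__main__":
    print("Resolved:", dns_queries(SAMPLE_TCPDUMP))
    print("External targets:", dict(syn_targets(SAMPLE_TCPDUMP)))
```

Feed it a saved `tcpdump -n` text file from the lab VM instead of the sample to answer the port and address questions for each part.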