CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis

View on GitHub
11 February 2020

Immunity Debugger Intro, Capture & Reroute Malware Traffic

by Coleman Kane

This lecture introduces some basic Immunity Debugger usage and walks through a number of configurations that enable the malware to execute in the VM, still attempt to communicate to its home IP, but get routed to a nc listener I set up so we can capture the traffic and interact with the backdoor.

IPTABLES command

On the VM I wanted to capture the traffic from, I ran a command using iptables to route the traffic to a local port. Here is that command:

iptables -t nat -I PREROUTING --src 0/0 --dst 192.168.12.71 -p tcp --dport 444 -j REDIRECT --to-ports 8444

home

tags: malware - ghidra - immunity debugger - disassembly - lecture