I would like to share a note on an HTTP traffic analyzer that is useful when you are analyzing malware. Modern malware typically works in several stages in order to deliver its core functionality while evading detection.
HTTP Debugger is a handy tool that lets you analyze HTTP traffic easily: while it is running it becomes the proxy for the entire system, so it can capture every request sent and every response returned by the server.
Let's look at the UI, starting with the Request history.
All the necessary information is shown by default in sequence, so you can see which request is being made at each point in the timeline.
When you intentionally execute malware for analysis purposes, you need to focus on that malware's activity. We can easily filter the information by the application that triggered the request by selecting it in the Quick Filters Application selector.
Once you select an application, the information in every section is immediately updated to show only that application's traffic.
After filtering by application name, the next thing we need to know is where this application is communicating. We can use the statistics window by following these steps: go to the Performance menu and select Domains.
The Domain Statistic window lists the unique domains that the selected application is contacting. You can then profile each domain against external threat intelligence to identify the bad domains.
Besides that, we can also see how many times the application contacted each domain, which gives an idea of how many times the payload may have been downloaded by the malware to evade detection, including a breakdown of the GET and POST requests made to that domain.
Most malware downloads its payload in a second or third stage to evade malware detection and sandboxes. If you want to find the payload that was downloaded, you can see it in the request and response detail window.
First select the HTTP request that interests you, then analyze the server response.
Above we can see that Chrome downloaded content with type application/msi; let's analyze the request and response.
We can see that Chrome downloaded an application called putty-64bit-0.74-installer.msi from the host the.earth.li.
We can now analyze further how the server responded to this request in the Response Detail window.
The server responded OK with status 200 at a specific date. There are three subsections we can use to analyze the details. We can also see the content the server delivered to the client in the Content tab.
Interestingly, as a malware analyst you can download this payload directly from here by right-clicking in the window and choosing Save Content.
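The per-application domain statistics and payload spotting described above can also be scripted over an exported proxy log. The following is an added example, not part of the original post or of HTTP Debugger; it assumes a log already flattened into records with the originating process, method, URL, status and response Content-Type, and the sample records (paths and the example.test hosts) are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample records in the shape a system-wide HTTP proxy exposes
# per request. The PuTTY host and file name come from the write-up above;
# the paths and the example.test hosts are made up for this example.
SAMPLE_LOG = [
    {"app": "chrome.exe", "method": "GET", "url": "https://the.earth.li/putty-64bit-0.74-installer.msi", "status": 200, "ctype": "application/msi"},
    {"app": "chrome.exe", "method": "GET", "url": "https://the.earth.li/favicon.ico", "status": 200, "ctype": "image/x-icon"},
    {"app": "sample.exe", "method": "POST", "url": "http://updates.example.test/check", "status": 200, "ctype": "text/plain"},
    {"app": "sample.exe", "method": "GET", "url": "http://updates.example.test/stage2.bin", "status": 200, "ctype": "application/octet-stream"},
    {"app": "sample.exe", "method": "GET", "url": "http://updates.example.test/stage2.bin", "status": 200, "ctype": "application/octet-stream"},
    {"app": "sample.exe", "method": "GET", "url": "http://cdn.example.test/lib.dll", "status": 404, "ctype": "text/html"},
]

# Content types that commonly carry a second- or third-stage payload.
PAYLOAD_TYPES = {"application/msi", "application/octet-stream", "application/x-msdownload"}


def domain_stats(records, app):
    """Per-domain hit count and GET/POST breakdown for one originating
    process, mirroring the Domains statistic view filtered by application."""
    stats = {}
    for r in records:
        if r["app"] != app:
            continue
        domain = urlsplit(r["url"]).hostname
        entry = stats.setdefault(domain, {"hits": 0, "methods": Counter()})
        entry["hits"] += 1
        entry["methods"][r["method"]] += 1
    return stats


def payload_downloads(records, app, types=PAYLOAD_TYPES):
    """Successful (200) responses whose Content-Type suggests a downloaded
    payload, as (domain, filename, content type) for follow-up extraction."""
    found = []
    for r in records:
        if r["app"] == app and r["status"] == 200 and r["ctype"].lower() in types:
            parts = urlsplit(r["url"])
            found.append((parts.hostname, parts.path.rsplit("/", 1)[-1], r["ctype"]))
    return found


if __name__ == "__main__":
    for app in sorted({r["app"] for r in SAMPLE_LOG}):
        print(app)
        for domain, s in domain_stats(SAMPLE_LOG, app).items():
            print(f"  {domain}: {s['hits']} requests, {dict(s['methods'])}")
        for domain, name, ctype in payload_downloads(SAMPLE_LOG, app):
            print(f"  payload: {name} ({ctype}) from {domain}")
```

Repeated hits on the same payload URL, as with stage2.bin here, are the pattern the write-up points at when counting how often a domain is contacted.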
Let's try executing the payload that we extracted from the HTTP response.
HTTP Debugger is very helpful for gaining a quick, system-wide picture of what is going on in the OS. Installation and configuration are very easy, so you can start the process right away.