Archived Blog
Inside a VMware instance I executed the malware sample with oSpy and monitored the traffic.
Process Explorer shows that the malware executable named x.exe was executed.
Below we can see that oSpy intercepts the network traffic.
Let's take a closer look at the data...
Here we can see that oSpy lets us know which network API functions were involved in the network communication.
oSpy also allows us to look at each piece of data that was sent and received over the network.
From the network analysis we can see that the sample malware was trying to download binaries called 2.exe and 3.exe from a .CN website.
One of the key reasons you'd want to run oSpy as opposed to Wireshark is that oSpy is a user-land monitoring program, allowing us to monitor only certain applications as opposed to all network traffic. This way you get to see which traffic is originating from which process. Since oSpy hooks user-mode API calls, it also has the nice feature of allowing us to sync those API calls with the IDA Pro disassembler.
oSpy is a nice and handy tool to have in your anti-malware tool-kit.
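To show what per-process attribution buys you in triage, here is an added example (not part of the original post and not oSpy's own code or export format) that walks a constructed list of intercepted socket calls, groups outbound HTTP requests by originating process, and flags executable downloads like the 2.exe/3.exe fetches seen above. The tuple layout and the host name are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of intercepted calls: (process, API function, direction, payload).
# This layout is an assumption for the example; it is not oSpy's real export format.
SAMPLE_CALLS = [
    ("x.exe", "send", "out", b"GET /2.exe HTTP/1.1\r\nHost: sample-host.cn\r\nUser-Agent: Mozilla\r\n\r\n"),
    ("x.exe", "recv", "in", b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
    ("x.exe", "send", "out", b"GET /3.exe HTTP/1.1\r\nHost: sample-host.cn\r\n\r\n"),
    ("iexplore.exe", "WSASend", "out", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

REQUEST_LINE = re.compile(rb"^(GET|POST) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)")

def extract_requests(calls):
    """Group outbound HTTP request lines by the process that issued them."""
    per_process = defaultdict(list)
    for proc, api, direction, payload in calls:
        if direction != "out":
            continue
        m = REQUEST_LINE.match(payload)
        if not m:
            continue  # not the start of an HTTP request (e.g. a continuation chunk)
        host = HOST_HEADER.search(payload)
        per_process[proc].append({
            "api": api,
            "method": m.group(1).decode(),
            "path": m.group(2).decode(),
            "host": host.group(1).decode() if host else "",
        })
    return dict(per_process)

def flag_executable_downloads(requests):
    """Return (process, host, path, host_is_cn) for every GET of a .exe resource."""
    flagged = []
    for proc, reqs in requests.items():
        for r in reqs:
            if r["method"] == "GET" and r["path"].lower().endswith(".exe"):
                flagged.append((proc, r["host"], r["path"], r["host"].lower().endswith(".cn")))
    return flagged

def pe_responses(calls):
    """Processes that received an HTTP response whose body begins with the PE 'MZ' magic."""
    hits = []
    for proc, api, direction, payload in calls:
        if direction != "in" or not payload.startswith(b"HTTP/1."):
            continue
        _, sep, body = payload.partition(b"\r\n\r\n")
        if sep and body.startswith(b"MZ") and proc not in hits:
            hits.append(proc)
    return hits
```

With a real capture, the same grouping step is what tells you that only x.exe, and not the browser, asked for the binaries.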
Security Researcher: Moti Joseph