Let me show you how to use FakeNet-NG to do a simple dynamic analysis of a malware sample. So first let me start Wireshark and let's filter on DNS traffic. And now I will launch the sample like this. So it elevates. Okay, and you can see here a request for writeRoundion.ru, and the response from DNS is that the name is not found. So I will just let it go. Okay, we get the error. So you can see a request for writeRoundion.ru and then another one with a subdomain name, er and some numbers. All of them get "no such name" replies, so the name is not found. When the DNS name is not found, the sample will not be able to establish a TCP connection, so you cannot look into it to see how it behaves. And that's where FakeNet can help you.

So let's close this. And let me first just show you a ping to a non-existing domain like this. It could not resolve the host, so you get no ping. Now when you launch FakeNet like this, FakeNet will launch many services, for example also a DNS listener. Okay, so it is running. And now let's do the ping again. And you see right now we get a reply. That is because, if you look here into the log, you will see that a DNS request was received for this domain here, and it responded with this IP address. And if you do an ipconfig here you can see that it is in the same subnet as this machine. So that is what FakeNet does.

So we will stop it now and use it to analyze our sample. What I'm going to do first is launch an elevated command prompt. I'm going to demo here, and then FakeNet. And now I will launch FakeNet, and I will redirect the standard error output to a file like this. This will log all the messages from FakeNet to a file. Okay. And then let's start our sample again. And now you can see that the sample behaves differently: you get the connection error much faster. Let's say okay. And it has deleted itself, so now we can stop FakeNet. And now if we go into the FakeNet folder we have here our output log. And here you see our sample.
It does a WPAD request. And it also does a request for this Russian domain. And then it also logs the POST request. It is an HTTP request because it's on listener 80. So the interesting thing now is that you can see what kind of network traffic you can expect. This is the URL that was used. And also interesting here is the user agent string. This is a very specific user agent string: Christmas Mystery 553. Later on you can see all the requests here to this subdomain with the request fail. And this request contains data, and the data is here.

So not only do you have this in this output file, but this has also been saved in packets here. This is the last capture that was saved by FakeNet. And if I open that with Wireshark here, I have for example, when I filter for DNS, the queries and the responses. And if I filter for HTTP, here for example I have the HTTP POST request. And I can do for example a Follow TCP Stream to see what happens. And you see here what FakeNet does: it responds with the default HTML page. And that is something you can change. It's all customizable.

So this is how FakeNet can help you by simulating a network and the internet, so that you can analyze malware samples, for example if you don't want to connect them to the internet, or if they no longer work because the C&C is no longer available.
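
What the DNS listener in the demo does (answering a query for a non-existing name with an address so the sample goes on to connect), shown as an added Python example; it is not from the video and is not FakeNet-NG's own code. The query name, the address 192.0.2.123 and port 5353 are constructed values for illustration.

```python
import socket
import struct

def parse_question(query: bytes):
    """Return (name, qtype, qclass, end_offset) of a single-question DNS query."""
    if len(query) < 12:
        raise ValueError("shorter than a DNS header")
    _, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while pos < len(query) and query[pos] != 0:
        length = query[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(query):  # need the zero terminator plus QTYPE and QCLASS
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", query[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass, pos + 5

def build_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Answer every A/IN question with `ip`; other types get an empty NOERROR."""
    _, qtype, qclass, end = parse_question(query)
    txid, flags = struct.unpack("!HH", query[:4])
    rflags = 0x8000 | (flags & 0x7900) | 0x0080  # QR=1, keep opcode and RD, RA=1
    if (qtype, qclass) != (1, 1):
        return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + query[12:end]
    # 0xC00C is a compression pointer back to the QNAME at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0) + query[12:end] + answer

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a constructed sample query (RD set), for trying the responder offline."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    tail = b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + tail

if __name__ == "__main__":
    # Assumed values: loopback, unprivileged port 5353, TEST-NET-1 answer address.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 5353))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data, "192.0.2.123"), peer)
        except ValueError as exc:
            print("ignored packet:", exc)
```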