Tool Release: FakeNet-NG - Next Generation Dynamic Network Analysis Tool

As a reverse engineer on the FLARE (FireEye Labs Advanced Reverse Engineering) team, I regularly perform basic dynamic analysis of malware samples. The goal is to quickly observe runtime characteristics by running binaries in a safe environment. One important task during dynamic analysis is to emulate the network environment and trick the malware into thinking it is connected to the Internet. When done right, the malware reveals its network signatures such as command and control (C2) domain names, User-Agent strings, URLs queried, and so on.

Today, I am releasing FakeNet-NG, which can be used to quickly perform basic dynamic malware analysis and extract good network-based indicators. Some of the features include full support for Windows 7 and later operating systems, process logging, an advanced process and host traffic filtering engine, support for third-party tools (e.g. debuggers, HTTP proxies, etc.), and many others. The tool is also highly configurable and can be used to perform more advanced tasks such as process and traffic filtering, aiding in automatic malware unpacking, security assessment of thick-client applications, and many others.

Take a look at my blog post with a more detailed explanation of FakeNet’s features as well as a sample use-case here:

If you are attending BlackHat USA this year, stop by the Arsenal area for a live demo of the tool and pick up some swag.

You can get the latest version of FakeNet-NG at the following Github repo: