If you quickly want to find out what the malware in your sandbox is resolving, you can use ApateDNS. This free tool will listen for outgoing DNS requests and is able to spoof the answer.
In my example I started the ApateDNS tool in my sandbox and set the DNS reply IP to my secondary machine -10.150.120.150.
I captured a DNS request to “www.google.be” and its DNS response address was spoofed to 10.150.120.150. This way the malware will start its connection pointed to this IP address -10.150.120.150.
Next I’ll set up the “TCP/IP Swiss army knife” – netcat.
On my secondary machine, the one with IP 10.150.120.150, I started a netcat listener on port 80.
~ $ sudo nc -l 80
If the malware then opens an HTTP connection to “www.google.be”, I will receive its HTTP requests.
GET / HTTP/1.1 Accept: */* Accept-Language: nl-be User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Accept-Encoding: gzip, deflate Host: www.google.be Connection: Keep-Alive Cookie: PREF=ID=815......:
This might be fast way to find out what connections your malware is trying to make.
(netcat is also available for windows)