Personal Research Project
2025
Dynamic Malware Analysis and Persistence Detection
- Project Overview
This project focused on detecting and analyzing QuasarRAT, an open-source remote access trojan, in a controlled home lab environment. The goal was to use Velociraptor, an open-source DFIR and endpoint monitoring platform, to identify the RAT's persistence mechanisms, indicators of compromise (IoCs), and command-and-control (C2) activity. I set up an isolated lab with a Windows endpoint, a Velociraptor server, and supporting tools so that the malware could be run and observed without any path to the real internet.
Please view the full project report here:
nguye340.github.io/velociraptor-endpoint-detection-report-QuasarRAT-infection/
- Approach
I deployed the Velociraptor client on the Windows VM and configured a Velociraptor server to collect endpoint artifacts from it. To trigger malicious activity, I introduced a QuasarRAT sample and used INetSim to simulate internet services, so the malware's outbound connections were answered by a fake C2 server instead of failing. Wireshark was used to capture and analyze the resulting network traffic, while Velociraptor covered endpoint-level artifacts such as persistence entries, registry changes, and process execution.
- Challenges and Solutions
One challenge was that QuasarRAT would not exhibit its full behavior without internet connectivity. To solve this, I integrated INetSim to safely emulate external services, which allowed the malware to beacon as if it were online. Another difficulty was correlating endpoint artifacts with network traffic, since the two data sources come from different tools. I addressed this by running Velociraptor queries in parallel with Wireshark captures and comparing the two on a common timeline, which made it possible to confirm that the persistence changes occurred alongside the observed C2 beaconing.
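To make the endpoint/network correlation step concrete, here is an added Python example that is not part of the original project or its report. It assumes the Velociraptor registry results and the Wireshark (or tshark) connection list have already been exported and normalised into the small dictionary records shown; the field names, IP addresses, port, autorun value name and file path are constructed for illustration and are not IoCs from the real sample. The beacon detector looks for near-periodic connections to the same destination, and the correlation pairs each Run-key write with any beacon that starts within a few minutes of it, which only works if both timelines share one clock (UTC here).

```python
"""Correlate registry autorun writes with periodic outbound beacons.

Added example; input records are constructed to resemble normalised
Velociraptor registry results and tshark connection records. Field names
are an assumption, not the real artifact schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed endpoint-side sample: registry values seen by the collector.
REGISTRY_EVENTS = [
    {"ts": "2025-03-01T10:00:03Z",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "UpdateSvc", "value": r"C:\Users\lab\AppData\Roaming\sample.exe"},
    {"ts": "2025-03-01T09:20:00Z",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth", "value": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"ts": "2025-03-01T10:00:04Z",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "name": "ShellState", "value": "(binary)"},
]

# Constructed network-side sample: one TCP connection per record, as from
# `tshark -T fields -e frame.time -e ip.src -e ip.dst -e tcp.dstport`.
# 10.0.0.5 is the infected VM, 10.0.0.2 the INetSim host.
CONNECTIONS = (
    # a 30-second check-in to the fake C2: the pattern a RAT timer produces
    [{"ts": f"2025-03-01T10:0{m}:{s:02d}Z", "src": "10.0.0.5", "dst": "10.0.0.2", "dport": 8443}
     for m, s in ((0, 5), (0, 35), (1, 5), (1, 35), (2, 5), (2, 35))]
    # one-off HTTP request: not periodic
    + [{"ts": "2025-03-01T10:00:20Z", "src": "10.0.0.5", "dst": "10.0.0.2", "dport": 80}]
    # four irregular connections to another host: enough hits, too much jitter
    + [{"ts": t, "src": "10.0.0.5", "dst": "10.0.0.4", "dport": 443}
       for t in ("2025-03-01T10:00:10Z", "2025-03-01T10:00:12Z",
                 "2025-03-01T10:01:40Z", "2025-03-01T10:03:00Z")]
)


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def autorun_entries(reg_events):
    """Keep only values written under the Run / RunOnce autostart keys."""
    return [ev for ev in reg_events
            if ev["key"].rsplit("\\", 1)[-1].lower() in ("run", "runonce")]


def find_beacons(conns, min_hits=4, max_jitter=0.2):
    """Report (src, dst, dport) flows whose connection times are near-periodic.

    A flow qualifies with at least `min_hits` connections and a relative
    spread of inter-connection gaps (pstdev / mean) of at most `max_jitter`.
    """
    flows = defaultdict(list)
    for c in conns:
        flows[(c["src"], c["dst"], c["dport"])].append(parse_ts(c["ts"]))
    beacons = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0 or pstdev(gaps) / period > max_jitter:
            continue
        beacons.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                        "period_s": period, "first": times[0], "last": times[-1]})
    return beacons


def correlate(reg_events, conns, window=timedelta(minutes=5)):
    """Pair each autorun write with every beacon whose first hit lies within
    `window` of the write; offset_s is how long after the write it started."""
    matches = []
    beacons = find_beacons(conns)
    for entry in autorun_entries(reg_events):
        written = parse_ts(entry["ts"])
        for b in beacons:
            offset = (b["first"] - written).total_seconds()
            if abs(offset) <= window.total_seconds():
                matches.append({"autorun": entry, "beacon": b, "offset_s": offset})
    return matches


if __name__ == "__main__":
    for m in correlate(REGISTRY_EVENTS, CONNECTIONS):
        a, b = m["autorun"], m["beacon"]
        print(f"{a['name']} -> {a['value']} written {a['ts']}; beacon to "
              f"{b['dst']}:{b['dport']} every {b['period_s']:.0f}s, "
              f"{b['count']} hits, starting {m['offset_s']:+.0f}s after the write")
```

Running it against the constructed data reports only the UpdateSvc value paired with the 30-second 8443 flow: the pre-existing SecurityHealth entry is 40 minutes away from any beacon, the single port-80 request has too few hits, and the jittery 443 flow fails the periodicity check. On real exports the same two functions apply, with the window and jitter thresholds tuned to the sample's observed check-in interval.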
- Key Findings
- Identified the persistence mechanisms used by the QuasarRAT sample, including registry-based autorun entries.
- Observed and documented periodic network beaconing consistent with a RAT attempting to reach its C2 server.
- Extracted IoCs such as process names, registry keys and values, and C2 traffic characteristics.
- Confirmed that the forensic artifacts Velociraptor collected complemented the network-level analysis rather than duplicating it.
- Outcome
The project demonstrated how Velociraptor can be used alongside supporting tools to detect and analyze live malware in a safe, isolated environment. I documented the IoCs, persistence behaviors, and network activity of QuasarRAT in a structured report that could guide future detection and response workflows. This project strengthened my practical skills in DFIR, threat hunting, and lab-based malware analysis, while also highlighting the importance of correlating endpoint and network data during investigations.