The most important one is the following: -redir tcp:8000::8000. This parameter redirects local port 8000 on the host to port 8000 of the virtual machine.
Zero Wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware.
Zero Wine simply runs the malware using WINE in a safe virtual sandbox (an isolated environment), collecting information about the APIs called by the program.
You can, of course, change the port, but do not use port 80 in Unix/Linux-based environments: binding it needs root privileges, which opens a big security hole (imagine the malware escaping from the virtual machine and owning your real system).
When the virtual machine finishes booting (wait about 2 minutes or so for the Debian-based operating system to come up), you can navigate with your preferred browser to
After a while a report summary like the following one will be generated. When the analysis finishes, a summary page with 4 links (at the time of writing this little article) appears; one of these links shows the complete raw trace file generated by WINE.
The output generated by WINE (via the WINEDEBUG debug environment variable) consists of the API calls made by the malware, together with the argument values it passed to them.
With this information, analyzing the malware's behavior turns out to be very easy.
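As an added example (not code from the original article or from the Zero Wine project), here is a small parser for the kind of API-call trace WINE writes when WINEDEBUG enables its relay channel; it assumes the "tid:Call MODULE.func(args) ret=addr" / "tid:Ret MODULE.func() retval=hex ret=addr" line layout, and the trace lines inside it are constructed for the example. It turns a raw trace into the three things an analyst reads off such a report: which APIs were called, which strings (paths, registry names) were passed, and what each call returned.

```python
import re
from collections import Counter

# One +relay line: "<tid>:Call MODULE.func(args) ret=<addr>" or "<tid>:Ret  MODULE.func() retval=<hex> ret=<addr>".
LINE_RE = re.compile(
    r"^(?P<tid>[0-9a-f]+):(?P<kind>Call|Ret)\s+"
    r"(?P<module>[A-Za-z0-9_]+)\.(?P<func>[A-Za-z0-9_@]+)\((?P<args>.*)\)"
    r"(?: retval=(?P<retval>[0-9a-f]+))? ret=(?P<ret>[0-9a-f]+)$"
)
STRING_ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # C-escaped string arguments inside the parentheses

# Constructed sample trace, hand-written for this example (not the output of any real sample).
SAMPLE_TRACE = "\n".join([
    r'0009:Call KERNEL32.CreateFileA(00403040 "C:\\windows\\drop.exe",40000000,00000000,00000000,00000002,00000080,00000000) ret=00401050',
    r'0009:Ret  KERNEL32.CreateFileA() retval=00000048 ret=00401050',
    r'0009:Call KERNEL32.WriteFile(00000048,00405000,00002000,0032fe10,00000000) ret=00401070',
    r'0009:Ret  KERNEL32.WriteFile() retval=00000001 ret=00401070',
    r'0009:Call ADVAPI32.RegSetValueExA(00000030,00403080 "Updater",00000000,00000001,00403040,00000015) ret=004010a0',
    r'0009:Ret  ADVAPI32.RegSetValueExA() retval=00000000 ret=004010a0',
    r'0009:Call WS2_32.connect(00000050,0032fe20,00000010) ret=004010c0',
    r'0009:Ret  WS2_32.connect() retval=ffffffff ret=004010c0',
])

def parse_relay(text):
    """One dict per relay line; lines from other WINEDEBUG channels do not match and are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def api_histogram(records):
    """Count MODULE.func per Call line (the matching Ret line is not counted a second time)."""
    return Counter(f"{r['module'].upper()}.{r['func']}" for r in records if r["kind"] == "Call")

def string_arguments(records):
    """Quoted string arguments of Call lines: file paths, registry value names, library names."""
    return [s for r in records if r["kind"] == "Call" for s in STRING_ARG_RE.findall(r["args"])]

def call_results(records):
    """Pair each Ret with the latest unmatched Call on the same thread -> [(MODULE.func, retval), ...]."""
    pending, results = {}, []
    for r in records:
        key = (r["tid"], r["module"].upper(), r["func"])
        if r["kind"] == "Call":
            pending.setdefault(key, []).append(r)
        elif pending.get(key):  # a Ret with no open Call (truncated trace) is ignored
            pending[key].pop()
            results.append((f"{key[1]}.{key[2]}", int(r["retval"], 16)))
    return results

if __name__ == "__main__":
    recs = parse_relay(SAMPLE_TRACE)
    print(api_histogram(recs), string_arguments(recs), call_results(recs), sep="\n")
```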
Related links: project's web page, WINE, PEFile by Ero Carrera, PEiD signatures, DSignatures PEiD.
After this operation, the malware is executed using the shell script malware_ (the file is stored in the folder /home/malware/bin).