So, here's the quick and dirty. We'll download the sample, rename it, copy it to system32 dir and edit a useless service to load it on startup.
- Grab the file here.
- Rename it to "booyah.dll"
- Copy "booyah.dll" to "C:\Windows\System32\"
- Open Regedit and navigate to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters
- Right click on "ServiceDll", click "Modify", change the current DLL to point to "booyah.dll", and click OK
- Close Regedit and Reboot.
What's next? If you've done malware analysis before, you know you should have been capturing ALL network traffic from this host. Continue sniffing and looking for interesting things. Capture all of the traffic to disk with tcpdump, tshark or daemonlogger. Then run it through Snort with the Emerging Threats ruleset or ngrep looking for interesting strings. The possibilities are endless.
Oh yeah, don't forget to put this behind some kind of firewall or filtering device so you can keep a handle on it. I've got mine sitting behind a Vyatta-based bridging firewall that is working quite well for this use. I'm also sniffing directly on the bridged interface.