Installing the MalConfScan with Cuckoo to Analyze Emotet

soji256
May 23, 2019 · 14 min read

On April 22, 2019, JPCERT/CC published a tool called MalConfScan on GitHub. MalConfScan is a Volatility plugin that extracts the configuration data of known malware: it searches a memory image for the malware and dumps its configuration. It can also list the strings that the malicious code references.

MalConfScan can dump the following malware:

- Ursnif
- Emotet
- Smoke Loader
- PoisonIvy
- CobaltStrike
- NetWire
- PlugX
- RedLeaves / Himawari / Lavender / Armadill / zark20rk
- TSCookie
- TSC_Loader
- xxmm
- Datper
- Ramnit
- HawkEye
- Lokibot
- Bebloh (Shiotob/URLZone)
- AZORult
- NanoCore RAT
- AgentTesla
- FormBook
- NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
- Pony
- njRAT

JPCERT/CC seems to have done a great job.

You can use it as a plain Volatility plugin, but at the bottom of the page there was a note titled “MalConfScan with Cuckoo”, and since it appeared to integrate with Cuckoo, I started by building that environment.

Building the Environment for “MalConfScan with Cuckoo”

Environment for “MalConfScan with Cuckoo” (figure)

Preparation for Ubuntu 18.04.2

Ubuntu 18.04.2 (Cuckoo host)

  • Memory Size: 8 GB
  • CPU Cores: 4
  • CPU “Virtualize Intel VT-x/EPT or AMD-V/RVI”: ON
  • HDD: 80 GB
  • Network Adapter: NAT
  • User Name: infected
  • Ubuntu 18.04.2 LTS (iso image)
    https://www.ubuntu.com/download/desktop

The “Virtualize Intel VT-x/EPT or AMD-V/RVI” option is a VMware setting on the Ubuntu virtual machine: it passes hardware virtualization through to the guest, which is what lets VirtualBox inside Ubuntu give the sandbox VM more than one CPU core. If you do not change the number of cores, you do not need to change this setting.

Update Ubuntu

sudo apt update
sudo apt upgrade -y

Preparation for MalConfScan with Cuckoo

sudo apt install -y git make vim
sudo apt install -y python python-pip python-setuptools python-virtualenv virtualenv
sudo apt install -y libjpeg8-dev zlib1g-dev

git clone https://github.com/JPCERTCC/MalConfScan.git
# for cuckoo best practice
virtualenv venv
. venv/bin/activate

Enter the above command to move to an isolated Python environment. The screen displays (venv) at the beginning of the prompt as follows:

Virtualenv (venv) prompt (figure)

From here on, every command is entered in this isolated environment. If you follow the steps in order you will stay in it; if something unexpected takes you out of it, run “. venv/bin/activate” to return to the isolated environment before continuing. The steps below assume you are in it.

# for Volatility
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py install
cd ../
pip install distorm3 pefile

cp MalConfScan/malconfscan.py venv/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/
cp -R MalConfScan/utils venv/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/
cp -R MalConfScan/yara venv/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/

# for MongoDB
sudo apt install -y libffi-dev libssl-dev libjpeg-dev zlib1g-dev swig
sudo apt install -y mongodb

# for elasticsearch 5.6.0 (https://github.com/cuckoosandbox/cuckoo/issues/2085)
sudo apt install -y openjdk-11-jdk
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.6.0.deb
sudo dpkg -i elasticsearch-5.6.0.deb
rm elasticsearch-5.6.0.deb

# for mitmproxy
sudo apt install -y python3-dev python3-pip
pip3 install mitmproxy

# for tcpdump (https://cuckoo.readthedocs.io/en/latest/faq/#tcpdump-permission-denied)
sudo apt install -y apparmor-utils
sudo aa-disable /usr/sbin/tcpdump

# for non-root user (in this case, user name is "infected")
sudo usermod -a -G vboxusers infected
sudo groupadd pcap
sudo usermod -a -G pcap infected
sudo chgrp pcap /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

# for VirtualBox
sudo apt install -y virtualbox
sudo vboxmanage hostonlyif create
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

Cuckoo uses SQLite3 as its default database. Switching to MySQL or PostgreSQL is recommended mainly for performance, but SQLite3 seems to be fine for small-scale use, so we proceed with the default.

Preparing virtual machines for sandbox

We will use the OS image above to try out “MalConfScan with Cuckoo”. To get the most out of the tool you should use a clean copy of Windows 7; the procedure is much the same, the main difference being that the step that uninstalls “VirtualBox Guest Additions” is not needed.

Virtual machines on VirtualBox (Windows 7)

  • Version: Windows 7 SP1 (32-bit)
  • CPU Cores: 2
  • Memory Size: 1280 MB
  • Video Memory Size: 32 MB
  • Display - Remote Display: Disable
  • System - Enable I/O APIC: Enable (automatically)
  • User Name: IEUser

We change the number of CPU cores and the memory size to make the virtual machine harder to detect as an analysis environment; this is not required for MalConfScan. Note that “Intel VT-x/EPT or AMD-V/RVI Virtualization” must be enabled before the number of CPU cores can be changed. If you cannot change it, check the VMware settings of the Ubuntu virtual machine.

Launch a virtual machine on VirtualBox to change the preferences

  • Disable Windows Update
  • Disable Windows Defender
  • Disable Windows Firewall
  • Disable UAC (Set not to notify)
  • Select “Ask me later” when asked to set when starting IE
  • Installing Python 2.7 https://www.python.org/ftp/python/2.7.13/python-2.7.13.msi
  • Installing PIL-1.1.7.win32-py2.7.exe
    http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe
  • Set agent.py in startup folder
    agent.py :
    https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/cuckoo/data/agent/agent.py
    Startup folder :
    %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
  • Network Settings
    - IP address: 192.168.56.101
    - Subnet mask: 255.255.255.0
    - Default gateway: 192.168.56.1
    - Preferred DNS server: 8.8.8.8
    - Alternate DNS server: 8.8.4.4
  • Suppressing Network Noise (Disable Teredo, LLMNR, etc.)
    - To open the Group Policy Editor, press [Windows key] + R and type “gpedit.msc”
    - Computer Configuration -> Administrative Templates -> Network -> DNS Client, then enable “Turn off Multicast Name Resolution”
    - Computer Configuration -> Administrative Templates -> System -> Internet Communication Management, then enable “Restrict Internet Communication”
    - Enter the following at the command prompt:
netsh interface teredo set state disabled
  • Save the following as init.reg (it is run in a later step)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM]
"SystemBiosDate"="06/12/10"
"SystemBiosVersion"="BC1.05"
"VideoBiosVersion"="VC1.20"

[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBox*]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\Enum]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxGuest\Enum]
  • Change the network configuration of VirtualBox to “Host-only Adapter”
    - Make sure “vboxnet0” is selected
    - If “Not Selected”, execute the following command
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
  • Uninstall “Oracle VM VirtualBox Guest Additions”
    - Will be asked to reboot, so reboot
  • Verify agent.py is started after reboot
    - You should see a black console window with the title “C:\Python27\python.exe”
    - If not started, check that the contents of agent.py match the contents of the source.
  • Minimize agent.py’s window so it doesn’t get in the way of screenshots during analysis
  • Run the previously created init.reg

When you have completed all of the above steps, take a snapshot of the virtual machine while it is still running. Save the snapshot as “cuckoo”. Be careful not to mistake the virtual machine and snapshot names as they will be used in the Cuckoo configuration file. When you are finished taking snapshots, shut down the virtual machine. You can also terminate VirtualBox itself.

The sandbox virtual machine is now ready. Return to Cuckoo setup.

MalConfScan with Cuckoo Setup

reboot

Patch Cuckoo to make MalConfScan available.

git clone https://github.com/jpcertcc/malconfscan-with-cuckoo.git
git clone -b 2.0.6 https://github.com/cuckoosandbox/cuckoo.git

. venv/bin/activate
cd cuckoo
patch -p1 < ../malconfscan-with-cuckoo/malconfscan.patch
python stuff/monitor.py
python setup.py sdist develop
cd ../
cuckoo

Initialize mitmproxy. To generate the certificate file required by the configuration, start it once and exit with [Ctrl] + C.

# to create the ".mitmproxy" dir
mitmproxy
[Ctrl]+C
# Copy the certificate to a location for Cuckoo to use
cp .mitmproxy/mitmproxy-ca-cert.p12 .cuckoo/analyzer/windows/bin/cert.p12

Replace mitm.py to avoid errors later.

# for https://github.com/cuckoosandbox/cuckoo/issues/2313
wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/9a1cd18a079de49cc5279631c04995313e2b509e/cuckoo/auxiliary/mitm.py
mv mitm.py ./cuckoo/cuckoo/auxiliary/

Install M2Crypto, which Cuckoo needs for analysis. Follow these steps:

# for m2crypto
wget http://deb.debian.org/debian/pool/main/m/m2crypto/m2crypto_0.24.0.orig.tar.xz
wget http://deb.debian.org/debian/pool/main/m/m2crypto/m2crypto_0.24.0-1.1.debian.tar.xz
tar xvf m2crypto_0.24.0.orig.tar.xz
tar xvf m2crypto_0.24.0-1.1.debian.tar.xz
cp -r debian/ M2Crypto-0.24.0/
sudo apt install -y quilt
echo export QUILT_PATCHES=debian/patches>>.bashrc
source .bashrc
. venv/bin/activate
cd M2Crypto-0.24.0/
quilt push
python setup.py sdist
cd ../
sudo apt install -y libssl1.0-dev
pip install M2Crypto-0.24.0/dist/M2Crypto-0.24.0.tar.gz

Start MongoDB and Elasticsearch for use with Cuckoo.

sudo service elasticsearch start
sudo systemctl enable elasticsearch
sudo service mongodb start
sudo systemctl enable mongodb

Modifying the Cuckoo Configuration File

vi .cuckoo/conf/auxiliary.conf
[mitm]
# Enable man in the middle proxying (mitmdump) [yes/no].
#enabled = no
enabled = yes
(snip)
# path is correct.
#mitmdump = /usr/local/bin/mitmdump
mitmdump = /home/infected/.local/bin/mitmdump

vi .cuckoo/conf/cuckoo.conf
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
#memory_dump = no
memory_dump = yes
(snip)
# The value is expressed in bytes, by default 128 MB.
#upload_max_size = 134217728
upload_max_size = 1610612736

vi .cuckoo/conf/memory.conf
[basic]
# Profile to avoid wasting time identifying it
#guest_profile = WinXPSP2x86
guest_profile = Win7SP1x86

vi .cuckoo/conf/processing.conf
[memory]
# Create a memory dump of the entire Virtual Machine. This memory dump will
# then be analyzed using Volatility to locate interesting events that can be
# extracted from memory.
#enabled = no
enabled = yes

vi .cuckoo/conf/reporting.conf
[mongodb]
#enabled = no
enabled = yes
(snip)
[elasticsearch]
#enabled = no
enabled = yes
(snip)
#hosts = 127.0.0.1
hosts = 127.0.0.1:9200

vi .cuckoo/conf/virtualbox.conf
[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
#label = cuckoo1
label = Win7SP1x86
(snip)
# Example (Snapshot1 is the snapshot name):
#snapshot =
snapshot = cuckoo
(snip)
# Example (vboxnet0 is the interface name):
#interface =
interface = vboxnet0

Cuckoo Network Configuration

ls -l /etc/resolv.conf
sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo service systemd-resolved restart

Next, configure iptables so that the sandbox can reach the Internet but cannot reach internal IP addresses. I have tested this configuration, but letting samples talk to the Internet still makes me uneasy; unless you specifically need Internet access, keep Ubuntu, the sandbox host, isolated.

# Initializes iptables settings.
sudo iptables -t nat -F
sudo iptables -F
sudo iptables -L
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i vboxnet0 -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.0.0/16 -i vboxnet0 -o ens33 -j DROP
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 172.16.0.0/12 -i vboxnet0 -o ens33 -j DROP
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 10.0.0.0/8 -i vboxnet0 -o ens33 -j DROP
sudo iptables -A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens33 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo sysctl -w net.ipv4.ip_forward=1

Make the settings persistent (answer Yes to the prompts that appear).

sudo apt install -y iptables-persistent
sudo bash
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
exit

Verify Network Settings.

$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vboxnet0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.56.0/24 -d 192.168.0.0/16 -i vboxnet0 -o ens33 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 172.16.0.0/12 -i vboxnet0 -o ens33 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 10.0.0.0/8 -i vboxnet0 -o ens33 -j DROP
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens33 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE
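Before trusting these rules on a live host, it helps to test the FORWARD policy offline. The following Python model of the FORWARD chain shown above is an added example, not part of the post or of Cuckoo; the interface names and guest address are the post's, the sample destinations are constructed, and the check exposes a gap the three DROP rules leave open: link-local (169.254.0.0/16) and shared address space (100.64.0.0/10) are still forwarded.

```python
import ipaddress

# Model of the FORWARD chain above: first matching rule wins, chain policy is
# DROP. A field missing from a rule is a wildcard, as in iptables.
SANDBOX_NET = ipaddress.ip_network("192.168.56.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

FORWARD_CHAIN = (
    # -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    [{"state": {"ESTABLISHED", "RELATED"}, "verdict": "ACCEPT"}]
    # -A FORWARD -s 192.168.56.0/24 -d <RFC 1918 net> -i vboxnet0 -o ens33 -j DROP
    + [{"src": SANDBOX_NET, "dst": net, "in": "vboxnet0", "out": "ens33",
        "verdict": "DROP"} for net in RFC1918]
    # -A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens33 -m conntrack --ctstate NEW -j ACCEPT
    + [{"src": SANDBOX_NET, "in": "vboxnet0", "out": "ens33",
        "state": {"NEW"}, "verdict": "ACCEPT"}]
)
FORWARD_POLICY = "DROP"


def forward_verdict(src, dst, in_if, out_if, state):
    """Verdict the FORWARD chain gives a packet with these attributes."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in FORWARD_CHAIN:
        if "src" in rule and src_ip not in rule["src"]:
            continue
        if "dst" in rule and dst_ip not in rule["dst"]:
            continue
        if "in" in rule and in_if != rule["in"]:
            continue
        if "out" in rule and out_if != rule["out"]:
            continue
        if "state" in rule and state not in rule["state"]:
            continue
        return rule["verdict"]
    return FORWARD_POLICY


def isolation_gaps(destinations, guest="192.168.56.101"):
    """Destinations a NEW connection from the guest is forwarded to even
    though they are not public Internet addresses (is_global is False)."""
    return [dst for dst in destinations
            if forward_verdict(guest, dst, "vboxnet0", "ens33", "NEW") == "ACCEPT"
            and not ipaddress.ip_address(dst).is_global]


# Constructed sample destinations: public, RFC 1918, link-local, shared space.
SAMPLE_DESTINATIONS = ["8.8.8.8", "10.1.2.3", "172.20.0.5", "192.168.1.10",
                       "169.254.169.254", "100.64.0.1"]

if __name__ == "__main__":
    print("not isolated:", isolation_gaps(SAMPLE_DESTINATIONS))
```

Adding DROP rules for 169.254.0.0/16 and 100.64.0.0/10 ahead of the final ACCEPT closes those two gaps.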

Launch Cuckoo

sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

Now that everything is ready, start Cuckoo.

cuckoo community
cuckoo

If the following banner appears, Cuckoo has started correctly and is waiting for samples to be submitted.

Cuckoo Sandbox
no chance for malwares!
Cuckoo Sandbox 2.0.6
www.cuckoosandbox.org
Copyright © 2010–2018
Checking for updates…
You’re good to go!
Our latest blogposts:
* IQY malspam campaign, October 15, 2018.
Analysis of a malspam campaign leveraging .IQY (Excel Web Query) files containing DDE to achieve code execution.
More at https://hatching.io/blog/iqy-malspam
* Hooking VBScript execution in Cuckoo, October 03, 2018.
Details on implementation of Visual Basic Script instrumentation for Cuckoo Monitor for extraction of dynamically executed VBScript.
More at https://hatching.io/blog/vbscript-hooking
* Cuckoo Sandbox 2.0.6 pentest, September 18, 2018.
Cuckoo Sandbox 2.0.6 public pentest performed by Cure53 and sponsored by PolySwarm!
More at https://hatching.io/blog/cuckoo-206-pentest
* Cuckoo Sandbox 2.0.6, June 07, 2018.
Interim release awaiting the big release.
More at https://cuckoosandbox.org/blog/206-interim-release
* Cuckoo Sandbox 2.0.5: Office DDE, December 03, 2017.
Brand new release based on a DDE case study.
More at https://cuckoosandbox.org/blog/205-office-dde
2019-05-21 23:54:00,165 [cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2019-05-21 23:54:00,737 [cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2019-05-21 23:54:00,757 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.

Cuckoo Web interface

. venv/bin/activate
cuckoo web
Performing system checks…
System check identified no issues (0 silenced).
May 22, 2019 - 03:21:32
Django version 1.8.4, using settings ‘cuckoo.web.web.settings’
Starting development server at http://localhost:8000/
Quit the server with CONTROL-C.

When the above display appears, you are ready.

Open “http://127.0.0.1:8000/” to reach the Cuckoo web page. Drag and drop the file you want to analyze onto the “SUBMIT A FILE FOR ANALYSIS” area and the analysis settings screen appears. For URLs and hash values, paste them into “Submit URLs/hashes” and click “Submit” to reach the same screen.

Cuckoo Web in Firefox (figure)

The following is the result of analyzing Emotet: the sample is identified as Emotet and its list of communication destinations is extracted.

Cuckoo Report Sample: Emotet (figure)

Using Cuckoo after a reboot

sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
. venv/bin/activate
cuckoo &
cuckoo web &

Thanks.

Appendix

Office 2016 in Sandbox Crashes During Analysis

You can avoid this by using an older version of Office, or by turning off injection in the submission options (“Enable Injection” / “Enable behavior analysis”).

Options: Enable Injection (figure)

Dark Mode

Effect of the measures taken against analysis-environment detection, checked with the following tool.

  • a0rtega/pafish: Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
    https://github.com/a0rtega/pafish

The results are as follows (figures: Pafish 1/3, Pafish 2/3, Pafish 3/3).

Initialize iptables

sudo iptables -t nat -F
sudo iptables -F
sudo iptables -L

Disable Screen Lock

  • [Setting] -> [Power] -> [Blank screen] -> Never

About Modifying emotetscan.py

Comment out the original line, which keyed each entry as “IP <index>”, and key it by the integer value of the IP address instead:

vi MalConfScan/utils/emotetscan.py
# p_data["IP " + str(i)] = str(inet_ntoa(ip)) + ":" + str(port)
p_data[str(unpack("!I", ip)[0])] = str(inet_ntoa(ip)) + ":" + str(port)
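As an added example (not from the post and not MalConfScan's own code), the following Python 3 code shows what the new key produces and a side effect worth knowing before reading reports: two entries that share an IP address but use different ports collapse into one dictionary key, so the earlier port is lost. The 8-byte record layout and the sample table are constructed for the example and are not taken from Emotet or from emotetscan.py.

```python
from collections import OrderedDict
from socket import inet_ntoa
from struct import pack, unpack


def build_sample_table(entries):
    """Constructed C2 table: 8-byte records of 4-byte IP (network order),
    2-byte big-endian port and 2 padding bytes, ended by an all-zero record.
    This layout is assumed for the example, not taken from Emotet."""
    return b"".join(pack("!4sHxx", ip, port) for ip, port in entries) + b"\x00" * 8


# Constructed sample using documentation (TEST-NET) addresses, not real C2s.
SAMPLE_TABLE = build_sample_table([
    (bytes([203, 0, 113, 10]), 8080),
    (bytes([198, 51, 100, 7]), 443),
    (bytes([203, 0, 113, 10]), 7080),   # same host as the first entry, new port
])


def iter_records(data):
    """Yield (ip_bytes, port) per record until the zero terminator."""
    for off in range(0, len(data) - 7, 8):
        ip, port = unpack("!4sHxx", data[off:off + 8])
        if ip == b"\x00\x00\x00\x00":
            break
        yield ip, port


def parse_original(data):
    """Keys as in the commented-out line: 'IP <index>' -> 'a.b.c.d:port'."""
    p_data = OrderedDict()
    for i, (ip, port) in enumerate(iter_records(data)):
        p_data["IP " + str(i)] = str(inet_ntoa(ip)) + ":" + str(port)
    return p_data


def parse_modified(data):
    """Keys as in the post's replacement line: decimal IP integer -> 'a.b.c.d:port'."""
    p_data = OrderedDict()
    for ip, port in iter_records(data):
        p_data[str(unpack("!I", ip)[0])] = str(inet_ntoa(ip)) + ":" + str(port)
    return p_data


def key_to_ip(key):
    """Turn a modified-style key back into dotted form when reading a report."""
    return inet_ntoa(pack("!I", int(key)))


def dropped_entries(data):
    """Entries visible with the original keying that the modified keying
    loses, because a later record with the same IP overwrote the key."""
    kept = set(parse_modified(data).values())
    return [v for v in parse_original(data).values() if v not in kept]
```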


Update History

  • 2019/05/25 Fixed some typographical errors.
  • 2019/06/01
    - Added network noise suppression to the sandbox environment.
    - Removed the modification to emotetscan.py related to MongoDB (Issue #2).
    - Added a note about a bug that caused Office 2016 to crash.
    - Added a reboot of the host to the procedure before the first run of mitmproxy.
    - Added iptables initialization to the procedure. Fixed “sudo iptables -P FORWARD DROP” missing from iptables settings.
    - Added modification to emotetscan.py (Issue #3).
    - Corrected the incorrect file path modification to cert.p12 in “.cuckoo/conf/auxiliary.conf” (the default setting was fine).
  • 2019/06/08
    - Changed the title from “Build a MalConfScan with Cuckoo environment to analyze Emotet”.
    - The description of the modification to emotetscan.py has been moved from the text to the appendix.
  • 2019/08/05
    - Added reference to the articles introducing MalConfScan by JPCERT/CC.
  • 2020/03/03 Revised.
