Installing the MalConfScan with Cuckoo to Analyze Emotet

soji256
May 23 · 14 min read

On April 22, 2019, JPCERT/CC published a tool called MalConfScan on GitHub. MalConfScan is a Volatility plugin that extracts the configuration data of known malware families. It searches a memory image for the malware and dumps the configuration it finds. In addition, it can list the strings that the malicious code references.

MalConfScan can dump the following malware:

- Ursnif
- Emotet
- Smoke Loader
- PoisonIvy
- CobaltStrike
- NetWire
- PlugX
- RedLeaves / Himawari / Lavender / Armadill / zark20rk
- TSCookie
- TSC_Loader
- xxmm
- Datper
- Ramnit
- HawkEye
- Lokibot
- Bebloh (Shiotob/URLZone)
- AZORult
- NanoCore RAT
- AgentTesla
- FormBook
- NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
- Pony
- njRAT

JPCERT/CC seems to have done a great job.

You can use it as a plain Volatility plugin, but at the bottom of the page there was a note titled “MalConfScan with Cuckoo” indicating that it also works with Cuckoo Sandbox, so I started by building that environment.

Building the Environment for “MalConfScan with Cuckoo”

We will build Ubuntu 18.04.2 LTS on VMware as the Cuckoo host. On that Ubuntu we build a Python environment for Cuckoo (venv) and a Windows 7 virtual machine for the sandbox (VirtualBox).

Preparation for Ubuntu 18.04.2

Prepare a fresh Ubuntu 18.04.2. Anyone who is going to use MalConfScan will be able to do this without trouble, so I will skip those steps; the explanation below assumes the following environment.

Ubuntu18.04.2 (Cuckoo host)

  • On VMware (VMware Workstation 15 Pro)
  • Memory Size: 8GB
  • CPU Cores : 4
  • CPU ”Virtualize Intel VT-x/EPT or AMD-V/RVI” : ON
  • HDD:80GB
  • Network Adapter: NAT
  • User Name: infected
  • Ubuntu 18.04.2 LTS (iso image)
    https://www.ubuntu.com/download/desktop

“Virtualize Intel VT-x/EPT or AMD-V/RVI” enables nested virtualization; it is required only so that the VirtualBox virtual machine inside Ubuntu can be given more than one CPU core. If you leave the VirtualBox guest at its default core count, you do not need to change this setting.

Update Ubuntu

Update Ubuntu to the latest state.

Preparation for MalConfScan with Cuckoo

Enter the above command to switch into the isolated Python environment (virtualenv). The prompt is then prefixed with (venv), as follows:

From here on, every command must be entered inside the isolated environment. If you follow the steps as listed, you will already be in it. If something unexpected forces you out of the sequence, enter “. venv/bin/activate” to return to the isolated environment before continuing. The following steps assume you are inside it.

Cuckoo uses SQLite3 as its default database. Switching to MySQL or PostgreSQL is recommended mainly for performance, but for small-scale use SQLite3 is fine, so we will proceed with the standard SQLite3.

Preparing virtual machines for sandbox

Next we prepare the Windows 7 virtual machine for the sandbox. To make detection of the virtual environment harder, it is preferable to install a fresh Windows 7, but there are also ready-made OS images intended for verification, such as the following.

We will use the above OS image to try out “MalConfScan with Cuckoo”. To get the most out of this tool you should use a clean copy of Windows 7; the procedure is almost the same. The main difference is that with a clean install the step of uninstalling “VirtualBox Guest Additions” is not needed.

Virtual machines on VirtualBox (Windows 7)

  • Machine Name: Win7SP1x86
  • Version: Windows 7 SP1 (32-bit)
  • CPU Cores: 2
  • Memory Size: 1280 MB
  • Video Memory Size: 32 MB
  • Display - Remote Display: Disable
  • System - Enable I/O APIC: Enable (automatically)
  • User Name: IEUser

We change the number of CPU cores and the memory size to make detection of the virtual environment harder; this is not required for MalConfScan itself. Note that “Intel VT-x/EPT or AMD-V/RVI Virtualization” must be enabled on the Ubuntu VM in order to change the number of CPU cores. If you cannot change it, check the VMware settings of the Ubuntu VM.

Launch a virtual machine on VirtualBox to change the preferences

  • Set display resolution to 1024 x 768
  • Disable Windows Update
  • Disable Windows Defender
  • Disable Windows Firewall
  • Disable UAC (Set not to notify)
  • Select “Ask me later” when asked to set when starting IE
  • Installing Python 2.7 https://www.python.org/ftp/python/2.7.13/python-2.7.13.msi
  • Installing PIL-1.1.7.win32-py2.7.exe
    http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe
  • Set agent.py in startup folder
    agent.py :
    https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/cuckoo/data/agent/agent.py
    Startup folder :
    %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
  • Network Settings
    - IP address:192.168.56.101
    - Subnet mask:255.255.255.0
    - Default gateway:192.168.56.1
    - Preferred DNS server:8.8.8.8
    - Alternate DNS server:8.8.4.4
  • Suppressing Network Noise (Disable Teredo, LLMNR, etc.)
    - To open the Group Policy Editor, [Windows key] + R, and then type “gpedit.msc”
    - Computer Configuration -> Administrative Templates -> Network -> DNS Client, and then enable “Turn off Multicast Name Resolution”
    - Computer Configuration -> Administrative Templates -> System -> Internet Communication Management, and then enable “Restrict Internet Communication”
    - Enter the following at the command prompt.
  • Change the network configuration of VirtualBox to “Host-only Adapter”
    - Make sure “vboxnet0” is selected
    - If “Not Selected”, execute the following command
  • Uninstall “Oracle VM VirtualBox Guest Additions”
    - Will be asked to reboot, so reboot
  • Verify agent.py is started after reboot
    - You should see a black console window with the title “C:\Python27\python.exe”
    - If not started, check that the contents of agent.py match the contents of the source.
  • Minimize agent.py’s window so it doesn’t get in the way of screenshots during analysis
  • Run the previously created init.reg

When you have completed all of the above steps, take a snapshot of the virtual machine while it is still running. Name the snapshot “cuckoo”. Be careful not to mistype the virtual machine name and the snapshot name, because both are referenced in the Cuckoo configuration file. When the snapshot is done, shut down the virtual machine. You can also quit VirtualBox itself.

The sandbox virtual machine is now ready. Return to Cuckoo setup.

MalConfScan with Cuckoo Setup

Reboot the host machine. (This is to deal with the problem that mitmproxy does not start properly if it does not reboot.)

Patch Cuckoo to make MalConfScan available.

Initialize mitmproxy. To generate the certificate file required by the configuration, start it once and exit with [Ctrl] + C.

Replace mitm.py to avoid errors later.

Introduce the m2crypto that Cuckoo needs to analyze. Follow these steps:

Start up MongoDB and ElasticSearch for use with Cuckoo.

Modifying the Cuckoo Configuration File

From here, we will modify various Cuckoo configuration files according to the environment.
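The virtual machine name and snapshot name from the sandbox section have to match what is written in ~/.cuckoo/conf/virtualbox.conf, and a mismatch is a common reason the guest never starts. The following script is an added example (not code from the original post or from the Cuckoo project): it reads the machine section, label and snapshot from the conf file and cross-checks them against what VBoxManage reports. It assumes the default section name “cuckoo1”, the conf file path under ~/.cuckoo, and the names used above (VM “Win7SP1x86”, snapshot “cuckoo”).

```shell
#!/bin/sh
# check_cuckoo_vm.sh: verify that the VM label and snapshot named in the
# Cuckoo virtualbox.conf really exist in VirtualBox. Added example; the
# conf path, section name and VM/snapshot names are assumptions.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION] of an
# ini-style Cuckoo conf file (whitespace around "=" is tolerated).
conf_get() {
  awk -v sect="[$2]" -v key="$3" '
    $1 == sect { insect = 1; next }
    /^\[/      { insect = 0 }
    insect && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# snapshot_listed NAME: read "VBoxManage snapshot <vm> list" output on stdin
# and succeed only when a snapshot called NAME is present.
snapshot_listed() {
  grep -q "Name: $1 (UUID:"
}

# check_cuckoo_vm [CONF]: confirm the configured VM and snapshot exist.
check_cuckoo_vm() {
  conf="${1:-$HOME/.cuckoo/conf/virtualbox.conf}"
  machine=$(conf_get "$conf" virtualbox machines)   # e.g. "cuckoo1"
  machine="${machine%%,*}"                          # first entry if several
  label=$(conf_get "$conf" "$machine" label)        # VM name shown in VirtualBox
  snapshot=$(conf_get "$conf" "$machine" snapshot)  # snapshot Cuckoo restores
  if ! VBoxManage list vms | grep -q "^\"$label\" "; then
    echo "VM '$label' (from $conf) not found in 'VBoxManage list vms'" >&2
    return 1
  fi
  if ! VBoxManage snapshot "$label" list | snapshot_listed "$snapshot"; then
    echo "snapshot '$snapshot' not found on VM '$label'" >&2
    return 1
  fi
  echo "ok: machine=$machine label=$label snapshot=$snapshot"
}

# Usage: sh check_cuckoo_vm.sh check [path/to/virtualbox.conf]
if [ "${1:-}" = "check" ]; then
  check_cuckoo_vm "${2:-}"
fi
```

Run it after editing virtualbox.conf and again after a restore failure; the two error messages tell you which of the two names is wrong.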

Cuckoo Network Configuration

Configure network settings. First, fix a bug in systemd.

Next, configure iptables. Allow the sandbox to reach the Internet, but block access to internal IP ranges. I have tested this configuration, but letting samples talk to the Internet still worries me. Unless you specifically need Internet connectivity, it is recommended to keep the Ubuntu sandbox host isolated.

Persistent Settings (Select Yes for displayed choices).

Verify Network Settings.
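As an added example (not the commands from the original post), here is one way to express the iptables policy described above as a reviewable script: a default-drop FORWARD chain, NAT for the sandbox network, return traffic allowed, the three RFC 1918 ranges dropped, and everything else from the sandbox allowed out. It assumes the host-only adapter is vboxnet0 on 192.168.56.0/24 and that the Ubuntu uplink is ens33; both can be overridden as arguments. Persistence relies on the iptables-persistent package (netfilter-persistent save).

```shell
#!/bin/sh
# sandbox_fw.sh: iptables rules for the Cuckoo host. Added example; the
# interface names and sandbox subnet are assumptions, override them as needed.

# sandbox_rules [UPLINK] [SANDBOX_IF] [SANDBOX_NET]: print the rules as
# commands so they can be reviewed before anything is applied.
sandbox_rules() {
  uplink="${1:-ens33}"
  sandbox_if="${2:-vboxnet0}"
  sandbox_net="${3:-192.168.56.0/24}"
  cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $sandbox_net -o $uplink -j MASQUERADE
iptables -A FORWARD -i $uplink -o $sandbox_if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $sandbox_if -d 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $sandbox_if -d 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $sandbox_if -d 192.168.0.0/16 -j DROP
iptables -A FORWARD -i $sandbox_if -o $uplink -j ACCEPT
EOF
}

# rules_ordered: read a rule listing on stdin and succeed only if every
# private-range DROP precedes the catch-all ACCEPT (order matters in iptables).
rules_ordered() {
  awk '
    /-d (10\.0\.0\.0\/8|172\.16\.0\.0\/12|192\.168\.0\.0\/16) -j DROP/ { drops++; last_drop = NR }
    /-o [^ ]+ -j ACCEPT$/ { accept = NR }
    END { exit !(drops == 3 && accept > last_drop) }
  '
}

# apply_rules [UPLINK] [SANDBOX_IF] [SANDBOX_NET]: apply the rules with sudo
# and turn on IPv4 forwarding. Refuses to run if the ordering check fails.
apply_rules() {
  sandbox_rules "$@" | rules_ordered || { echo "rule ordering check failed" >&2; return 1; }
  sandbox_rules "$@" | while IFS= read -r cmd; do
    sudo $cmd || return 1
  done
  sudo sysctl -w net.ipv4.ip_forward=1
}

# persist_rules: save the running rule set so it survives a reboot
# (requires the iptables-persistent package).
persist_rules() {
  sudo netfilter-persistent save
}

# Usage: sh sandbox_fw.sh show | apply | persist
case "${1:-}" in
  show)    sandbox_rules ;;
  apply)   apply_rules ;;
  persist) persist_rules ;;
esac
```

Note that this only governs forwarded traffic: connections from the guest to the host itself (the Cuckoo result server on 192.168.56.1) go through the INPUT chain and are unaffected, and the public DNS servers configured in the guest (8.8.8.8 / 8.8.4.4) are reachable because they are outside the dropped ranges.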

Launch Cuckoo

You should have rebooted, so enable vboxnet0 first.

Now that everything is ready, start Cuckoo.

If the following output appears, Cuckoo has started correctly and is waiting for samples to be submitted.

Cuckoo Web interface

Start the Web UI so it can be used from a browser. Open another terminal and type:

When the above display appears, you are ready.

Go to “http://127.0.0.1:8000/" and you’ll see the Cuckoo Web page. When you D&D the file you want to analyze in the “SUBMIT A FILE FOR ANALYSIS” space, the analysis setting screen appears. For URLs and hash values, paste them into “Submit URLs/hashes” and click “Submit” to move to the analysis setting screen.

The following is the result of analyzing an Emotet sample. The sample is identified as Emotet and the list of communication destinations is extracted.

Using Cuckoo after a reboot

After a reboot vboxnet0 is disabled again, so you must enable it by typing the following command before starting Cuckoo:
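As an added example (not the original post's command), the following helper checks whether the host-only interface is actually up before Cuckoo is started, creates and addresses it if necessary, and fails loudly otherwise. It assumes the host-only network is vboxnet0 with host address 192.168.56.1/24, matching the guest configuration above.

```shell
#!/bin/sh
# ensure_vboxnet0.sh: bring the VirtualBox host-only interface up after a
# reboot. Added example; interface name and host address are assumptions.

# link_is_up: read one line of "ip -o link show <if>" on stdin and succeed
# only if the interface flags contain UP (LOWER_UP alone does not count).
link_is_up() {
  grep -Eq '<([A-Z_-]+,)*UP(,|>)'
}

# ensure_vboxnet0 [IFNAME] [HOST_IP]: create, address and raise the
# host-only interface, then confirm it reports UP.
ensure_vboxnet0() {
  ifname="${1:-vboxnet0}"
  host_ip="${2:-192.168.56.1}"
  # Already up: nothing to do.
  if ip -o link show "$ifname" 2>/dev/null | link_is_up; then
    echo "$ifname is already up"
    return 0
  fi
  # Interface missing entirely (fresh VirtualBox install): let VirtualBox create it.
  if ! ip -o link show "$ifname" >/dev/null 2>&1; then
    sudo VBoxManage hostonlyif create
  fi
  sudo VBoxManage hostonlyif ipconfig "$ifname" --ip "$host_ip" --netmask 255.255.255.0
  sudo ip link set "$ifname" up
  if ip -o link show "$ifname" | link_is_up; then
    echo "$ifname is up with $host_ip"
  else
    echo "failed to bring $ifname up; check the VirtualBox host-only network settings" >&2
    return 1
  fi
}

# Usage: sh ensure_vboxnet0.sh up [ifname] [host_ip]
if [ "${1:-}" = "up" ]; then
  ensure_vboxnet0 "${2:-}" "${3:-}"
fi
```

Running it before each Cuckoo start avoids the silent failure where Cuckoo launches but the guest can never reach the result server because the host side of the network is down.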

Thanks.

References

About MalConfScan

About Cuckoo

About Sandbox

About Volatility

About Elasticsearch

About Network Settings

Sites used to resolve errors

Appendix

Office 2016 in Sandbox Crashes During Analysis

Cuckoo 2.0.6 has a known bug (Issue #2302, Issue #2737, etc.) that crashes the opening process when you try to analyze an Office file such as a docx with MS Office 2016 (Office 365, etc.) in the sandbox.

You can avoid this by using an older version of Office or by turning off injection in the analysis options (Enable Injection / Enable behavior analysis).

Dark Mode

You can change the color by clicking the brush icon in the upper right corner. There are 3 types, including dark mode, so please choose the one you like.

Effects of the analysis-environment detection countermeasures

Just for reference, we checked how well the sandbox avoids analysis-environment detection by running pafish in it.

  • a0rtega/pafish: Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
    https://github.com/a0rtega/pafish

The results are as follows.

(Screenshots: pafish results, pages 2/3 and 3/3.)

Initialize iptables

Disable Screen Lock

  • [Setting] -> [Privacy] -> [ScreenLock] -> OFF
  • [Setting] -> [Power] -> [Blank screen] -> Never

About Modifying emotetscan.py

Previous versions of MalConfScan required a fix, but it’s now fixed and no longer needed. The following is the correction method.

Original text

Build a MalConfScan with Cuckoo environment to analyze Emotet -setodaNote (Japanese)
https://soji256.hatenablog.jp/entry/2019/05/23/004911

Update History

  • 2019/05/23 New.
  • 2019/05/25 Fixed some typographical errors.
  • 2019/06/01
    - Added network noise suppression to the sandbox environment.
    - Removed modification to emotetscan.py around MongoDB (Issues #2) .
    - Added a note about a bug that caused Office 2016 to crash.
    - Added a reboot of the host to the procedure before the first run of mitmproxy.
    - Added iptables initialization to the procedure. Fixed “sudo iptables -P FORWARD DROP” missing from iptables settings.
    - Added modification to emotetscan.py (Issue #3).
    - Corrected the incorrect file path modification for cert.p12 in “.cuckoo/conf/auxiliary.conf” (the default entry was fine).
  • 2019/06/08
    - Changed the title from “Build a MalConfScan with Cuckoo environment to analyze Emotet”.
    - The description of the modification to emotetscan.py has been moved from the text to the appendix.
  • 2019/08/05
    - Added reference to the articles introducing MalConfScan by JPCERT/CC.

Written by soji256. Loves cats and CTFs. [twitter:@soji256]
