So you want to rip apart malware? You wanna get into its innards, pull out its guts and lay them on the table to take a look with a microscope? Excellent, I like you.
Student, Hobbyist, Junior Analyst… We all start somewhere. So you’ve found some malware, maybe pulled it off VirusTotal, or if you’re in the latter group possibly from your workplace. You’ve stuck it in the ThreatGrid or Hybrid Analysis sandboxes and got a result. What happens when you need to check something off the grid? Files in HA or ThreatGrid can be leaked; upload to VirusTotal Intelligence? There goes your OpSec.
You could run it in the IDA disassembler, but you don’t speak shellcode and you don’t dream in ASM… yet. So what do you do, pass it off to a senior analyst who can do it for you? Bah, that’s boring. There is plenty we can get from this to do basic triage and identify what’s going on.
Welcome to a two, maybe three part series that’s going to teach you the basics of Dynamic Malware Analysis. This will mainly be guidance based on what I’ve been learning over the past few months. I’m no superduper expert, but I can help you get past the few pitfalls I’ve had.
In this article we’ll get your lab set up. All we need is a basic setup, a few tools and our brains. It’ll be surprisingly simple when we dive in, so let’s do it!
So what is our problem and what do we need? Ideally we want an isolated environment that we can run our potentially very dangerous files in. We want to be able to see their network communication without alerting the files’ creators, and be able to see what is being changed on the OS: registry changes, file changes, process creation etc.
Additionally, we want to be able to image our environment so it’s easy to return to a known good state… C’mon, you can all see where this is going. Time to fire up VMware (VirtualBox / KVM are perfectly good free(er) alternatives)…
- Windows Analysis Machine — Windows 10
- iNetSim Network Simulation — Ubuntu Linux
These are the two environments you will need to have set up in order to proceed, so for now do the basic installation of the operating systems in your hypervisor and let’s kick off.
If you don’t know Linux basics or hypervisor basics, or are unfamiliar with Windows… go look at them before continuing.
Ensure that in VMware both of your VMs are showing host-only IP setups:
This is going to be critically important when we start analyzing dangerous files. You can further configure the host-only network in the Edit > Virtual Network Editor option in VMware:
You can find further details on configuring VMware’s virtual switches and host-only configuration in their documentation; however, for this, having two IPs on the same subnet will suffice. By default VMware ships with VMNet01, which is a pre-configured host-only network that is more than suitable for this.
iNetSim Setup and Configuration
So you’ve installed your favorite flavor of Linux — personally I’m using the latest version of Ubuntu Server. You don’t need to give it too much RAM, CPU or disk space; all it’s going to be doing is handling network requests. Once done you’re good to start:
As usual, the first thing we want to do is update our OS packages. As I’m using Ubuntu I have the pleasure of apt…
nymia@inetsim:~$ sudo apt-get update
nymia@inetsim:~$ sudo apt-get upgrade
This is pretty much best practice. Now let’s add the iNetSim repository to our installation (you may need to do this from a root shell rather than sudo):
root@inetsim:~# echo "deb http://www.inetsim.org/debian/ binary/" >> /etc/apt/sources.list
We then add the archive signing key provided by the iNetSim team to our installation, to allow apt to verify the digital signatures of the package we’re going to install (yes, the trailing dash after `-O` and after `apt-key add` is important; it means stdout and stdin respectively):
root@inetsim:~# wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
Update the packages list again to pull the latest versions from the repo we just added:
nymia@inetsim:~$ sudo apt-get update
Then finally we will be ready to install the iNetSim package (and all its dependencies):
nymia@inetsim:~$ sudo apt-get install inetsim
If you notice, as part of the installation one of the last few lines reads:
Not starting INetSim. Edit /etc/default/inetsim to enable.
We’ve gotta do a little configuration before we’re good to go! Let’s fire up our favorite text editor and have at it:
nymia@inetsim:~$ sudo vim /etc/inetsim/inetsim.conf
This is the main configuration file for the iNetSim application; we want to modify/uncomment the following lines. Before you do this you will need to know your server’s IP (the one you’re on now, you should know that, right…)
service_bind_address <your servers IP>
dns_default_ip <your servers IP>
These options set both the IP the services bind to and the IP that the fake DNS hands back for every domain, so when your malware requests www.malicious.com it’ll get back the IP of your iNetSim and forward the rest of its juicy traffic there.
Save that file and be done with it. Then we move on:
nymia@inetsim:~$ sudo vim /etc/default/inetsim
Here we wanna change ENABLED=0 to ENABLED=1, save, quit and have a mouthful of beer. That step’s done!
To fire up the application whenever you are ready, it’s fairly simple:
nymia@inetsim:~$ sudo inetsim
The output will tell you where log files etc. are stored and that the simulation is running successfully, including IP address and process info. The usual CTRL+C to close. If you go to a web browser and open up the IP address of the server your iNetSim is running on, you should see something like this:
If you see that, it’s working, well done! Now let’s move over to our set up and fully licensed (right..) Windows box…
Windows Analysis Box Setup and Configuration
OK so you’ve got your Windows box all set up. Make sure you’re entirely up to date with your Windows patches; you don’t want Windows Update shitting up your network traffic, because oh boy does it.
Ya ready for another set of links and applications to download? Go grab these:
WireShark — https://www.wireshark.org/
Wireshark is a network protocol analysis tool that allows you — in quite some depth — to look at the traffic passing over your network interfaces. This is going to be critical for identifying if your malware is trying to phone home.
CFF Explorer — http://www.ntcore.com/exsuite.php
CFF Explorer is part of a suite of tools that will allow you to view the internal structure of a PE, and will parse out important information such as compile dates, imports and exports.
PEView — http://wjradburn.com/software/PEview.zip
Similar to CFF Explorer above PEView will let you view the structure of a Portable Executable.
WinRAR — http://www.rarlab.com/download.htm
You may be wondering, wtf is WinRAR doing on this list… why do we want an archiving tool? So many instances of common and APT malware have been dropped by self-extracting (SFX) archives, and WinRAR is the only tool that will comprehensively show you the comment section of the RAR file that contains the SFX instructions.
010 Editor — https://www.sweetscape.com/010editor/
010 Editor is a fantastic text, hex and binary editor. Frankly outstanding. It is, however, not free; there is a 30-day trial available. Give it a shot, I found it well worth the purchase.
ILSpy — http://ilspy.net/
Beautiful little .NET decompiler: takes most .NET executables, gives you some lovely code. Just what mamma ordered.
And finally, what is probably the most useful selection of tools you can have: the Windows Sysinternals tool set. You can create a shortcut on the desktop that links to this URL:
The tools we will be using from this selection are:
- Procexp.exe / Procexp64.exe: a super hyped-up version of your task manager, shows in-depth information about running processes.
- Procmon.exe: shows real-time output for file system, registry, network and process activity. This little program is our baby, give it a name, love it.
- TCPView: a graphical display of all TCP network sessions active on your host; it shows active, listening and transient connections. It’s a really pretty netstat. I find it useful.
There are numerous other tools that will be helpful, and when we start to dig into actual analysis I may end up referencing some of those and I’ll give you download links at the time. Dealing with Word docs and OLE objects is a prime example where other utilities will be useful.
When you’re done downloading and installing the applications above, set the primary DNS server for your network interface (within the guest OS) to be the IP address of the iNetSim server we set up earlier.
Now if you try to go to Google, for example, you should be routed to the fake website that we saw earlier.
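Before you snapshot, it is worth checking from the command line that the two config lines above really point at the simulator and that its DNS answers every name with its own address. This is an added example, not code from the article or the iNetSim project; it assumes the stock inetsim.conf syntax and uses a constructed sample config with 192.168.56.10 standing in for your server’s IP.

```bash
#!/usr/bin/env bash
# Lab sanity check: added example, not from the article or the iNetSim project.
# Assumes the stock inetsim.conf syntax ("key value" per line, '#' comments).

# Print the active (uncommented) value of a key in an inetsim.conf-style file.
inetsim_conf_value() {
    local conf="$1" key="$2"
    awk -v k="$key" '
        /^[[:space:]]*#/ { next }      # skip the commented-out defaults
        $1 == k { print $2; found = 1 }
        END { if (!found) exit 1 }
    ' "$conf"
}

# Return 0 only when service_bind_address and dns_default_ip both equal the
# simulator's own IP, so every resolved domain sinks back into iNetSim.
check_inetsim_conf() {
    local conf="$1" want="$2" key val rc=0
    for key in service_bind_address dns_default_ip; do
        val=$(inetsim_conf_value "$conf" "$key") || val="<unset>"
        if [ "$val" = "$want" ]; then
            echo "OK    $key = $val"
        else
            echo "FAIL  $key = $val (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Live check from any Linux box on the host-only network: does the simulator's
# DNS answer an arbitrary name with its own address? Needs dig; skipped if absent.
check_dns_sinkhole() {
    local server="$1" want="$2" name="${3:-www.malicious.com}" got
    command -v dig >/dev/null || { echo "SKIP  dig not installed"; return 0; }
    got=$(dig +short +time=2 +tries=1 @"$server" "$name" A | head -n1)
    if [ "$got" = "$want" ]; then echo "OK    $name -> $got"; return 0; fi
    echo "FAIL  $name -> ${got:-no answer} (expected $want)"; return 1
}

# Constructed sample config standing in for /etc/inetsim/inetsim.conf.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
#service_bind_address  10.10.10.1
service_bind_address   192.168.56.10
dns_default_ip         192.168.56.10
EOF
check_inetsim_conf "$SAMPLE_CONF" 192.168.56.10
# check_dns_sinkhole 192.168.56.10 192.168.56.10   # run this against the real lab
```

Point the functions at /etc/inetsim/inetsim.conf and your real server IP to check the live box; a FAIL on dns_default_ip is the usual reason the Windows VM still reaches nothing when you browse to Google.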
Finally, the last action we want to take on both of the machines we have set up at this point is to create snapshots of them using our hypervisor. I advocate for good and obvious naming schemes, so I get the following:
Performing snapshots like this allows us to quickly and easily return our environment to a known good state. This is super important when you consider what kind of tools we could be looking at and running in this VM.
*** It is highly advised at this point that you go into your VM settings for both the iNetSim simulator and the Windows analysis machine and ensure that they are in host-only networking mode, and that their IP addressing allows them to communicate — retake a snapshot after you have confirmed this ***
Trust me, you don’t wanna be looking at something that could potentially pull down an SMB spreading ransomware (topical huh..) and encrypt your entire media NAS…
Congratulations, you’ve set up a malware analysis lab. You’ve got a secure environment to run dodgy files in and tools to look at them.
I’ll be back in a few days with another article, which will essentially be a walkthrough analysis of some malware; we can see what funkiness we can identify via these tools. In the meantime, if you’re bored, Procmon.exe is worth a look ;)
See you then!