[EN] Malware Analysis Lab Setup | Part 1
Hello everybody! In this article we are going to set up a lab where we can analyze malware. Let's start!
First, let's understand what malware is.
What is Malware?
Malware (malicious software) is the umbrella term for ransomware, spyware, viruses, and other dangerous, malicious programs. Such programs are usually developed by attackers to access devices and systems without permission, steal data, and more. There are many ways to infect people, but these days attackers mostly prefer sending e-mails.
We have covered what malware is. Now let's look at the difference between static and dynamic malware analysis.
Dynamic and Static Analysis
There are two ways to analyze a portable executable (PE) file. If we want to find out what a program does without running it, static analysis makes that possible. Let's look at the differences between them.
Dynamic analysis:
- Analyze while the malicious software is running
- Examine the code structure with a debugger
- Cross-check the differences between snapshots taken before and after running the software
- Compare registry information before and after running it, using programs like Regshot
- Analyze the requests the malicious software sends, using the Remnux distribution
Static analysis:
- Analyze without running the malware
- Analyze the source code structure
- Check for obfuscation techniques using programs like DIE (Detect It Easy)
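The before/after snapshot comparison listed under dynamic analysis can be shown on a directory tree with a few POSIX tools. The script below is an added example, not code from the original post or from Regshot; it applies Regshot's idea (record a baseline, run the sample, record again, diff) to files instead of registry keys, and it assumes a Linux host such as Remnux with find, cksum, sort, cut, comm and join available. The sample tree it works on is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the original post): a before/after snapshot
# comparison for a directory tree, the same idea Regshot applies to the
# registry. Assumes a POSIX shell with find, cksum, sort, cut, comm, join.
# cksum is used only for portability; in a real lab prefer sha256sum.
set -eu
LC_ALL=C; export LC_ALL          # consistent sort order for comm and join
tab=$(printf '\t')

# snapshot_tree DIR OUT: write "relpath<TAB>crc<TAB>size" for every regular
# file under DIR, sorted by path, into OUT.
snapshot_tree() {
    dir=$1; out=$2
    find "$dir" -type f -print | sort | while IFS= read -r f; do
        set -- $(cksum "$f")       # cksum prints: crc size path
        printf '%s\t%s\t%s\n' "${f#"$dir"/}" "$1" "$2"
    done > "$out"
}

# compare_snapshots BEFORE AFTER: print ADDED, REMOVED and CHANGED paths.
compare_snapshots() {
    before=$1; after=$2
    cut -f1 "$before" > "$before.paths"
    cut -f1 "$after"  > "$after.paths"
    comm -13 "$before.paths" "$after.paths" | sed 's/^/ADDED   /'
    comm -23 "$before.paths" "$after.paths" | sed 's/^/REMOVED /'
    # Present in both snapshots but with a different checksum or size.
    join -t "$tab" "$before" "$after" \
        | awk -F "$tab" '$2 != $4 || $3 != $5 { print "CHANGED " $1 }'
    rm -f "$before.paths" "$after.paths"
}

# Demo on a constructed tree in a temporary directory (stands in for the
# analysis machine's file system).
demo=$(mktemp -d)
mkdir -p "$demo/tree/config"
printf 'keep\n'     > "$demo/tree/config/settings.ini"
printf 'original\n' > "$demo/tree/hosts"
printf 'temp\n'     > "$demo/tree/cache.tmp"
snapshot_tree "$demo/tree" "$demo/before.txt"
# Simulate what a sample might do between the two snapshots.
printf 'tampered\n' > "$demo/tree/hosts"
printf 'payload\n'  > "$demo/tree/config/dropped.dll"
rm "$demo/tree/cache.tmp"
snapshot_tree "$demo/tree" "$demo/after.txt"
compare_snapshots "$demo/before.txt" "$demo/after.txt"
# prints:
# ADDED   config/dropped.dll
# REMOVED cache.tmp
# CHANGED hosts
rm -rf "$demo"
```

Only the paths, checksums and sizes are recorded, so the baseline file is small enough to keep with each snapshot of the VM; the same function pair works on any directory you point it at.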
These are just a few steps of malware analysis; there are many ways to analyze malicious programs. We set up a dedicated lab because we don't want the malware to infect our personal device. For that reason, we will disable the network between our personal device and the machine where we analyze malware, and create a virtual network for its internet connection.
For the lab setup, Windows 7, Remnux OS, and VMware are required. We will use Windows because we are going to analyze portable executable files, and Remnux to observe how the FTP, HTTP, SMTP, POP3, and DNS protocols behave. Remnux will act as the Windows 7 machine's gateway. After installing these two operating systems, we will continue with the network configuration.
What Is a Snapshot and Network Configuration
A snapshot is a copy of our virtual machine. When we run malware it could damage the machine where we do our analysis, and we would have to set it up again. We use snapshots both to examine the differences before and after running the malware and to make rebuilding the lab easier.
First, open the Windows 7 virtual machine in VMware. From the VMware menu, select VM, then click Snapshot > Take Snapshot.
When you click Take Snapshot, a window opens where you enter the snapshot's name and description. That's all 🙂
Now let’s configure the network.
Virtual Network Configuration
As I said, we disable the network between our personal device and the machine where we analyze malware, so we need to create a virtual network for the internet connection. In VMware, first click Edit, then select the Virtual Network Editor option.
A new window opens. Click Change Settings there.
Continue by clicking Add Network and selecting a network name.
The network we created is Host-Only. The "Connect a host virtual adapter to this network" option must not be ticked: if it is, the connection between our personal device and the analysis machine would not be cut. We will need the Subnet IP and Subnet Mask later. For now, just save it. (I created VMware2, so I will continue with VMware2.)
Now we are going to attach the network we created to both the Remnux and Windows machines. You can do this by changing the Network Adapter > Custom: Specific virtual network setting.
We have finished the network configuration. Now let's get to work!
We don't want the malware to send requests out. To prevent this, we configure the Windows machine's DNS address as the Remnux machine's IP address. We can do this from Control Panel > Network and Internet > Network and Sharing Center > Local Area Connection > Properties > Internet Protocol Version 4.
Don't select the automatic IP option, because we don't want DHCP to assign an address. We will define the IP address ourselves below. Enter the subnet IP we configured in the virtual network editor, but change the last 2 numbers so the address is different. For the default gateway, enter Remnux's IP address.
We can find Remnux's IP address with the ifconfig command.
As you can see, our Remnux machine's IP address is 192.168.128.128. We should set the default gateway and preferred DNS server options to Remnux's IP address.
We finished the network configuration.
Configurations For Dynamic Analysis
It is time to look at the requests coming from the Windows machine. We can do this with the FakeDNS and INetSim tools. FakeDNS shows DNS requests as they happen. With INetSim we can see which services the malware uses; the tool also starts fake versions of those services. If you are running this tool on a virtual machine, you need to configure it first.
For the configuration, open a terminal and run: sudo leafpad /etc/inetsim/inetsim.conf. Scroll down and set service_bind_address to Remnux's IP address. Further down, set dns_default_ip to Remnux's IP address. If you skip these two settings, it will probably not work properly.
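The two settings above can also be applied from a script rather than by hand in leafpad, which is useful when the lab is rebuilt from a snapshot. The script below is an added example, not the post's own steps or part of INetSim; it assumes the upstream inetsim.conf layout, where each setting is "key value" on its own line and the defaults ship commented out with a leading #. The configuration it edits is a constructed copy, so the real /etc/inetsim/inetsim.conf is untouched, and the IP 192.168.128.128 is the Remnux address from this article.

```shell
#!/bin/sh
# Added example (not from the original post): set the two INetSim keys the
# article mentions in a copy of inetsim.conf. Assumes the upstream file
# format: "key<whitespace>value" per line, defaults commented out with '#'.
set -eu

# valid_ipv4 ADDR: return 0 if ADDR is a dotted quad with octets 0-255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# set_inetsim_key CONF KEY VALUE: drop every existing active or commented-out
# definition of KEY (the "# Syntax:" documentation lines are left alone,
# since they do not start with the key) and append exactly one "KEY VALUE".
set_inetsim_key() {
    conf=$1; key=$2; value=$3
    tmp="$conf.tmp.$$"
    grep -v -E "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$conf" > "$tmp" || true
    printf '%s\t%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# configure_inetsim CONF REMNUX_IP: apply both settings from the article.
configure_inetsim() {
    conf=$1; ip=$2
    valid_ipv4 "$ip" || { echo "not a valid IPv4 address: $ip" >&2; return 1; }
    set_inetsim_key "$conf" service_bind_address "$ip"
    set_inetsim_key "$conf" dns_default_ip "$ip"
}

# get_inetsim_key CONF KEY: print the active (uncommented) value of KEY.
get_inetsim_key() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Demo on a constructed copy of the relevant part of inetsim.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# service_bind_address
#
# Syntax: service_bind_address <IP address>
#
#service_bind_address	10.10.10.1

# dns_default_ip
#
# Syntax: dns_default_ip <IP address>
#
#dns_default_ip	10.10.10.1
start_service dns
start_service http
EOF
configure_inetsim "$demo_conf" 192.168.128.128
get_inetsim_key "$demo_conf" service_bind_address   # prints 192.168.128.128
get_inetsim_key "$demo_conf" dns_default_ip         # prints 192.168.128.128
rm -f "$demo_conf"
```

Run it against the real file as sudo sh script.sh after changing demo_conf to /etc/inetsim/inetsim.conf; a quick get_inetsim_key check afterwards shows whether the value INetSim will read is really the Remnux address.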
Now let's look at how these programs are used.
Open a terminal and run fakedns.
As you can see there is no connection yet, but after a while you can sniff Windows's own requests. You can also simply open a browser and try to visit a website.
INetSim is started by running sudo inetsim in a terminal. It will start its services automatically.
You can confirm INetSim is working by trying to visit a website from the Windows machine. You will probably see a screen like the one below.
Thank you for reading, take care!
Translated from: pwnlab.me/tr-malware-analizi-laboratuvar-kurulumu-part-1