[EN] Malware Analysis Lab Setup | Part 1

Hello everybody! In this article we are going to set up a lab in which we will analyze malware. Let’s start!

First, let’s understand what malware is.

What is Malware?

Malware (malicious software) is the collective name for ransomware, spyware, viruses, and other harmful programs. Such programs are usually developed by attackers to access devices or systems without permission, to steal data, and more. There are many ways to infect victims, but these days e-mail is the most common delivery method.

Now that we have touched on what malware is, let’s look at the difference between static and dynamic malware analysis.

Dynamic and Static Analysis

There are two ways to analyze a portable executable (PE) file. If we want to find out what a program does without running it, static analysis makes that possible. Let’s look at the differences between the two approaches.

Dynamic Analysis

  • Analyze while the malicious software is running
  • Examine the code structure with a debugger
  • Cross-check the differences between snapshots taken before and after running the software
  • Compare the Registry before and after running the sample, using programs like Regshot
  • Analyze the requests the malicious software sends, using the Remnux distribution

Dynamic analysis and static analysis difference

Static Analysis

  • Analyze without running the malware
  • Analyze the code structure
  • Check for obfuscation techniques using programs like DIE (Detect It Easy)

These are just a few of the steps in malware analysis; there are many ways to analyze malicious programs. We set up a dedicated lab because we do not want the malware to infect our personal device. For that reason, we are going to disable the network between our personal device and the machine where we analyze the malware. For the internet connection, we will create a virtual network.

Lab Setup

For the lab setup, Windows 7, Remnux, and VMware are required. We will use Windows because we are going to analyze portable executable files. We will use Remnux to observe how the FTP, HTTP, SMTP, POP3, and DNS protocols behave, and it will act as the Windows 7 machine’s gateway. After installing these two operating systems we will continue with the network configuration.

Snapshots and Network Configuration

Snapshot

A snapshot is a copy of our machine’s state. When we run malware it could damage the machine we analyze on, and we would have to set it up again. Snapshots let us examine the differences before and after running the malware and make setting up the lab easier.

First of all, let’s open our Windows 7 virtual machine in VMware. From the VMware menu, select VM, then click Snapshot > Take Snapshot.

VMware virtual network configuration-1

When you click Take Snapshot, a window opens where you enter the snapshot’s name and description. That’s all 🙂

VMware virtual network configuration-2

Now let’s configure the network.

Virtual Network Configuration

As mentioned, we disable the network between our personal device and the machine where we analyze malware, so we have to create a virtual network for the internet connection. In VMware, first click Edit, then select the Virtual Network Editor option.

VMware virtual network configuration-1

A new window will open. Click Change Settings there.

VMware virtual network configuration add network -1

Continue by clicking Add Network and selecting a network name.

VMware virtual network configuration add network -2

The network we created is Host-Only. The “Connect a host virtual adapter to this network” option must not be ticked; if it is, the connection between our personal device and the analysis machine would not be severed. We will need the Subnet IP and Subnet Mask later. For now, just save it. (I created VMware2, so I will continue with VMware2.)

VMware virtual network configuration add network 3

Now we add the network we created to both the Remnux and Windows machines. You can do this by changing the Network Adapter setting to Custom: Specific virtual network and choosing the new network.

Virtual machine network configuration

We have finished the network configuration. Now let’s get to work!

We don’t want the malware’s requests to leave the lab. To prevent this, we configure the Windows machine’s DNS address to be the Remnux machine’s IP address. This is done from Control Panel > Network and Internet > Network and Sharing Center > Local Area Connection > Properties > Internet Protocol Version 4.

Do not select the automatic IP option, because we don’t want DHCP to assign an address. We define the IP address manually: use the subnet IP we configured in the virtual network editor, changing the last digits so the Windows machine gets a different address. For the default gateway, enter Remnux’s IP address.

Windows Machine DNS configuration

We can find Remnux’s IP address using the ifconfig command.

Learn Remnux Machine IP address

As you can see, our machine’s IP address is 192.168.128.128. Enter Remnux’s IP address in both the Default gateway and Preferred DNS server fields.

Windows Machine DNS Configuration -2

We finished the network configuration.

Configurations For Dynamic Analysis

It is time to look at the requests coming from the Windows machine. We can do this with the FakeDNS and INetSim tools. FakeDNS shows DNS requests as they arrive. With INetSim we can see which services the malware uses; it also serves fake versions of those services. If you run this tool on a virtual machine, you need to configure it first.

To configure it, open a terminal and run: sudo leafpad /etc/inetsim/inetsim.conf. Scroll down and set service_bind_address Remnux_ip_address. Further down, set dns_default_ip Remnux_ip_address. If you skip these two settings, INetSim will probably not work properly.
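The same two edits can be made from the terminal instead of an editor. This is an added example, not part of the original post or of INetSim: it assumes the stock inetsim.conf layout of one "key value" per line with defaults commented out by a leading #, and uses a constructed sample file rather than the real /etc/inetsim/inetsim.conf.

```shell
#!/bin/sh
# Added example (not from the original post): set the two INetSim keys the
# article mentions and read back the active value of each key.
# Assumes "key value" lines, defaults commented out with a leading '#'.

# Write a small constructed stand-in for /etc/inetsim/inetsim.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# INetSim configuration (constructed sample, not the real file)
start_service dns
start_service http
#service_bind_address 10.10.10.1
#dns_default_ip 10.10.10.1
dns_default_hostname www
EOF
}

# Refuse anything that is not a dotted-quad IPv4 address.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Replace (or uncomment) "key value"; append the line if the key is absent.
set_setting() {
    if grep -Eq "^#?[[:space:]]*$2[[:space:]]" "$1"; then
        sed -i -E "s|^#?[[:space:]]*$2[[:space:]].*|$2 $3|" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# Print the active (uncommented) value of a key; empty if it is not set.
get_setting() {
    grep -E "^$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}'
}

# Point both keys at the Remnux address the Windows VM uses as gateway/DNS.
configure_inetsim() {
    valid_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
    set_setting "$1" service_bind_address "$2"
    set_setting "$1" dns_default_ip "$2"
}

# On a real Remnux box (needs root), e.g.:
#   configure_inetsim /etc/inetsim/inetsim.conf 192.168.128.128
```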

Now let’s look at how these programs are used.

Open a terminal and run fakedns.

Remnux FakeDNS -1

As you can see there is no traffic at first, but after a while you will catch Windows’s own requests. You can also open a browser and try to visit a website.

Remnux FakeDNS -2

INetSim is started by running sudo inetsim in a terminal. It will start its services automatically.

Remnux INetSim

You can verify that INetSim is working by trying to visit a website from the Windows machine. You will probably see a screen like the one below.

Control to Windows INetSim

Thank you for reading, take care!

Translated from: pwnlab.me/tr-malware-analizi-laboratuvar-kurulumu-part-1

wakeup

Interested in cyber sec. & software development.
