[#1] Introduction to Malware Analysis & Lab Setup Guide
[#1] Introduction to Malware Analysis & Lab Setup Guide #1
[Image: icon_adware.png]
Introduction to Malware Analysis & Lab Setup Guide

By: Tracefl0w
Greetings everyone!
First and foremost, I’d like to welcome you, the reader, to my malware workshop. I’ll be running this workshop in my free time with the intent to educate others and inspire them to explore the world of malware!
I’m very excited about this and hope you are too. When I started my own journey within this field of work, I remember it as being a very fun and exciting journey. As a matter of fact, it still is for anyone new or seasoned within this career field. Being able to take a suspicious malware executable and analyze/reverse engineer it to better understand its inner workings can be a very intense but also a very self-rewarding process. You have to like what you do in order to be successful within this field. Stop chasing the image and start chasing the passion. With the incredible amount of malware circulating around the web today, the job is so much more versatile and enjoyable. Some of you might be learning about malware analysis as a hobby, which is by no means wrong. I can assure you that by the end of the series your malware knowledge, combined with everything you’ve learned, will help you in other fields outside of malware analysis/reverse engineering.


In this part of the series we’ll be building our very own local malware lab and later on dive into the real world of malware!
Before we dive into the world of malware, we need to make sure we’ve got our toolbox handy and loaded with everything required for the tasks that we’ll be handling.


We’ll be using a virtualization platform on which we’re going to perform our malware analysis. There are many advantages to using such a platform; I’ll mention a few:
  • Controlled environment
  • Run multiple different operating systems at the same time.
  • Advanced functionality such as creating snapshots, reverting the system, pausing it, automation, etc.
Step 1: Establishing the Environment Baseline

The first step is installing some form of virtualization software where we’ll be conducting our malware analysis/reverse engineering. It may seem like a small step, yet it’s a significant one. It’s important to install virtualization software that you feel comfortable configuring and troubleshooting. VirtualBox and Hyper-V are good free options. If you’re considering VMware Workstation, I’d like to remind you that you’ll need the commercial version, Workstation Pro, since the free version doesn’t support creating snapshots (VMware does provide a 30-day trial though). Snapshots are an essential feature for malware analysis: you need to be able to revert the VM to its original state so you can start a fresh analysis later on.

Step 2: Install the OS on your virtualisation platform
If you don’t have a licensed version of Windows for your virtual machine, you can download a free Windows 10 VM from Microsoft. Go to the Microsoft Edge page for downloading virtual machines. Select “MSEdge on Win 10 (x64)” and pick the virtualization platform that matches the one you have.

[Image: cbf314ccdecbef8ac3a3af4456e102ad.png]

Once you’ve downloaded the image and extracted the archive, follow the steps appropriate for starting the VM in the virtualisation software of your choice. For instance, you can just extract the downloaded files to a suitable directory and launch the file “MSEdge – Win10.vmx”.
It’s important to know that the Windows OS in this VM expires after 90 days. Microsoft recommends “setting a snapshot when you first install the virtual machine which you can roll back to later.”
The password Microsoft assigned to this virtual machine is “Passw0rd!” You won’t need it for starting the VM, which will automatically log you in, but you might need to supply it when configuring the OS or installing software.

Step 3: Update the VM and Install Flare
The first time you boot into the VM, you’ll most likely be able to connect to the internet, assuming your physical host has internet access. You can use this connection to update the OS to the latest patch level and to install malware analysis tools.
There are a lot of different malware analysis tools, and downloading them individually would take a very long time, which makes the Flare VM distribution a great option for us to use.

[Image: df47457056fd976c2bb1de6becb8a85b.png]

While VM utilities such as VirtualBox Guest Additions and VMware Tools may be useful and convenient for sharing clipboard contents and files, I’d stay away from installing them. Much modern malware employs VM detection techniques, and the presence of these additions increases the chance of the malware detecting a virtualized environment, or even refusing to launch.
If you won’t be using the file sharing methods supported by your virtualization software, don’t worry, because there are alternative methods. One of them is accessing the files through a USB drive from within the VM. Another is SFTP, which I won’t go into here; it allows you to access files on your physical host or another VM using an SFTP client such as WinSCP.

Step 4: Isolating our VM and Disabling Windows Defender
This is a very important step; follow it carefully and pay attention to it.
Make sure that you shut down your VM and navigate to the VM settings to disable folder sharing. The reason we do this is to make sure that the malware cannot escape. In my case you’d navigate to VM > Settings > Options > Shared Folders and click Disabled.
You may also want to change the network settings for the VM so it doesn’t have any network access. For instance, in VMware Workstation Pro you can put it into Host-Only mode by going to VM > Settings… > Hardware > Network Adapter and selecting Host-Only.

[Image: 570f8de9bfb66ad7b5c3538f8fdbdd1f.png]

Changing the network settings to host-only limits the connection so that the VM can only send traffic to the host and to other VMs that share the same host-only network segment. You may start the VM now that it’s no longer connected directly to the physical network. Don’t forget to disable Windows Defender; we don’t want it to interfere with our malware analysis. You can do this by using Group Policy within Windows. While you’re at it, you might want to consider disabling Windows updates as well.
Finally, you want to take a snapshot of the VM. This will be the “original” state that our virtual machine resets to every time we’re conducting malware analysis. I strongly recommend that you not use this VM for other tasks or connect it to other networks.
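As an added example that is not part of the original post: the in-guest half of Step 4 as a PowerShell script, run from an elevated prompt inside the analysis VM just before the clean snapshot is taken. It uses the standard Windows Defender policy registry path and standard cmdlets, and assumes Tamper Protection (on Windows builds that have it) has already been switched off in the Windows Security app, otherwise the Set-MpPreference call is ignored.

```powershell
# Added example, not from the original post: apply and verify the in-guest
# parts of Step 4 (isolation check, no guest tooling, Defender off, updates
# off) before taking the "clean" snapshot. Run from an elevated PowerShell
# prompt inside the analysis VM. Assumes Tamper Protection is already off.
$ErrorActionPreference = 'Stop'

# 1. Isolation check: a host-only adapter normally gets no default gateway,
#    so a 0.0.0.0/0 route means the VM may still reach the physical network.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($defaultRoutes) {
    Write-Warning "Default route via $($defaultRoutes.NextHop -join ', ') found; re-check that the adapter is Host-Only."
} else {
    Write-Host '[OK] No default route: traffic stays on the host-only segment.'
}

# 2. Guest tooling check: the post advises against VMware Tools / Guest
#    Additions, so flag their services if they are present.
foreach ($svc in 'VMTools', 'VBoxService') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Write-Warning "$svc service is installed; consider removing the guest tools."
    }
}

# 3. Disable Windows Defender using the same policy values Group Policy sets
#    (Computer Configuration > Administrative Templates > Windows Defender).
$defenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpPolicy      = Join-Path $defenderPolicy 'Real-Time Protection'
New-Item -Path $rtpPolicy -Force | Out-Null
Set-ItemProperty -Path $defenderPolicy -Name 'DisableAntiSpyware'        -Type DWord -Value 1
Set-ItemProperty -Path $rtpPolicy      -Name 'DisableRealtimeMonitoring' -Type DWord -Value 1
# Policy keys apply at next boot; this turns real-time scanning off right now.
Set-MpPreference -DisableRealtimeMonitoring $true

# 4. Stop Windows Update from altering the baseline between analyses.
Stop-Service -Name wuauserv -Force
Set-Service  -Name wuauserv -StartupType Disabled

# 5. Summarise the resulting state so it can be confirmed before snapshotting.
[pscustomobject]@{
    DefaultRoutePresent      = [bool]$defaultRoutes
    DefenderRealtimeDisabled = (Get-MpPreference).DisableRealtimeMonitoring
    WindowsUpdateStartup     = (Get-Service -Name wuauserv).StartType
} | Format-List
```

Take the snapshot only after the summary shows no default route, real-time protection disabled and Windows Update set to Disabled; if the route check warns, fix the adapter mode on the host first.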

Let the journey begin!
You’re now ready to analyze some malware! I’ll be posting another part sometime in the near future, make sure to be on the lookout for that!
Please do note that it takes me a tremendous amount of time to write this and format it.
Nonetheless, I hope you enjoyed reading the first part of my malware analysis series. I’m looking forward to hearing what your take is on this; would you be interested in more?
Let me know!


Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication.


RE: [#1] Introduction to Malware Analysis & Lab Setup Guide #2
A very well written and elaborate tutorial.

I'm glad you've mentioned the VM's isolation; it's extremely important that it's confined solely to that environment. I have in-depth tutorials on my blog on how to set up and configure VMware Workstation, VirtualBox and Hyper-V. If anyone requires assistance in this capacity, let me know.

That aside, a job well done.

RE: [#1] Introduction to Malware Analysis & Lab Setup Guide #3
(07-23-2019, 04:41 AM)mothered Wrote: A very well written and elaborate tutorial.

I'm glad you've mentioned the VM's isolation; it's extremely important that it's confined solely to that environment. I have in-depth tutorials on my blog on how to set up and configure VMware Workstation, VirtualBox and Hyper-V. If anyone requires assistance in this capacity, let me know.

That aside, a job well done.
Appreciate the wonderful feedback and honest input like always.



RE: [#1] Introduction to Malware Analysis & Lab Setup Guide #4
Excellent tutorial and very well written, thanks for the share.

RE: [#1] Introduction to Malware Analysis & Lab Setup Guide #5
Malware analysis is very good to learn.

RE: [#1] Introduction to Malware Analysis & Lab Setup Guide #6
(07-23-2019, 04:41 AM)mothered Wrote: A very well written and elaborate tutorial.

I'm glad you've mentioned the VM's isolation; it's extremely important that it's confined solely to that environment. I have in-depth tutorials on my blog on how to set up and configure VMware Workstation, VirtualBox and Hyper-V. If anyone requires assistance in this capacity, let me know.

That aside, a job well done.

I require some assistance, because I would like to know more about the virtual environment.

And to the OP: thanks for sharing. This helps me to understand it more.

RE: [#1] Introduction to Malware Analysis & Lab Setup Guide #7
(10-17-2019, 12:56 PM)ITNull1 Wrote:
(07-23-2019, 04:41 AM)mothered Wrote: A very well written and elaborate tutorial.

I'm glad you've mentioned the VM's isolation; it's extremely important that it's confined solely to that environment. I have in-depth tutorials on my blog on how to set up and configure VMware Workstation, VirtualBox and Hyper-V. If anyone requires assistance in this capacity, let me know.

That aside, a job well done.

I require some assistance, because I would like to know more about the virtual environment.

Click the "Website" button on my profile, and have a look at the Virtualization category.

I've written in-depth tutorials on VMware, Hyper-V, VirtualBox and many sandbox environments.