
In this malware analysis tutorial I showcase the core methods for quickly and effectively analyzing a malicious binary. A malware lab is what security analysts use to study a sample’s behavior and research its capabilities under conditions that let the otherwise dangerous file be run for dynamic analysis, and examined statically, without putting real systems at risk. In this post I go over setting up a malware analysis lab at home in only 5 steps.

Where possible, this tutorial teaches more than one thing at a time, so here are the skills you exercise by completing it, malware analysis itself included.

  • Beginner Go Programming – We create a binary (a compiled, executable program). This is the evilbinary.exe we run in the Action Steps section of the tutorial to test out the new malware analysis lab.
  • Beginner Malware Analysis Skills – Malware analysis experience is extremely valuable in a security analyst candidate.
    • Static – Static analysis means examining a suspicious file without running it. Against evilbinary.exe we use file, strings and pyew to uncover whatever a static look can reveal: the file type, embedded text such as hostnames, and the PE header. (The strings you run on Remnux is the GNU binutils tool; Mark Russinovich’s Sysinternals Strings is the Windows equivalent.)
    • Dynamic – Dynamic analysis means running the file, inside an isolated virtual machine, and observing what it does. ApateDNS captures the DNS lookups the sample makes. RegShot takes a snapshot of the Windows registry at a single point in time; take one before and one after execution, and comparing the two reveals the registry changes the program made during its run.

Prerequisites For the Malware Analysis Tutorial

  • VirtualBox
  • A Windows 10 virtual machine configured to use a custom Host-only network adapter
  • A Remnux Linux virtual machine configured to use the same custom Host-only network adapter
  • Go

Step 1. VirtualBox

Get it here.

Step 2. Remnux Virtual Machine

The fastest way to get Remnux is to get the OVA file from the official site here.

Verify the Checksum of the OVA file

This is security best practice. Not sure it is necessary? Read about what happened to CCleaner: attackers inserted multi-stage malware directly into the production build, and the breach was detected only after many users had already downloaded the trojanized version. Keep in mind that a hash check only helps if the expected value comes from a channel you trust more than the download itself, so compare against the hash published in the Remnux documentation, not one shipped alongside the file.

From the Remnux Docs:

The file is around 2GB in size; its SHA-256 hash is C26BE9831CA414F5A4D908D793E0B8934470B3887C48CFE82F86943236968AE6

File Hash For Remnux OVA File

Hash checks out!
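As an added example (not part of the original post), here is the same check written in Go, the language of the payload in Step 4: it streams the download through SHA-256 and compares the digest with the published value. Decoding the hex rather than comparing strings makes the comparison case-insensitive, which matters because the Remnux docs print the hash in upper case while sha256sum prints lower case. The file path and expected hash are command-line arguments; the only sample data here is the constructed input used in testing.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strings"
)

// verifySHA256 streams r through SHA-256 and compares the digest with the
// published hex value. Decoding the hex (rather than comparing strings) makes
// the check case-insensitive: the Remnux docs print the hash in upper case,
// sha256sum prints it in lower case, and both must verify.
func verifySHA256(r io.Reader, expectedHex string) (bool, error) {
	want, err := hex.DecodeString(strings.TrimSpace(expectedHex))
	if err != nil {
		return false, fmt.Errorf("expected hash is not valid hex: %w", err)
	}
	if len(want) != sha256.Size {
		return false, fmt.Errorf("expected hash is %d bytes, SHA-256 digests are %d", len(want), sha256.Size)
	}
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return false, err
	}
	return bytes.Equal(h.Sum(nil), want), nil
}

// verifyFileSHA256 opens path and runs verifySHA256 over it; a 2 GB OVA is
// streamed through the hash, never loaded into memory.
func verifyFileSHA256(path, expectedHex string) (bool, error) {
	f, err := os.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	return verifySHA256(f, expectedHex)
}

// Usage: go run verify.go remnux.ova C26BE9831CA414F5A4D908D793E0B8934470B3887C48CFE82F86943236968AE6
// Exit status 0 means the download matches the hash from the Remnux docs.
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: verify <file> <expected-sha256-hex>")
		os.Exit(2)
	}
	ok, err := verifyFileSHA256(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	if !ok {
		fmt.Println("MISMATCH: do not import this OVA")
		os.Exit(1)
	}
	fmt.Println("Hash checks out!")
}
```

A mismatch exits non-zero on purpose, so the check can gate a scripted lab build: if the OVA does not match, the import never runs.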

Import Appliance in VirtualBox

This will create a new virtual machine by importing the ova file directly.

Steps

  • VirtualBox VM
    • File
      • Import Appliance
        • Choose the path where the Remnux OVA file is located
  • Assign memory size (the recommended RAM is fine)
  • The remaining items come from VirtualBox’s New VM wizard rather than Import Appliance (an OVA brings its own disk). You will meet them when you build the Windows 10 VM in Step 3, which follows these same steps:
  • Create a virtual hard disk now
  • VDI (VirtualBox Disk Image)
  • Dynamically Allocated
    • Note: the other option, Fixed Size, is friendlier for exporting the virtual machine, so select it if you plan on moving Remnux around.
  • Assign the size of the virtual hard disk (20+ GB is recommended)
  • Click Create

Install VirtualBox Guest Additions

Guest Additions lets you resize the virtual machine’s screen and adds some other viewer-friendly options. You want this.

Steps

  • Settings
    • Storage
      • Add Optical Drive to Controller IDE. Leave empty. Choose OK.
  • Start virtual machine.
  • VirtualBox VM
    • Devices
      • Insert Guest Additions CD image…
  • In a terminal run the following, one after the other (the mount point must exist before you mount the CD; press Tab to auto-complete the installer’s file name):
sudo mkdir -p /mnt/cdrom
sudo mount /dev/sr0 /mnt/cdrom
sudo sh /mnt/cdrom/VBoxLinuxAdditions.run
  • Reboot the virtual machine.

Enable Sharing and Copying

To move files back and forth you must enable two separate settings within VirtualBox. Keep both set to Host to Guest only: Bidirectional would let the infected guest push data back to your host, which defeats the isolation of the lab.

Steps

  • VirtualBox VM
    • Devices
      • Shared Clipboard
        • Host to Guest
      • Drag and Drop
        • Host to Guest

Step 3. Windows 10 Virtual Machine

Get it here.

Then create a new virtual machine following the same steps as for Remnux. The process is nearly identical, with one difference: attach the .iso you just downloaded to the virtual machine, then hit OK!

Click on the CD icon and choose your Windows .iso.

Step 4. Code the Payload

Make a new file at $GOPATH/src/fakeEvilBin/main.go. Copy the code below and paste it into the new file. The program imports a third-party ping library, so fetch it first (this uses the classic $GOPATH layout; with Go modules, run go mod init fakeEvilBin in the directory and then the same go get):

go get github.com/sparrc/go-ping

package main

import (
	"time"

	"github.com/sparrc/go-ping"
)

func main() {
	// NewPinger resolves the hostname, so the DNS lookup that ApateDNS will
	// log happens here, before a single ICMP packet is sent.
	pinger, err := ping.NewPinger("www.ethicalhackingguru.com")
	if err != nil {
		panic(err)
	}

	pinger.Count = 3
	// Give up after 10 seconds so the sample exits even when the lab swallows ICMP.
	pinger.Timeout = 10 * time.Second
	// On Windows go-ping needs raw ICMP sockets, so privileged mode is required.
	pinger.SetPrivileged(true)
	pinger.Run()
}

Run this command

GOOS=windows GOARCH=386 go build -o evilbinary.exe main.go

This cross-compiles the program from your host into a 32-bit Windows console executable, which is why the file command later reports it as PE32 for Intel 80386.

Step 5. Malware Analysis Lab Action Steps

Utilities

  • Strings
  • ApateDNS
  • Pyew
  • RegShot

ApateDNS by FireEye

Get it here.

RegShot

Get it here.

Action Steps

  • Launch Remnux
    • Ensure the virtual machine is configured with the Host-only adapter. This is what keeps the sample’s traffic inside the lab and away from the internet.
  • Launch Windows 10
    • Ensure the virtual machine is configured with the same Host-only adapter.
  • In a Remnux terminal run the following (note the IP address of the host-only interface):
ifconfig
sudo inetsim
  • In Windows 10
    • Run ApateDNS
      • Enter the IP address of the Remnux machine you acquired in the previous step (ifconfig) as the reply IP, then choose Start Server

Analyze evilbinary.exe

Using the file command

file evilbinary.exe
evilbinary.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

Using the strings command

strings evilbinary.exe

Using the pyew command

pyew evilbinary.exe

See below: “This program cannot be run in DOS mode” is the message printed by the DOS stub, a tiny MS-DOS program that sits between the MZ (DOS) header and the PE header in every PE file. Its presence confirms the initial discovery that the file is a Windows executable.

Pyew Output

Notice the text representation of the hex data here, “cannot be run in DOS Mode”.
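To make concrete what file and pyew are reading, here is an added example, written for this page and not taken from the original post or from either tool: a Go program that walks the PE layout by hand, from the MZ header at offset 0, through e_lfanew at 0x3C, across the DOS stub with its “cannot be run in DOS mode” message, to the PE\0\0 signature and the COFF header fields that file turns into “PE32 executable ... Intel 80386”. The sample bytes are a constructed header skeleton, not a real binary. For real tooling use the standard library’s debug/pe package; the point here is to show where each piece lives.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Values from the PE/COFF specification that file and pyew are decoding.
const (
	machineI386      = 0x14c  // IMAGE_FILE_MACHINE_I386
	machineAMD64     = 0x8664 // IMAGE_FILE_MACHINE_AMD64
	charDLL          = 0x2000 // IMAGE_FILE_DLL
	charExecutable   = 0x0002 // IMAGE_FILE_EXECUTABLE_IMAGE
	optMagicPE32     = 0x10b
	optMagicPE32Plus = 0x20b
)

// dosStubMsg is the text the DOS stub prints if the file is launched under MS-DOS.
var dosStubMsg = []byte("This program cannot be run in DOS mode.")

// PEInfo holds what the first few hundred bytes of a PE file reveal.
type PEInfo struct {
	ELfanew         uint32 // offset of "PE\0\0", read from the DOS header at 0x3C
	DOSStubText     string // stub message, if present between 0x40 and ELfanew
	Machine         uint16 // IMAGE_FILE_HEADER.Machine
	Characteristics uint16 // IMAGE_FILE_HEADER.Characteristics
	OptionalMagic   uint16 // first field of the optional header: PE32 or PE32+
}

// parsePE walks DOS header -> DOS stub -> PE signature -> COFF header by hand,
// bounds-checking every offset because e_lfanew comes from untrusted input.
func parsePE(b []byte) (*PEInfo, error) {
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return nil, errors.New("no MZ signature: not a DOS/PE executable")
	}
	lfanew := binary.LittleEndian.Uint32(b[0x3C:0x40])
	// Need the 4-byte signature, the 20-byte file header and the 2-byte Magic.
	if lfanew < 0x40 || uint64(lfanew)+26 > uint64(len(b)) {
		return nil, fmt.Errorf("e_lfanew 0x%x is out of range", lfanew)
	}
	if !bytes.Equal(b[lfanew:lfanew+4], []byte{'P', 'E', 0, 0}) {
		return nil, errors.New("no PE\\0\\0 signature at e_lfanew")
	}
	info := &PEInfo{ELfanew: lfanew}
	if bytes.Contains(b[0x40:lfanew], dosStubMsg) {
		info.DOSStubText = string(dosStubMsg)
	}
	hdr := b[lfanew+4:] // IMAGE_FILE_HEADER starts right after the signature
	info.Machine = binary.LittleEndian.Uint16(hdr[0:2])
	info.Characteristics = binary.LittleEndian.Uint16(hdr[18:20])
	info.OptionalMagic = binary.LittleEndian.Uint16(hdr[20:22])
	return info, nil
}

// Describe renders the header roughly the way file(1) summarises it.
func (p *PEInfo) Describe() string {
	format, kind, arch := "PE32", "executable", fmt.Sprintf("machine 0x%x", p.Machine)
	if p.OptionalMagic == optMagicPE32Plus {
		format = "PE32+"
	}
	if p.Characteristics&charDLL != 0 {
		kind = "DLL"
	}
	switch p.Machine {
	case machineI386:
		arch = "Intel 80386"
	case machineAMD64:
		arch = "x86-64"
	}
	return fmt.Sprintf("%s %s %s", format, kind, arch)
}

// buildSamplePE constructs a minimal header skeleton (constructed test data, not
// a runnable binary) laid out like a linker would: MZ at 0, e_lfanew = 0x80,
// the stub message at 0x4E and the COFF header at 0x80.
func buildSamplePE(machine uint16) []byte {
	const lfanew = 0x80
	b := make([]byte, lfanew+26)
	b[0], b[1] = 'M', 'Z'
	binary.LittleEndian.PutUint32(b[0x3C:], lfanew)
	copy(b[0x4E:], dosStubMsg)
	copy(b[lfanew:], []byte{'P', 'E', 0, 0})
	hdr := b[lfanew+4:]
	binary.LittleEndian.PutUint16(hdr[0:], machine)
	binary.LittleEndian.PutUint16(hdr[18:], charExecutable)
	binary.LittleEndian.PutUint16(hdr[20:], optMagicPE32)
	return b
}

func main() {
	info, err := parsePE(buildSamplePE(machineI386))
	if err != nil {
		panic(err)
	}
	fmt.Printf("e_lfanew=0x%x stub=%q\n%s\n", info.ELfanew, info.DOSStubText, info.Describe())
}
```

Swap buildSamplePE for the bytes of evilbinary.exe (os.ReadFile) and the same parser reports the real file; the bounds checks on e_lfanew matter there, since a malformed or packed sample can point it anywhere.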

Launch the evil executable

What is happening underneath the interface pumping out website names is the inner logic of the ApateDNS application. By listening on UDP port 53, the DNS port, it receives every request the Windows VM makes to translate those site names into IP addresses. It answers each request with the reply IP you configured, logs the entry and shows it on screen. The sample does run, but its lookups never leave the lab, so it never reaches its real infrastructure.

Malware is tricked into giving up its C2 information

This is how malware is tricked into giving up its command and control servers without ever being allowed to reach them.

Note: you do not need a running Remnux VM for this part; ApateDNS logs the lookups whatever reply IP you give it. Pointing the replies at Remnux is helpful because INetSim there answers the connections that follow the lookup (ICMP, HTTP and so on), so the sample behaves as if it had reached its server instead of erroring out, and you do not have to touch the DNS settings of the Windows 10 virtual machine by hand.

Malware Analysis Lab Screen Configuring InetSim

The reply IP you enter into ApateDNS is the host-only address of the Remnux VirtualBox VM. Find it with the command ‘ifconfig’ in a Remnux terminal.
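The ApateDNS behaviour described above, as an added example in Go rather than the tool’s own code: sinkhole parses one raw DNS query, returns the name that was asked for (the value worth logging) and builds a response that resolves it to a fixed A record, which is all a DNS sinkhole needs to harvest C2 hostnames. The query bytes are constructed with buildQuery, and the reply address 192.168.56.101 is an assumed host-only address for the Remnux VM; main binds 127.0.0.1:5353 instead of port 53 so it runs without privileges.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// parseQName decodes the label sequence at off and returns the dotted name and
// the offset just past it. Compression pointers are rejected: questions never need them.
func parseQName(msg []byte, off int) (string, int, error) {
	var labels []string
	for {
		if off >= len(msg) {
			return "", 0, errors.New("truncated name")
		}
		l := int(msg[off])
		off++
		if l == 0 {
			return strings.Join(labels, "."), off, nil
		}
		if l&0xC0 != 0 || off+l > len(msg) {
			return "", 0, errors.New("bad label")
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
}

// sinkhole does what ApateDNS does for one packet: return the queried name and a
// response resolving it to replyIP. Non-A questions get an empty NOERROR answer.
func sinkhole(query []byte, replyIP net.IP) (string, []byte, error) {
	ip4 := replyIP.To4()
	if len(query) < 12 || ip4 == nil {
		return "", nil, errors.New("short DNS header or non-IPv4 reply address")
	}
	if query[2]&0x80 != 0 || binary.BigEndian.Uint16(query[4:6]) != 1 {
		return "", nil, errors.New("not a single-question query")
	}
	name, end, err := parseQName(query, 12)
	if err != nil {
		return "", nil, err
	}
	if end+4 > len(query) {
		return "", nil, errors.New("truncated question")
	}
	qtype := binary.BigEndian.Uint16(query[end : end+2])
	// Copy header + question, then rewrite the header: same ID, QR set, opcode
	// and RD preserved, RA set, RCODE 0, and no answer/authority/additional yet.
	resp := append(make([]byte, 0, end+20), query[:end+4]...)
	resp[2], resp[3] = 0x80|(query[2]&0x79), 0x80
	copy(resp[6:12], []byte{0, 0, 0, 0, 0, 0})
	if qtype != 1 {
		return name, resp, nil
	}
	resp[7] = 1 // ANCOUNT = 1
	// Answer RR: pointer to the question name (0xC00C), TYPE A, CLASS IN,
	// TTL 60 s, RDLENGTH 4, then the sinkhole address.
	resp = append(resp, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4)
	return name, append(resp, ip4...), nil
}

// buildQuery constructs a recursive A query (constructed test data; the kind of
// packet Windows emits when evilbinary.exe resolves www.ethicalhackingguru.com).
func buildQuery(id uint16, name string) []byte {
	q := make([]byte, 12)
	binary.BigEndian.PutUint16(q[0:], id)
	q[2], q[5] = 0x01, 1 // RD set, QDCOUNT = 1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		q = append(q, byte(len(label)))
		q = append(q, label...)
	}
	return append(q, 0, 0, 1, 0, 1) // root label, QTYPE A, QCLASS IN
}

func main() {
	// ApateDNS binds UDP 53; port 5353 keeps this demo unprivileged. The reply
	// address 192.168.56.101 is an assumed host-only address for the Remnux VM.
	replyIP := net.ParseIP("192.168.56.101")
	conn, err := net.ListenPacket("udp", "127.0.0.1:5353")
	if err != nil {
		panic(err)
	}
	buf := make([]byte, 512)
	for {
		n, from, err := conn.ReadFrom(buf)
		if err != nil {
			return
		}
		name, resp, err := sinkhole(buf[:n], replyIP)
		if err != nil {
			continue // malformed or not a query: drop it silently
		}
		fmt.Printf("%s asked for %s -> answered %s\n", from, name, replyIP)
		conn.WriteTo(resp, from)
	}
}
```

Point a client at it (for example dig @127.0.0.1 -p 5353 www.ethicalhackingguru.com) and every name appears on stdout, which is the same log ApateDNS shows in its window.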

Watch As the DNS Requests Pour In

Real malware’s DNS requests look similar to this, although the domain names will usually be unreadable, things like “jslkdafjkldsjfsdfesjglee.com”. There is a reason for this: such names are typically produced by a domain generation algorithm, so the malware and its operator can meet on a stream of throwaway domains. Blocking or seizing any one of them achieves little, and the meaningless names give analysts nothing to pivot on, which makes threat actor attribution harder for prying eyes.

Malware Lab Screen for ApateDNS Running

Evilbinary.exe is reaching out to ethicalhackingguru.com!

Sysinternals Autoruns

Use Autoruns to list everything configured to start with Windows (Run keys, services, scheduled tasks, drivers and more); any persistence a sample installs shows up here, and Autoruns can compare a scan saved before execution against one taken afterwards, the same idea as RegShot. See Sysinternals Autoruns.

C:\autoruns
error: