In this malware analysis tutorial I showcase all the leading methods for quickly and effectively analyzing a malicious binary. A malware lab is used by security analysts to study malware’s behavior and research its capabilities in conditions that allow for the safe dynamic execution and static analysis of the otherwise malicious files. In this post I go over setting up a malware analysis lab at home in only 5 steps.
The guru believes in multitasking wherever possible. So here is a list of all the relevant skills you pick up by completing this tutorial, in addition to malware analysis itself.
- Beginner Go Programming – We are going to create a binary (a compiled, executable program). This is the evilbinary.exe we run in the Action Steps section of the tutorial to test out the new malware analysis lab.
- Beginner Malware Analysis Skills – MA experience is extremely valuable in a prospective security analyst candidate and makes you a badass…
- Static – We are using a program called strings written by Mark Russinovich; see Sysinternals. We are also using a program called pyew. RegShot is an application that creates a snapshot of the Windows registry at a single point in time. A snapshot is created before and after file execution; by comparing the two you can discover the changes the file’s operations made during its run. Static analysis involves examining a suspicious file without running it. We run these tools against evilbinary.exe without executing it, to uncover anything that static analysis can detect.
- Dynamic – We are running the suspect file in order to demonstrate dynamic analysis. Dynamic analysis means running the file, since it is executable. Not sure if you can run a file?
Table of Contents
For the Malware Analysis Tutorial
Prerequisites
- VirtualBox
- A Windows 10 virtual machine configured to use a custom Host Only network adapter
- A Remnux Linux virtual machine configured to use a custom Host Only network adapter
- Go
Step 1. VirtualBox
Get it here.
Step 2. Remnux Virtual Machine
The fastest way to get Remnux is to get the OVA file from the official site here.
Verify the Checksum of the OVA file
This is security best practice. Not sure if it’s necessary? Read about what happened to CCleaner. Basically attackers inserted multi-stage malware directly into the production build. The breach was detected, but not before many users had downloaded the infected version of the software.
From the Remnux Docs:
The file is around 2GB in size; its SHA-256 hash is C26BE9831CA414F5A4D908D793E0B8934470B3887C48CFE82F86943236968AE6
Import Appliance in VirtualBox
This will create a new virtual machine by importing the OVA file directly.
Steps
- VirtualBox VM > File > Import Appliance
- Choose the path where the Remnux OVA file is located
- Assign memory size (the recommended RAM is fine)
- Choose the “Create a virtual hard disk now” option
- VDI (VirtualBox Disk Image)
- Dynamically Allocated
- Note: the other option, Fixed Size, is friendlier for exporting the virtual machine, so select it if you plan on moving Remnux around.
- Assign the size of the virtual hard disk (20+ GB is recommended)
- Click Create
Install VirtualBox Guest Additions
Guest Additions enables you to resize the virtual machine’s screen size as well as some other viewer friendly options. You want this.
Steps
- Settings > Storage > Add Optical Drive to Controller IDE. Leave it empty. Choose OK.
- Start the virtual machine.
- VirtualBox VM > Devices > Insert Guest Additions CD image…
- In a terminal type the following commands one after the other (use tab auto-complete to make sure the paths are right):
# the mount point does not exist by default, so create it first
sudo mkdir -p /mnt/cdrom
sudo mount /dev/sr0 /mnt/cdrom
sudo /mnt/cdrom/VBoxLinuxAdditions.*
- Reboot the virtual machine.
Enable Sharing and Copying
In order to move files back and forth you must enable two separate settings within VirtualBox.
Steps
- VirtualBox VM > Devices > Shared Clipboard > Host to Guest
- VirtualBox VM > Devices > Drag and Drop > Host to Guest
Step 3. Windows 10 Virtual Machine
Get it here.
Then create a new virtual machine following the same steps as for Remnux, with one difference: attach the .iso you just downloaded to the virtual machine. Hit OK!
Step 4. Code the Payload
Make a new file in $GOPATH/src/fakeEvilBin/main.go. Copy the code below and paste it into the new file.
package main

import (
	"time"

	"github.com/sparrc/go-ping"
)

func main() {
	// Resolving the host name is what produces the DNS request we watch for in the lab.
	pinger, err := ping.NewPinger("www.ethicalhackingguru.com")
	if err != nil {
		panic(err)
	}
	// Windows has no unprivileged ICMP sockets, so the library needs privileged mode there.
	pinger.SetPrivileged(true)
	pinger.Count = 3
	// Give up after 10 seconds so the binary exits even when nothing answers.
	pinger.Timeout = 10 * time.Second
	pinger.Run()
}
Run this command
GOOS=windows GOARCH=386 go build -o evilbinary.exe main.go
This compiles the program to run on Windows.
Step 5. Malware Analysis Lab Action Steps
Utilities
- Strings
- ApateDNS
- Pyew
- RegShot
ApateDNS by FireEye
Get it here.
RegShot
Get it here.
Action Steps
- Launch Remnux
- Ensure the virtual machine is configured to use the Host Only adapter.
- Launch Windows 10
- Ensure the virtual machine is configured to use the Host Only adapter.
- In a Remnux terminal run the following:
ifconfig
sudo inetsim
- In Windows 10
- Run ApateDNS
- Enter the IP address of the Remnux machine you acquired in the previous step (ifconfig), then choose Start Server
Analyze evilbinary.exe
Using the file command
file evilbinary.exe
evilbinary.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Using the strings command
strings evilbinary.exe
Using the pyew command
pyew evilbinary.exe
See below: “Cannot be run in DOS mode” is part of the DOS stub found in the PE file format’s header. This confirms the initial finding that the file is a Windows executable.
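The three checks above (the file command’s header walk, strings, and the DOS stub hint) can be reproduced in a few lines, which shows exactly what each tool is keying on. The script below is an added example written for this post, not code from the original or from the strings or pyew projects; it builds a constructed stand-in for evilbinary.exe in memory (just the MZ/PE headers plus a couple of strings) so it runs offline, and the machine-type names are the standard COFF values.

```python
import re
import struct

# Machine values from the COFF header (IMAGE_FILE_MACHINE_*); 0x14C is what `file` prints as Intel 80386.
MACHINE_NAMES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, the same idea as `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def pe_triage(data: bytes) -> dict:
    """Walk the DOS and PE headers the way `file` does and report what was found."""
    info = {"is_mz": False, "is_pe": False, "machine": None, "dos_stub": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["is_mz"] = True
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature; the DOS stub sits in between.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["dos_stub"] = b"cannot be run in DOS mode" in data[0x40:e_lfanew]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info
    info["is_pe"] = True
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    return info


def build_sample_pe() -> bytes:
    """Constructed stand-in for evilbinary.exe: headers plus a few strings, no real code."""
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$\x00")
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    e_lfanew = 0x40 + len(stub)
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    # Signature, Machine=i386, 1 section, zeroed timestamp/symbol fields, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<4sHHIIIHH", b"PE\x00\x00", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    body = b"\x00" * 16 + b"www.ethicalhackingguru.com\x00" + b"\x00" * 8 + b"go-ping\x00"
    return bytes(dos_header) + stub + coff + body


if __name__ == "__main__":
    sample = build_sample_pe()
    print(pe_triage(sample))
    for s in extract_strings(sample):
        print(s)
```

Note that strings reports the stub as “!This program cannot be run in DOS mode.” because the byte just before the text happens to be a printable “!”; that is the same line you see from the real tool. To triage an actual file, read it in binary mode and pass the bytes to pe_triage and extract_strings.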
Launch the evil executable
What’s happening underneath the interface pumping out website names is the inner logic of the ApateDNS application. By listening on DNS port 53 it sees every request to translate those site names into addresses usable by machines (that is, DNS doing its job). It replies to these requests itself, logging the entries and showing them on screen for us, all while never placing the host machine in actual danger.
Malware is tricked into giving up its C2 information
This is how malware is tricked into giving up its command and control servers without really running the malware under normal circumstances.
Note: You don’t have to use the IP address of a running Remnux server for this part. It is helpful to do so because it won’t mess with the DNS settings of your Windows 10 virtual machine at execution time.
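To make the ApateDNS mechanism concrete, here is a minimal DNS sinkhole of the same shape, written as an added example for this post (it is not ApateDNS or any FireEye code). It parses the question from a UDP query, logs the name, and answers every A record query with the lab address; the default sinkhole address is an assumed placeholder for the Remnux host-only IP, and build_query constructs the kind of packet the evil binary sends when it resolves its host name, so the logic can be exercised offline without binding port 53.

```python
import socket
import struct

# Assumed host-only address of the Remnux VM; a placeholder, not a value from the post.
SINKHOLE_IP = "192.168.56.101"


def parse_qname(packet: bytes, offset: int = 12):
    """Read the dotted name from the question section; returns (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a query")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_response(query: bytes, answer_ip: str, ttl: int = 60):
    """Answer any A/IN query with answer_ip; other types get an empty but valid reply."""
    txid, flags, qdcount = struct.unpack_from("!HHH", query, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack_from("!HH", query, end)
    question = query[12:end + 4]
    is_a = qtype == 1 and qclass == 1
    # QR=1, RD copied from the query, RA=1, RCODE=0 (NOERROR).
    rflags = 0x8080 | (flags & 0x0100)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if is_a else 0, 0, 0)
    answer = b""
    if is_a:
        # Name pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, then the address.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return name, header + question + answer


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed client query, standing in for what evilbinary.exe sends on startup."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(bind_ip: str = "0.0.0.0", answer_ip: str = SINKHOLE_IP, port: int = 53) -> None:
    """Log every name asked for and reply with the sinkhole address (binding port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    print(f"sinkhole on {bind_ip}:{port}, answering A queries with {answer_ip}")
    while True:
        data, src = sock.recvfrom(512)
        try:
            name, reply = build_response(data, answer_ip)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue  # malformed or unsupported packet; ignore it, the real tool would too
        print(f"{src[0]} asked for {name}")
        sock.sendto(reply, src)


if __name__ == "__main__":
    q = build_query("www.ethicalhackingguru.com")
    name, reply = build_response(q, SINKHOLE_IP)
    print(name, reply.hex())
```

The logged names are the whole point: whatever the sample resolves shows up in the log before it ever reaches a real resolver, and pointing the answers at the Remnux box means inetsim, not the internet, receives whatever the sample does next. Run serve() on the Windows VM with the machine’s DNS set to itself, or on Remnux alongside inetsim, to get the same effect as ApateDNS.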
Watch As the DNS Requests Pour In
Real malware’s DNS requests look similar to this, although the domain names will likely be hard to understand syntactically. You are going to see requests to things like “jslkdafjkldsjfsdfesjglee.com” etc. There is a reason behind this. These domains are chosen to be confusing to security analysts on purpose. This makes threat actor attribution more difficult for prying eyes.
Sysinternals Autoruns
Use Autoruns to see all the programs that run when Windows starts. See Sysinternals Autoruns.
C:\autoruns