Personal Malware Analysis Environment
So you want to analyse malware, figure out what that dodgy-looking executable does, or make sure that email you received is legit and is not trying to steal all your data. Good, you’re in the right place.
BUT before you can jump in, download a copy of WannaCry and figure out how the kill switch was discovered, you first need to ensure you protect yourself and your network.
This is where having an isolated Malware Analysis Environment (MAE) becomes important. In part one I will talk about some of the considerations needed if you want to start analysing malware.
Open Source (Get someone else to do the work)
There are plenty of platforms that will do analysis for you, mostly free of charge and very simple to use.
Virus Total (https://www.virustotal.com)
VirusTotal enables you to submit files, file hashes, URLs, IPs and domain names. It then runs them through a number of antivirus engines and URL/domain blacklisting sites.
Hybrid Analysis (https://www.hybrid-analysis.com)
Hybrid Analysis allows you to submit files for both static and dynamic analysis, producing a report of its findings, as well as search through over 7.1M indicators of compromise (IOCs).
Any.Run (https://any.run)
Any.Run also allows you to submit a suspicious file, which is then run in a virtualised environment where screenshots can be captured along with many other IOCs.
URL SCAN (https://www.urlscan.io)
A simple site that lets you input a suspicious URL. The site browses to the URL, records all the activity on the page and takes a live screenshot so you can get an understanding of what the website is likely to be used for.
This is just a small list of the resources available out there, and although all of these tools are great and will give you results quickly, they may not always be the desired route to take. For example, if you are dealing with a specifically targeted attack, submitting your findings to these sites alerts the attacker that you are looking into them. Or your organisation may have a policy which prohibits you from sharing your findings with third parties. So you need a way to do your analysis offline.
Building your Own Lab
Malware labs differ from organisation to organisation but the majority of them follow the same basic principles. In this guide I will show you how to set up a simple lab on your own machine to get started, but the process can be scaled to any size environment.
Virtualisation software allows you to run multiple virtualised systems on one physical host (I’d recommend at least 16 GB of RAM). It also allows you to take snapshots, making it easy to revert to a clean, uninfected state after you have finished analysing.
There are plenty of products out there such as VMware Workstation, Microsoft Hyper-V, Oracle VirtualBox and VMware ESXi for server based virtualisation. For this guide I will be using VMware Workstation Pro, which offers a 30-day free trial.
Follow the installation guide for your chosen virtualisation software, and once you are done you are ready to think about your analysis machines.
Machines and Tools
It helps to have multiple operating systems in your lab to see how a sample behaves in different environments, as well as to replicate the OS that may be present in the organisation you are working for. So ensure you have both new and old versions of an operating system, such as Windows XP and Windows 7. I also recommend you have a Linux-based system: even if you do not deal with Linux-based malware, some analysis tools have been specifically designed to work on Linux. Having 2 to 3 machines will be enough to get you started, and as you develop you can tweak your lab.
For your Linux environment I suggest you grab a copy of REMnux. REMnux is a dedicated Linux distribution created by Lenny Zeltser specifically for malware analysis and reverse-engineering. It comes loaded with a bunch of tools and has great documentation. You can grab the OVA file from the website and I will show you how to import it into VMware later on.
As mentioned before, the version of Windows you run is completely up to you. Microsoft provides free evaluation OVA files for Windows 7, 8.1 and 10 which last 90 days, or you can buy a licensed copy of Windows. Regardless of which path you choose, you are going to want to install some tools once Windows is up and running.
- Static properties analysis: pestudio, strings, CFF Explorer, peframe, Detect It Easy, HxD
- Behavioural analysis: Process Hacker, Process Monitor, Regshot, Wireshark, TcpLogView
- Code analysis: IDA Pro, x64dbg/x32dbg, OllyDumpEx, jmp2it, Scylla
There are many other tools out there and these are just a small number of them that you will be able to get started with. You might also want to get copies of other programs such as PDF viewers, Document Viewers, Web Browsers, Archiving software and so on.
If you don’t want to collate all your tools yourself you can use a tool from FireEye called FLARE VM. Once you have a Windows installation ready, you simply navigate to a URL in Windows Explorer and the tool automatically runs and installs all the tools for you. Follow the instructions HERE to get it up and running.
Defining a network is important when building your lab; benefits include:
- Knowing your network to easily identify malicious DNS and IP requests
- Control what goes in and out of your network
- ISOLATION from other computers on your home network
- Easily intercept traffic between machines
I would recommend taking the time to draw out your lab and assign IP addresses to all your machines; it will make it easier when it comes to configuring your machines as well as analysing network traffic. I would also recommend dedicating one machine (REMnux) as your gateway and DNS server to control all your network traffic.
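As an added example (not part of the original post) of why a drawn-out plan pays off, the script below checks constructed traffic log lines against a documented lab plan: every destination must stay inside the isolated subnet, every DNS query must go to the REMnux gateway, and every address must be one you assigned. The subnet, hostnames, addresses and log lines are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed lab plan (assumption): an isolated /24, REMnux as gateway and
# DNS server, two Windows analysis VMs. Replace with the lab you drew out.
LAB_SUBNET = ipaddress.ip_network("10.0.0.0/24")
GATEWAY = "10.0.0.1"
LAB_HOSTS: Dict[str, str] = {
    GATEWAY: "remnux (gateway + DNS)",
    "10.0.0.10": "win7-analysis",
    "10.0.0.11": "winxp-analysis",
}

# Constructed log lines, one flow each: "<src> -> <dst> <proto> <detail>"
SAMPLE_LOG: List[str] = [
    "10.0.0.10 -> 10.0.0.1 DNS A? update.example-c2.test",
    "10.0.0.10 -> 10.0.0.1 TCP 80 GET /payload.bin",
    "10.0.0.10 -> 8.8.8.8 DNS A? evil.example.test",
    "10.0.0.10 -> 203.0.113.7 TCP 443 SYN",
    "10.0.0.11 -> 10.0.0.10 TCP 445 SYN",
]

def parse_line(line: str) -> Dict[str, str]:
    src, _arrow, dst, proto, *detail = line.split()
    return {"src": src, "dst": dst, "proto": proto, "detail": " ".join(detail)}

def check_entry(entry: Dict[str, str]) -> str:
    """Compare one flow with the plan; return 'ok' or a short finding."""
    if ipaddress.ip_address(entry["dst"]) not in LAB_SUBNET:
        return "destination outside lab subnet: isolation is not holding"
    if entry["proto"] == "DNS" and entry["dst"] != GATEWAY:
        return "DNS query bypassing the REMnux gateway"
    if entry["src"] not in LAB_HOSTS or entry["dst"] not in LAB_HOSTS:
        return "address not in the lab plan"
    return "ok"

def review(log: List[str]) -> List[Tuple[str, str]]:
    """Return (line, finding) for every flow that deviates from the plan."""
    findings = [(ln, check_entry(parse_line(ln))) for ln in log]
    return [(ln, f) for ln, f in findings if f != "ok"]

def queried_names(log: List[str]) -> Set[str]:
    """Collect every DNS name the sample asked for, for later review."""
    entries = (parse_line(ln) for ln in log)
    return {e["detail"][3:] for e in entries
            if e["proto"] == "DNS" and e["detail"].startswith("A? ")}

if __name__ == "__main__":
    print(review(SAMPLE_LOG), sorted(queried_names(SAMPLE_LOG)))
```

Any line flagged as leaving the subnet means the isolation you designed is not actually in place, which is worth fixing before the first sample is detonated.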
Look Forward To……
Pt 2 will be a step-by-step guide on installing your VMs and getting them talking to each other.