- self-hosted or cloud malware analysis lab.
- malware file
- Download VirtualBox
link :- virtualbox
- Download Windows 10
link :- windows10
-
Download Remnux
-
make sure to download virtual box OS
link :- remnux
-
Setup Windows 10 With Guest Additions
-
-
now give the name for VM Like FlareVm.
-
now in the ISO image section choose the windows 10 image downloaded.
-
now in hardware section select at least 4 GB ram and one processor.
-
now for hard disk give at least 70 GB.
-
now click finish.
-
now start the VM.
-
now select the install now option and custom install.
-
now in the disk partion click new and apply do not change the size of the drive.
-
-
now select the highest GB partion and click next.
-
now windows 10 is installing in VM.
-
let it install completely have a tea/coffe break and come back.
-
after installing while reboot please remove the ISO CD.
-
now set up your windows 10 VM.
make sure that the name of the pc should not have any sapces in between like 'hacker boy' it should be 'hackerboy'
-
now go to the devices tab and select the insert guest additions CD.
-
-
Go to "This PC" -> CD Drive Virtualization -> Run the VBoxWindowsAdditions-amd64 -> Reboot Device.
-
setting up Flare VM.
-
Disable proxy auto detect setting
- In the Windows search bar, search “proxy settings”,
- Switch "Automatically detect settings" button off
-
Disable Windows Defender
- Search "Defender", open Defender settings and set all Defender Settings to off.
-
Disable Windows Defender in GPO
- In the Windows Search Bar, search and select "edit group policy"
- In GPO, navigate to → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Enable “Turn off Microsoft Defender Antivirus”
-
Disable Windows Firewall
- GPO → Administrative Templates → Network → Network Connections → Windows Defender Firewall → Domain Profile → Disable “Protect All Network Connections”
- Do the same but for the Standard profile
-
Disable the windows security
- search "windows security", open windows security settings → virus and threat protection.
- off all the settings.
-
Now Take A Snapshot
-
Download & Install FlareVM.
- In PowerShell Admin prompt, run:(Run as Administrator)
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\\install.ps1")
- If in case the code doesn't work for you please try this instead.
- open cmd and type.
cd Desktop
- now type.
type null > install.ps1
- open the link in web browser.
link :- flare
-
now copy all the text and paste it in the install.ps1
-
now follow the process.
- now in the PowerShell run as administrator.
Unblock-File .\\install.ps1
Set-ExecutionPolicy Unrestricted
.\\install.ps1
-
Now you will see a dialog box appears after one-two minutes please leave everything as default and click next and OK.
-
now the installation process starts.
Please Note That This Process Can Take Up to 1 -2 Hours Depending on the internet and hardware
-
setting up the remnux VM.
-
It is very simple just simply double click the downloaded file.
-
please install a package inetsim if it is not prsent.
sudo apt install inetsim
-
now setting the fake network.
-
enter the following in the terminal.
inetsim
now run these commands.
cd /etc/inetsim/
nano inetsim.config
-
now make changes accordingly.
-
Uncomment start_service dns
-
Set the service_bind_address to 0.0.0.0
-
Set the DNS Default IP to IP address of Remnux VM address. (10.0.0.3)
-
-
-
please take the snapshot of the remnux VM also.
-
configuring the virtualbox network settings.
-
Create an isolated host-only adapter network for Windows 10 machine and Remnux to talk to each other.
-
create a host only network adapter.
-
please set accordingly.
-
in the windows machine open the following.
-
Right Click -> Properties. Set IPv4 Address to a separate private range (ex. 10.0.0.1). Set DHCP Server address to x.x.x.2, lower bound to x.x.x.3 and upper to x.x.x.254
- Ensure all VMs are using Host-only Adapter,Isolated Ethernet Adapter
- you can do by going in to the machine -> settings -> network -> change from NAT to Host-only-adapter#2.
image
-
open the flare vm machine and download the malware file.
-
make sure to change the network adapter settings to NAT to enable internet.
-
link :- zeus
-
please make sure you are using the flare vm and microsoft edge to download the malware.
-
now unzip the file. password is
infected
- now open virus total and upload the file for analysing.
make sure after the virus total scan completes please change the network settings back to the host only adapter
please make sure your machine should not have internet access
-
now keep that in the side lets do the analysis part.
-
Zeus malware introduction.
- If you know about Greek myths or enjoy Marvel comics, you probably know the name "Zeus."
- "Zeus" is the Greek god of sky and thunder.
- but the "Zeus" we are referring is to is malware called(zbot)
- it is a financial or banking trojan.
- it was first created in the year 2007 by eastern Europe hackers.
- Tools Used: -
- pestudio(master),
- virus total(antivirus scanning),
- floss(strings),
- cutter(strings),
- hxd(hexbytes),
- capa(string),
- cmder(file type),
- hashcal(hash),
- hashmyfiles(hash),
- xorsearch(url),
- exeinfo pe(packing|).etc,.
- procman(child process).
- process hacker(windows process).
- cutter,
- yara(IOC).
- wireshark(capture traffic).
- regshot(winregkeys), etc
- Static analysis: -
this type of analysis doen not involve the installation of malware into the system, its safe and a secure way to analyse the data.
-
foot printing:-
-
pe studio : simply drag and drop the file.
-
open cmder
-
using floss & capa
floss invoice_2318362983713_82393134Zio.pdf.exe
floss strings -5 invoice_2318362983713_82393134Zio.pdf.exe
floss -v invoice_2318362983713_82393134Zio.pdf.exe
capa.exe invoice_2318362983713_82393134Zio.pdf.exe
capa.exe -vv invoice_2318362983713_82393134Zio.pdf.exe
-
you will get the hashes, strings, architecture, file type, libraries, headers,.
-
please note everything.
-
you can find the strings and suspected process and apis in the "malware report" and "pe process.txt" and "pe api.txt"
-
screenshots :-
-
-
-
-
-
-
-
Packing:- We can see that the file size are same and no difference is found which is a good sign. If the zip or packed file size is less than the extracted file it means it is having some other extra files which might be malicious.
-
Dynamic analysis: -
this type of analysis involves the installation of malware on to the system, it is very risky and please take necessary precautions while running the malware.
-
Process:-
- this is were we find the parent process and child process of the malicious application.
- We can see the child process of the .exe file here.
-
Capturing Network: -
- It is a very good process to capture the network as it can give as the sensitive data which the app might sent to the attacker and also we can any additional downloads done.
- But make sure while doping this analysis it is recommended to do it in a fake network using fakenetwork in windows or inetsim in linux.
- In Our Scenario there is a http get request with some activity lets see this.
- Following the http stream we can find it is attempting to go to the fpdownload.macromedia.com
- We can further analyse this website it get more information, as we have done some research we found it is a genuine website of adobe and it is not much risky.
-
Registry keys: -
- Always look into the registry keys because the malware tries to create or modify the regkeys to use them in further process.
- As we can see that so many regkey requests have been made and the malware is replicating it self to other files.
- Here in this case it is using the google update services to do its activity.
-
Graphs:-
- Graphs lets us to understand the source code in easy manner and understand it compliance.
- Here we have seen some graphs for further analysis.
- Of course it is very difficult to go through each and every single function graph but we can start from the suspected functions which were found in the static analysis and then go deeper.
-
Creating yara rule(IOC):-
// import pe
Rule Zeus {
Meta:
Author = “SaiSumanth”
Strings:
$file_name="invoice_2318362983713_823931342io.pdf.exe" ascii
// Suspected name of functions and DLL functionalities.
$function_name_KERNEL32="AsksmaceaglyBubuPulsKaifTeasMistPeelGhisPrimChaoLyr
eroeno" ascii
$function_name_KERNERL32_CreateFileA="CellrotoCrudUntoghCols"
ascii
$function_name_KERNEL32_FINDFIRSTFILEA="GeneAilshe"
ascii
// PE Magic Byte.
$PE_magic_byte="MZ"
// Hex String Function Name + DLL.
$hex_string_SHLWAPI_PATHREMOVEFILESPECA= {44 65 6E 79 4C 75 62 65 4475 6E 73 73 61 77 73 4F 72 65 73 76 61 72 75 74 00 53 48 4C 57 41 50 49}
condition:
// Use the pe library to create fine-grained rules for PE files.
// pe.ispie
$PE_magic_byte at 0 and $filename
and $function_name_KERNEL32
or $function_name_KERNERL32_CreateFileA
-
The above yara code is taken from the internet which is freely available to use to do malware analysis.
-
Generally if a malware is found success in the yara rule that means it is malicious and you should not tamper or install it.
-
Screenshots :-
-
-
-
-
For More Details PLease go to Malware analysis report