ethical.blue Magazine

// Cybersecurity clarified.

Create Malware Analysis Laboratory

2022-03-12   Dawid Farbaniec
It's pretty clear that no one should run malware on their everyday system; an isolated environment is needed. This text describes how to create a free and secure environment for learning malware analysis.

Everyone has their favorite tools. The solutions presented here are not the only way, and there are many alternatives. When choosing them, I focused on applications that are free and user-friendly for readers new to the topic.

Purposes of Malware Analysis

The main goal of analyzing malware is to understand the threat and how it works. Typical purposes are research, incident response, threat hunting, better detection, etc.

Types of Malware Analysis

There are two main types of malware analysis:
1. Static Analysis is done without executing the code. It covers analyzing file properties, reading decompiled code, etc.
2. Dynamic Analysis is done by executing the malicious code in an isolated environment.

Stages of Malware Analysis Process

The typical stages of the analysis process are presented below.
1. Automated Analysis gives an overview of the malware sample and produces hypotheses that can later be confirmed or rejected. It can be done, for example, by using a sandbox.
2. Static Analysis gives properties of the malware sample which can later be included as IoCs (Indicators of Compromise). It can be done using a disassembler, decompiler, hex editor, etc. Notice that static analysis will not reveal the functionality of encrypted or packed code.
3. Behaviour Analysis gives a better understanding of what the sample does to the system. It can be done, for example, by detonating the sample in an isolated environment while file and network monitors are running. Step-by-step execution in a debugger is also welcome here.
4. Manual Code Reversing takes more time but gives many details about the malware sample. The main tools used in this stage are disassemblers, decompilers and debuggers.

The Idea of Virtual Machines

Virtualization technology allows one operating system to run inside another using a special program called a hypervisor. The guest operating systems run on virtual machines, which are abstract computing platforms. This is a great solution for malware analysis, as the virtual machines are isolated from each other: if the malicious code infects the guest system, the host system remains clean. Of course, no one knows whether a zero-day exploit exists that escapes the virtual machine and executes code on the host. Still, with good work hygiene, the host system and local network should be safe.


Figure. Role of virtualization in malware analysis.

Selecting the Host Operating System

You can read here and there that a Linux host operating system with a Windows guest operating system is more secure for malware analysis because of the platform difference.

A Windows host with a Windows guest can also be used, but work hygiene and an up-to-date system are a must.

Selecting the Hypervisor Program

The hypervisor is responsible for managing virtual machines. At the time of writing I have experience with two free solutions: VMware Workstation Player and VirtualBox.

VMware Workstation Player:
Quote:
The free version is available for non-commercial, personal and home use. We also encourage students and non-profit organizations to benefit from this offering. Commercial organizations require commercial licenses to use Workstation Player.

VirtualBox, on the other hand, is open source (GNU General Public License version 2).

In this tutorial VirtualBox is chosen.

Installing VirtualBox

Open https://www.virtualbox.org/wiki/Downloads and select the option Platform packages » Windows hosts (when installing on a Windows host).

Installing Guest Operating System

The Windows 10 ISO file can be downloaded from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. There is about 6.7 GB to download.

Import the downloaded virtual machine file into VirtualBox.

Create a pre-boot snapshot of the virtual machine.

Customize the virtual machine hardware.

A 40 GB hard disk is too small for installing many tools. Let's expand the virtual machine disk to around 70 GB.

...and snapshot! :-)

Start the virtual machine.
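
The import, snapshot and hardware steps above can also be scripted from the host with VBoxManage, VirtualBox's command-line tool, which makes the lab reproducible. The PowerShell script below is an added example, not part of the original article or of VirtualBox itself; the VBoxManage path, the .ova location, the VM name and the internal network name are assumptions to adjust. It goes a bit beyond the GUI steps: it attaches the guest only to an internal network (no host or Internet reachability), disables the shared clipboard and drag-and-drop, and verifies those settings before the first boot. When a run deliberately needs Internet access, change nic1 for that run and revert to the snapshot afterwards.

```powershell
# Added example (not from the article): scripted VirtualBox setup for the analysis VM.
# Assumptions: default VirtualBox install path on a Windows host; the Microsoft evaluation
# VM was downloaded and unzipped to $Ova; the names below are placeholders.
$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
$Ova        = 'C:\VMs\MSEdge - Win10.ova'   # assumed location of the downloaded appliance
$VmName     = 'MalwareLab-Win10'            # assumed VM name
$IntNet     = 'malnet'                      # assumed internal network name (guests only, no host access)

function Invoke-VBox {
    # Runs VBoxManage with the given argument list and fails fast on a non-zero exit code.
    param([string[]]$VBoxArgs)
    & $VBoxManage @VBoxArgs
    if ($LASTEXITCODE -ne 0) {
        throw "VBoxManage $($VBoxArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Get-VmSettings {
    # Parses 'showvminfo --machinereadable' (key="value" lines) into a hashtable.
    param([string]$Name)
    $settings = @{}
    foreach ($line in (& $VBoxManage showvminfo $Name --machinereadable)) {
        if ($line -match '^([^=]+)="?(.*?)"?$') { $settings[$Matches[1]] = $Matches[2] }
    }
    return $settings
}

function Test-VmIsolation {
    # Returns the settings that would give the guest a path to the host or the Internet.
    param([string]$Name)
    $s = Get-VmSettings -Name $Name
    $problems = @()
    if ($s['nic1'] -in @('nat', 'natnetwork', 'bridged', 'hostonly')) {
        $problems += "nic1 is '$($s['nic1'])': guest can reach the host or the Internet"
    }
    if ($s['clipboard'] -ne 'disabled')   { $problems += "shared clipboard is '$($s['clipboard'])'" }
    if ($s['draganddrop'] -ne 'disabled') { $problems += "drag-and-drop is '$($s['draganddrop'])'" }
    return $problems
}

# 1. Import the downloaded appliance under a name of our choosing.
Invoke-VBox @('import', $Ova, '--vsys', '0', '--vmname', $VmName)

# 2. Pre-boot snapshot: a clean state the guest has never run from.
Invoke-VBox @('snapshot', $VmName, 'take', '01-pre-boot', '--description', 'Fresh import, never booted')

# 3. Hardware and isolation: more RAM/CPU, internal network only, no clipboard or drag-and-drop.
#    (Releases older than VirtualBox 6.1 spell the clipboard switch --clipboard.)
Invoke-VBox @('modifyvm', $VmName, '--memory', '4096', '--cpus', '2',
              '--nic1', 'intnet', '--intnet1', $IntNet,
              '--clipboard-mode', 'disabled', '--draganddrop', 'disabled')
# The disk resize ('VBoxManage modifymedium disk <uuid> --resize 71680' for ~70 GB) only works on
# dynamically allocated VDI/VHD images; a VMDK from the appliance must first be cloned with
# 'VBoxManage clonemedium disk src.vmdk dst.vdi --format VDI' and reattached, so it is left to the GUI here.

# 4. Verify the isolation settings before the first boot, then snapshot and start.
$issues = @(Test-VmIsolation -Name $VmName)
if ($issues.Count -gt 0) {
    throw "VM is not isolated:`n - " + ($issues -join "`n - ")
}
Invoke-VBox @('snapshot', $VmName, 'take', '02-configured', '--description', 'Hardware set, isolated network')
Invoke-VBox @('startvm', $VmName)
```

Test-VmIsolation is the part worth keeping even if the rest is done by hand: run it against any analysis VM before detonating a sample, since a NAT adapter left over from a download session is the most common way a lab quietly talks to the Internet.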

The FLARE VM is available for free on GitHub.

To execute the installation script, PowerShell (run as Administrator) is needed.

Type the following command to change to the directory where you downloaded FLARE VM.
cd "C:\Users\IEUser\Downloads\flare-vm-master\flare-vm-master"

Bypass the PowerShell execution policy with the command:
Set-ExecutionPolicy -ExecutionPolicy Bypass

Execute the installation script with the command:
.\install.ps1

Provide the password for IEUser: Passw0rd!
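
The three commands above can be wrapped in a few pre-flight checks. The following is an added example, not part of the article or of the FLARE VM project, meant to be pasted into the elevated PowerShell session in the guest; it assumes the repository was unzipped to the same path the article uses. Two details differ from the bare commands: Set-ExecutionPolicy is given -Scope Process, so the machine-wide policy is unchanged once the installer finishes, and a transcript is kept so a failed tool download can be traced later.

```powershell
# Added example (not from the article or the FLARE VM project): run the FLARE VM installer
# with prerequisite checks, a process-scoped execution policy and a transcript.
# Assumes the repository was unzipped to $FlareDir; adjust the path if yours differs.
$FlareDir = 'C:\Users\IEUser\Downloads\flare-vm-master\flare-vm-master'

function Test-IsAdministrator {
    # The installer needs an elevated session; check before starting a long download.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-InstallPrerequisites {
    # Returns a list of problems; an empty list means we can proceed.
    param([string]$Dir)
    $problems = @()
    if (-not (Test-IsAdministrator)) { $problems += 'PowerShell is not running as Administrator' }
    if (-not (Test-Path (Join-Path $Dir 'install.ps1'))) { $problems += "install.ps1 not found in $Dir" }
    return $problems
}

$problems = @(Test-InstallPrerequisites -Dir $FlareDir)
if ($problems.Count -gt 0) { throw ($problems -join "`n") }

# Bypass applies to this process only; the default scope (LocalMachine) would persist
# a permissive policy on the analysis VM after the installer is done.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Keep a log of everything the installer prints; useful when a tool fails to download.
Start-Transcript -Path (Join-Path $env:USERPROFILE 'Desktop\flare-install.log') -Append
try {
    Set-Location $FlareDir
    .\install.ps1   # prompts for the IEUser password (Passw0rd! on the Microsoft VM)
}
finally {
    Stop-Transcript
}
```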

It should look like this.

While tools are downloading and installation is in progress, you can go for a walk. This will take some time to complete.

Well done.

Uninstall the Guest Additions for better environment security.
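
The Guest Additions are what implement shared folders, shared clipboard and drag-and-drop, so removing them shrinks the guest-to-host interface. The check below, run inside the guest, is an added example and not part of the article: it confirms that the services, kernel drivers, tray process and install directory the Guest Additions normally leave behind are gone. The names are the ones a default Guest Additions install uses; treat them as assumptions and extend the lists for your VirtualBox version.

```powershell
# Added example (not from the article): verify, inside the guest, that the VirtualBox
# Guest Additions are really gone after uninstalling them. Names are assumed defaults.
function Test-GuestAdditionsRemoved {
    # Returns the remnants found; an empty array means the guest is clean.
    $remnants = @()

    # Win32 service started by the Guest Additions.
    if (Get-Service -Name 'VBoxService' -ErrorAction SilentlyContinue) {
        $remnants += 'service VBoxService'
    }

    # Kernel drivers are not listed by Get-Service, so query Win32_SystemDriver instead.
    foreach ($drv in @('VBoxGuest', 'VBoxMouse', 'VBoxSF', 'VBoxWddm')) {
        $hit = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$drv'" -ErrorAction SilentlyContinue
        if ($hit) { $remnants += "driver $drv ($($hit.State))" }
    }

    # Tray helper that runs in every interactive session while the Additions are installed.
    if (Get-Process -Name 'VBoxTray' -ErrorAction SilentlyContinue) {
        $remnants += 'process VBoxTray'
    }

    # Default install directory (assumed).
    $dir = 'C:\Program Files\Oracle\VirtualBox Guest Additions'
    if (Test-Path $dir) { $remnants += "directory $dir" }

    return $remnants
}

$found = @(Test-GuestAdditionsRemoved)
if ($found.Count -eq 0) {
    'Guest Additions removed: no services, drivers, processes or files left.'
} else {
    "Guest Additions remnants:`n - " + ($found -join "`n - ")
}
```

Run it after the reboot that follows the uninstall; the drivers in particular are only unloaded then.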

Tools are ready!

Do not forget to take a snapshot!

Sources of Malware Samples for Analysis

Samples can be collected by creating a honeypot or honeynet.

When learning malware analysis, these places are a good start:
https://bazaar.abuse.ch/browse/
https://any.run/ (registration required)

Online Malware Analysis Services

To get a general overview of a malware sample, one can use automated tools like the following.

ANY.RUN - Interactive Online Malware Sandbox
https://any.run/

Joe Sandbox Cloud Basic - Automated Malware Analysis
https://www.joesandbox.com/#windows

VirusTotal
https://www.virustotal.com/

Be Careful and Go On!

Maintain good work hygiene when analyzing malware samples.
  • Be responsible when enabling an internet connection during analysis (it's your IP address!).
  • Save and transfer samples in a secure way, for example in a password-protected ZIP archive.
  • You do not know whether a sample contains a logic bomb or a zero-day exploit.
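
For the second point, the following added example (not part of the article) records a sample's hashes, which are the IoCs you will quote later, and packs the file into an AES-256 encrypted ZIP with 7-Zip's command-line tool. It assumes 7-Zip at its default install path; the sample and archive paths are placeholders. The password is not a secrecy measure but a guard against accidental double-clicks and against mail or antivirus scanners quarantining the file in transit; "infected" is the convention many sample-sharing sites use.

```powershell
# Added example (not from the article): hash a sample and store it in a password-protected
# archive. Assumes 7-Zip at its default path; file names are placeholders.
$SevenZip = 'C:\Program Files\7-Zip\7z.exe'

function Get-SampleHashes {
    # Returns MD5, SHA1 and SHA256 of the file as an ordered hashtable (the usual IoC set).
    param([string]$Path)
    $h = [ordered]@{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $h[$alg] = (Get-FileHash -Path $Path -Algorithm $alg).Hash.ToLower()
    }
    return $h
}

function Compress-Sample {
    # Packs the sample into a ZIP whose entries are AES-256 encrypted with the given password.
    param([string]$Path, [string]$Archive, [string]$Password)
    & $SevenZip a -tzip -mem=AES256 "-p$Password" $Archive $Path
    if ($LASTEXITCODE -ne 0) { throw "7z failed with exit code $LASTEXITCODE" }
}

$sample  = 'C:\Samples\sample.bin'   # placeholder path to the sample
$archive = 'C:\Samples\sample.zip'   # placeholder path for the archive to transfer

$hashes = Get-SampleHashes -Path $sample
Compress-Sample -Path $sample -Archive $archive -Password 'infected'   # common convention for malware archives

# Print the hashes next to the archive name so they travel with it (e.g. in the ticket or e-mail).
"Archive: $archive"
$hashes.GetEnumerator() | ForEach-Object { "$($_.Key): $($_.Value)" }
```

Verify the SHA256 again after unpacking on the analysis VM with Get-FileHash; a mismatch means you are not looking at the sample you think you are.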

Bibliography

https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html [access: 2022-03-11]
https://www.virtualbox.org/ [access: 2022-03-11]
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ [access: 2022-03-11]
