Malware analysis is the process of understanding malware, its origin, behaviour, and impact. Malware analysis is usually done in secure sandbox environments. Just like most professional malware analysis, this lab will focus on the use of multiple machines to reach a successful analysis.
During this analysis we will use two virtual machines and one tool: Windows 11, REMnux, and INetSim, which runs on REMnux. Windows 11 plays the victim, with all security measures turned off; REMnux does the network observation and acts as a working default gateway and DNS server, so that every packet the victim sends passes through it for analysis; and INetSim acts as an "Internet simulator", answering the malware's DNS, HTTP and other requests with fake responses so that it believes it is connected to the internet. Additionally, the lab operates on the premise that bridged networking, NAT, "temporary internet access", USB passthrough and shared folders are all prohibited. The lab is documented in five main phases: VM setup, REMnux configuration, Windows 11 configuration, Testing/Results, and installation of toolkits for future reference and snapshot creation in case of malware detonation.
1. VM Setup
The first step of the VM setup is to install Oracle VirtualBox from this link (https://virtualbox.org). After downloading the .exe file for Windows hosts, we proceed with the installation process and finish installing VirtualBox.
Afterwards, we continue with downloading the VirtualBox-ready REMnux .ova file (through this link: https://docs.remnux.org/install-distro/get-virtual-appliance) and the Windows 11 ISO from the official page (https://www.microsoft.com/en-us/software-download/windows11).
After downloading the .ova and the Windows 11 ISO, the next step is to add them to VirtualBox: the REMnux .ova is imported through File > Import Appliance, while for Windows 11 a new VM is created with the "New" command and installed from the ISO. The step after that fulfils one of the main points of this lab, configuring the VMs without involving NAT/DHCP/bridging (as seen in the picture below).
This is done by attaching the network adapter of both VMs to the same "Internal Network" and setting promiscuous mode to "Allow All", so that REMnux can capture every frame on the virtual cable and not only the ones addressed to its own MAC. An internal network is visible only to VMs on the same host that are attached to it, so we can be certain that packets travel only between these two VMs; make sure the default NAT adapter that VirtualBox adds to every new VM is disabled or replaced, since a second adapter would give the victim a path to the internet. An important note is that the internal network name must be identical on both VMs, otherwise they end up on separate virtual cables.
2. REMnux configuration
After setting up the VMs and the internal connection, the next step was to move on to the VM configurations. Since we are not connected and do not have access to either a DNS or a DHCP server, we need to configure them manually. After some online research I came across this link (https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/), which helped me understand the commands and logic of the lab.
First I ran the "ip a" command, which showed a list of interfaces.
Afterwards, I decided to run these commands:
I also configured INetSim with the material I found at this link (https://www.inetsim.org/documentation.html), from which I found out that I should use:
sudo nano /etc/inetsim/inetsim.conf
In the .conf file, I enabled the DNS service (start_service dns), set service_bind_address to 10.0.0.1 so that every INetSim service listens on the REMnux lab address, and set dns_default_ip to 10.0.0.1 as well, so that the fake DNS resolves every queried name to REMnux and the malware's follow-up connections (HTTP, HTTPS, etc.) also land on INetSim.
However, after that I ran into trouble with port 53. I found this out by running INetSim, which told me that the UDP socket couldn't be created, since it was being used by systemd-resolved. After further research, I realized that since we do not have internet access, I can kill systemd-resolved with no consequences, which was done through these commands:
After that, INetSim showed that port 53 TCP/UDP was finally bound successfully.
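The REMnux side of the procedure above (static address on the internal-network adapter, freeing port 53 from systemd-resolved, patching inetsim.conf), as an added shell script that is not part of the original post and not REMnux's or INetSim's own tooling. It assumes the addressing from the post (REMnux at 10.0.0.1/24); the interface name enp0s3 and the `--apply` flag are assumptions, and the interface name must be replaced with whatever `ip a` shows.

```shell
#!/bin/sh
# Added example (not from the original post): REMnux lab-side configuration.
# Assumptions: REMnux is 10.0.0.1/24 (from the post) and the Internal Network
# adapter is enp0s3 (assumption; take the real name from `ip a`).
set -eu

LAB_IP="${LAB_IP:-10.0.0.1}"
LAB_IFACE="${LAB_IFACE:-enp0s3}"

# Rewrite an inetsim.conf so that the DNS service is started, every service
# listens on the lab address (service_bind_address) and the fake DNS answers
# every query with that same address (dns_default_ip). Pure text transform
# from $1 to $2, so it can be exercised on a copy without touching /etc.
patch_inetsim_conf() {
    src="$1"; dst="$2"
    sed -e 's/^#\{0,1\}[[:space:]]*start_service[[:space:]]\{1,\}dns[[:space:]]*$/start_service dns/' \
        -e "s/^#\{0,1\}[[:space:]]*service_bind_address[[:space:]].*/service_bind_address $LAB_IP/" \
        -e "s/^#\{0,1\}[[:space:]]*dns_default_ip[[:space:]].*/dns_default_ip $LAB_IP/" \
        "$src" > "$dst"
    # Refuse to ship a half-configured file if any directive was missing.
    for key in "start_service dns" "service_bind_address $LAB_IP" "dns_default_ip $LAB_IP"; do
        grep -qxF "$key" "$dst" || { echo "patch_inetsim_conf: missing '$key'" >&2; return 1; }
    done
}

# Name of the process holding UDP port 53, or nothing if the port is free.
# This is the check behind the "UDP socket could not be created" error.
port53_holder() {
    sudo ss -lunpH 'sport = :53' 2>/dev/null | sed -n 's/.*users:(("\([^"]*\)".*/\1/p' | sort -u
}

apply() {
    # 1. Static address: there is no DHCP server on the internal network.
    sudo ip addr replace "$LAB_IP/24" dev "$LAB_IFACE"
    sudo ip link set "$LAB_IFACE" up
    # 2. Free port 53. Without upstream DNS the stub resolver is useless anyway.
    if [ -n "$(port53_holder)" ]; then
        echo "port 53 held by: $(port53_holder)"
        sudo systemctl disable --now systemd-resolved
    fi
    # 3. Patch the config on a copy, keep a backup, then start INetSim.
    tmp=$(mktemp)
    sudo cp /etc/inetsim/inetsim.conf /etc/inetsim/inetsim.conf.bak
    patch_inetsim_conf /etc/inetsim/inetsim.conf.bak "$tmp"
    sudo cp "$tmp" /etc/inetsim/inetsim.conf
    sudo inetsim --conf /etc/inetsim/inetsim.conf
}

# Only touch the live system when explicitly asked; sourcing the file is safe.
if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Run it as `sh remnux-lab.sh --apply` on REMnux. The address set with `ip addr` does not survive a reboot, so either re-run the script or write the same address into a netplan file. `systemctl disable --now` both stops systemd-resolved and keeps it from coming back; REMnux itself then has no working resolver, which is expected in an offline lab and is exactly why port 53 can be handed to INetSim.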
3. Windows 11 configuration
After the completion of the REMnux setup, the next step was to take care of Windows 11.
Here, the first step was to configure the IPv4 settings, where I manually set an IP address of 10.0.0.2 (most homelabs run on this range), with a subnet mask of 255.255.255.0, while for the DNS server and default gateway I entered 10.0.0.1 to match the static IP of the REMnux VM.
This guarantees that every DNS query the victim sends goes to REMnux, where INetSim's fake DNS answers with 10.0.0.1, so any subsequent HTTP (port 80) or other connection the malware attempts is also directed straight to INetSim on the REMnux VM. Since many malware samples stop executing, or skip their real payload, when they have no connectivity, this is a crucial step for seeing the full behaviour of the samples we choose for future analysis.
Additionally, in order to make the Windows 11 environment as exposed as possible so that REMnux can observe the malware's full behaviour, the Windows Firewall, proxy settings, and Windows Security (Defender) were all deactivated, and the C: drive was added to the exclusion list so that samples stored there are not quarantined. Disabling these defenses is only acceptable because the Internal Network leaves the VM no path to the host or the internet; that isolation, not the victim's own security, is the boundary of the lab.
4. Testing/Results
With the Windows 11 setup finalized, the next step was to check that everything worked. A simple test of browsing to "google.com" from Windows 11 was conducted, and the result showed that the configuration was successful: as can be seen in the picture, INetSim served its fake HTML page, which a malware sample would take as a sign that it is online and continue operating, after which we can use REMnux to analyze the traffic it generates.
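The same check from the REMnux side, plus a summary of what the victim contacted once a sample has run, as an added shell example that is not part of the original post. It assumes REMnux at 10.0.0.1 (from the post) and INetSim's service log at /var/log/inetsim/service.log; the line layout in the constructed sample lines below, and the `--verify`/`--report` flag names, are assumptions, and the patterns should be compared against your own service.log before relying on them.

```shell
#!/bin/sh
# Added example (not from the original post): verify the fake internet from
# REMnux and summarise what the victim contacted. LAB_IP is from the post; the
# service.log line layout is an assumption, see the constructed samples below.
set -eu

LAB_IP="${LAB_IP:-10.0.0.1}"
INETSIM_LOG="${INETSIM_LOG:-/var/log/inetsim/service.log}"

# Live checks from REMnux: INetSim must answer every name with LAB_IP and serve
# a page on port 80. These are the two things the google.com test on
# Windows 11 exercises, only without the browser in the way.
verify_lab() {
    answer=$(dig +short +time=2 +tries=1 "@$LAB_IP" google.com A)
    [ "$answer" = "$LAB_IP" ] || { echo "DNS: expected $LAB_IP, got '$answer'" >&2; return 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 3 "http://$LAB_IP/")
    [ "$code" = "200" ] || { echo "HTTP: expected 200, got '$code'" >&2; return 1; }
    echo "DNS and HTTP are both served by INetSim at $LAB_IP"
}

# Every DNS name the victim asked for, with the source address and a count,
# most frequent first. Assumed line shape (constructed):
#   [...] [dns_53_tcp_udp 1210] [10.0.0.2:53123] recv: Query Type A, Class IN, Name google.com
contacted_domains() {
    sed -n 's/.*\[dns_53_tcp_udp [0-9]*\] \[\([0-9.]*\):[0-9]*\] recv: Query Type [A-Z]*, Class IN, Name \(.*\)$/\1 \2/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Every HTTP/HTTPS request line the victim sent, as "<src> <method> <path>".
# Assumed line shape (constructed):
#   [...] [http_80_tcp 1211] [10.0.0.2:49712] recv: GET / HTTP/1.1
http_requests() {
    sed -n 's/.*\[https\{0,1\}_[0-9]*_tcp [0-9]*\] \[\([0-9.]*\):[0-9]*\] recv: \([A-Z]*\) \([^ ]*\) HTTP\/.*/\1 \2 \3/p' "$1"
}

if [ "${1:-}" = "--verify" ]; then
    verify_lab
elif [ "${1:-}" = "--report" ]; then
    echo "== DNS names =="; contacted_domains "$INETSIM_LOG"
    echo "== HTTP requests =="; http_requests "$INETSIM_LOG"
fi
```

`sh lab-check.sh --verify` fails fast if the DNS answer is anything other than 10.0.0.1, which is the symptom you get when systemd-resolved is still holding port 53 or dns_default_ip was left at its default. On the Windows 11 side the equivalent manual checks are `nslookup google.com` (it must return 10.0.0.1) and `curl.exe http://google.com/`, which should print INetSim's fake page. After a detonation, `--report` turns the service log into the list of names and URLs the sample tried to reach, which is the starting point for the network part of the analysis.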
5. Installation of toolkits for future references and snapshot creation in case of malware detonation.
Finally, for future reference, I decided to install various tools such as Wireshark, PE-bear, YARA, Cutter, etc. Using the ISO method, I attached them through VirtualBox and then installed them inside Windows 11, which keeps the setup internet-free. One thing I should mention is that some tools required x64 and x86 runtime libraries, which I integrated in the same way as the main applications.
After that, as a final precaution, two snapshots were taken, one of each VM in this initial clean state, so that we have a clean baseline to return to after every malware detonation.