
Part 2.1: Malware Analysis - Setting Up The Lab Environment

Lab Requirements

Before you begin setting up a lab, you need a few components: a physical system running a base operating system of Linux, Windows, or macOS X, with virtualization software (such as VMware or VirtualBox) installed. When analyzing the malware, you will be executing the malware on a Windows-based virtual machine (Windows VM). The advantage of using a virtual machine is that after you finish analyzing the malware, you can revert it to a clean state.


Overview Of Lab Architecture



Setting Up And Configuring Linux VM

$ sudo apt-get update
$ sudo apt-get install python-pip
$ pip install --upgrade pip
$ sudo apt-get install python-magic
$ sudo apt-get install upx
$ sudo pip install pefile
$ sudo apt-get install yara
$ sudo pip install yara-python
$ sudo apt-get install ssdeep
$ sudo apt-get install build-essential libffi-dev python python-dev libfuzzy-dev
$ sudo apt-get install wireshark
$ sudo apt-get install tshark



INetSim (https://www.inetsim.org/index.html) is a powerful utility that allows you to simulate various Internet services (such as DNS and HTTP) that malware frequently expects to interact with. Later, you will understand how to


$ sudo su
# echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
# wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
# apt update
# apt-get install inetsim


$ sudo gedit /etc/inetsim/inetsim.conf

Go to the service_bind_address section in the configuration file and add the entry shown here:

service_bind_address 192.168.1.100

Then start INetSim:

$ sudo inetsim


You can now isolate the Ubuntu VM within your lab by configuring the virtual appliance to use Host-only network mode. On VMware, bring up the Network Adapter Settings and choose Host-only mode as shown in the following Figure. Save the settings and reboot.



Next, assign a static IP address of 192.168.1.100 to the Ubuntu Linux VM.

$ sudo gedit /etc/network/interfaces

Add the following entries at the end of the file (make sure you replace ens33 with the interface name on your system) and save it:

auto ens33
iface ens33 inet static
address 192.168.1.100
netmask 255.255.255.0

The dns_default_ip 192.168.1.100 line is an INetSim setting, not a valid interfaces keyword: it belongs in /etc/inetsim/inetsim.conf next to service_bind_address, where it makes INetSim's fake DNS resolve every name to the Linux VM.



At this point, the Linux VM is configured to use Host-only mode, and INetSim is set up to simulate all the services. The last step is to take a snapshot (clean snapshot).



Setting Up And Configuring Windows VM

Download and install Python on the Windows VM. Configure your Windows VM to run in Host-only network configuration mode, and configure its IP address to 192.168.1.x (choose any IP address except 192.168.1.100, which is used by the Linux VM).


Power on both the Linux VM and the Windows VM, and make sure they can communicate with each other. You can check the connectivity by running the ping command.
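Beyond ping, a practitioner usually wants to confirm that INetSim itself is answering from the Windows VM. The following script is an added example, not from the original post: it builds a raw DNS A query for a constructed name (example.test), sends it to the Linux VM at 192.168.1.100, and checks that the answer is the lab address (INetSim's fake DNS returns dns_default_ip for every name), then performs one HTTP GET. Only the standard library is used.

```python
import http.client
import socket
import struct

INETSIM_IP = "192.168.1.100"  # the Linux VM address used in this lab

def build_dns_query(name, txid=0x1234):
    """Build a minimal DNS A query in RFC 1035 wire format (no external library)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_a_records(resp):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        while resp[pos] != 0:
            pos += resp[pos] + 1
        pos += 5  # terminating zero + QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        if resp[pos] & 0xC0 == 0xC0:  # compression pointer back to the question name
            pos += 2
        else:
            while resp[pos] != 0:
                pos += resp[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def looks_like_inetsim(addrs, expected=INETSIM_IP):
    """INetSim answers every name with dns_default_ip; anything else means a leak or misconfiguration."""
    return bool(addrs) and all(a == expected for a in addrs)

def check_lab(server=INETSIM_IP, name="example.test"):
    """Send one DNS query and one HTTP GET to the Linux VM; returns (addresses, http_status)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    sock.sendto(build_dns_query(name), (server, 53))  # constructed name, any label works
    addrs = parse_a_records(sock.recvfrom(512)[0])
    conn = http.client.HTTPConnection(server, 80, timeout=3)
    conn.request("GET", "/")
    return addrs, conn.getresponse().status
```

Run check_lab() on the Windows VM with INetSim started: a DNS answer of 192.168.1.100 for the made-up name plus an HTTP status (INetSim's default page answers 200) shows that the sample's traffic will stay inside the lab.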



The Windows Defender service needs to be disabled on your Windows VM, as it may interfere when you are executing the malware sample. Finally, take a clean snapshot.

