Skip to main content

Part2.1 :Malware Analysis Malware Analysis Setting Up The Lab Environment

 Lab Requirements

Before you begin setting up a lab, you need a few components: a physical system running a

base operating system of Linux, Windows, or macOS X, and installed with virtualization

software (such as VMware or VirtualBox). When analyzing the malware, you will be

executing the malware on a Windows-based virtual machine (Windows VM). The

advantage of using a virtual machine is that after you finish analyzing the malware, you

can revert it to a clean state.


Overview Of Lab Architecture



Setting Up And Configuring Linux VM

$ sudo apt-get update

$ sudo apt-get install python-pip

$ pip install --upgrade pip

$ sudo apt-get install python-magic

$ sudo apt-get install upx

$ sudo pip install pefile

$ sudo apt-get install yara

$ sudo pip install yara-python

$ sudo apt-get install ssdeep

$ sudo apt-get install build-essential libffi-dev python python-dev

\ libfuzzy-dev

$ sudo apt-get install wireshark

$ sudo apt-get install tshark



INetSim (https://www.inetsim.org/index.html) is a powerful utility that allows

simulating various Internet services (such as DNS, and HTTP) that malware

frequently expects to interact with. Later, you will understand how to


$ sudo su

# echo "deb http://www.inetsim.org/debian/ binary/" > \

/etc/apt/sources.list.d/inetsim.list

# wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc

| \

apt-key add -

# apt update

# apt-get install inetsim


$ sudo gedit /etc/inetsim/inetsim.conf

Go to the service_bind_address section in the configuration file and add the

entry shown here:

service_bind_address 192.168.1.100


$ sudo inetsim


You can now isolate Ubuntu VM within your lab by configuring the virtual

appliance to use Host-only network mode. On VMware, bring up the Network

Adapter Settings and choose Host-only mode as shown in the following Figure.

Save the settings and reboot.



assign a static IP address of 192.168.1.100 to the Ubuntu Linux

VM.


$ sudo gedit /etc/network/interfaces

Add the following entries at the end of the file (make sure you replace ens33

with the interface name on your system) and save it:

auto ens33

iface ens33 inet static

address 192.168.1.100

netmask 255.255.255.0

dns_default_ip 192.168.1.100



At this point, the Linux VM is configured to use Host-only mode, and INetSim is

set up to simulate all the services. The last step is to take a snapshot (clean

snapshot)



Setting Up And Configuring Windows VM


Download Python

Configure your Windows VM to run in Host-only network configuration mode.

Configure the IP address of the Windows VM to 192.168.1.x (choose any IP

address except 192.168.1.100


Power on both the Linux VM and the Window VM, and make sure they can

communicate with each other. You can check for the connectivity by running the

ping command



Windows Defender Service needs to be disabled on your Windows VM as it may

interfere when you are executing the malware sample

Take a clean snapshot


Labels:

Comments

Post a Comment

Popular posts from this blog

Part 1.3 :Disk Analysis, Autopsy & Redline

  Disk Analysis, Autopsy & Redline Autopsy: Autopsy  gives you the option to acquire data from both live systems or from a disk image. After adding your data source, navigate to the location of the files you want to extract, then right-click and select the Extract File(s) option. It will look similar to what you see in the screenshot below How to start Digital forensics Investigations with Autopsy 1.       Download Autopsy 2.       Download Hxd 3.       Download md5sum 4.       Download dd.exe 5.       Create disk image using dd.exe PS C:\Users\ME\Desktop\Tool\tools source> .\dd.exe if=\\.\e: of=c:\users\me\desktop\cases\image.dd bs=1M –-progress 6.       Create hash for image using md5sum or hasher PS C:\Users\ME\Desktop\Tool\tools source> .\md5sums.exe c:\users\me\desktop\cases\image2.dd  ...
Post a Comment
Read more

Chain of Custody – Digital Forensics

  Chain of Custody – Digital Forensics Chain of Custody refers to the logical sequence that records the sequence of custody, control, transfer, analysis and disposition of physical or electronic evidence in legal cases. Each step in the chain is essential as if broke, the evidence may be rendered inadmissible. Thus we can say that preserving the chain of custody is about following the correct and consistent procedure and hence ensuring the quality of evidence. The chain of custody in digital cyber forensics is also known as the paper trail or forensic link, or chronological documentation of the evidence. ·         Chain of custody indicates the collection, sequence of control, transfer and analysis. ·         It also documents details of each person who handled the evidence, date and time it was collected or transferred, and the purpose of the transfer. ·         It de...
Post a Comment
Read more

Part 1.2: Memory Analysis

  Part 1.2: Memory Analysis  Investigating Malware Using Memory Forensics   Memory forensics is a technique used in digital forensics that involves the analysis of a computer's volatile memory (RAM) to obtain information about running processes, open network connections, system configurations, and other valuable data. This technique is particularly useful in investigating malware, as malware often tries to hide its presence on a system, making it difficult to detect using traditional methods. When investigating malware using memory forensics, there are several steps to follow: 1.       Acquisition: The first step is to acquire the volatile memory from the infected system. This can be done using tools such as FTK Imager or Volatility. 2.       Analysis: Once the memory has been acquired, it is time to analyze it. This involves examining the memory for suspicious processes, network connections, and other indicato...
Post a Comment
Read more