Malware analysis should always be done with caution. Also, to trick the most sophisticated malware into executing, you need to make it believable that it is running on a real host, since such samples check for virtualisation and analysis tooling before they detonate.
The host machine does not really matter. However, I would recommend Linux or macOS as the host for Windows malware analysis, and a Windows host for Linux/macOS malware, in case the VM solution in use has a sandbox-escape vulnerability. This way the malware will not be able to run on the host even if it manages to escape (unless it is some cross-platform sample 😩).
- VBox: REMnux + Windows VM. See here for more detail.
- Parallels: Kali + Windows VM + macOS VM. This is my config since I do macOS reversing as well.
- Separate physical forensics machine with no network access. An option, since this way you don’t need to worry about tricking smart malware equipped with anti-virtualisation techniques into running. As a drawback, you’d have to reinstall the system pretty often 😊.
Linux
REMnux is a Linux distribution designed specifically for malware analysis, with a lot of useful tools preinstalled. However, all (or most) of them will also run on other Linux distributions, so for me it is easier to use a Kali or Ubuntu VM and install the required tools as needed. Besides, there is no ARM version of REMnux anyway, so I don't really have a choice.
Steps
No matter which setup you use, a few settings are required for all of them.
- Configure the network
  - Create a separate host-only interface that is isolated from the host
  - Attach this interface to the VMs that will be used for analysis (usually 2)
- Create the VMs
  - Victim: Windows, Linux or macOS
  - Fake server (Kali or REMnux)
    - Enable a DNS server on it (iNetSim or a real DNS server) so that every name the victim resolves points back at the fake server
- Separate the host from the VMs
  - Disable clipboard sharing
  - Disable drag-and-drop between the host and the guest
  - Disable shared folders (a folder can be enabled to copy the sample in and disabled again before the analysis begins)
- Take a snapshot of all the VMs before use, so every run starts from a known-clean state
Host
Network Config
Create a separate host-only interface that is isolated from the host. Note the IPs that are used. For example:
- DHCP server: 10.0.0.2
- DHCP range: 10.0.0.3-10.0.0.254
- netmask: 255.255.255.0
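The steps above as a script for a VirtualBox host. This is an added example, not the original notes' own tooling; it assumes the VBoxManage CLI (VirtualBox 6.x/7.x) and uses the host-only addressing from this page (DHCP server 10.0.0.2, leases 10.0.0.3-10.0.0.254, netmask 255.255.255.0). The interface name vboxnet0, the host address 10.0.0.1 and the VM names are placeholders to adjust.

```python
"""Provision an isolated VirtualBox malware lab: host-only network + DHCP,
then isolation settings and a clean snapshot for each VM.
Added example (not from the original page); VBoxManage flags are the real
ones, but interface/host address/VM names are assumptions."""
import subprocess
import sys
from datetime import date

# `VBoxManage hostonlyif create` prints the name of the new interface; the first
# one is vboxnet0 on Linux/macOS hosts (assumption; check the command's output).
HOSTONLY_IF = "vboxnet0"
HOST_IP = "10.0.0.1"                   # host side of the isolated interface (assumed)
DHCP_SERVER = "10.0.0.2"
DHCP_RANGE = ("10.0.0.3", "10.0.0.254")
NETMASK = "255.255.255.0"


def network_commands():
    """Address the host-only interface and give it a DHCP server for the guests."""
    return [
        ["VBoxManage", "hostonlyif", "ipconfig", HOSTONLY_IF,
         "--ip", HOST_IP, "--netmask", NETMASK],
        ["VBoxManage", "dhcpserver", "add", "--ifname", HOSTONLY_IF,
         "--ip", DHCP_SERVER, "--netmask", NETMASK,
         "--lowerip", DHCP_RANGE[0], "--upperip", DHCP_RANGE[1], "--enable"],
    ]


def isolate_commands(vm, shared_folders=()):
    """Only the host-only NIC stays; clipboard, drag-and-drop and shared folders go."""
    cmds = [
        ["VBoxManage", "modifyvm", vm, "--nic1", "hostonly", "--hostonlyadapter1", HOSTONLY_IF],
        # a leftover NAT or bridged adapter would give the guest a path to the internet/LAN
        ["VBoxManage", "modifyvm", vm, "--nic2", "none", "--nic3", "none", "--nic4", "none"],
        # VirtualBox 7 spelling; on 6.x the option is --clipboard
        ["VBoxManage", "modifyvm", vm, "--clipboard-mode", "disabled", "--draganddrop", "disabled"],
    ]
    for name in shared_folders:
        cmds.append(["VBoxManage", "sharedfolder", "remove", vm, "--name", name])
    return cmds


def snapshot_command(vm, label="clean"):
    """Snapshot to revert to after every detonation."""
    return ["VBoxManage", "snapshot", vm, "take", f"{label}-{date.today():%Y%m%d}"]


def plan(vms, shared_folders=()):
    """Full ordered command list: network once, then isolation + snapshot per VM."""
    cmds = network_commands()
    for vm in vms:
        cmds += isolate_commands(vm, shared_folders)
        cmds.append(snapshot_command(vm))
    return cmds


def apply(cmds, dry_run=True):
    """Print every command; execute it as well unless dry_run (VMs must be powered off)."""
    for c in cmds:
        print(" ".join(c))
        if not dry_run:
            subprocess.run(c, check=True)


if __name__ == "__main__":
    # usage: python vbox_lab.py [--apply] <victim-vm> <fakeserver-vm>
    names = [a for a in sys.argv[1:] if a != "--apply"]
    apply(plan(names or ["victim", "fakeserver"], shared_folders=("samples",)),
          dry_run="--apply" not in sys.argv)
```

Without --apply the script only prints the commands, which is a convenient way to review them first. Give the fake-server VM a static 10.0.0.3 inside the guest (the address dns_default_ip points at below) rather than relying on lease order, and re-run the sharedfolder removal after the sample has been copied in and before detonation.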
iNetSim
Using the above network config, set the following in the iNetSim configuration (/etc/inetsim/inetsim.conf on REMnux and other Debian-based installs):
service_bind_address 0.0.0.0
dns_default_ip 10.0.0.3
dns_default_ip is the address of the VM running iNetSim itself, so every name the victim resolves points back at the fake server.
- run with sudo inetsim (root is needed to bind the privileged ports the fake services listen on)
If the malware tries to download something, iNetSim answers the request with a fake file: for a requested .exe it serves one of its precompiled dummy binaries (configurable per extension with http_fakefile), so the sample believes the download succeeded.
FakeNet.exe
Similar to iNetSim but for Windows; its successor FakeNet-NG runs on the Windows victim itself and intercepts the traffic locally.
Victim machine
- Set the DNS server address to the machine that runs iNetSim (10.0.0.3 in the example above), so that every lookup resolves to the fake server.
- macOS
  - Glances (https://nicolargo.github.io/glances/), osquery, Instruments and vtop for process and resource monitoring. Also try opensnoop to watch file opens, but it needs SIP disabled because it relies on DTrace.
- Windows
  - ProcMon (Sysinternals) to monitor file system, registry, process/thread and network activity.
Safety Tips
- Keep the VMs isolated from the host: no NAT or bridged adapter, and no clipboard, drag-and-drop or shared folders while the sample runs
- Store samples with a rogue extension (e.g. .malz instead of .exe) so that nothing executes them by accident on a double-click
- Keep samples in password-protected archives (the conventional password is "infected") so host AV does not quarantine them and nobody opens them by mistake
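A sample intake helper for the safety tips above: it renames the file to its SHA-256 with a rogue extension (the hash-as-filename convention the malwoverview examples further down use), strips the execute bits and keeps the original name in a sidecar file. This is an added example, not the page's own script; the .malz extension and the store layout are assumptions, and the demo "sample" is a constructed stub, not malware.

```python
"""Quarantine incoming samples as <sha256>.malz, mode 0600, plus a JSON sidecar.
Added example, not from the original page; extension and layout are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

SAFE_EXT = ".malz"   # nothing on host or guest has a handler for this extension (assumed)


def sha256_of(path):
    """Streamed SHA-256 so large droppers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(sample, store):
    """Move sample into store as <sha256>.malz (mode 0600) and write <sha256>.json."""
    sample, store = Path(sample), Path(store)
    store.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(sample)
    dest = store / f"{digest}{SAFE_EXT}"
    if dest.exists():
        sample.unlink()               # identical content already stored: drop the duplicate
    else:
        shutil.move(str(sample), str(dest))
    os.chmod(dest, 0o600)             # read/write for the analyst only, no execute bit
    sidecar = dest.with_suffix(".json")
    if not sidecar.exists():
        sidecar.write_text(json.dumps(
            {"sha256": digest, "original_name": sample.name, "size": dest.stat().st_size},
            indent=2))
    return dest


def is_safe(path):
    """True when a stored file still has the rogue extension and no execute bit."""
    path = Path(path)
    return path.suffix == SAFE_EXT and not (path.stat().st_mode & 0o111)


def demo():
    """Run the intake on a constructed stub in a temporary directory; returns the outcome."""
    work = Path(tempfile.mkdtemp(prefix="intake-"))
    src = work / "invoice.exe"
    src.write_bytes(b"MZ" + b"\x90" * 100)      # constructed stub, not a real sample
    os.chmod(src, 0o755)                          # arrived executable, as downloads often do
    dest = quarantine(src, work / "store")
    dup = work / "invoice (1).exe"               # same bytes under another name
    dup.write_bytes(b"MZ" + b"\x90" * 100)
    dest2 = quarantine(dup, work / "store")
    return {
        "dest": dest,
        "source_removed": not src.exists() and not dup.exists(),
        "safe": is_safe(dest),
        "deduplicated": dest2 == dest,
        "meta": json.loads(dest.with_suffix(".json").read_text()),
    }


if __name__ == "__main__":
    print(json.dumps({k: str(v) for k, v in demo().items()}, indent=2))
```

For the password-protection tip, Python's zipfile module can read but not write encrypted archives, so bundle the store with an external tool when samples move between machines, e.g. 7z a -pinfected -mhe=on samples.7z store/ (the -mhe switch also encrypts the file names).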
Main Tools
malwoverview (malwoverview.py): a first-response triage tool that queries VirusTotal, Hybrid Analysis, URLHaus, Polyswarm, Malshare, AlienVault OTX, Malpedia, MalwareBazaar, ThreatFox, Triage and InQuest from the command line, for a single hash/file/URL/IP or for a whole directory or hash list. Each service needs its API key in ~/.malwapi.conf. Usage examples (the URLs, IPs and domains below are malicious indicators: query them through the tool, never browse them from the host):
malwoverview.py -x 2 -X 211027-q45laaehd2 -o 0
malwoverview.py -d /home/remnux/malware/windows_2/
malwoverview.py -v 1 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe
malwoverview.py -v 2 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe
malwoverview.py -v 3 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe
malwoverview.py -v 4 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe
malwoverview.py -v 5 -V http://jamogames.com/templates/JLHk/
malwoverview.py -v 6 -V 185.220.100.243
malwoverview.py -v 7 -V xurl.es
malwoverview.py -v 8 -V ab4d6a82cafc92825a0b88183325855f0c44920da970b42c949d5d5ffdcc0585
malwoverview.py -v 9 -V cc2d791b16063a302e1ebd35c0e84e6cf6519e90bb710c958ac4e4ddceca68f7.exe
malwoverview.py -v 10 -V /home/remnux/malware/hash_list_3.txt
malwoverview.py -v 11 -V /home/remnux/malware/hash_list_3.txt
malwoverview.py -v 12 -V 9d26e19b8fc5819b634397d48183637bacc9e1c62d8b1856b8116141cb8b4000
malwoverview.py -v 13 -V /largefiles/4b3b46558cffe1c0b651f09c719af2779af3e4e0e43da060468467d8df445e93
malwoverview.py -a 1 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8
malwoverview.py -a 1 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8.exe
malwoverview.py -a 2 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8
malwoverview.py -a 3 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8
malwoverview.py -a 4 -A malware1.apk
malwoverview.py -a 4 -A 82eb6039cdda6598dc23084768e18495d5ebf3bc3137990280bc0d9351a483eb
malwoverview.py -a 5 -A 2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46
malwoverview.py -a 5 -A 2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46.elf
malwoverview.py -a 6 -A 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243.exe
malwoverview.py -a 7 -A 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243.exe
malwoverview.py -a 8 -A 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243.exe
malwoverview.py -a 9 -A malware_7.apk
malwoverview.py -a 10 -A 925f649617743f0640bdfff4b6b664b9e12761b0e24bbb99ca72740545087ad2.elf
malwoverview.py -a 11 -A cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e
malwoverview.py -a 12 -A cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e
malwoverview.py -a 13 -A cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e
malwoverview.py -a 14 -A d90a5552fd4ef88a8b621dd3642e3be8e52115a67e6b17b13bdff461d81cf5a8
malwoverview.py -a 15 -A 925f649617743f0640bdfff4b6b664b9e12761b0e24bbb99ca72740545087ad2
malwoverview.py -l 1 -L d3dcc08c9b955cd3f68c198e11d5788869d1b159dc8014d6eaa39e6c258123b0
malwoverview.py -l 2
malwoverview.py -l 3
malwoverview.py -l 4
malwoverview.py -l 5
malwoverview.py -l 6
malwoverview.py -j 1 -J 7c99d644cf39c14208df6d139313eaf95123d569a9206939df996cfded6924a6
malwoverview.py -j 2 -J 7c99d644cf39c14208df6d139313eaf95123d569a9206939df996cfded6924a6
malwoverview.py -j 3 -J https://unada.us/acme-challenge/3NXwcYNCa/
malwoverview.py -j 4 -J Qakbot
malwoverview.py -j 5 -J Emotet
malwoverview.py -j 5 -J Icedid
malwoverview.py -j 6
malwoverview.py -j 7
malwoverview.py -p 1 -P 1999ba265cd51c94e8ae3a6038b3775bf9a49d6fe57d75dbf1726921af8a7ab2
malwoverview.py -p 2 -P 301524c3f959d2d6db9dffdf267ab16a706d3286c0b912f7dda5eb42b6d89996.exe
malwoverview.py -p 3 -P 68c11ef39769674123066bcd52e1d687502eb6c4c0788b4f682e8d31c15e5306
malwoverview.py -p 4 -P 68c11ef39769674123066bcd52e1d687502eb6c4c0788b4f682e8d31c15e5306.exe
malwoverview.py -p 5 -P 188.40.75.132
malwoverview.py -p 6 -P covid19tracer.ca
malwoverview.py -p 7 -P http://ksahosting.net/wp-includes/utf8.php
malwoverview.py -p 8 -P Qakbot
malwoverview.py -y 1
malwoverview.py -y 2
malwoverview.py -y 3
malwoverview.py -y 4 -Y com.spaceship.netprotect
malwoverview.py -y 5 -Y com.mwr.dz
malwoverview.py -v 1 -V 368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792.apk
malwoverview.py -n 1 -N 10
malwoverview.py -n 2 -N 176.57.215.100
malwoverview.py -n 3 -N threesmallhills.com
malwoverview.py -n 4 -N 6d1756aa6b45244764409398305c460368d64ff9 -o 0
malwoverview.py -n 5 -N http://ksahosting.net/wp-includes/utf8.php
malwoverview.py -m 1 | more
malwoverview.py -m 2 | more
malwoverview.py -m 3 | more
malwoverview.py -m 4 -M apt41 | more
malwoverview.py -m 5 | more
malwoverview.py -m 6 -M win.qakbot
malwoverview.py -m 7 -M 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d
malwoverview.py -m 8 -M win.qakbot
malwoverview.py -b 1 -B c9d7b5d06cd8ab1a01bf0c5bf41ef2a388e41b4c66b1728494f86ed255a95d48
malwoverview.py -b 2 -B Revil | more
malwoverview.py -b 3 -B f34d5f2d4577ed6d9ceec516c1f5a744
malwoverview.py -b 4 -B 100
malwoverview.py -b 4 -B time | more
malwoverview.py -b 5 -B bda50ff249b947617d9551c717e78131ed32bf77db9dc5b7591d3e1af6cb2f1a
malwoverview.py -b 6 -B 10 | more
malwoverview.py -b 7 -B 193.150.103.37:21330
malwoverview.py -b 8 -B Magecart | more
malwoverview.py -b 9 -B "Cobalt Strike"
malwoverview.py -b 10 | more
malwoverview.py -x 1 -X score:10 | more
malwoverview.py -x 1 -X 71382e72d8fb3728dc8941798ab1c180493fa978fd7eadc1ab6d21dae0d603e2
malwoverview.py -x 2 -X 220315-qxzrfsadfl
malwoverview.py -x 3 -X cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e
malwoverview.py -x 4 -X http://ztechinternational.com/Img/XSD.exe
malwoverview.py -x 5 -X 220315-xmbp7sdbel
malwoverview.py -x 6 -X 220315-xmbp7sdbel
malwoverview.py -x 7 -X 220315-xmbp7sdbel
YARA
📚 Medium article 📚 SeaDuke_Sample 📚 Github repo
## All PE files
rule IsPeFile {
    strings:
        $mz = "MZ"
    condition:
        // "MZ" at offset 0, and the PE signature ("PE\0\0", 0x4550 as a little-endian
        // uint32) at the offset stored in e_lfanew (DOS header field at 0x3C)
        $mz at 0 and uint32(uint32(0x3C)) == 0x4550
}
## SeaDuke Malware
rule SeaDuke_Sample
{
    meta:
        description = "SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d"
        author = "Florian Roth"
        reference = "http://goo.gl/MJ0c2M"
        date = "2015-07-14"
        score = 70
        hash = "d2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e"
    strings:
        $s0 = "bpython27.dll" fullword ascii
        $s1 = "email.header(" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "LogonUI.exe" fullword wide /* PEStudio Blacklist: strings */
        $s3 = "Crypto.Cipher.AES(" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "mod is NULL - %s" fullword ascii
    condition:
        // MZ magic as a uint16, a size bound to skip huge files, and every string present
        uint16(0) == 0x5a4d and filesize < 4000KB and all of them
}
You can run YARA with a single rule or multiple rules against one file, or multiple rules against many files (yara -r for a directory tree). When the same rule set is run repeatedly, compile it first with yarac (yarac rules.yar rules.yarc) and load the compiled set with yara -C rules.yarc; this avoids re-parsing the rules on every scan.
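To see what the two rules above actually check, here is a Python re-implementation of their conditions that can be stepped through without the yara binary. This is an added example, not part of the original notes; it mimics only the YARA operators these rules use (uint16/uint32 reads, at, fullword, wide, filesize), and the buffers it scans are constructed stubs, not real samples.

```python
"""Python model of the IsPeFile and SeaDuke_Sample conditions.
Added example, not from the original page; scanned buffers are constructed."""
import re
import struct

PE_SIGNATURE = 0x00004550       # "PE\0\0" read as a little-endian uint32
MZ_MAGIC = 0x5A4D               # "MZ" read as a little-endian uint16
SEADUKE_MAX_SIZE = 4000 * 1024  # "filesize < 4000KB"


def yara_uint32(data, offset):
    """YARA's uint32(offset): little-endian; undefined (None) when out of range."""
    if offset is None or offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def yara_uint16(data, offset):
    """YARA's uint16(offset), same undefined-on-overrun behaviour."""
    if offset is None or offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def is_pe_file(data):
    """rule IsPeFile: $mz at 0 and uint32(uint32(0x3C)) == 0x4550.
    A truncated DOS stub makes the inner read undefined; YARA evaluates a
    comparison against an undefined value as false, which the None path reproduces."""
    return data[:2] == b"MZ" and yara_uint32(data, yara_uint32(data, 0x3C)) == PE_SIGNATURE


def fullword_present(data, needle):
    """YARA 'fullword': an occurrence counts only if it is not immediately preceded
    or followed by an alphanumeric byte (approximation: byte-wise, also for wide strings)."""
    for m in re.finditer(re.escape(needle), data):
        before = data[m.start() - 1:m.start()] if m.start() > 0 else b""
        after = data[m.end():m.end() + 1]
        if not before.isalnum() and not after.isalnum():
            return True
    return False


# $s0..$s4 of SeaDuke_Sample; $s2 is declared 'wide', i.e. UTF-16LE
SEADUKE_STRINGS = [
    b"bpython27.dll",
    b"email.header(",
    "LogonUI.exe".encode("utf-16-le"),
    b"Crypto.Cipher.AES(",
    b"mod is NULL - %s",
]


def matches_seaduke(data):
    """rule SeaDuke_Sample: uint16(0) == 0x5a4d and filesize < 4000KB and all of them."""
    if yara_uint16(data, 0) != MZ_MAGIC or len(data) >= SEADUKE_MAX_SIZE:
        return False
    return all(fullword_present(data, s) for s in SEADUKE_STRINGS)


def build_min_pe(payload=b""):
    """Constructed 0x40-byte DOS header whose e_lfanew points straight at 'PE\\0\\0'.
    Not a runnable executable, just enough header to satisfy the rules."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + payload


# constructed samples
SAMPLE_PE = build_min_pe()
SAMPLE_SEADUKE_LIKE = build_min_pe(b"\0".join(SEADUKE_STRINGS) + b"\0")
SAMPLE_TRUNCATED = b"MZ\x90\0\x03\0"            # DOS stub cut before e_lfanew
SAMPLE_NOT_FULLWORD = build_min_pe(b"xbpython27.dllx\0" + b"\0".join(SEADUKE_STRINGS[1:]) + b"\0")
SAMPLE_ELF = b"\x7fELF" + b"\0" * 60


def scan(data):
    """Names of the matching rules, like `yara rules.yar file` would print them."""
    rules = (("IsPeFile", is_pe_file), ("SeaDuke_Sample", matches_seaduke))
    return [name for name, rule in rules if rule(data)]


if __name__ == "__main__":
    for label, buf in [("minimal PE", SAMPLE_PE), ("seaduke-like", SAMPLE_SEADUKE_LIKE),
                       ("truncated MZ", SAMPLE_TRUNCATED), ("not fullword", SAMPLE_NOT_FULLWORD),
                       ("ELF", SAMPLE_ELF)]:
        print(f"{label:14} -> {scan(buf)}")
```

The truncated and not-fullword buffers are the cases worth keeping in mind when a rule unexpectedly fails to fire: an out-of-range integer read silently turns the whole condition false, and fullword rejects a string that sits inside a longer identifier.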
capa
This tool automates much of basic and advanced static analysis, speeding up initial triage. It matches rules against features extracted from the file: headers, imported API calls, strings, constants and disassembly patterns. It recognises communication, persistence and other techniques used by the piece of malware, and the output maps each detected capability to MITRE ATT&CK techniques and Malware Behavior Catalog (MBC) objectives. It does not query AV engines; for AV hits use malwoverview above.
sigcheck
Sysinternals tool that shows a file's version information and Authenticode signature status and can look the hash up on VirusTotal (-vt); a missing signature, or a valid one from an unexpected publisher, is a quick first triage signal.
DensityScout
Computes a density (entropy-like) value per file to flag packed or encrypted samples, which usually deserve a closer look.
Reversing
There are several options for reversing malware:
- IDA Pro (the free edition is limited to x86/x64)
- radare2 + plugins (the r2ghidra plugin adds the Ghidra decompiler): all architectures and free, but CLI only
- Cutter (radare2 with a GUI)
Also useful: scdbg, a shellcode emulator/debugger (Windows ❗️).
Python and PowerShell for decrypting and decoding strings, configs and payloads.
📚 Educational
- https://malwareunicorn.org/#/
- https://azeria-labs.com/writing-arm-assembly-part-1/ (relevant for the newest MacBooks, with ARM processors, and for mobile devices)
Windows
- 🔥 https://malapi.io/ - Windows API functions and their usage in malicious payloads.
macOS
- 🔥 One of the main macOS security projects out there, Objective-See: https://objective-see.org/blog/blog_0x0E.html
Mobile
- frida + objection (see docs for the tools and Telegram channel to ask questions: https://t.me/fridadotre)
Automation
Jupyter - https://github.com/mttaggart/blue-jupyter. Cool stuff, but nothing macOS or Cloud relevant. Would be very useful to create my own notebook for CloudTrail, access.log etc. analysis and for macOS triage in future as well. Combining Michael Leclair's script with this technique (+ adjusting for macOS instead).
YARA
Sandboxing
Any.Run (walkthrough: https://academy.tcm-sec.com/courses/1547503/lectures/35516326). Windows only; the free tier gives a 32-bit Windows 7 VM, with no 64-bit Windows and no macOS. Cuckoo is the self-hosted alternative.