
Building a Malware Analysis Lab : Windows 7

In this article we will build a malware analysis lab and use it to analyse malware samples.

I am going to start a malware analysis series, where I will take up different kinds of malware (malicious Word documents, Excel files, and some well-known executables) and analyse them step by step to understand how each one works.

What we will do

Download and install Windows 7 into VirtualBox or VMware.

Install all the necessary tools step by step, and understand what each tool does.

You can download all the tools listed here individually, or you can use FLARE VM by FireEye, a PowerShell script that installs most of these tools, along with various others, automatically. The procedure to install FLARE VM is at the end of the post.

Setting up Windows 7

Download a Windows 7 ISO image and install it in VirtualBox.

To create the virtual machine in VirtualBox:

→ Click New
→ Enter the name of the machine, its type and version, then click Continue
→ Enter the RAM you want to allot (2 GB is recommended), then click Continue
→ Select Create a Virtual Hard Disk Now, then click Create
→ Select VDI, then click Continue
→ Select Dynamically Allocated, then click Continue
→ Enter the path where you want to store the disk and the size of the disk, then click Create

Now a new virtual machine with all the configuration is created. To install Windows 7:

→ Select the newly created machine and click Start
→ VirtualBox will prompt for an ISO image; select the downloaded image and continue
→ Windows 7 will now boot and the installation will start
→ Follow the on-screen instructions to install the OS

Install Microsoft Office on the machine. This will be useful in scenarios where we need to analyse malicious Word documents, Excel files, PowerPoint files etc., which are quite commonly used in phishing campaigns as a way to deliver malware.

By now we have a freshly installed Windows 7 VM with Microsoft Office installed. Before installing other tools, let's disable the firewall in order to make Windows 7 more vulnerable and let the malware run easily.

To do so:

→ Click on Start and open Control Panel
→ Click on System and Security
→ Click on Windows Firewall
→ From the left panel, click on Turn Windows Firewall On or Off
→ Select Turn Windows Firewall Off, then click OK
→ Go back and click on Advanced Settings
→ This opens a new window; from the right panel, click on Properties
→ Set Firewall State to Off and click Apply

→ Now we need to disable Windows Update and Windows Defender as well
→ Open Run with `Win+R`, or from the Start menu by clicking Run
→ Type services.msc and press Enter
→ This opens a window listing all services; find the Windows Defender service
→ Right-click it, open Properties, and select Disabled from the Startup type dropdown
→ Click Apply and press OK
→ Disable Windows Update in the same way

Now we are ready to move forward with installing various tools:

PE Studio

Download and install PE Studio from here

This tool helps in the initial assessment of malware. It makes it easy to identify artifacts of an executable such as imported functions, strings, file hashes, entropy and so on.

To analyse a file, simply drag the executable onto PE Studio.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_PE_Info.png?raw=true

Here we can see basic information such as the hash of the file, the imphash (a hash computed over the imported libraries and functions), the signature and the entry point. All of this can be used to check whether the malware has been seen before by searching for these values on VirusTotal or any[.]run.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_PE_Indicators.png?raw=true

PE Studio also flags various indicators of whether the file could be malicious, such as other files embedded within it, which might suggest that the malware will unpack itself and save a copy at a different location for persistence.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_PE_Imports.png?raw=true

It also lists the Windows functions imported by the malware, hinting at what the malware is up to. For example, an import of CreateFileA hints that the malware creates a file, and a call to VirtualAlloc suggests that the malware injects code into memory in order to create a new process.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_PE_Strings.png?raw=true

PE Studio also lists the strings present in the executable. These may include URLs or domains that the malware connects to; however, such strings may be encrypted or obfuscated.

HxD

Download and install HxD from here

HxD is a hex editor. To open an executable in HxD, launch it and drag and drop the file onto the application window. It presents the hex dump of the file, with the decoded ASCII text shown on the right.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_HxD.png?raw=true

This can also be used to identify the type of a file by its signature; for example, an executable file starts with the signature 4D 5A, or MZ in ASCII.
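The checks that PE Studio, HxD and HashMyFiles perform by hand (file signature, hashes, entropy, strings, imported API names) can be scripted for a quick first pass. The following Python script is an added example, not code from the original post or from any of those tools: it identifies a file by its leading bytes (following e_lfanew to the PE signature for MZ files), computes MD5/SHA-1/SHA-256, measures byte entropy and extracts printable strings. SAMPLE_PE and API_WATCHLIST are constructed for the example; the sample is not a real program, and the API check is a string heuristic rather than a parse of the import table.

```python
import hashlib
import math
import re
import struct

# Constructed sample: a minimal MZ stub whose e_lfanew (offset 0x3C) points at a
# "PE\0\0" signature at offset 0x40, followed by a few planted strings.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + struct.pack("<HH", 0x014C, 1)  # Machine=i386, 1 section
    + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\x00"
    + b"http://example.invalid/update.bin\x00"
    + b"CreateFileA\x00VirtualAlloc\x00"
)

# Constructed watch-list of API names worth a second look (hypothetical selection).
API_WATCHLIST = {"CreateFileA", "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"}


def file_type(data: bytes) -> str:
    """Identify the file by its leading bytes, as one would by eye in HxD."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE executable"
        return "DOS executable (MZ header, no PE signature)"
    if data[:4] == b"%PDF":
        return "PDF document"
    if data[:4] == b"PK\x03\x04":
        return "ZIP container (also OOXML Office documents)"
    if data[:8] == b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1":
        return "OLE2 compound file (legacy Office document)"
    return "unknown"


def hashes(data: bytes) -> dict:
    """The digests HashMyFiles would show, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values close to 8 suggest packing or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, like PE Studio's strings view."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def api_names(data: bytes) -> list:
    """Watch-listed API names visible as plain strings (heuristic, not an import-table parse)."""
    return sorted(set(strings(data, 4)) & API_WATCHLIST)


def triage(data: bytes) -> dict:
    """One-shot static summary of a sample."""
    return {
        "type": file_type(data),
        "hashes": hashes(data),
        "entropy": round(entropy(data), 3),
        "strings": strings(data),
        "api_names": api_names(data),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

Run it against a real sample by replacing SAMPLE_PE with the bytes of the file; the entropy figure is most useful per section rather than for the whole file, and a PE-parsing library is needed if you want the true imphash rather than the string heuristic shown here.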

WinSCP

Download and install WinSCP from here

WinSCP is used to access or copy files between systems using the SCP (Secure Copy) protocol, which comes with the SSH suite.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_WINSCP.png?raw=true

WinSCP can connect to any remote machine by entering its IP address and credentials; an SSH daemon needs to be running on the remote machine. WinSCP presents an Explorer-like window where the left panel shows local files and the right panel shows remote files. It also supports drag and drop to copy files between the systems.

Autoruns

Download and install Autoruns from here

Autoruns is a tool from the Sysinternals suite which scans all the registry keys and services to present every file or program configured to run automatically at startup. This is useful for identifying whether a malware is making any registry changes for persistence.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_AUTORUN.png?raw=true

Hash My Files

Download and install HashMyFiles from here

HashMyFiles is a tool used to compute various types of hash of a file.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_HASHMF.png?raw=true

The tool shows various hashes such as MD5, SHA256, SHA512 etc.

Process Hacker

Download and install Process Hacker from here

Process Hacker helps in identifying the processes running in real time. It shows every process, any child processes spawned by it, the user who ran it, and a description.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_PRH.png?raw=true

Process Hacker is a powerful replacement for Windows Task Manager, and serves to provide both information and a way to shut down unwanted processes. It provides multiple displays of what’s going on in your system.

Process Monitor (Procmon)

Download and install Procmon from here

This is an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity. It captures every process and its activity along with its threads. The output can later be fed to another tool called ProcDOT to generate a graph showing everything the malware did, from creating and deleting files to creating registry keys and making network requests.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_PRM_INTRO.png?raw=true
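Procmon's capture can be exported as CSV, and the persistence question Autoruns answers (did the sample add an autostart entry?) can be asked of that export directly, together with dropped files, child processes and outbound connections. The Python below is an added example, not code from the original post or from Procmon; SAMPLE_CSV is a constructed log in the column layout of Procmon's CSV export, and the path patterns and categories are the example's own choices, not a complete rule set.

```python
import csv
import io
import re

# Constructed Procmon-style CSV export (not a real capture). Each row is one event.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","invoice.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:02:11.2","invoice.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Offset: 0, Length: 40960"
"10:02:11.3","invoice.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"
"10:02:11.4","invoice.exe","1234","Process Create","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","PID: 2345"
"10:02:11.5","explorer.exe","800","CreateFile","C:\\Users\\lab\\Documents\\notes.txt","SUCCESS","Desired Access: Generic Read"
"10:02:11.6","invoice.exe","1234","TCP Connect","lab-vm:49200 -> 203.0.113.10:443","SUCCESS","Length: 0"
"""

# Autostart locations Autoruns would list (a small subset, chosen for the example).
RUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.IGNORECASE)
# User-writable directories where dropped payloads commonly land.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(exe|dll|scr|vbs|js|ps1|bat)$", re.IGNORECASE)


def classify(row: dict):
    """Return (category, description) for a noteworthy event, or None for noise."""
    op, path, detail = row["Operation"], row["Path"], row["Detail"]
    if op == "RegSetValue" and RUN_KEYS.search(path):
        return "persistence", f"autostart value {path} ({detail})"
    if op == "CreateFile" and "Generic Write" in detail and USER_WRITABLE.search(path) and EXEC_EXT.search(path):
        return "dropped_file", f"executable written to {path}"
    if op == "Process Create":
        return "child_process", f"{row['Process Name']} spawned {path}"
    if op in ("TCP Connect", "UDP Send"):
        return "network", path
    return None


def analyze(csv_text: str) -> list:
    """Walk the export and return (process, category, description) findings in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit = classify(row)
        if hit:
            findings.append((row["Process Name"], hit[0], hit[1]))
    return findings


def summary(csv_text: str) -> dict:
    """Per-process sorted list of behaviour categories; several categories on one process is the signal."""
    by_proc = {}
    for proc, kind, _ in analyze(csv_text):
        by_proc.setdefault(proc, set()).add(kind)
    return {proc: sorted(kinds) for proc, kinds in by_proc.items()}


if __name__ == "__main__":
    for proc, kind, desc in analyze(SAMPLE_CSV):
        print(f"[{kind}] {proc}: {desc}")
    print(summary(SAMPLE_CSV))
```

Apply a Procmon filter on the sample's process name before exporting, otherwise the background noise of Windows itself dominates the CSV; the categories here are a starting point to extend with whatever behaviour the sample under analysis shows.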

RegShot

Download and install RegShot from here

RegShot is used to capture the current state of the system and then, after running a malware, capture the state again. The two states are compared and a report is generated listing all the changes, from created files to created registry keys.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_REGSHOT_I.png?raw=true

Before running the malware, click the 1st Shot button; it will start capturing the state.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_REGSHOT_II.png?raw=true

Run the malware, then click the 2nd Shot button to capture the state again. When done, click the Compare button to generate a report based on the two captured states.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_REGSHOT_RES.png?raw=true

Fiddler

Download and install Fiddler from here

Fiddler is used to capture any network traffic generated by the malware. It captures all requests, from DNS requests to HTTP requests, helping to identify IOCs (Indicators of Compromise), which can then be checked against other systems to find out whether they are affected by the malware.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_FIDDLER.png?raw=true

x32dbg

Download and install x32dbg from here

This is a debugger used to dynamically analyse malware by running it under the debugger.

https://github.com/sahil-rawat/assets/blob/master/IMG/MAL_LAB_DBG.png?raw=true

The debugger has various sections: the main panel consists of the disassembled code, to its right is the list of registers, below the main panel is a memory section showing the data contained in memory, and at the bottom right is the stack.

Security Tips

  • Set the network configuration to Host-Only when you are executing a malware.
  • Always download malware samples compressed and password protected, in order to prevent accidental execution.
  • Disable shared folder settings before starting the analysis.
  • Take a snapshot of the VM in a clean state, and reset the VM to that clean state after analysing the malware.
  • Don't store any personal data on the VM.

FLARE VM by FireEye

Download FLARE VM from here

→ Once downloaded, move the flarevm folder to the Windows machine
→ Unzip the folder
→ Open a PowerShell window and change to the flarevm folder
→ Set the execution policy to unrestricted, so that the PowerShell script can run, by typing `Set-ExecutionPolicy unrestricted` into the window
→ Make sure the Internet connection is working
→ Run the script by typing `./install.ps1`
→ Enter your password


This post was an introductory look at these tools. We will discuss them in depth in later posts, where we will analyse malware practically; for now, download the tools and get acquainted with their functionality.


Thanks for Reading, Stay tuned for more ❤︎


This post is licensed under CC BY 4.0 by the author.