An overview of what it takes to build your own #malware #analysis #sandbox! The core steps (not an exhaustive list) are:
1 — Virtualize
Start with a #freeware #hypervisor like #Oracle #VirtualBox. For a malware #analysis lab, you’ll want a #free #Windows10 test target VM (where you detonate the malicious payload) and an examiner VM (ideally #REMnux #Linux).
- Windows Test OS download: buff.ly/2rfniX7
- Linux download: buff.ly/3rNstzR.
2 — Trick the Malware
Malware meticulously examines the configuration of the device it lands on. So, we must trick the malware into thinking the target machine is a legitimate workstation and NOT a sandbox testing environment. Therefore, allocate at least 8GB of #RAM, 4 #CPU cores and 100GB of disk space for the Windows VM. The Linux VM can run on minimum specs.
3 — Lived-in OS
The OS needs to look lived in. We want to BAIT the malware into action. If an app the malware expects isn’t installed, its behavior may change. For example, Excel is a key attack vector for #macroviruses. Install daily-driver apps like VLC, Microsoft Office apps, etc.
4 — Fake Internet Connection
Some malware runs a ping test to see if there’s a live internet connection (likely before #exfiltrating #stolendata to a #C2server). So, we need to fake an internet connection to trick it into thinking it's online. Thankfully, tools like #INetSim and #FakeNet can be our malware-tricking magicians here! Learn more about connection magicians here: buff.ly/3OxlCDt
5 — SOC Analyst Tool Belt
By having the right set of tools at your disposal, you can confidently dive into analyzing potentially malicious #software and uncover any hidden #threats. See the toolset below (or, even better, use the #FlareVM toolset: buff.ly/3KlwPoe)
- Debuggers: #x64dbg - basically, this tool goes all Sherlock Holmes on a running sample, stepping through it to see what it's up to.
- Disassemblers: #Ghidra buff.ly/3OlI3KG - to #reverseengineer and #debug.
- Traffic checkers: #Wireshark - inspects network traffic to identify any suspicious requests made by the malware.
- File checkers: #ProcessMonitor, #ProcDOT - show how files are accessed and handled.
- Process checkers: #ProcessExplorer, #ProcessHacker - assist you in monitoring malware behavior.
6 — #VLANs are your friend
Use VLANs or modify the hypervisor network settings to ensure that both VMs are completely segregated from everything else, or else suffer the consequences of #malware moving laterally into your #production network. Idea: use #pfSense or #OPNsense and/or point the Windows VM's #DNS at the Linux machine.
7 — Backups!
You need to have a malware-free restore point for your VMs pre-configured BEFORE you introduce a potentially #maliciousfile into the sandbox. Take a hypervisor-level snapshot before proceeding.
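Steps 2, 6 and 7 as one VBoxManage script, added here as an example and not part of the original post. It assumes two existing VMs named win10-target and remnux-examiner, an internal network named malware-lab, and VirtualBox 6.1 or newer (for --clipboard-mode); it prints the commands by default and only runs them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): wire up the VirtualBox lab
# from steps 2, 6 and 7 with VBoxManage. VM and network names below are
# assumptions; override them with environment variables if yours differ.
set -eu

WIN_VM="${WIN_VM:-win10-target}"        # assumed name of the detonation VM
LNX_VM="${LNX_VM:-remnux-examiner}"     # assumed name of the REMnux VM
LAB_NET="${LAB_NET:-malware-lab}"       # assumed name of the internal network
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = run VBoxManage

# Print (dry run) or execute a VBoxManage command.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'VBoxManage %s\n' "$*"
  else
    VBoxManage "$@"
  fi
}

# Step 2: give the Windows target workstation-like resources (8GB RAM, 4 cores).
# Disk size is fixed when the virtual disk is created, so it is not touched here.
size_target_vm() {
  run modifyvm "$WIN_VM" --memory 8192 --cpus 4
}

# Step 6: put both VMs on a VirtualBox *internal* network. Unlike NAT, bridged
# or host-only, an internal network has no path to the host or the production
# LAN, so the REMnux VM (running INetSim/FakeNet) is the sample's only "internet".
isolate_vms() {
  for vm in "$WIN_VM" "$LNX_VM"; do
    run modifyvm "$vm" --nic1 intnet --intnet1 "$LAB_NET" --cableconnected1 on
    # Close the guest<->host side channels too (clipboard, drag and drop).
    run modifyvm "$vm" --clipboard-mode disabled --draganddrop disabled
  done
}

# Step 7: record a clean restore point before any sample touches the target.
snapshot_clean() {
  run snapshot "$WIN_VM" take clean-baseline --description "pre-detonation baseline"
}

main() {
  size_target_vm
  isolate_vms
  snapshot_clean
}

main
```

Review the printed commands first, then rerun with DRY_RUN=0 to apply them while both VMs are powered off.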
There's always room for improvement, so please comment on what you would do differently or share your fav tool~