Build your own #malware #analysis #sandbox!

An overview of what it takes to build your own #malware #analysis #sandbox! The core steps are (though not limited to these):

1 — Virtualize

Start with a #freeware #hypervisor like #Oracle #VirtualBox. For a malware #analysis lab, you’ll want a #free #Windows10 test target VM (where you detonate the malicious payload) and an examiner VM (ideally #REMnux #Linux).

- Windows Test OS download: buff.ly/2rfniX7

- Linux download: buff.ly/3rNstzR.

2 — Trick the Malware

Malware meticulously examines the configuration of the device it lands on. So, we must trick the malware into thinking the target machine is a legitimate workstation and NOT a sandbox testing environment. Therefore, allocate at least 8GB of #RAM, 4 #CPU cores and 100GB of disk space to the Windows VM. The Linux VM can run with minimal specs.

3 — Lived-in OS

The OS needs to look lived in. We want to BAIT the malware into action. If an application the malware expects isn’t installed, its behavior may change. For example, Excel is a key attack vector for #macroviruses. Install daily-driver apps like VLC, Microsoft Office and the like.

4 — Fake Internet Connection

Some malware runs a ping test to see if there’s a live internet connection (likely before #exfiltrating #stolendata to a #C2server). So, we need to fake an internet connection to trick it into thinking it's online. Thankfully, tools like #INetSim and #FakeNet can be our malware-tricking magicians here! Learn more about these connection magicians here: buff.ly/3OxlCDt

5 — SOC Analyst Tool Belt

By having the right set of tools at your disposal, you can confidently dive into analyzing potentially malicious #software and uncover any hidden #threats. See the toolset below (or, even better, use the #FlareVM tool collection: buff.ly/3KlwPoe)

- Debuggers: #x64dbg - steps through the sample's execution instruction by instruction, so you can watch exactly what it's up to at runtime.

- Disassemblers: #Ghidra (buff.ly/3OlI3KG) - to #reverseengineer the binary statically and #debug it.

- Traffic checkers: #Wireshark - captures the #network traffic between the VMs to identify any suspicious requests made by the malware.

- File checkers: #ProcessMonitor, #ProcDOT - show how the sample reads, writes and handles files (ProcDOT visualizes the ProcessMonitor logs as a graph).

- Process checkers: #ProcessExplorer, #ProcessHacker - help you monitor the processes the malware spawns and how they behave.

6 — #VLANs are your friend

Use VLANs or modify the hypervisor network settings to ensure that both VMs are completely segregated from everything else, or else suffer the consequences of #malware moving laterally into your #production network. Idea: use #pfSense or #OPNsense as the lab gateway and/or point the Windows VM's #DNS at the Linux examiner VM.

7 — Backups!

You need a malware-free restore point for your VMs in place BEFORE you inject a potentially #maliciousfile into the sandbox. Take a hypervisor-level snapshot of both VMs before proceeding.
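As an added example that is not part of the original post, here is how steps 2, 6 and 7 can be scripted against VirtualBox with its VBoxManage CLI; the VM names, the internal-network name and the disk directory are assumptions, and the REMnux examiner VM is assumed to be already imported:

```shell
#!/bin/sh
# Added example (not from the original post): create the Windows target VM
# with the step-2 sizing, put both VMs on an isolated internal network (step 6)
# and take the clean snapshot of step 7. Requires VirtualBox's VBoxManage.
# Commands are only printed until SANDBOX_APPLY=1 is set, so the plan can be
# reviewed first. VM names, the intnet name and the disk path are assumptions.

TARGET_VM="${TARGET_VM:-win10-target}"
EXAMINER_VM="${EXAMINER_VM:-remnux-examiner}"
INTNET="${INTNET:-malnet}"                  # VirtualBox internal net, no host access
DISK_DIR="${DISK_DIR:-$HOME/sandbox-disks}"

# Run VBoxManage, or just echo the command line when not applying.
vbm() {
    if [ "${SANDBOX_APPLY:-0}" = "1" ]; then
        VBoxManage "$@"
    else
        printf 'VBoxManage %s\n' "$*"
    fi
}

# Step 2: size the Windows target like a real workstation (8GB RAM, 4 cores, 100GB disk).
create_target_vm() {
    vbm createvm --name "$TARGET_VM" --ostype Windows10_64 --register
    vbm modifyvm "$TARGET_VM" --memory 8192 --cpus 4
    vbm createmedium disk --filename "$DISK_DIR/$TARGET_VM.vdi" --size 102400
    vbm storagectl "$TARGET_VM" --name SATA --add sata
    vbm storageattach "$TARGET_VM" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$DISK_DIR/$TARGET_VM.vdi"
}

# Step 6: first NIC on the internal network only, no second NIC, so neither
# VM can reach the host LAN. INetSim/FakeNet on the examiner VM answers here.
isolate_vm() {
    vbm modifyvm "$1" --nic1 intnet --intnet1 "$INTNET" --nic2 none
}

# Step 7: the malware-free restore point, taken before any sample goes in.
take_clean_snapshot() {
    vbm snapshot "$1" take clean-baseline --description "pre-detonation restore point"
}

main() {
    create_target_vm
    isolate_vm "$TARGET_VM"
    isolate_vm "$EXAMINER_VM"       # assumes the REMnux VM was already imported
    take_clean_snapshot "$TARGET_VM"
    take_clean_snapshot "$EXAMINER_VM"
}
main
```

Run it once to review the printed plan, then rerun with SANDBOX_APPLY=1 to execute it; the Windows ISO from step 1 still has to be attached and installed by hand.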

There's always room for improvement, so please comment on what you would do differently or share your fav tool~