Intro to basic malware analysis

Intro

First: thanks for coming to the class, if you come.

Second: if you want to work along and do the examples in class, plan on bringing a laptop capable of running 3 VMs, with the CPU's Intel VT-x or AMD-V "virtualization extensions" enabled in the BIOS.

The VMs are: a Windows VM with 2 cores and 4 GB of RAM, a Linux VM with 1 core and 4 GB of RAM, and a *BSD VM with 1 core and 512 MB of RAM. You can probably dial down the RAM a little if you really need to.

Tested on

  • Linux Mint + VirtualBox on a refurb i7 laptop and desktop

  • Windows 10 + VirtualBox on a refurb i5 desktop

  • Windows 10 + VirtualBox on an older i7

  • a variety of desktops and laptops in a college class

Please

To save time on the day of class, please try to get these VMs downloaded and imported, and test the networking pieces (ping each VM from each VM).

This mini-lab is built entirely for VirtualBox (v6.1.2 is what I used at the time) but might work in VMware.

Keep all the MAC addresses during import; otherwise you will likely have to reconfigure the NICs inside the VMs. During import, keep the MACs!
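A host-side helper for the import and snapshot steps, added here as an example and not part of the class materials. It assumes the VBoxManage option names of the VirtualBox 6.1 line (`--options keepallmacs` on import, the `nicpromisc1` key in `--machinereadable` output, with NIC 1 assumed to be the adapter on the internal network) and the .ova file names from the download list; the VM names inside the appliances are not given on this page, so read them back from `VBoxManage list vms` after importing and pass them to the check and snapshot functions.

```shell
#!/bin/sh
# Host-side helper for importing the three lab appliances (added example,
# not part of the class materials). Assumes VirtualBox 6.1-era VBoxManage
# option names; VM names come from `VBoxManage list vms` after import
# because the page does not give them.

set -u

SNAPSHOT_NAME="clean-fresh-working"   # name suggested by the page

# Import one .ova keeping every MAC address, so the NICs inside the guest
# still match the interface configuration the images were built with.
import_ova() {
    ova="$1"
    if [ ! -f "$ova" ]; then
        echo "missing appliance file: $ova" >&2
        return 1
    fi
    VBoxManage import "$ova" --options keepallmacs
}

# Extract NIC 1's promiscuous-mode setting from `VBoxManage showvminfo
# --machinereadable` output read on stdin (key "nicpromisc1"; NIC index 1
# is assumed to be the internal-network adapter).
parse_promisc() {
    sed -n 's/^nicpromisc1="\(.*\)"$/\1/p'
}

# Report whether a VM's NIC 1 will see the other guests' traffic on the
# internal network. "allow-all" is what the analysis VM needs for sniffing.
check_promisc() {
    vm="$1"
    mode=$(VBoxManage showvminfo "$vm" --machinereadable | parse_promisc)
    case "$mode" in
        allow-all|allow-vms)
            echo "$vm: promiscuous mode = $mode (ok)"
            return 0 ;;
        *)
            echo "$vm: promiscuous mode = '${mode:-unset}' (analysis VM needs allow-all)" >&2
            return 1 ;;
    esac
}

# Take the "clean" snapshot the page asks for once networking checks out.
snapshot_vm() {
    VBoxManage snapshot "$1" take "$SNAPSHOT_NAME" \
        --description "fresh import, networking verified"
}

# Usage: sh lab-import.sh import    (run from the directory holding the .ova files)
if [ "${1:-}" = "import" ]; then
    for ova in router-vm-v4.ova analysis-vm-v4.ova sandbox-vm-v4.ova; do
        import_ova "$ova" || exit 1
    done
    VBoxManage list vms
fi
```

After `sh lab-import.sh import` finishes, run `check_promisc "<analysis VM name>"` against the name `VBoxManage list vms` printed for the analysis VM before you start it, and `snapshot_vm "<name>"` for each VM only after the in-guest ping test described below the VM list passes.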

VMs

OPNSense Router/Firewall VM (512 MB .ova file)

Download from one of these :

  • https://drive.google.com/open?id=15FLVioAJTZkJb5WYcJmIk-eW0cv4Aqdp

  • https://threatactorsguild.info/router-vm-v4.ova

LAN IP: 192.168.99.1

user: root, pass: opnsense123


Analysis VM (4.1 GB .ova file)

Download from one of these :

  • https://drive.google.com/open?id=18PrZPTSkGFLJRKOcLXk3pk3OooMBfQi9

  • https://threatactorsguild.info/analysis-vm-v4.ova

LAN IP: 192.168.99.10

user: analyst, pass: analyst123


Sandbox VM (12.4 GB .ova file)

Download from one of these :

  • https://drive.google.com/open?id=1iasJvEM77eHccV5yDKAQhJ7wwrT8h0NW

  • https://threatactorsguild.info/sandbox-vm-v4.ova

LAN IP: 192.168.99.100

user: timmy, pass: timmy123

Networking scheme of maneuver

The malware network is entirely VirtualBox "internal networking."

A router/firewall VM provides access to the internet through a NAT VirtualBox interface.

The OPNsense router/firewall VM's WAN interface expects to get a DHCP address, which VirtualBox's NAT network should provide.

Traffic from the sandbox VM should be visible to the analysis VM because the analysis VM's VirtualBox network adapter is set to "promiscuous" mode.

The analysis VM should be able to browse normal internet websites. All VMs should be able to ping each other.
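An in-guest connectivity check for the "ping each VM from each VM" step, added here as an example and not part of the class materials. It uses the three LAN addresses listed above and assumes Linux and FreeBSD ping flags (the analysis VM and the OPNsense router respectively); the Windows sandbox has no sh, so there use `ping -n 1 -w 1000 <ip>` from cmd for each address instead. The internet probe address is an assumption of this script, not something the page specifies, and is only expected to succeed from the analysis VM.

```shell
#!/bin/sh
# In-guest connectivity check for the lab network (added example, not part
# of the class materials). Run inside the analysis VM and the router VM.

set -u

# Address probed to confirm the route out through the router's NAT WAN.
# Assumption of this script; override with INTERNET_PROBE=<ip>.
INTERNET_PROBE="${INTERNET_PROBE:-1.1.1.1}"

# Expected lab addresses, straight from the VM list on the page.
expected_lab_hosts() {
    printf '%s\n' \
        "router   192.168.99.1" \
        "analysis 192.168.99.10" \
        "sandbox  192.168.99.100"
}

# Look up one role's address; prints nothing for an unknown role.
lab_ip() {
    expected_lab_hosts | awk -v role="$1" '$1 == role { print $2 }'
}

# One ICMP echo with roughly a one-second wait. Linux ping takes -W in
# seconds; FreeBSD (the router) takes -t as an overall timeout in seconds.
ping_once() {
    case "$(uname -s)" in
        Linux) ping -c 1 -W 1 "$1" >/dev/null 2>&1 ;;
        *)     ping -c 1 -t 2 "$1" >/dev/null 2>&1 ;;
    esac
}

# Ping every lab host; the return value is the number of unreachable hosts.
verify_lab() {
    failures=0
    for role in router analysis sandbox; do
        ip=$(lab_ip "$role")
        if ping_once "$ip"; then
            echo "ok    $role ($ip)"
        else
            echo "FAIL  $role ($ip) unreachable"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Separate because only the analysis VM is expected to reach the internet.
check_internet() {
    if ping_once "$INTERNET_PROBE"; then
        echo "ok    internet via router ($INTERNET_PROBE)"
    else
        echo "FAIL  internet via router ($INTERNET_PROBE) unreachable"
        return 1
    fi
}

# Usage: sh lab-check.sh run            (lab hosts only)
#        sh lab-check.sh run internet   (lab hosts plus the internet probe)
if [ "${1:-}" = "run" ]; then
    status=0
    verify_lab || status=1
    if [ "${2:-}" = "internet" ]; then
        check_internet || status=1
    fi
    exit "$status"
fi
```

A non-zero exit means something the page says should work does not: a FAIL on a lab host usually points at a NIC that lost its MAC during import, while a FAIL on the internet probe from the analysis VM usually means the router's WAN interface did not get its DHCP lease from VirtualBox NAT.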

OK!

Everything working?

Cool. Shut each VM down and take a snapshot of each one, named something like "clean-fresh-working" or whatever.

Questions / problems ?

threatactorsguild@gmail.com