Back again with another blog on malware analysis. We have already seen how to set up a sandboxed environment for static malware analysis and how to carry out static analysis in the previous posts; if you are new here, please go through those posts first and then continue with this one.
You can read those blogs here.
Today, in this blog, we will be setting up a lab for dynamic analysis.
In the static analysis posts we examined a lot of things about malware samples using the FLARE VM setup.
Let's see what we need for dynamic analysis.
Hypervisor – VirtualBox or VMware
Operating System – Windows 7, 8 or 10
Major note: previously, for static analysis, we were working in a very hardened lab environment because we did not want the malware to get executed by mistake.
Here, however, we are going to make our lab malware friendly.
We are going to do the exact opposite of what we did for static analysis: we make everything friendly for the malware so that it can propagate and execute with ease.
We need to do:
1. Make the OS malware friendly
2. Make the internet browser malware friendly
3. Install exploitable software
4. Create enticing files
5. Use fake social media accounts
The items in the to-do list above are there to fool the malware into believing it is running in a real environment and not on some kind of malware analysis platform.
Let's do these things one by one.
Friendly OS for malware:
For a friendly OS we need to give the default user administrative privileges; for that we need to make changes in two places:
User Account Control,
Automatic updates (disable them).
Here I am using Windows 10.
Open Run by pressing Windows key + R.
Type services.msc and hit Enter.
Choose the Windows Update service.
Stop the service from the left pane.
You can also reach this by going to Control Panel–>System and Security–>Administrative Tools.
Disabling User Account Control:
Click Start–>Control Panel–>User Accounts–>User Accounts–>Change User Account Control Settings–>Lower the slider to the lowest setting.
Making the internet browser malware friendly:
We should have at least 3 browsers installed to make it more realistic.
We will use Internet Explorer, Firefox and Google Chrome.
For Internet Explorer:
- Right click the Start icon and select Control Panel.
- Click Programs.
- Choose Programs & Features.
- In the left sidebar, select Turn Windows features on or off.
- Uncheck the box next to Internet Explorer 11.
- Select Yes from the pop-up dialog.
- Press OK.
In Firefox, click the menu at the top right, then click Options, then uncheck the block pop-up windows option.
We need to do the same setting in Google Chrome too.
Next we will install a few common software packages to make it look more real, such as:
- Microsoft Office
- Adobe Flash Player
Let's make them malware friendly one by one:
1. Open Microsoft Word
2. Click File–>Options–>Trust Center–>Trusted Locations
3. Add a new location where you will keep the malicious document files; here I am choosing Desktop as my location.
4. Go to ActiveX Settings–>Enable all controls without restrictions and without prompting, and uncheck Safe mode.
5. Go to Macro Settings–>Select the radio button Enable all macros (not recommended)
6. Click OK until all the windows are closed.
Repeat the same steps for Excel, PowerPoint and Access too.
Publisher is a little different: it has DEP settings, so uncheck Enable Data Execution Prevention mode.
Make Adobe Reader Malware Friendly:
- Install Adobe Reader
- Open Adobe Reader
- Choose Edit–>Preferences
- Click Security (Enhanced)–>uncheck Enable Protected Mode–>uncheck Enable Enhanced Security
- Click Trust Manager in the left pane
- Click the Change Settings button under Internet Access from PDF files outside the web browser
- Click Updater in the left pane
- Select the radio button Do not download or install updates automatically and click OK
- Restart the Adobe Reader application
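The OS, Office and Adobe Reader settings above can also be applied from an elevated PowerShell prompt inside the analysis VM. This is an added example, not part of the original post or any vendor tooling; the registry paths assume Office 2016/2019/365 (registry version 16.0) and Adobe Acrobat Reader DC, and the trusted location subkey name LocationLab is our own choice. The browser pop-up settings are left to the GUI steps above.

```powershell
# Added example, not from the original post: applies the OS, Office and Adobe Reader
# settings above through the registry instead of the GUI. Assumptions: it runs
# elevated inside the isolated analysis VM, Office uses registry version 16.0
# (2016/2019/365) and the PDF reader is Adobe Acrobat Reader DC.
$ErrorActionPreference = 'Stop'

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    # Create the key if it does not exist, then write the DWORD value
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Windows Update: stop the service and keep it from starting again
Stop-Service -Name wuauserv -Force
Set-Service  -Name wuauserv -StartupType Disabled

# 2. User Account Control: never notify (takes effect after a reboot)
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-RegDword $uac 'EnableLUA' 0
Set-RegDword $uac 'ConsentPromptBehaviorAdmin' 0
Set-RegDword $uac 'PromptOnSecureDesktop' 0

# 3. Office: enable all macros and add the Desktop as a trusted location
$docs = Join-Path $env:USERPROFILE 'Desktop'
foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Access') {
    $sec = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    Set-RegDword $sec 'VBAWarnings' 1              # 1 = Enable all macros (not recommended)
    $loc = "$sec\Trusted Locations\LocationLab"   # subkey name is our own choice
    if (-not (Test-Path $loc)) { New-Item -Path $loc -Force | Out-Null }
    New-ItemProperty -Path $loc -Name 'Path' -Value $docs -PropertyType String -Force | Out-Null
    Set-RegDword $loc 'AllowSubfolders' 1
}

# 4. Adobe Reader DC: Protected Mode and Enhanced Security off, updater off
$reader = 'HKCU:\Software\Adobe\Acrobat Reader\DC'
Set-RegDword "$reader\Privileged"   'bProtectedMode' 0
Set-RegDword "$reader\TrustManager" 'bEnhancedSecurityStandalone' 0
Set-RegDword "$reader\TrustManager" 'bEnhancedSecurityInBrowser' 0
Set-RegDword 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' 'bUpdater' 0

Write-Host 'Lab settings applied; reboot the VM for the UAC change to take effect.'
```

Run it once on the clean VM, reboot, and only then take the baseline snapshot described later in this post so that every analysis starts from the same weakened state.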
Create enticing files:
We need enticing files in our malware analysis environment to make it more realistic for the malware to execute, since it may look for sensitive information and for sensitive files and folders. So we have to create some enticing files and folders in the name of
Dummy social media accounts are also needed, in case your malware looks for social media accounts such as Facebook, Twitter and Instagram.
Anonymizing and isolating the lab:
We need to anonymize our lab environment from the malware and its operators, because in some cases, if an attacker tries to take down your malware lab or your system over the internet, it will be a bigger problem, so it is good to use
Isolation of your lab should be your highest priority: always isolate your laboratory from the production environment; it should not affect production at any cost. It is highly preferable to use a separate machine for this.
RESTORING AND BACKUP:
Next we have restoration. We need this every time we finish analysing a malware sample: we need to bring our environment back to its normal state.
We need to do this regularly to avoid mishaps with malware and also to be able to restore.
We have two methods to do this restoration:
- Bare-metal clean-state restoration – takes too much time (old method)
- Virtualization snapshots – here we will do the restoration using the VMware snapshot method.
We also have to back up our OS into an image, because we don't want to set up our environment again from scratch; that is too time consuming. Here I am using R-Drive Image; you will find other tools such as Clonezilla.
BASIC TOOLS TO CARRY OUT DYNAMIC ANALYSIS:
Device driver monitoring tool – Driver Booster
Port monitoring tool – CurrPorts
Registry monitoring tool – RegShot
Windows startup program monitoring tool – WinPatrol
Install all the tools mentioned above, then take a backup of your OS into an image file using R-Drive Image.
Then take a snapshot of the OS using the hypervisor. There is also a method using a non-persistent disk image which helps very well; I will explain that in the next blog.
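To show what RegShot and the startup monitors are looking for, here is an added PowerShell example (not from the original post and not the tools' own code) that records the usual persistence locations before the sample runs and diffs them afterwards; the output file name lab-before.txt is assumed.

```powershell
# Added example, not from the original post: a small RegShot-style before/after
# comparison of common persistence locations. Assumptions: it runs inside the
# analysis VM on Windows 8 or later (Get-ScheduledTask), and the snapshot file
# name used at the bottom is our own choice.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-LabSnapshot {
    # One flat list of "category|name|value" lines so Compare-Object can diff it
    $items = New-Object System.Collections.Generic.List[string]
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $items.Add("run|$key\$($p.Name)|$($p.Value)") }
        }
    }
    Get-CimInstance Win32_Service | ForEach-Object {
        $items.Add("service|$($_.Name)|$($_.PathName)|$($_.StartMode)")
    }
    Get-ScheduledTask | ForEach-Object {
        $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ';'
        $items.Add("task|$($_.TaskPath)$($_.TaskName)|$cmd")
    }
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
        $items.Add("startup|$($_.FullName)|$($_.Length)")
    }
    return $items.ToArray()
}

function Compare-LabSnapshot([string[]]$Before, [string[]]$After) {
    # Lines only in After are new persistence candidates; lines only in Before
    # were removed or changed (a changed value shows up as one REMOVED + one ADDED)
    Compare-Object -ReferenceObject $Before -DifferenceObject $After | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$tag $($_.InputObject)"
    }
}

# Usage: snapshot before detonation, save it, run the sample, snapshot again, compare
$file = Join-Path $env:USERPROFILE 'Desktop\lab-before.txt'
Get-LabSnapshot | Set-Content -Path $file
# ... run the sample and wait for it to finish, then:
# Compare-LabSnapshot -Before (Get-Content $file) -After (Get-LabSnapshot)
```

Anything tagged ADDED under run, service, task or startup after detonation is the same kind of change RegShot and WinPatrol would flag, and is the first thing to pull into the report before reverting the snapshot.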
Now we can analyze our malware in the dynamic environment; we will cover the analysis itself in another blog post. In this post we have covered:
- Operating System Installation
- Malware Friendly laboratory
- Anonymizing and Isolating Lab
- Enticing Files and Necessary Files
- Restoring & Backup
All set to go for next blog on analysis, see you soon, Thank you!