Good Afternoon Guys,
Back again with a new blog, today we are going to see how to setup a Sandboxing environment for Malware analysis.
Malware analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor………. Nothing much got it from Wikipedia Guys……. Rofl.
As a cyber security professional or organization, we need to work on Malware analysis to keenly look for Malwares to know how it behaves and how it proceeds further.
For that Sandboxing is the very first step to do Malware analysis.
Here we will be using Windows 10, many people felt windows 7 is convenient, I leave it upto them.
Let’s See what we got here today,
First of all, do not use your main computer which you use for work, its all risky if something happens, we know that human mind tends to do mistake, so I said Do Not.
If you have only one computer, don’t worry we have Virtual Box with us…
Here comes the Major Part, Setting up of Virtual environment
Every Modern Malware is designed with the aspect of anti-analysing features in mind, it will analyse the environment to look up for any strange activities of analysing things.
It will check up your active internet connection, it will Check your Computer resources
So, it is mandatory to setting up your Virtual environment as Real as possible
If your computer has 512MB or 1GB of RAM or 20GB of hard disk definitely it will find that you are working in a virtual environment.
So, I recommend you to have at least 2 or 4 GB of allotted RAM, and 80 or 100GB of Hard Disk Space. And atleast 2 processor of CPU.
The Main goal is to mimic your virtual environment look alike into a Real Environment with real resources.
Have some third-party Software like Chrome, Win amp, DVD burner, VLC player, made it look like real time MISC applications are in use.
Do not install virtual box guest additions, it is very prone to detection by the malwares, so remove it before you proceed with the malware analysis.
If you have already installed uninstall it by navigating to the directory where you installed virtual box, then guest additions folder, then uninstall it…….
It will reveal our virtual environment to the malwares.
Next step is we need to trick the Malware that we are really online, that we have real internet connectivity over world wide web.
We need to be updated with Operating System and patches, then switch of your Windows defender, it will trigger the anti-malware so it may trigger malware too, disable firewall too so that we will be looking a system which is vulnerable to malware threat.
Install all the Third-party tools, Reverse Engineering tools, Malware analysis tools.
NOTE: Take snapshots of your base operating system before proceeding with the malware analysis, because snapshots always helps when we are playing with the Malwares.
We will be using Fake net tool https://sourceforge.net/projects/fakenet/
This tool will trick malware that we are in internet connected system.
Always have your network mode in VirtualBox Host only ethernet adapter.
Remember Fake net should be run as administrator,
If we want to save the logs then we need to change some information in FakeNet.cfg file, open that cfg file then change xxx to Yes.
So, the log files will be saved as .PCAP files in the fake net folder for further investigations.
We need some malware analysis tools to analyse the Sample malwares in the upcoming blogs, so we need to install a small package which will download all the necessary files for that.
Download FlareVm from Github you can download it from here(https://github.com/fireeye/flare-vm)
After you downloaded the FlareVM Navigate to the Folder using PowerShell, (Run as Administrator) then set the execution policy to be unrestricted using the below command
Set-Execution Policy unrestricted thenGive Y for Yes
Then .\install.ps1 hit Enter then start downloading the package
You will be needing the internet connection for this, then you can change the adapter to the host only adapter later before the malware analysis.
That’s it, everything is Done, we can start doing the malware analysis in the upcoming days.
Comment down your views and ideas to made up our environment more isolated. It will be good to know more Ways, right?
Ok buddies, that’s all for today, see you soon with the hands on Static Malware analysis blog, Practical one this time.