aljaz/securedorg.github.io
1
0
Fork 0
mirror of https://github.com/aljazceru/securedorg.github.io.git synced 2025-12-19 07:04:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
cdab89253a61ec963d1f37758b31e421b48447eb
securedorg.github.io/fundamentals.md
SECURED.ORG 9e1cb4c37c Update fundamentals.md
2017-08-10 22:45:48 -07:00

4.3 KiB
Raw Blame History

layout, permalink, title
layout permalink title
default /RE101/section1/ Fundamentals

Go Back to Reverse Engineering Malware 101

Section 1: Fundamentals

Environment Setup

In this section you will be setting up a safe virtual malware analysis environment. The virtual machine (VM) that you will be running the malware on should not have internet access nor network share access to the host system. This VM will be designated as the Victim VM. On the other hand, the Sniffer VM will have a passive role in serving and monitoring the internet traffic of the Victim VM. This connection remains on a closed network within virtualbox.

Installing VirtualBox

For windows and osx, follow the instructions in the install binary.

Windows Mac OSX Linux
alt text alt text alt text

Download Victim and Sniffer VMs

Please use the utility 7zip. Unzip the files with 7zip below and in VirtualBox File->Import Appliance targeting the .ova file.

Victim VM

  • MD5sum: 7d4f2ff359cd74eec3cae7b16a916939 Updated 6/30/2017
  • OS: Windows 7 Service Pack 1
  • Architecture: Intel 32bit
  • Username: victim
  • Password: re1012017
  • IP Address: 192.168.0.2
  • Gateway: 192.168.0.1
  • Zip size 3.7G, Final size required 10G

Note: If the VM is rebooting on you, open a command prompt with admin privileges and run "slmgr /rearm", then reboot. It should reset the VM's trial version.

Sniffer VM

  • MD5sum: f9c9214475560ab0b019654560e9d3b8 Updated 6/30/2017
  • OS: Ubuntu 16.04.2 LTS Desktop
  • Architecture: Intel 64bit
  • Username: sniffer
  • password re1012017
  • IP Address: 192.168.0.1
  • Gateway: 192.168.0.1
  • Zip size 1.9G, Final size required 6G

Post Install Instructions

Note: If you are having problems getting the VM to run, revert to the AnalysisReady snapshot, then right-click on the VM and select discard the saved state.

  1. Install VirtualBox CD on both VMs: Devices->Insert Guest Additions CD Image
  • If it doesn't auto appear, navigate to the CD Drive to install
  • Follow install directions from the Guest Additions Dialog
  • Note: it will require install privileges so insert passwords for each VM
  • Shutdown Both VMs after you have installed the Guest Additions CD.
  1. Victim VM: Devices->Drag and Drop->Bidrectional
  2. Victim VM: Devices->Shared Clipboard->Bidirectional
  3. Both VMs: Devices->Network->Network Settings
  • Select Attached to Internal Network
  • Name should mirror both VMs. Default is intnet
  1. Run/Play both VMs to verify network connectivity
  • Important While running, take a snapshot of each VM and name each "Clean". This will save a clean slate for you to revert the VM image back to.
  1. Sniffer VM: Ensure inetsim is running
  • Open terminal and run: ps -ef | grep inetsim
  • If no output, run: /etc/init.d/inetsim start
  • Run the ps command again to confirm it's running.
  • Expected output: alt text
  1. Victim VM: test connection to Sniffer VM
  • In the search bar, type cmd.exe to open terminal
  • Run command: ping 192.168.0.1
  • Expected output: alt text
  1. Sniffer VM: Devices->Shared Folders->Shared Folders Settings
  • On your Host, create a folder called sniffershare
  • In virtual box select Add New Shared Folder icon and navigate to the folder you just created (sniffershare)
  • In Sniffer VM, open the terminal and run command:mkdir ~/host; sudo mount -t vboxsf -o uid=$UID,gid=$(id -g) sniffershare ~/host

Intro <- Back | Next -> Anatomy of PE