Malware Analysis Bootcamp - Setting Up Our Environment

Captions
Hey guys, welcome back to the Malware Analysis Bootcamp. In this video I'm going to be showing you how to set up your malware analysis environment and all the tools we'll be using, as well as some security guidelines to keep in consideration when setting up your malware analysis lab. So let's get started.

So, talking about the tools we'll be using: first of all we have a hypervisor, so you can use either VirtualBox or VMware; I'll personally be using VirtualBox. Secondly you need a Windows 7 VM, so that is a 32-bit or 64-bit. If you can, a 64-bit is preferable because we do have some tools that require a 64-bit architecture. And thirdly we'll be using FLARE VM. Now, you don't have to use FLARE VM. For those of you who already know what it is, it essentially is a Windows malware analysis distribution that you can set up. If you remember, quite a while ago I made a video on Commando VM, and it was by FireEye, and they make the same script, but of course this one is for malware analysis, so it comes pre-packaged with all the tools that we'll need for malware analysis and it will automate the entire process of setting it up. So I really recommend using FLARE VM; you just need to set it up once and then take a snapshot and you'll be good for a long time.

All right, now one important thing to keep into consideration is, on your Windows 7 VM, you must disable Windows Update and of course Windows Defender, right? So of course that will avoid any potential discovery by any of these antivirus programs, and as a result they'll get rid of the malware, so we don't want any of that. So I'll show you how to disable that as well.

Now for some security guidelines when dealing with setting up and maintaining your environment. So the first thing is to obviously keep your hypervisor updated. So whether you are using VirtualBox or VMware, it's really important that you keep them updated in case of any potential exploits that some pieces of malware have in regards to busting your VM software. Secondly is, when executing malware, ensure that your network configuration is set to host-only. This is very important as it will avoid any accidental infection or any accidental execution on your host operating system. So the next one is: do not plug in any USB devices into the VM. So again, that will avoid any infection of your USB devices, especially hard drives; just avoid doing that at all costs. We go to the next one, which is: make sure you download compressed and password-protected samples to avoid accidental execution. So this is very important, and it usually is the standard when dealing with malware to obviously compress the binary or the executable and password-protect it to avoid accidental execution. So usually the zip file password will be "infected" or something like that; that's something to take into consideration. Make sure you only download samples that have been compressed and secured appropriately. The next one is to take snapshots. It's very, very important; you want to make sure you always have clean snapshots to avoid, you know, the fact that you have to reinstall FLARE VM again. So again, I'll show you how to do that in a second. And the next one is of course: do not store any valuable data on your analysis VM. That's something very, very important. Make sure that your documentation is done outside of your analysis VM; therefore, again, you prevent any data spilling over onto your host operating system. And of course lastly is to disable your shared folders before execution or analysis. So when transferring over binaries you can make use of the shared folders functionality with your hypervisor, but make sure you disable them before your execution or analysis, as we have seen many times before some pieces of malware do have the ability to mutate through the network. So again, keep that in mind. That being said, that is pretty much all that we'll be requiring, and those are the security guidelines to keep in mind. As I mentioned before in the previous video, these slides are available in the description section; you can check them out if you want to. And let's get started with setting up the environment.

All right, so we are ready to start setting up our environment, and as you can see I'm using Ubuntu as my host operating system. I would recommend you do the same, the reason being you never want your host and your guest operating system to be the same operating system; of course, therefore, you know, if there is any accidental execution you can avoid that if possible. However, if you are on Windows that's perfectly fine; you just need to take a bit more of a secure approach. That being said, let us check out the tools we'll be using. As I said, we'll be needing a Windows VM, a Windows 7 VM. I will then be taking a look at the FLARE VM script right over here. So let's get started.

Let me explain a few things when downloading some Windows virtual machines. So, part of the new policy that we have at HackerSploit is of course we are going to have to be going through the legal channels, and as part of YouTube's new guidelines we need to make things as clear as possible in regards to the legalities of software, et cetera, et cetera. So when downloading or when using a Windows VM, you want to download it from developer.microsoft.com, and these are the Microsoft Edge or Internet Explorer versions. So they essentially are VMs that you can use to test Internet Explorer or Edge, as they call it, EdgeHTML. So you can download Internet Explorer version 10, 9 and 8 on Windows 7, and also 11. You then have the ability to download Internet Explorer 11 on Windows 8.1. Essentially these are all legitimate operating systems with a trial period, so you can see that these virtual machines expire after 90 days: "We recommend setting a snapshot when you first install the virtual machine, which you can roll back to later," so you can use this for a long period of time, and the password for the user and for the zip file is going to be "password" right over here. So by default I've downloaded the Internet Explorer 10 on Windows 7, for no particular reason. Again, if you do have a legitimate Windows 7 license you may want to consider using that as well. You then specify your platform or hypervisor here; you can see you have the option for VirtualBox, Vagrant and VMware, so I'm going to go with VirtualBox, and you can download that zip right over here. I already have it on my desktop here, so we can actually skip that part.

And then now let's talk about FLARE VM. Right, so you can check out the links; they will all be in the description section. So FLARE VM is developed by FireEye; you can check them out as well. So this is a fully customizable Windows-based security distribution for malware analysis, incident response and penetration testing, but more so for malware analysis, and I'll be showing you how to use it. So you want to download this folder here, or the zip file, or you can clone it and copy it onto your VM. But for now let's just do that; I've already downloaded it to my desktop. And then we have the FireEye installation page, where it will guide you through the installation, right? So we'll be using this as well. It's a very, very simple installation.

So the first thing we want to do is we want to extract the Windows 7 VM zip file here. I've already done that, and we have the OVA file right over here. So you just want to double-click on that once you have VirtualBox installed. It's probably going to tell me that I already have it installed, but I'll give it a different name. I'll just call it Windows 7, and we'll just call it 32-bit or something generic; again, you can call it whatever you want. I'll give this two CPUs; one gigabyte of RAM is perfect, and for my network adapter that's perfectly fine, I'll set the settings right now. If you want to increase the VMDK disk size you can do that as well, but I'm not going to be doing that because it has enough space as it is; it's about 40 gigabytes. So I'll hit Import, and we'll wait for this to import. It's going to take a while, so I'll get back to you when this is done.

All right, so the OVA file has completed importing, and you can see it right over here: it's Windows 7 32-bit, as we set the name. You can see all my other VMs, and this is the VM that I'll be using for this course. I've already set it up with FLARE VM, but the purpose of this video again is to show you how to set it up yourself.

All right, so let's take a look at a few settings here. The only settings I want to configure... you can configure the system resources to your liking or to your specification; nothing special there. I'll go with two CPUs and one gigabyte of memory; that's perfectly fine for me. For display I'll set this to, let's see, 64 megabytes, and I'll enable 3D acceleration. For my network, this is where you need to actually configure the host-only adapter. Now by default on VirtualBox you need to set this up yourself, so you want to go into Global Tools, and as you can see I've already created mine. So if you click on this dropdown it will tell you you have your Virtual Media Manager and your Host-only Network Manager. So you want to click on that, and right over here by default you'll have no host-only adapters. I've created two: I've already created one that I currently use for my primary malware analysis VM, which you just saw, and that is vboxnet0, and I created one for this video, so I can remove this one and I'll show you how to create one yourself. So you can just click on Create and it'll create one for you right over here, and you can take a look at the properties. You can configure it automatically or you can do it manually; I like leaving it manual. So you can give it any IPv4 address within your subnet, you then have your IPv4 network mask, and you then can configure it as a DHCP server, which is great. And I'll be showing you how to do this one; we'll be using a Linux VM for behavioral analysis, but that's for another video. So now that we've set it up, we'll just leave it as it is and we can go back to the Machine Tools and go into Settings, right, and within the settings we'll go to Host-only Adapter and set the name of the adapter to vboxnet1.

All right, now for shared folders, you can enable them right over here. I've already set mine up to be the desktop; that's where I've saved my FLARE VM script, which I'll be copying over shortly. So we'll hit OK. Now I have used this VM more than once and it's likely that my trial period has ended, so in any case, if you see it giving me the message that Windows has expired, that's perfectly fine; I'll just show you how to set everything up. So I'll hit Start right over here and we'll give this a few seconds to load up. It should only take a few seconds and it should log us in directly, that's if you're using the VMs from the Microsoft website right over here. So we'll wait for this to start up, and there we are, it logs us in directly and it should give us the background info. So there we are, it's giving us the prompt to activate, and this is because I'm using it more than once, so I'm just going to show you how to set it up. So immediately you can see it tells us that our username is IEUser and your password is written right over here, so you want to keep that in mind because the FLARE VM script will prompt us to enter this password. So let us check where we have our shared folder here, which is right over here, and we have the flare-vm-master zip right over here. So we're just going to copy that over, and I'm done with the shared folder, so I'll just go into Machine Settings and I'll just get rid of this right over here. So I'll get rid of that shared folder and hit OK. And as you can see, we do not have an active internet connection because it's a host-only adapter. So we will extract here; we'll extract all of this here and just hit Extract. By the way, you can install any other programs you want; those could be WinRAR, another browser like Firefox, any other utilities that you like using, that's perfectly fine, before you actually begin with the analysis.

So now that we have the files on, one of the important things you need to do is you need to take a snapshot. Now of course it's important that you take the snapshot before you actually start the machine, because you're then going to be working with the activation already on. So make sure you take a snapshot before you begin, so after you've copied the files. So before you do it, I just take a snapshot of the original Windows 7 VM without FLARE VM installed.

All right, so once you've taken your snapshot we're ready to go again. Right, so within the FLARE VM folder you're going to have the FLARE VM PowerShell script, which is install.ps1 right over here, and we need to execute this using PowerShell. So the first thing you need to do is type in "powershell" and you want to run this as administrator. All right, so now that we have the PowerShell window opened up, we now need to disable Windows Defender and Windows Update so that they don't interfere with the installation. Right, so for this we can just type in services.msc and we can just hit Enter, and we'll give that a few seconds to load up. And we are looking for Windows Update and Windows Defender, which are all at the bottom. So we have Windows Update, and we want to disable this, or keep it to Disabled, and we want to stop the process, and there we are. So we're going to hit Apply and hit OK, so that should prevent us from ever having to deal with Windows Update again. Now you're going to go to Windows Defender and you want to disable this and hit Stop. Again, we're going to wait for that to stop it, and hit Apply and hit OK, and there we are.

All right, fantastic. So now we can get started with installing the script. So what you want to do, of course, is you want to browse to the directory. So we're going to say cd. We are currently in System32, so we're just going to take a step back, and if we list the directories here we still need to take a step back, and we want to go into Users. So cd Users; we can then say IEUser, and we are on the Desktop, right, so there we are. And hopefully I've zoomed this in in post-processing so you can see exactly what's going on.

All right, so when we are ready to begin the installation, all we need to do is first of all enable a flag here, and that flag is to essentially allow any files or any scripts to be executed automatically without any privileges being granted to it. So to do that we can type in Set, so we're going to type in Set, let me just get in here, so we're going to say Set, and we're setting the execution policy, so Set-ExecutionPolicy, to Unrestricted, there we are, and we then want to hit Enter. All right, and it's going to ask you to confirm this option by typing in Y for yes, and I'm going to hit Enter and we are good to go. So now we want to, let me just clear this out, and if we list the files in here, we want to execute... so we're going to browse into the directory here and we now want to execute the PowerShell script. So again, directory here, there we are, and we are looking for the install.ps1 script. All right, so we want to install this, so I'm going to say install.ps1. Now before installing it, do note that you do need an active internet connection, so again you want to go into Machine and you want to go into Settings and you're going to Network, and we'll just change this to Bridged Adapter because we do need an internet connection to allow the script to download all the necessary files. So we'll wait for this to automatically configure here, and hopefully it will give us an IP address, so we'll just wait for this to configure. So now we can get started, so we can type in install.ps1 and we can then hit Enter.

All right, now the important thing to take into consideration is we need to enter the correct password because it is going to require us to sign back in, so make sure you type it in correctly. So the password is "password", and we hit Enter and it's now going to start the installation process. Now the installation process can take from 30 minutes all the way up to two hours depending on the speed of your internet connection, so it is going to restart automatically. I would recommend just letting it do its thing; you can do something else while it's installing. So I'm just going to skip through this process and I'll get back to you when it's done installing, and we're fresh back into the FLARE VM.

All right, so the installation is complete and I'm back in my current malware analysis box, and this is exactly what you'll get, with a few exceptions. The exceptions are that I installed Firefox and WinRAR; so these are just utilities that I like having on board. Otherwise, apart from that, everything should be exactly the same. As you can see we have the FLARE folder here, which has a list of all the tools, and we also have the tool list here that has all the disassemblers, so we have Ghidra as well, which is awesome. So in regards to the tools, you have your debuggers. So in regards to your debuggers, you have OllyDbg, or Olly debugger; we have the x32dbg, or debugger, and x64 debugger, which is great. Again, x64 debuggers will only work on a 64-bit operating system, so that's something to take into consideration. In regards to utilities like PEiD, we already have that here. We also have CFF Explorer, which is great. We have all the utilities here, so there we are; we have PEiD, we have PEStudio, so it has a list of all the tools you'll ever need for malware analysis. You also have some pen testing tools, like the Kali Windows binaries, so you can take a look at all of that.

So that's pretty much it in regards to the installation. You need to keep everything backed up and you need to take a snapshot of your analysis VM before you actually begin analyzing any piece of malware, which you can see right over here: this is a clean vanilla install, yeah, so I usually have this to revert back to whenever I want to perform a fresh analysis. So that's pretty much going to be it for this video, guys. I'll be seeing you in the next video; we'll get started with static analysis. So I'll see you then.
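The in-VM preparation steps walked through above (stopping Windows Update and Windows Defender, setting the execution policy, confirming the VM has a route out only while install.ps1 runs, and confirming it has none again before any sample is run) as an added PowerShell script; this is not the video's or FLARE VM's own code. It assumes flare-vm-master was extracted to the IEUser Desktop as in the video, and that it is run from an elevated PowerShell prompt on the Windows 7 VM.

```powershell
# Added example, not from the video or the FLARE VM project: pre-flight script
# for the Windows 7 analysis VM. Assumption: flare-vm-master was extracted to
# the current user's Desktop, and this runs in an elevated PowerShell prompt.

function Test-InternetRoute {
    # $true when an enabled adapter has a default gateway (Bridged or NAT),
    # $false on a host-only adapter, which has no route out of the lab.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
           Where-Object { $_.IPEnabled -and $_.DefaultIPGateway } |
           Select-Object -First 1
    return ($cfg -ne $null)
}

# 1. Windows Update and Windows Defender would quarantine samples or reboot
#    mid-install, so stop them and set their startup type to Disabled.
#    Service names: wuauserv = Windows Update, WinDefend = Windows Defender.
foreach ($name in @('wuauserv', 'WinDefend')) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Warning "Service '$name' not found, skipping"; continue }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Host ("{0,-9} status={1}, startup=Disabled" -f $name, (Get-Service $name).Status)
}

# 2. Allow the unsigned install.ps1 to run. The video uses Unrestricted;
#    -Force skips the Y/N confirmation shown in the video.
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force

# 3. The installer downloads its tools, so refuse to continue until the
#    adapter has been switched from host-only to Bridged in VirtualBox.
if (-not (Test-InternetRoute)) {
    Write-Error 'No default gateway: switch the VM adapter to Bridged before installing.'
    exit 1
}

# 4. Hand over to the FLARE VM installer; it prompts for the account
#    password because it reboots and logs back in during the install.
$installer = Join-Path $env:USERPROFILE 'Desktop\flare-vm-master\install.ps1'
if (-not (Test-Path $installer)) { Write-Error "install.ps1 not found at $installer"; exit 1 }
Set-Location (Split-Path $installer -Parent)
& $installer

# After install.ps1 finishes, switch the adapter back to host-only and take
# the clean snapshot; Test-InternetRoute must then return $false before any
# sample is run in this VM.
```

Because the default policy on Windows 7 is Restricted, either paste the block into the elevated prompt or launch it with `powershell.exe -ExecutionPolicy Bypass -File preflight.ps1`.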
Info
Channel: HackerSploit
Views: 48,607
Rating: 4.98914 out of 5
Id: F1LE56QQ7iA
Length: 18min 42sec (1122 seconds)
Published: Sat Aug 10 2019