Setting up Lab Architecture for analyzing Windows Malware Samples
Updated: Mar 11, 2020
Hey all, in this post I will guide you through the lab setup required for analyzing malware samples that target the Windows platform.
Before you begin setting up the lab: to create a safe environment, you need a physical system running Linux or macOS as the base operating system, with virtualization software (such as VMware or VirtualBox) installed. This is to prevent malware from escaping the virtualized environment and infecting your physical (host) system. If you don't want the malware to reach the Internet while you analyze it, switch the network settings of the virtual machine to host-only mode. Also, do not connect removable media such as USB drives.
The lab architecture I use consists of a physical machine running Ubuntu Linux, with Ubuntu and Windows virtual machines in the virtualization software. The Windows VM is where the malware is executed during analysis. The Linux VM is used to monitor the network traffic and is configured to simulate Internet services (DNS, HTTP, etc.) so that it gives appropriate responses to the malware's requests.
Once the Ubuntu operating system and the virtualization tools are installed, start the Ubuntu VM and install the following tools and packages:
1.) Install pip. pip is a package management system used to install and manage packages written in Python. The following are the tools and Python packages used in malware analysis.
2.) INetSim is a powerful utility that simulates Internet services, such as DNS and HTTP, that malware frequently expects to interact with.
Now that all the required utilities and software are installed, we can isolate the VM from the Internet by changing its network to host-only mode. In VMware, go to Network Adapter Settings and select Host-only mode, as shown in the image below.
Now let's assign a static IP address of 192.168.1.108 to the Ubuntu Linux VM. To do that, first note down the interface name by running the ifconfig command. In my case it's ens33. Open the file /etc/network/interfaces, add the following entries at the end, and restart the VM.
After the reboot, check ifconfig again; it should show the static IP address.
The next step is to configure INetSim so that it listens on, and simulates all the services on, the configured IP address 192.168.1.108. By default, INetSim listens on the loopback address (127.0.0.1) and its DNS service resolves names to the loopback address; both need to be changed to 192.168.1.108. To do that, add the below lines to the /etc/inetsim/inetsim.conf file.
Run INetSim by typing sudo inetsim and verify that all services are running. Check that INetSim is listening on 192.168.1.108. If you get a message that the process is already running, delete /var/run/inetsim.pid and relaunch the command. On a successful launch you should see the below output.
INetSim 1.2.6 (2016-08-29) by Matthias Eckert & Thomas Hungenberg
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/
Using report directory: /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
=== INetSim main process started (PID 2640) ===
Session ID: 2640
Listening on: 192.168.1.108
Real Date/Time: 2017-07-08 07:26:02
Fake Date/Time: 2017-07-08 07:26:02 (Delta: 0 seconds)
* irc_6667_tcp - started (PID 2652)
* ntp_123_udp - started (PID 2653)
* ident_113_tcp - started (PID 2655)
* time_37_tcp - started (PID 2657)
* daytime_13_tcp - started (PID 2659)
* discard_9_tcp - started (PID 2663)
* echo_7_tcp - started (PID 2661)
* dns_53_tcp_udp - started (PID 2642)
* http_80_tcp - started (PID 2643)
* https_443_tcp - started (PID 2644)
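One way to check the two file edits described above before relying on the lab, as an added example that is not part of the original post. service_bind_address and dns_default_ip are the INetSim options that control the listen address and the default DNS answer; the netmask and the sample file contents are constructed assumptions.

```bash
LAB_IP="192.168.1.108"   # static IP used in the post
LAB_IF="ens33"           # interface name used in the post

# Print the last uncommented value set for an inetsim.conf key.
conf_value() {  # $1 = file, $2 = key
  awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Succeed only if services bind to, and DNS answers with, the expected IP.
check_inetsim_conf() {  # $1 = file, $2 = expected IP
  [ "$(conf_value "$1" service_bind_address)" = "$2" ] &&
  [ "$(conf_value "$1" dns_default_ip)" = "$2" ]
}

# Succeed only if the interfaces file gives the interface that static address.
check_static_ip() {  # $1 = file, $2 = interface, $3 = expected IP
  awk -v i="$2" -v ip="$3" '
    $1 == "iface" { cur = ($2 == i && $4 == "static") }
    cur && $1 == "address" && $2 == ip { ok = 1 }
    END { exit !ok }' "$1"
}

# Constructed sample files standing in for /etc/inetsim/inetsim.conf and
# /etc/network/interfaces (netmask 255.255.255.0 is an assumption).
demo=$(mktemp -d)
cat > "$demo/inetsim.conf" <<EOF
#service_bind_address 127.0.0.1
service_bind_address $LAB_IP
dns_default_ip $LAB_IP
EOF
cat > "$demo/interfaces" <<EOF
auto $LAB_IF
iface $LAB_IF inet static
    address $LAB_IP
    netmask 255.255.255.0
EOF
# A config that was never changed from loopback must fail the check.
printf 'service_bind_address 127.0.0.1\n' > "$demo/loopback.conf"

check_inetsim_conf "$demo/inetsim.conf" "$LAB_IP" && echo "inetsim.conf: OK"
check_static_ip "$demo/interfaces" "$LAB_IF" "$LAB_IP" && echo "interfaces: OK"
check_inetsim_conf "$demo/loopback.conf" "$LAB_IP" || echo "loopback.conf: not bound to lab IP"
```

On the real VM, pass /etc/inetsim/inetsim.conf and /etc/network/interfaces to the two check functions instead of the constructed files.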
At this point, the Linux VM is configured to use Host-only mode, and INetSim is set up to simulate all the services. The last step is to take a snapshot (clean snapshot) and give it a name of your choice so that you can revert to the clean state when required.
Setting Up And Configuring Windows VM
1.) Download and install Python 2.7.x.
2.) Set the network configuration to Host-only mode and configure the IP address to 192.168.1.x (any IP address other than 192.168.1.108). Set the default gateway and the DNS server to the IP address of the Linux VM (that is, 192.168.1.108).
3.) Ping each VM from the other and make sure the two can communicate.
4.) The Windows Defender service needs to be disabled on your Windows VM, as it may interfere when you are executing the malware sample. To do that, press the Windows key + R to open the Run menu, enter gpedit.msc, and hit Enter to launch the Local Group Policy Editor. In the left-hand pane of the Local Group Policy Editor, navigate to Computer Configuration | Administrative Templates | Windows Components | Windows Defender. In the right-hand pane, double-click the Turn off Windows Defender policy to edit it; then select Enabled and click OK.
5.) Take a clean snapshot so that you can revert back after every analysis.
At this point, your lab environment should be ready. The Linux and Windows VMs in your clean snapshot should be in Host-only network mode and should be able to communicate with each other. In future posts, I will be covering various malware analysis tools.