GitHub: andresMen1274/Malware-Analysis-Threat-Investigation-Environment
# Malware-Analysis-Threat-Investigation-Environment
Isolated malware analysis environment using REMnux, FlareVM, Procmon, ProcDOT, Sysmon, and PEstudio to perform static and dynamic malware analysis. Investigated suspicious processes, persistence mechanisms, registry modifications, executable behavior, and Windows system activity within virtualized environments.
## Key Findings
- Built an isolated malware analysis environment using FlareVM and REMnux.
- Compared packed and unpacked executables using PEstudio.
- Used Regshot and Procmon to observe registry, file system, and process activity.
- Generated ProcDOT visualizations from captured process activity.
## Configuration
First we download VirtualBox and then the Windows 10 Enterprise edition. This is done by going to Microsoft's Windows website and creating a free account, which allows you to download the Windows 10 Enterprise edition. I will be using the United States 64-bit version.
After the download has finished we create the Virtual Machine. The Virtual Machine is named windows10 and was given 4 processors and 11 GB of memory.
Since no ISO image was mounted when the Virtual Machine was created, an error message appears when the Virtual Machine is started.
To fix this error we select the Windows 10 Enterprise ISO image that was previously downloaded, mount it, and reboot the system so the ISO image takes effect.
Now the Windows 10 installation starts. To finish configuring the machine we install Windows 10 onto the virtual hard disk, for which we previously allocated 100 GB.
Once the installation is done, the Windows 10 Virtual Machine is configured. Next we want to download FlareVM. To do this we open the Virtual Machine, open Microsoft Edge, search Google for the FlareVM GitHub repository, and download the repository. Next we extract it.
The extracted contents should be as shown in the image.
Next we shut off Windows Defender by turning off all virus and threat protection settings. Then we disable all of the Windows Firewall settings and apply them. This is all done so that FlareVM can be installed.
Next we turn off all antivirus protection in the Windows settings and disable the Windows Firewall. Then we open Group Policy, find the Microsoft Defender Antivirus policy, and enable the setting so that Defender stays turned off.
Then we download the files as a zip and extract all of its contents. Next we open Windows PowerShell as an administrator and change into the FlareVM directory. We run three commands in this directory. They are:

```powershell
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted -Force
.\install.ps1
```

After hours of installation the Virtual Machine is now a FlareVM. Right after the install we change the network adapter to a host-only network so that no internet connections are possible, and take a snapshot of the current state of the Virtual Machine.
Now we install REMnux. To do this we go to the official REMnux website, choose the VirtualBox OVA download, let it download, and import it into VirtualBox. After this we update REMnux by running sudo apt update. Once everything has been updated we upgrade all of the applications by running sudo apt upgrade and allowing all applications to upgrade. Now that the REMnux machine has been updated we create the network. To do this we go to the VirtualBox menu, select Tools and then Network Manager, create a new host-only network, and give it an IP address.
To make sure the network is working correctly I check the IP addresses of both Virtual Machines and have them ping each other.
Since both pings were successful we know that the Virtual Machines can communicate with one another. To make sure the Virtual Machines are not connected to the internet we try to ping Google; if that is unsuccessful, we know we are not connected to the internet.
Then we take a snapshot of each Virtual Machine so that we can revert to the original state of the Virtual Machine after the malware is deployed. To simulate a network connection we use INetSim. To do this we go to the REMnux Virtual Machine and type inetsim.
To make sure this is working we enter the IP address of the REMnux Virtual Machine in the browser.
Now we configure a fake DNS server. This is done by going to REMnux, running the command sudo nano /etc/inetsim/inetsim.conf, and changing the IP address to 10.0.0.3. Then we go to FlareVM and, in the network settings, change the IPv4 DNS server to the IP address of the REMnux machine, which is 10.0.0.3. To test this we check the connection to Google, and a fake web page should be displayed.
## Static Malware Analysis
In this lab I statically analyze malware on FlareVM and REMnux.
Before the malware is downloaded I create a shared folder between my host machine and the FlareVM Virtual Machine. To do this I create a folder called shared on the host machine and download the malware zip file from GitHub into that folder. Then I go to the Virtual Machine settings, select Shared Folders, and add the folder that contains the malware zip file.
After this has been done, open FlareVM and open the file manager. Then copy the given file into FlareVM.
After this has been done, remove the shared folder from FlareVM, because malware has the capability to modify this folder.
To make sure that the shared folder is gone, go to the file manager and select vboxuser. The folder should be empty because there is no longer a shared folder.
After this is done, go into FlareVM and unzip the file. Then we take a snapshot of the current state of the Virtual Machine and start the malware analysis.
The malware that we will be analyzing is CryptoLocker ransomware. It was introduced in 2023 and arrives through a zip attachment or as an invoice. After it is executed it begins encrypting files rapidly and displays a message that the files are encrypted and the only way to release them is through payment.
To release the malware I navigate to TrialStroke and unzip the ransomware. After this is done I execute the malware. This is the result of the executed malware; since I took a snapshot of my preconfigured machine, I now restore it.
I now detonate a different malware sample that can be analyzed. First I unzip the file; this malware is executed by renaming it, after which it becomes an executable. There are two files that I analyze using PEstudio, and what I am looking at is malware packing. This is when malware is packed: essentially the malware is wrapped in encryption so that antivirus will not be able to detect it. An indicator that a file is packed is that it is unusually small.
I open two windows of PEstudio to analyze the malware.
Unpacked File
Packed File
The first indicator that a file is packed is that its size is much smaller than its counterpart. In this example the unpacked file has many more bytes and lower entropy, while the packed file contains fewer bytes and higher entropy, which is a clear indicator of a packed file.
Unpacked File
Packed File
In the unpacked file we can see that the entry point is located in the .text section. In the packed file we can see a different entry point section. This is another indicator that the file is packed and may contain malware.
Unpacked File
Packed File
In this image we can see that the unpacked file has the expected sections, .text and .data, and that it only has read and write permissions. In the packed file we can see that the sections are UPX0 and UPX1, which are indicators of a UPX-packed file. Moreover, the permissions are different and include execute and self-modifying (writable and executable) permissions.
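The three PEstudio indicators above (size and entropy, UPX section names, writable-plus-executable sections) can be checked programmatically. The script below is an added example and not code from this repository: it parses the PE section table by hand, computes per-section Shannon entropy, and scores the packing indicators on two constructed toy images that stand in for the unpacked and packed samples in the screenshots (the images are built inline, so nothing from the lab is needed to run it).

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section Characteristics bits (PE/COFF spec)
IMAGE_SCN_MEM_WRITE = 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; compressed or encrypted data sits close to 8."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if data else 0.0

def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table by hand (no pefile dependency)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, pe_off + 6)
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, _vs, _va, raw_size, raw_ptr, *_, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "raw_size": raw_size,
                         "chars": chars, "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return sections

def packing_indicators(pe: bytes) -> dict:
    """The same three PEstudio tells as the write-up: UPX names, W+X sections, entropy."""
    hits = []
    for s in parse_sections(pe):
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: UPX section name")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"{s['name']}: writable and executable (self-modifying)")
        if s["raw_size"] and s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f}")
    return {"indicators": hits, "likely_packed": len(hits) >= 2}

def build_toy_pe(sections) -> bytes:
    """Constructed minimal image: MZ stub, PE signature, COFF header, section table, raw data."""
    raw_off = 0x58 + 40 * len(sections)
    table, blob = b"", b""
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                             raw_off + len(blob), 0, 0, 0, 0, chars)
        blob += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + table + blob

RX, RW, RWX = 0x60000000, 0xC0000000, 0xE0000000              # constructed stand-ins below
UNPACKED = build_toy_pe([(b".text", b"\x90" * 1800 + b"\xc3" * 200, RX),
                         (b".data", b"hello world\0" * 100, RW)])
PACKED = build_toy_pe([(b"UPX0", b"", RWX), (b"UPX1", bytes(range(256)) * 3, RWX)])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, len(img), "bytes:", packing_indicators(img))
```

On a real sample, replace the toy images with the bytes of the file read from disk; the section walk and the indicator scoring are unchanged.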
## Dynamic Malware Analysis
In this project I analyze how malware infects systems in real time. Furthermore, I learn about the tools used and the lifecycle of malware.
I will be doing this on FlareVM and REMnux.
After the malware has been transferred through the shared folder as in the previous lab, make sure the shared folder is removed from the Virtual Machine and unzip the malware folder. In this tutorial I analyze a malware sample named Koreplug. Before executing the malware I use the tool Regshot. This is a utility that records all of the changes made by malware to the registry and to a specified directory. I use it before the malware is deployed so that I can see every file that is changed.
Another tool I use to analyze malware is Process Explorer. This tool shows all of the running processes on the Windows system in a tree structure. Furthermore, it lets you see the properties of a running process, such as its image file, its performance, and the TCP/IP connections the process has made.
Now that I have introduced the tools, I take a snapshot using Regshot.
This is the result of the snapshot.
Now we execute the malware as an administrator so that it has full privileges on the system. After this is done we check Process Explorer, and we can see that the malware is running as a process.
Now we take another snapshot using Regshot to check whether files have been altered.
After the second snapshot has been taken we compare the first and second snapshots. To do this select Compare, then Output, and it displays all of the registry keys that were added and deleted, as well as the files that were added and deleted.
To check that the malware is executing we navigate to File Explorer, then select Local Disk and ProgramData to see what programs are present there. We can see that a new folder has been added and that it contains the malware. From this we know that the malware did infect the Windows file system.
Now we use Procmon, a tool that records the activity of all processes on the Windows system. To see the changes we start the malware again. Then we go to Procmon and filter the log by process name (AvastSwc.exe). Now we can see all of the changes that the malware has made.
We can see that the malware created a file called intel. We are going to export a .csv file to see everything that occurred: go to Options and select Columns, enable Thread ID, and select OK. After this is done select Save, make sure it is saving the events displayed with the current filter, and choose the .csv format.
After this is done we use ProcDOT. ProcDOT is software that creates interactive graphs to analyze system and network activity. First select the .csv file we created and also select the malware that was deployed. Then an interactive graph is created.
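The Procmon CSV export above is the same data ProcDOT draws as a graph, and it can also be mined directly. The script below is an added example and not part of this repository: it applies the same process-name filter as the Procmon GUI to a constructed sample of the export (default columns plus the Thread ID column enabled in the lab; every path and value in it is made up), reduces the events to the file writes, registry values and child processes a ProcDOT graph would show as edges, and flags the ones that would survive a reboot.

```python
import csv
import io
from collections import Counter

# Constructed stand-in for the Procmon CSV export: default columns plus Thread ID.
# The process name is the one filtered on in the lab; paths and values are invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","TID","Operation","Path","Result","Detail"
"10:01:02.1","AvastSwc.exe","4120","4124","Process Start","","SUCCESS","Parent PID: 3988"
"10:01:02.3","AvastSwc.exe","4120","4124","CreateFile","C:\ProgramData\intel","SUCCESS","Desired Access: Write Data, Disposition: Create"
"10:01:02.4","AvastSwc.exe","4120","4124","CreateFile","C:\ProgramData\intel\svc.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.5","AvastSwc.exe","4120","4124","WriteFile","C:\ProgramData\intel\svc.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.6","AvastSwc.exe","4120","4124","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\intel","SUCCESS","Type: REG_SZ, Data: C:\ProgramData\intel\svc.exe"
"10:01:02.7","AvastSwc.exe","4120","4130","Process Create","C:\ProgramData\intel\svc.exe","SUCCESS","PID: 4200"
"10:01:03.0","explorer.exe","1234","1240","RegQueryValue","HKCU\Software\Classes\exefile","SUCCESS","Type: REG_SZ"
'''

def filter_process(text: str, process_name: str) -> list:
    """Same filter as the Procmon GUI: keep rows whose Process Name matches."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["Process Name"].lower() == process_name.lower()]

def summarize(events: list) -> dict:
    """Reduce the event list to the edges a ProcDOT graph would draw."""
    out = {"files_written": set(), "registry_set": set(), "children": set(), "ops": Counter()}
    for e in events:
        op = e["Operation"]
        out["ops"][op] += 1
        if e["Result"] != "SUCCESS":
            continue                      # failed attempts are noise for this view
        if op == "WriteFile" or (op == "CreateFile" and "Write" in e["Detail"]):
            out["files_written"].add(e["Path"])
        elif op == "RegSetValue":
            out["registry_set"].add(e["Path"])
        elif op == "Process Create":
            out["children"].add(e["Path"])
    return out

AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

def persistence_hits(summary: dict) -> list:
    """Flag what survives a reboot: autorun values and executables dropped under ProgramData."""
    hits = []
    for key in sorted(summary["registry_set"]):
        if any(k in key.lower() for k in AUTORUN_KEYS):
            hits.append(f"autorun value: {key}")
    for path in sorted(summary["files_written"]):
        p = path.lower()
        if p.startswith("c:\\programdata\\") and p.endswith(".exe"):
            hits.append(f"dropped executable: {path}")
    return hits

if __name__ == "__main__":
    s = summarize(filter_process(SAMPLE_CSV, "AvastSwc.exe"))
    print(dict(s["ops"]))
    for h in persistence_hits(s):
        print(h)
```

To run it against the real export, read the saved .csv file into a string and pass it to filter_process in place of SAMPLE_CSV.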