There’s nothing like the feeling of having a good tool in your hand, which is why when we’re doing broke ass malware analysis with 0 skills, we should start with the basics of what to use. Now, when I say ‘basics’ I don’t mean the basics that the pros would use. I’m talking about the free shit you can use even when you’re literally #brokesec.
I have a few personal favorites that I’ll reach for whenever I’ve got something new to look at regardless of where the code originated from. In future posts to this blog I hope to take a more episodic approach to the content, but for this introductory post, (one of possibly a few) I’ll be outlining some of my basic methodologies.
0.0 Setting Up A Safe Analysis Space
Before you even do something stupid like playing with malware (seriously, why are you even reading this blog? This is a dumb thing to do.) You should at least make sure you’re not doing analysis in a workspace prone to get infected. Or if you take the approach that any environment where malware inhabits is technically “prone” to get infected
(first of all, fuck you) then at least make sure you’re using an expendable endpoint for anything your malware touches.
A guy told me one time, ‘Don’t let yourself get attached to anything you are not willing to walk out on in 30 seconds flat if you feel the heat around the corner.’Neil McCauley
A part of this depends on how you plan on working with the malware, but the best advice for this is to try to maintain space between working endpoints you care about, and which are expendable. Ultimately, you have to remember that you are responsible for all of your endpoints, so make sure you’re taking care to avoid malware execution on anything you care about.
The above topology is the layout I use for malware interchange. It’s not perfect, but it maintains a level of OPSEC that I’m comfortable when collecting and handling malware. This is probably something else I’ll go over in greater detail in a future post. (Sidenote: People are going to criticize you no matter how you setup your endpoints and networking, but the fact of the matter is that you’re already doing something pretty dumb, and as long as you’re comfortable with holding yourself accountable for the consequences of the worst case scenario, that’s what matters most.
0.5: Choosing A VPS
It might seem trivial, but choosing a Virtual Private Server service is an item that you should take seriously. There are a lot of choices in this realm, many which are heavily used and pretty popular, but I’ll talk about a few that I’ve worked with before and give my impressions.
The reason we need to be judicious about our choices of VPS is that we will be setting up machines with the intent of getting them infected, and also in part for the purpose of securely transferring binaries between hosts that don’t live within our own safe analysis range. We want these boxes to be disposable, quick & easy to deploy and most importantly, cheap.
- Vultr – This is my preferred service because Vultr has a number of deployability options, hardware, software & geographically that you just don’t get in other services, especially when it comes to ease of deployment. They’re also cheap, running you about $5 for a monthly deployment of a beat-down ubuntu box which is more than enough to run our vulnerable box later on.
- Amazon Lightsail/AWS – Everyone knows this service and you’re probably already comfortable and familiar with these services. I find them to be a bit annoying to deploy and maintain, but that’s just my personal taste. U do U.
- Digital Ocean – I used to be a big fan of Digital Ocean. They have good services and they certainly meet the “quick & easy to deploy” requirement, they just tend to be a little more expensive and also more limited on geographic deployment options.
One last note on what VPS you choose to use here, not everyone you get a VPS from is going to be overly thrilled that you’re buying their service to get boxes infected so don’t be an idiot and do something super stupid like talk about what you intend to do publicly or
1.0: Online Sandboxing Tools
So you’ve got some binaries you think are bad, but you’re like me and you have no fucking clue what you’re doing? Cool, but what can you do with them? Well one thing you can do is “sandbox” the tools, or execute them in an environment that will allow you to observe what happens “post boom” (after execution). There are a lot of ways to accomplish this, but since we don’t have any money, and don’t know what we’re doing, it’s probably best to find some free, preferably online tools to use for this purpose.
Of course everyone who has done any form of SOC work can name VirusTotal as a go-to binary and URL research tool, but it’s far from the only one out there. There are a lot of options for tools that can be used to research with, and depending on who you ask you’ll get a different answer for what the best tool is. Personally, when I have executables in hand, hybrid-analysis is one of my first stops.
Hybrid-analysis will track what files you upload, and it has a great API for auto-submitting items you find, which will be helpful in terms of security later on when we have findings on one of our honeypots that we want to submit without the messiness of having to download archives and manually submit. Instead, we can submit from a more secure network location. In the future, I may do a deep-dive on Hybrid Analysis, but not today.
Here’s a few other sandboxing-ish tools that you can use and see what you like:
- Joe Sandbox – I’ve used Joe Sandbox before, but the service has changed a little over the last year or two. It’s a bit more limited than I remember it being before and their business model seems to have moved more in the direction of sales than expanding open analysis
- VirusTotal – The old standby, and while it does sandbox tools as a part of its features, VirusTotal doesn’t let you get as up-close-and-personal with your uploads as hybrid-analysis does (at least in my opinion). The upshot to VT is that they have a deeper set of hashes to compare to which is what the VT devs have put the bulk of their effort into. Still a good tool for cross-referencing
- Cukoo Sandbox – Oh, I see. You’re a bougie bitch who has some extra compute to throw at this hellish enterprise. Well then Cukoo might be what you want to use. Especially helpful if you want to host a solution yourself for sensitive binaries, Cukoo is powerful, but only if you have spare cycles and/or duckets in your pocket.
This is the end of the first basics post, so stick around and see what happens in part II.