Shot from the unseen
launching pad, and so from nowhere,
a flame-tipped arrow—no, an airborne
pen on fire, its ink a plume
of smoke which, even while zooming
upward, stays as oddly solid
as the braided tail of a tornado,
and lingers there as lightning would
if it could steal its own thunder.
Mary Jo Salter
I started this post with a poem to prove how bad I am at blogging. Just accept that you’ll never be as bad at this as I am at this, so don’t even try. In any event, we got the honeypot set up the way we like it, and we’re starting to get malware. So let’s see what we got and whether it was worth all the effort.
0.0 Using Hybrid-Analysis
We’ve already talked about some basic things we can do before we upload any of the binaries to a sandbox, so let’s take the first sample and throw it at Hybrid-Analysis.com to see if there are any sweet, sweet Indicators Of Compromise (IOCs) we can pull out.
0.1 Where Da Malware At???
We’re going to start with binaries that we found in the binaries directory (blow me right the fuck away, right?). Depending on where you installed Dionaea, the full path may have a different root folder. My installation was done in /opt, so my path is /opt/dionaea/var/lib/dionaea/binaries/. This directory will accumulate binaries over time, so check it every once in a while and make sure there’s nothing new. Checking this directory by hand becomes a chore after a while, so it’s not a bad idea to write a script that does it for you: hash every file, remember the hashes you’ve already seen, and tell you when something new shows up.
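Here is the kind of script I mean. It is an added example written for this post, not code that ships with Dionaea. It assumes the default /opt/dionaea prefix from above; the manifest file and outbox directory under ~/samples are names I made up for the example. Each unseen file gets hashed with SHA-256 (the hash Hybrid-Analysis searches by), recorded in a JSON manifest so it is only reported once, and wrapped in a read-only zip named after its hash, so if you do end up moving samples by hand you are never handling a raw executable.

```python
"""Collect new Dionaea samples from the binaries directory.

Added example for this post, not part of Dionaea. Assumes the default
/opt/dionaea prefix; MANIFEST and OUTBOX are made-up locations.
"""
import hashlib
import json
import stat
import zipfile
from pathlib import Path

BINARIES_DIR = Path("/opt/dionaea/var/lib/dionaea/binaries")  # default prefix
MANIFEST = Path.home() / "samples" / "seen.json"              # assumed location
OUTBOX = Path.home() / "samples" / "outbox"                   # assumed location


def sha256_of(path: Path) -> str:
    """Hash in chunks so a large drop is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(manifest: Path) -> dict:
    """Hashes we have already reported, keyed by sha256."""
    if manifest.exists():
        return json.loads(manifest.read_text())
    return {}


def package_sample(sample: Path, digest: str, outbox: Path) -> Path:
    """Wrap one sample in a zip named by its SHA-256 and strip exec bits.

    The archive member is stored as <sha256>.bin so nothing on the
    transfer path treats it as a program, and the zip is left read-only.
    """
    outbox.mkdir(parents=True, exist_ok=True)
    archive = outbox / f"{digest}.zip"
    if archive.exists():          # already packaged (e.g. manifest was wiped)
        return archive
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(sample, arcname=f"{digest}.bin")
    archive.chmod(stat.S_IRUSR | stat.S_IRGRP)  # 0o440: readable, never executable
    return archive


def collect(binaries_dir: Path, manifest: Path, outbox: Path) -> list:
    """Return (path, sha256) for every unseen sample and update the manifest."""
    seen = load_manifest(manifest)
    new = []
    for sample in sorted(p for p in binaries_dir.iterdir() if p.is_file()):
        digest = sha256_of(sample)
        if digest in seen:
            continue
        archive = package_sample(sample, digest, outbox)
        seen[digest] = {
            "name": sample.name,
            "size": sample.stat().st_size,
            "mtime": sample.stat().st_mtime,
            "archive": str(archive),
        }
        new.append((sample, digest))
    manifest.parent.mkdir(parents=True, exist_ok=True)
    manifest.write_text(json.dumps(seen, indent=2, sort_keys=True))
    return new


if __name__ == "__main__":
    for sample, digest in collect(BINARIES_DIR, MANIFEST, OUTBOX):
        print(f"new sample {sample.name}  sha256={digest}")
```

Run it from cron on the honeypot and it only ever prints the things you have not looked at yet; the zips in the outbox are what you carry to the sandbox if you take the manual route.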
Now that you know where some malware may be chilling, waiting for you to collect it like the badass, poor listening skills, amateur-hour malware collector you are, you can upload it to a sandbox!
After I do all of my local analysis on the malware I get, the next thing I do is put the malware into a sandbox for analysis. Now, I don’t have a ton of money to throw into a hot sandboxing lab, so I have to use free shit. If you can afford a box to run all the necessary components of Cuckoo sandbox, hey, go for it captain. Not all of us can afford golden toilets, but if you can, then more power to you.
Either way, you’re going to have a challenge to overcome. How can you safely get the malware off of your honeypot and into a sandbox? Well, there are a few options, from the most discreet “This End Toward Enemy” strategy to “oh my god, run! that monkey has a gun!” Again, this is your experience. You figure out how fucked up and infected you want your own machines. Here at Brokesec, we (I) believe in personal responsibility, so if you want to inadvertently join a botnet because you had accidental self infection on account of you being a noob, you do you.
1.1 Malware Transfer Options
However, if you want to be a little smarter about how to transfer your files, here are a few options available to you:
The API method (smartest option)
The API method is probably the best option for getting your malware onto a sandboxing platform. Pushing the sample over an API drops it straight into the sandbox queue, so it never touches anything you care about, and you can do the transfers rapidly. Luckily, Hybrid-Analysis provides an API just for this purpose, along with a Python command-line client for it called VxAPI.
While GitHub has plenty of pre-written tools you can use to transfer your malware to Hybrid-Analysis and many other sandboxes, it’s more fun to write your own API script, right? Most sandboxing options worth their salt these days have an API, so be bold and try writing your own script for this. You’ll be glad you did if you need the coding practice.
You’d think that if this was the smartest option, I’d be giving you a complete walkthrough of the API and everything it does. Nope. It’s all written down in the API documentation, so read through it and decide which options are best for you as you learn how to navigate it.
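As a starting point, this is the shape my own submission script takes. It is an added example, not VxAPI and not code from the original post. The base URL, header names, endpoint paths and environment IDs are written down as I understand the v2 API; treat them as assumptions and check each against the API documentation before trusting them. The interesting parts are independent of that: it searches by SHA-256 before uploading (no point burning quota on something the sandbox already has), picks the Windows 32-bit, Windows 64-bit or Linux environment from the file header instead of trusting the filename, and takes the HTTP call as a parameter so the logic can be exercised without a network.

```python
"""Push new honeypot samples into Hybrid Analysis through its HTTP API.

Added example, not VxAPI. Endpoint paths, header names and environment
IDs are assumptions based on the v2 API docs; verify them before use.
"""
import hashlib
from pathlib import Path
from typing import Callable, Optional

API_BASE = "https://www.hybrid-analysis.com/api/v2"   # assumed base URL

# Environment IDs as I remember them; confirm with GET /system/environments.
ENV_WIN7_32 = 100
ENV_WIN7_64 = 110
ENV_LINUX_64 = 300

# Transport signature: (method, url, headers, data, files) -> (status, body)
Transport = Callable[..., tuple]


def requests_transport(method, url, headers, data=None, files=None):
    """Default transport; imports requests lazily so the rest runs without it."""
    import requests  # third-party: pip install requests
    resp = requests.request(method, url, headers=headers, data=data,
                            files=files, timeout=60)
    try:
        body = resp.json()
    except ValueError:
        body = resp.text
    return resp.status_code, body


def pick_environment(data: bytes) -> Optional[int]:
    """Choose a sandbox VM from the file header, or None if it is not PE/ELF.

    A 32-bit PE also runs on the 64-bit VM (WoW64), but a 64-bit PE will
    not run on the 32-bit one, so the PE machine field decides.
    """
    if data[:4] == b"\x7fELF":
        return ENV_LINUX_64
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = int.from_bytes(data[0x3C:0x40], "little")   # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 6:
            machine = int.from_bytes(data[pe_off + 4:pe_off + 6], "little")
            if machine == 0x14C:      # IMAGE_FILE_MACHINE_I386
                return ENV_WIN7_32
            if machine == 0x8664:     # IMAGE_FILE_MACHINE_AMD64
                return ENV_WIN7_64
    return None


def submit_new(sample: Path, api_key: str,
               http: Transport = requests_transport) -> dict:
    """Search by hash first; only upload if the sandbox has never seen it."""
    data = sample.read_bytes()
    sha256 = hashlib.sha256(data).hexdigest()
    headers = {"api-key": api_key, "user-agent": "Falcon Sandbox",
               "accept": "application/json"}

    status, hits = http("POST", f"{API_BASE}/search/hash", headers,
                        data={"hash": sha256})
    if status != 200:
        raise RuntimeError(f"hash search failed: HTTP {status}: {hits}")
    if hits:  # a non-empty list means reports already exist for this hash
        return {"status": "known", "sha256": sha256, "reports": hits}

    env = pick_environment(data)
    if env is None:
        return {"status": "skipped", "sha256": sha256, "reason": "not PE or ELF"}

    status, body = http(
        "POST", f"{API_BASE}/submit/file", headers,
        data={"environment_id": str(env)},
        files={"file": (f"{sha256}.bin", data)},  # neutral name, nothing to double-click
    )
    if status not in (200, 201):
        raise RuntimeError(f"submit failed: HTTP {status}: {body}")
    job_id = body.get("job_id") if isinstance(body, dict) else None
    return {"status": "submitted", "sha256": sha256,
            "environment_id": env, "job_id": job_id}
```

Point it at the zips’ original files (or unzip on a box you do not care about), loop over them, and log the returned job IDs; the `known` case is the one that saves you time, because it comes back with the existing reports instead of a new job.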
Manual transfer (Dumber option)
Another option is to zip the malware, transfer the zip to a local machine (do NOT unzip this archive…), and then upload the whole archive to Hybrid-Analysis. As an added precaution, at least make sure that the machine you’re transferring through can’t accidentally execute the malware.
In other words, don’t move a Linux ELF through a Linux machine, don’t move a Windows PE through a Windows machine, and so on. Okay? The important thing is that Hybrid-Analysis can handle zipped files, which is helpful in keeping us off the front pages of all the papers in stupid town, but if you choose this method, you should take care to avoid local malware execution at all costs. If that means uploading from a machine you don’t care about at all, that’s even just a little better.
This is stupid though, so really just do everything you can to avoid this option. Even if it means just using VxAPI as a standalone command and manually running each upload with an individual command instead of a script. Even including this as an option makes me feel gross, but it wouldn’t be Brokesec if I weren’t giving you bad advice, so do whatever the F you want I guess.
1.2 Manually Uploading A Zip To Hybrid-Analysis
Okay, cool, so you’ve managed to download the zip file from your honeypot and have chosen the “dumber option” to get your malware to the sandbox. Congrats on being insolent and careless! This is the landing page when you get to hybrid-analysis.com, and as you can see, there are a few different offerings in terms of how to begin your malware misadventure.
I’ve mentioned before that my main sandbox is Hybrid-Analysis.com. That’s what I use, it’s what I’m comfortable with, and if you don’t like it then frankly, why are you even reading this blog? If you have a strong enough opinion on which free sandboxes to use, you’re probably too advanced for this site anyway.
Hybrid Analysis is pretty straightforward. You have a few options for getting the badness into the sandbox: you can drop the file in directly, or you can give it a URL to pull the binary from. Either way generally works just fine as long as you’re giving it an actual piece of malware.
Once you’ve uploaded the sample, you’ll be asked to enter a little bit of information about the sample you want to analyze. The most important thing to get right is running the sample in the right sandbox environment. Again, this is pretty straightforward. If you have a Portable Executable (a .EXE file), make sure you’re putting it into a Windows sandbox that matches the architecture your malware was compiled for: a 32-bit PE will also run in the 64-bit Windows environment, but a 64-bit PE won’t run in the 32-bit one, and an ELF needs the Linux environment. It’s so simple, Michael Reeves could probably do it. After that, it’s just a matter of seeing what your samples do.
2.0 Reviewing The Results
Now that we’ve walked through how to get samples onto hybrid-analysis, let’s look at something I scraped out of the binaries tank. If you’d like to follow along on your own, here’s a link to the malware I submitted.
After the sample is done being submitted, you’ll get a full readout of what the sandbox discovered, which in our case, you can see in that image over there.
The first place my eyes go is the upper right corner, to see how the AV engines marked and labeled the sample. For this one, we got a piece of malware marked as “Zusy.Generic”, which is about as common as the over-60 crowd at a Bob Evans. So there you have it. It’s your average, run-of-the-mill, generic brand of adware. Keep in mind that “Generic” in an AV label means a heuristic or family-wide signature fired, not that anyone identified this exact sample, so the label tells you a lot less than the behaviour the sandbox recorded: the processes it spawned, the files it dropped, and the hosts it tried to contact. Pretty boring, but we can still learn a lot about how sandboxing works from this.
3.0 Takeaways
This is what I do with malware when I find it. You may find that you have a different taste and hey, that’s perfectly okay. I’m not your mother, and I already told you not to do any of this stuff, so knock yourself out with whatever option you decide fits your needs best.
Being able to review the results of our sandboxed malware will tell us a lot about what’s targeting our honeypot, and just generally what kinds of threats are out there today. Uploading a piece of malware with a brand new, unseen hash, to me, is like opening a present. You never know what’s on the inside, but you know that this particular instantiation of malware hasn’t been analyzed yet. The kinds of data we can get out of a new piece of malware can be fascinating, even for amateurs like us. One thing to keep in mind: a free Hybrid-Analysis submission is a public one, which is fine for something a random bot dropped on your honeypot, but not for anything that came out of a network you actually care about.