[MALWARE LAB SETUP]
MALWARE THEORY
THEORY

//HASHING//
hash = the signature (identifier) of a file's contents
- hash collision: two different files generate the same hash.
- common hashing functions used to identify malware samples:
  '''''''''''''''''''''''''''''''''''
  ' MD5    | 128 bits | 32 hex chars '
  ' SHA1   | 160 bits | 40 hex chars '
  ' SHA256 | 256 bits | 64 hex chars '
  '''''''''''''''''''''''''''''''''''
  MD5 and SHA1 have practical collision attacks; identify samples by SHA256 and keep MD5/SHA1 only for lookups in databases that still index by them.
- fuzzy hashing (ex: ssdeep): similarity hashing. Comparing two fuzzy hashes gives a score of how similar two files are (variants of the same family), which a cryptographic hash cannot show: one changed byte gives a completely different digest.

//STRINGS//
- a C string is a sequence of characters followed by a terminator byte that marks its end (the terminator is not an "escape sequence"; escape sequences such as "\n" are a way of writing single characters).
  terminator: NUL, "\0" | 0x00
--> ASCII: 7 bits, which means 128 characters, represented nowadays by 1 byte (8 bits)
  - printable: the characters we see on screen (letters, digits, punctuation, the space)
  - non-printable: control characters we normally do not see, ex:
    LineFeed, LF       | "\n" | 0x0A
    CarriageReturn, CR | "\r" | 0x0D
--> UNICODE: Windows uses UTF-16LE ("wide" strings), 2 bytes per character, so English text appears as letters separated by 0x00 bytes; plain `strings` skips these, run `strings -e l` (or FLOSS on REMnux) to recover them as well.
valid info gathered running strings:
> functions invoked (imported API names)
> internal or external messages
> sections used
> IP addresses or domain names associated
> error handling
> file paths, registry keys, mutex names, URLs

//PE FILE FORMAT//
PE "portable executable", derived from COFF "common object file format"
extensions that use it: .dll | .exe | .acm | .ax | .cpl | .drv | .efi | .mui | .ocx | .scr | .sys | .tsp
linker = resolves the references to libraries and produces the final executable
- static linking = the library code is copied (embedded) into the final .exe; nothing to load at run time
- dynamic linking
  - implicit (load-time) = the executable only references the library in its import table; Windows loads the DLL when the process starts. (not embedded)
  - explicit (run-time) = nothing in the import table; the developer loads the library from the code itself when needed (LoadLibrary / GetProcAddress), so these imports do not show up in a static import listing.

//PE File Structure//
''''''''''''''''''''
' MS-DOS Header    '
' File Header      '
' Optional Header  '
' Section Header   '
'__________________'
' Sections         '
'   .text          '
'   .data          '
'   .idata         '
'   .rsrc          '
'   .reloc         '
''''''''''''''''''''
MS-DOS header = starts with the signature "MZ" (e_magic = 0x5A4D, the bytes 4D 5A read as a little-endian word).
The field e_lfanew (at offset 0x3C) holds the file offset of the PE signature "PE\0\0" (0x00004550); the COFF file header follows immediately after that signature.
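The three theory points above (hashes as signatures, ASCII and UTF-16LE strings, and the MZ -> e_lfanew -> "PE\0\0" -> COFF header walk) put together in one static triage script. This is an added example for these notes, not the notes' own tooling: the input is a constructed fake PE built by build_fake_pe() (not a real binary), the URL in it uses the lab REMnux address as a made-up string, and the decoded constants are the COFF machine types and characteristics flags listed in the table that follows (plus IMAGE_DLLCHARACTERISTICS_NX_COMPAT and the PE32/PE32+ magics).

```python
"""Static triage of one sample: hashes, ASCII / UTF-16LE strings and the PE header walk
MZ -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional header -> section table.
Added example for these notes; build_fake_pe() returns a constructed PE32+ skeleton,
not a real binary, so every offset and constant below can be checked by hand."""
import hashlib
import re
import struct

# COFF / optional header constants from the notes' tables (NX_COMPAT and the magics added).
MACHINE_TYPES = {0x8664: "AMD64", 0x14C: "I386", 0x1C0: "ARM", 0xAA64: "ARM64", 0x1F0: "POWERPC"}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x1000: "SYSTEM", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def hashes(data):
    """MD5 / SHA1 / SHA256 of the whole file: the 32 / 40 / 64 hex-char signatures."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=4):
    """Runs of printable ASCII (0x20-0x7E) of min_len+ characters, first as 1-byte
    characters, then as UTF-16LE 'wide' strings (each character followed by 0x00)."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in narrow.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide.finditer(data)]
    return found


def parse_pe_header(data):
    """Follow the DOS header to the COFF header and decode machine type and flags.
    Raises ValueError when a signature is missing, so a renamed non-PE fails loudly."""
    if len(data) < 0x40 or data[:2] != b"MZ":                    # e_magic == 0x5A4D
        raise ValueError("no MZ signature: not a PE")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]           # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":             # 0x00004550
        raise ValueError("no PE signature at e_lfanew: not a PE")
    # COFF file header: 20 bytes right after the signature.
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info = {"e_lfanew": e_lfanew, "machine": MACHINE_TYPES.get(machine, hex(machine)),
            "timestamp": timestamp, "is_dll": bool(chars & 0x2000),
            "characteristics": [n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit],
            "format": None, "dll_characteristics": []}
    opt = e_lfanew + 24
    if opt_size >= 72:  # DllCharacteristics is at +70 in both PE32 and PE32+ optional headers
        magic = struct.unpack_from("<H", data, opt)[0]
        dllc = struct.unpack_from("<H", data, opt + 70)[0]
        info["format"] = OPTIONAL_MAGIC.get(magic, hex(magic))
        info["dll_characteristics"] = [n for bit, n in DLL_CHARACTERISTICS.items() if dllc & bit]
    sec = opt + opt_size                                         # section table: 40-byte entries
    info["sections"] = [data[sec + 40 * i: sec + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
                        for i in range(nsections)]
    return info


def is_pe(data):
    """True when both signatures check out; truncated or foreign files give False."""
    try:
        parse_pe_header(data)
        return True
    except (ValueError, struct.error):
        return False


def triage(data):
    return {"hashes": hashes(data), "pe": parse_pe_header(data), "strings": extract_strings(data)}


def build_fake_pe():
    """Constructed sample: PE32+ skeleton for AMD64, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE,
    DYNAMIC_BASE | NX_COMPAT, three sections and a few strings (one UTF-16LE). Not runnable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)                      # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew -> 0x80
    dos += b"This program cannot be run in DOS mode.\x00"        # DOS stub text
    dos += b"\x00" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x65000000, 0, 0, 240, 0x0002 | 0x0020)
    opt = bytearray(240)                                         # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100)
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in (b".text", b".data", b".rsrc"))
    body = b"kernel32.dll\x00VirtualAlloc\x00\x00"
    body += "http://10.10.10.3/update.bin".encode("utf-16-le") + b"\x00\x00"  # made-up lab URL
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sections + body


if __name__ == "__main__":
    report = triage(build_fake_pe())
    print(report["hashes"]["sha256"], report["pe"], report["strings"])
```

Run it on a real sample by replacing build_fake_pe() with open(path, "rb").read(); the wide-string regex is what makes the UTF-16LE URL show up, the narrow one alone would only see the ASCII strings and the section names.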
COFF file header / machine types
  '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
  ' description            | constant                    | value  '
  ' x64                    | IMAGE_FILE_MACHINE_AMD64    | 0x8664 '
  ' Intel 386 or later     | IMAGE_FILE_MACHINE_I386     | 0x14c  '
  ' ARM little endian      | IMAGE_FILE_MACHINE_ARM      | 0x1c0  '
  ' ARM64 little endian    | IMAGE_FILE_MACHINE_ARM64    | 0xaa64 '
  ' PowerPC little endian  | IMAGE_FILE_MACHINE_POWERPC  | 0x1f0  '
  '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

characteristics flags
:::file (Characteristics field of the COFF file header)
  IMAGE_FILE_EXECUTABLE_IMAGE     | 0x0002 | image only; the file is valid and can be run
  IMAGE_FILE_LARGE_ADDRESS_AWARE  | 0x0020 | app can handle addresses > 2 GB
  IMAGE_FILE_32BIT_MACHINE        | 0x0100 | 32-bit architecture
  IMAGE_FILE_SYSTEM               | 0x1000 | system file, not a user program
  IMAGE_FILE_DLL                  | 0x2000 | dynamic link library
:::dll (DllCharacteristics field of the optional header; despite the name it applies to .exe files too)
  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE     | 0x0040 | image can be relocated at load time (ASLR)
  IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY  | 0x0080 | code integrity checks are enforced

BEST PRACTICES - MALWARE HANDLING
1. always run samples inside virtual machines, never on the host
2. isolate the environment: put the VMs on an internal / "host-only" network with no route to the internet
3. change the extension of the sample file (ex: evil.exe -> evil.bin) so an accidental double-click does not execute it
4. store and move samples in a password-protected encrypted archive (the usual convention is a zip with the password "infected") so AV does not quarantine them and nobody opens them by mistake
5. take a snapshot of the clean VM before detonation and revert to it after every run
6. disable shared folders, clipboard sharing and drag-and-drop between host and guest

SETTING NETWORKING
Requirements:
- REMnux host
- VirtualBox
Hypervisor used: VirtualBox

1. Create the network adapter to simulate the internal network (isolates the hosts in a private network)
   1.1 Tools > Network > Create
   1.2 Adapter tab:
       - Set the IPv4 address to 10.10.10.1/24 (or any other network different from your real LAN, so lab traffic can never be confused with it)
   1.3 DHCP server tab:
       - Set the server address to 10.10.10.2/24
       - Set the lower address bound to 10.10.10.3 [REMnux IP address: boot REMnux first so it takes this lease, or assign the address statically]
       - Set the upper address bound to 10.10.10.254
2. Configure INetSim on REMnux so its fake services (DNS, HTTP, HTTPS, SMTP, ...) listen on the lab address: in /etc/inetsim/inetsim.conf set service_bind_address and dns_default_ip to 10.10.10.3, start INetSim and check the listeners with ss -tulnp
3. Set the DNS server (and the default gateway) on the Windows host to 10.10.10.3 [REMnux IP address]: every name then resolves to REMnux and the sample talks to INetSim instead of the real internet
4. Verify the isolation from Windows before detonating anything: nslookup of any name must answer 10.10.10.3 and a ping to a public IP must fail

LINUX MALWARE
Starting points: always collect this info first as the initial baseline, then repeat it after detonation and diff the two
- CPU per process: top (press P to sort by %CPU)
- memory per process: top (press M to sort by %MEM)
- percentage of used disk space on /dev/xvda1: df -hP
- remote username for active sessions: sudo w (the FROM column shows the origin host; w -i shows the IP instead of the name)
- remote IP of active connections: netstat -a (or ss -tnp on systems without net-tools; -p shows the owning process)
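The baseline above collected into one dict so the post-detonation run can be diffed against it. This is an added example, not the notes' own script: the parsers are exercised on constructed output of top, df, w and ss for a fictional host (the SAMPLE_* strings, including the made-up process name and peer addresses), and collect_baseline() runs the real commands on a live box with LC_ALL=C so the columns are where the parsers expect them.

```python
"""Initial Linux baseline from these notes (CPU and memory per process, used disk
space, remote sessions, remote TCP peers) collected into one dict so the same run
after detonation can be diffed against it. Added example, not the notes' own script.
The parsers are exercised on constructed command output (the SAMPLE_* strings);
collect_baseline() runs the real commands on a live box."""
import json
import os
import subprocess

# Constructed output of `top -b -n 1`, `df -hP`, `w` and `ss -tn` for a fictional host.
SAMPLE_TOP = """top - 10:02:11 up  3:14,  2 users,  load average: 0.52, 0.30, 0.18
Tasks: 101 total,   2 running,  99 sleeping,   0 stopped,   0 zombie
%Cpu(s): 48.0 us,  2.0 sy,  0.0 ni, 50.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :   1987.3 total,    612.4 free,    701.9 used,    673.0 buff/cache

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
   1337 www-data  20   0  812340 402112   1200 R  95.3  19.8   8:12.44 ./.hidden/payload
    901 root      20   0   72356   8012   6900 S   0.3   0.4   0:01.02 sshd
   1402 deploy    20   0   11892   3980   3200 R   0.0   0.2   0:00.01 top
"""
SAMPLE_DF = """Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda1       20G   17G  2.7G  87% /
tmpfs           994M     0  994M   0% /dev/shm
"""
SAMPLE_W = """ 10:02:11 up  3:14,  2 users,  load average: 0.52, 0.30, 0.18
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
ubuntu   tty1     -                09:00    1:02m  0.10s  0.05s -bash
deploy   pts/0    203.0.113.45     09:55    0.00s  0.02s  0.00s w
"""
SAMPLE_SS = """State  Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
ESTAB  0       0       10.0.0.5:22          203.0.113.45:51234
ESTAB  0       52      10.0.0.5:44120       198.51.100.7:4444
TIME-WAIT  0   0       10.0.0.5:80          203.0.113.9:60001
"""


def parse_top(output):
    """Rows of `top -b -n 1` as dicts; the process table starts after the PID header."""
    lines = output.splitlines()
    start = next((i for i, l in enumerate(lines) if l.split()[:1] == ["PID"]), None)
    rows = []
    for line in (lines[start + 1:] if start is not None else []):
        f = line.split()
        if len(f) < 12:                           # PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
            continue
        rows.append({"pid": int(f[0]), "user": f[1], "cpu": float(f[8]),
                     "mem": float(f[9]), "cmd": " ".join(f[11:])})
    return rows


def rank(rows, key, n=5):
    """Top n rows by 'cpu' or 'mem' (what P / M do interactively in top)."""
    return sorted(rows, key=lambda r: r[key], reverse=True)[:n]


def parse_df(output, mount="/"):
    """`df -hP`: Use% of the filesystem mounted at `mount` as an int, None if absent."""
    for line in output.splitlines()[1:]:
        f = line.split()
        if len(f) >= 6 and f[5] == mount:
            return int(f[4].rstrip("%"))
    return None


def parse_w(output):
    """`w`: {user: origin} for sessions whose FROM column is not '-' (local console)."""
    sessions = {}
    for line in output.splitlines()[2:]:          # skip the uptime line and the header
        f = line.split()
        if len(f) >= 3 and f[2] != "-":
            sessions[f[0]] = f[2]
    return sessions


def parse_ss(output):
    """`ss -tn`: sorted (peer_ip, state) pairs for every non-listening TCP socket."""
    peers = set()
    for line in output.splitlines()[1:]:
        f = line.split()
        if len(f) < 5 or f[0] == "LISTEN":
            continue
        ip = f[4].rsplit(":", 1)[0].strip("[]")   # drop the port; [..] wraps IPv6 peers
        peers.add((ip, f[0]))
    return sorted(peers)


def run(cmd):
    env = dict(os.environ, LC_ALL="C")            # fixed column layout and '.' decimals
    return subprocess.run(cmd, capture_output=True, text=True, env=env).stdout


def collect_baseline():
    procs = parse_top(run(["top", "-b", "-n", "1"]))
    return {"top_cpu": rank(procs, "cpu"), "top_mem": rank(procs, "mem"),
            "disk_root_pct": parse_df(run(["df", "-hP"]), "/"),
            "remote_sessions": parse_w(run(["w"])),
            "tcp_peers": parse_ss(run(["ss", "-tn"]))}


if __name__ == "__main__":
    print(json.dumps(collect_baseline(), indent=2))
```

Save the JSON output once before detonation and once after; a new entry in tcp_peers or a process at the top of top_cpu that was not in the first run is the starting point for the investigation.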
©® - 2023/2024.