moshsrv

pafish vm proof

Nov 20th, 2017
https://secvision22.wordpress.com/2017/01/19/installing-and-running-cuckoo-malware-analysis-platform-part-2/

- At least 60 GB HD;
- At least 2 GB of RAM;
- At least 2 processor cores;
- Set the “Pointing Device” to “PS/2 Mouse” (this may make the mouse misbehave when you operate the VM on the Linux host through xRDP);
- Set the processor execution cap to 100%;
- Enable the extended feature “PAE/NX”;
- Enable hardware virtualization (“VT-x/AMD-V”) and “Nested Paging”;
- No video acceleration is required;
- Set the network adapter to “Host-only adapter”.

After setting up the VM’s hardware characteristics, it is time to install your Windows 7 image. It’s best to install a fully up-to-date image, since your sandbox should look like a real machine. After doing the steps above, your VM should look something like this:

Note that my VM has only 40 GB HD; this is something I came across while creating it and running some tests on it. It is widely advised that you build yours with at least 80 GB HD, since disk size is something malware nowadays looks for. So, when Windows finishes installing, there are some steps you’ll need to take to continue setting up your sandbox; here they are:

- Do not install VirtualBox Guest Additions. Some malware looks for the registry entries it leaves behind and may find them. If you do install it, cleaning up after it is covered later in this guide;
- Fully update the system via Windows Update;
- Turn off Windows Update after the step above;
- Turn off Windows Firewall;
- Turn off Windows Defender;
- Turn off Security Center;
- Turn off UAC;
- Turn off all the notifications you will get by disabling these services;
- Set the “Adjust for Better Performance” option in System Properties;
- Set a fixed IP address. Cuckoo’s default network is 192.168.56.x, so you can use something like 192.168.56.7. This address must be placed in the virtualbox.conf file in the Cuckoo conf folder (see part 1);
- Set the video resolution to 1024×768;
- Put some files in the user folders (images, music and so on), and browse the web a bit so there is some browser history.

Now that you’re done tweaking Windows, it’s time to install all the software and tools you will need to run the vast majority of malware you will come across. There are basically three ways to do so:

- First, build an ISO image with all the software you need inside it and mount it in the VM;
- Second, make a network share between your host machine and the VM, then copy the files to the VM;
- Third, and least recommended, install VirtualBox Guest Additions and transfer the files that way.

The third way is the least recommended because, as already stated above, it leaves traces on the machine showing that it is a virtual machine. You can still install it and remove all the registry entries that relate to VirtualBox; I’ve done that. So, about the software you need to install, here’s the list:

- Microsoft Office 2013 x86 (32-bit)
- Microsoft .NET Framework 4.6 and 4.6.1
- Microsoft Visual C++ 2005, 2008, 2010, 2012, 2013, 2015
- Adobe Reader v9.0
- Flash Player v11
- Java RE 6 (I’ve installed v6u22)
- Python 2.7
- Pillow 2.9.0
- 7zip
- Cuckoo agent “agent.pyw”
- PaFish – Paranoid Fish (a tool that runs the same checks malware uses to detect a virtual machine, so you can verify that the VM is well disguised)

After every installation, be sure to run the software for the first time and accept any terms it pops up; also leave the window maximized and then close it. Cuckoo can’t run every piece of software that exists; it is compatible with certain software at specific versions. Be sure to check the Cuckoo documentation for details.

You can find all this software around the web with a few clicks, but I know how boring it would be to get all this stuff. Knowing that, I will soon put a link on this post with all the stuff you need in a single ISO file, stay tuned. x64 versions or the most recent versions of some software, such as Office and Adobe Reader, may not work properly with Cuckoo; you can try them out if you want.

Going forward, there are still some things you need to do before you can fire Cuckoo up. There is a piece of software from the Cuckoo platform that we need to put on the VM so that it starts every time the VM boots: the “agent.pyw”. You can find the file in the Cuckoo directory you downloaded before. Here are the steps:

- On the Windows VM, navigate to “C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”;
- Put the agent.pyw file in that folder.

All right, we now need to add a file I made myself which makes some changes to Windows every time it starts up. Since Cuckoo runs a snapshot of the live VM, as soon as the VM fires up to analyze a sample, this script will clear some artifacts that malware may use to fingerprint the sandbox, such as the registry entries from Guest Additions.

- Open up Notepad;
- Type in the following:

Windows Registry Editor Version 5.00
; Import silently at logon with a shortcut to "regedit /s <file>.reg";
; double-clicking the file shows a confirmation prompt each time.

; Overwrite the BIOS strings that would otherwise identify VirtualBox
[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM]
"SystemBiosDate"="06/12/10"
"SystemBiosVersion"="BC1.05"
"VideoBiosVersion"="VC1.20"

; Remove the VirtualBox ACPI tables, the Guest Additions key and the
; VirtualBox guest device entries (PCI vendor 80EE, device CAFE)
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions]
; Note: regedit does not expand wildcards, so the VBox* line is a no-op;
; each VBox* service key has to be listed and removed individually.
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBox*]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\Enum]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxGuest\Enum]

- Save the file under any name you want with the extension “.reg”;
- Put it, or a shortcut to it, in the startup folder “C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”.

This file deletes a few registry keys and rewrites some BIOS data about the machine.
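Added check, not from the original post: a Python 3 script that parses a .reg file of the kind shown above ([KEY] sets values, [-KEY] deletes a key) and audits a registry snapshot for what a pafish-style VirtualBox check would still find. The snapshot is a constructed dict here so the audit runs offline (on the VM itself the same dict would be built with the winreg module), and REG_TEXT is a constructed excerpt of the file above.

```python
import re
# Constructed excerpt of the guide's .reg file (same syntax as the full file).
REG_TEXT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM]
"SystemBiosVersion"="BC1.05"
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBox*]
"""
SECTION = re.compile(r"^\[(-?)([^\]]+)\]$")  # [KEY] sets values, [-KEY] deletes the key
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')    # "name"="string value"

def parse_reg(text):
    """Return (sets, deletes): sets maps key -> {name: value}, deletes lists keys."""
    sets, deletes, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            if m.group(1) == "-":
                deletes.append(m.group(2))
                current = None
            else:
                current = sets.setdefault(m.group(2), {})
        elif (m := VALUE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return sets, deletes

def audit(reg_text, registry):
    """List what a pafish-style VirtualBox check would still see in `registry`,
    a {key: {name: value}} snapshot. A trailing '*' in a [-KEY] line is matched
    as a prefix here; regedit itself does NOT expand wildcards on import."""
    findings = []
    sets, deletes = parse_reg(reg_text)
    for key, values in sets.items():
        for name, want in values.items():
            got = registry.get(key, {}).get(name)
            if got != want:
                findings.append(f"value {key}\\{name} is {got!r}, expected {want!r}")
    for key in deletes:
        prefix = key[:-1] if key.endswith("*") else None
        for present in registry:
            if present == key or (prefix and present.startswith(prefix)):
                findings.append(f"key still present: {present}")
    return findings

SAMPLE_REGISTRY = {  # constructed: stock BIOS string, Guest Additions services linger
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM": {"SystemBiosVersion": "VBOX   - 1"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest": {},
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxSF": {},
}
```

On the sample snapshot the audit reports the stock BIOS string and the two lingering VBox* service keys, and it returns an empty list once the snapshot matches the .reg file.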

The next step is to delete a device that is installed by VirtualBox; it comes back every time the machine starts up. I couldn’t find any other way to prevent it from being installed or to remove it with a script. If you find a way to do that in a more automated fashion, please let me know!