Boot up malnet on a system with at least 1 or 2GB of RAM and hopefully
a recent processor. Nested virtualization does not work well at all,
so don't even try.

Pop up a terminal.

1) 'cp /cdrom/winxp.qcow2 .'
2) 'cp -r /cdrom/samples .'
The above two commands will copy the files and make sure that the VM file is
in the cache.

3) Make sure your computer is connected to an Internet-connected
network; you can do the configuration from wicd, accessible via alt-N.

4) 'malnet'
The above command will give you a good idea of what we can do.

5) 'malnet fork-img winxp.qcow2 winxp-test.qcow2'
This will create a QCOW2 copy-on-write file derived from winxp.qcow2 --
all changes will instead go to winxp-test.qcow2.

6) 'sudo malnet inject samples/12* winxp-test.qcow2'
This will inject a malware executable sample to be executed upon boot.

7) 'malnet run-img winxp-test.qcow2'
You will see XP boot up and a piece of malware running.
Screenshots will be taken, and finally a memory dump. Hit
enter when it prompts you to. You will see three screenshots, a
memory dump file, and a pcap in the home directory.

8) 'sudo malnet dump-reg winxp.qcow2'
9) 'sudo malnet dump-reg winxp-test.qcow2'
10) 'diff *reg* | more'
The above commands will show you what changed in the registry. If
you scroll down, you'll see that the malware has created a bunch of
Image File Execution Options registry keys.

11) 'malnet dump-pe samples/12*'
12) 'more samples/*pe.txt'
The above two commands will show you the PE details: sections, along with
imports and exports.

13) 'wireshark *.pcap'
This will load up Wireshark on the pcap file captured by QEMU. We'll
see a bunch of DNS requests. Scroll down to an HTTP request, right
click, follow TCP stream, and we'll see it talking to an NGINX server.

14) 'volatility sockets -f *mem.bin'
This will show the sockets that were open at the time of memory capture.
Of note are the pid and port.

15) 'volatility connections -f *mem.bin'
This will show the connections that were open at the time of memory
capture, and the owning pid. The owning pid is particularly interesting;
take note of it.

16) 'volatility files -f *mem.bin | more'
Search for the pid noted earlier using '/'. You'll see all
the files opened by the malware in question.

17) 'volatility pslist -f *mem.bin'
You'll see the process 'SAMPLE.EXE' in our process list.

18) 'volatility memdmp -p pid -f *mem.bin'
Replace 'pid' above with the pid of SAMPLE.EXE. Congratulations, we now have a
dump of the process in a file named pid.dmp that we can load into our
favorite disassembler.

19) 'strings winxp-test.qcow2 | grep http://'
Another neat trick -- the qcow2 file contains just the changes, so by
running strings over it we can search for URLs. Handy, eh?

20) 'gzip -9 *.bin'
21) 'ls -alh *.bin'
The memory file compresses down to 42MB. Bet we could reduce this further
using a memory-based diff.

Anyway -- this should give you a glimpse of what is possible with an
automated sandbox.
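As an added example (not part of the original paste, and not malnet's own code), here is a small POSIX shell script that automates what steps 8-10 and 19 do by hand: it diffs a baseline registry dump against the post-run dump and keeps only newly added Image File Execution Options entries, and it pulls http:// URLs out of a raw image file without depending on binutils' strings. The registry dump format, the key names and the example.invalid host are constructed sample data (malnet's real dump-reg output format is not assumed here); with real inputs you would point the functions at the two dump-reg outputs and at winxp-test.qcow2.

```shell
#!/bin/sh
# Added example, not from the original paste or from malnet itself.
# Automates steps 8-10 (registry diff) and 19 (URL hunting in the
# copy-on-write image). All inputs below are constructed sample data.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for 'malnet dump-reg winxp.qcow2' (clean baseline).
cat > "$WORK/winxp.reg.txt" <<'EOF'
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntsd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
EOF

# Constructed stand-in for 'malnet dump-reg winxp-test.qcow2' after the
# sample ran: two Debugger hijacks under Image File Execution Options.
cat > "$WORK/winxp-test.reg.txt" <<'EOF'
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntsd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = C:\WINDOWS\SAMPLE.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = C:\WINDOWS\SAMPLE.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
EOF

# new_ifeo_keys BASELINE AFTER
# Lines present only in AFTER (diff's '>' side) that live under
# Image File Execution Options: the persistence step 10 points at.
new_ifeo_keys() {
    diff "$1" "$2" | sed -n 's/^> //p' | grep 'Image File Execution Options'
}

# count_new_ifeo_keys BASELINE AFTER: number of such keys, usable as a verdict signal.
count_new_ifeo_keys() {
    new_ifeo_keys "$1" "$2" | wc -l | tr -d ' '
}

# extract_urls FILE
# Equivalent of step 19's 'strings FILE | grep http://' without binutils:
# non-printable bytes become line breaks, then URLs are cut out and deduplicated.
extract_urls() {
    tr -c '[:print:]' '\n' < "$1" | grep -o 'http://[^[:space:]]*' | sort -u
}

# Constructed stand-in for winxp-test.qcow2: binary junk around two URLs
# (example.invalid is a placeholder host, not a real indicator).
printf 'QFI\373\000\001\000http://example.invalid/gate.php\000\000\002GET http://example.invalid/update.bin HTTP/1.1\r\n\000' \
    > "$WORK/winxp-test.qcow2"

# Stand-alone run: report what changed in the registry and which URLs appear.
echo "New Image File Execution Options keys:"
new_ifeo_keys "$WORK/winxp.reg.txt" "$WORK/winxp-test.reg.txt"
echo "URLs found in image:"
extract_urls "$WORK/winxp-test.qcow2"
```

The registry diff deliberately keeps only the '>' side: keys that exist after the run but not before are the ones the sample added, which is the same thing you would scroll for in 'diff *reg* | more'. The URL extractor uses tr instead of strings so it behaves the same on a live-CD that lacks binutils; the output of sort -u is the list you would feed into Wireshark's display filter or a DNS log search.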