Quick Malnet 2 Tutorial

a guest Jul 15th, 2010 575 Never
Boot up malnet on a system with at least 1 or 2GB of RAM and, ideally,
a recent processor.  Nested virtualization does not work well at all,
so don't even try.

Pop up a terminal.
1) 'cp /cdrom/winxp.qcow2 .'
2) 'cp -r /cdrom/samples .'

The above two commands copy the files and make sure that the VM image
is in the cache.

3) Make sure your computer is connected to an Internet-connected
network; you can do the configuration from wicd, accessible via alt-N.

4) 'malnet'

Running the command on its own will give you a good idea of what we
can do.

5) 'malnet fork-img winxp.qcow2 winxp-test.qcow2'

This will create a QCOW2 copy-on-write file derived from winxp.qcow2 --
all changes will instead go to winxp-test.qcow2, and winxp.qcow2 stays
untouched.

6) 'sudo malnet inject samples/12* winxp-test.qcow2'

This will inject a malware executable sample to be executed upon boot.

7) 'malnet run-img winxp-test.qcow2'

You will see XP boot up and the piece of malware run.  Screenshots
will be taken, and finally a memory dump.  Hit enter when it prompts
you to.  You will find three screenshots, a memory dump file, and a
pcap in the home directory.

8) 'sudo malnet dump-reg winxp.qcow2'
9) 'sudo malnet dump-reg winxp-test.qcow2'
10) 'diff *reg* | more'

The above commands will show you what changed in the registry between
the clean image and the infected one.  If you scroll down, you'll see
that the malware has created a bunch of Image File Execution Options
registry keys.

11) 'malnet dump-pe samples/12*'
12) 'more samples/*pe.txt'

The above two commands will show you the PE structure: sections, along
with imports and exports.

13) 'wireshark *.pcap'

This will load up Wireshark on the pcap file captured by QEMU.  We'll
see a bunch of DNS requests.  Scroll down to an HTTP request, right
click, Follow TCP Stream, and we'll see it talking to an NGINX server.

14) 'volatility sockets -f *mem.bin'

This will show sockets that were open at the time of memory capture.
Of note are the PID and port.

15) 'volatility connections -f *mem.bin'

This will show connections that were open at the time of the memory
capture, and the owning PID.  The owning PID is particularly
interesting.  Take note of it.

16) 'volatility files -f *mem.bin | more'

Search for the PID that was noted earlier using '/'.  You'll see all
the files that are opened by the malware in question.

17) 'volatility pslist -f *mem.bin'

You'll see the process 'SAMPLE.EXE' in our process list.

18) 'volatility memdmp -p pid -f *mem.bin'

Replace 'pid' above with the PID of SAMPLE.EXE.  Congratulations, we
now have a dump of the process in a file named pid.dmp that we can
load into our favorite disassembler.

19) 'strings winxp-test.qcow2 | grep http://'

Another neat trick -- the qcow2 file contains just the changes, so by
running strings over it, we can search for URLs.  Handy, eh?
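
Plain strings only reports ASCII runs by default, while Windows binaries and registry data often hold URLs as UTF-16LE (strings needs '-el' for those). The script below, an added example rather than code from the paste or from Malnet, pulls both kinds of URL out of an arbitrary binary; the SAMPLE blob is a constructed stand-in for a qcow2 overlay, and extract_urls_from_file() is a helper name assumed here.

```python
import mmap
import os
import re
import sys

# Constructed sample blob standing in for an overlay file: an ASCII HTTP
# request line, a UTF-16LE URL, and some short junk that must be ignored.
SAMPLE = (
    b"\x00\x01junk\x00GET http://example.test/update.php HTTP/1.1\x00\x00"
    + "https://c2.example.test/gate".encode("utf-16-le") + b"\x00\x00"
    + b"short\x00ab\x00"
)

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def ascii_strings(data, min_len=4):
    """Yield printable ASCII runs of at least min_len bytes (plain `strings`)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def utf16le_strings(data, min_len=4):
    """Yield UTF-16LE runs of at least min_len characters (`strings -el`)."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def extract_urls(data, min_len=4):
    """Return unique URLs found in ASCII and UTF-16LE strings, in order of discovery."""
    urls, seen = [], set()
    for s in list(ascii_strings(data, min_len)) + list(utf16le_strings(data, min_len)):
        for u in URL_RE.findall(s):
            u = u.rstrip(".,;:)'\"")  # drop trailing punctuation from surrounding text
            if u not in seen:
                seen.add(u)
                urls.append(u)
    return urls


def extract_urls_from_file(path):
    """Scan a whole file (e.g. the forked qcow2 overlay) via mmap, without reading it into RAM."""
    with open(path, "rb") as f:
        if os.fstat(f.fileno()).st_size == 0:
            return []
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return extract_urls(mm)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    for url in (extract_urls_from_file(path) if path else extract_urls(SAMPLE)):
        print(url)
```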

20) 'gzip -9 *.bin'
21) 'ls -alh *.bin'

The memory file compresses down to 42MB.  Bet we could reduce this
further using a memory-based diff.

Anyway -- this should give you a glimpse of what is possible with an
automated sandbox.