I want to look at a virus and what it does, what tools do you recommend?

w1z4rd (Karmic Sangoma, joined Jan 17, 2005, 49,747 messages)
As the topic says, someone just sent me a payload that is weaponized and only 3 of my 20 filters caught it, so it's recently crypted. I want to run it in a virtual machine to see what it does and whom it communicates with. What tools do you recommend?

I want to see file, registry changes, tcp/udp connections and any other useful tools you might think may assist.
 

Necropolis (Executive Member, joined Feb 26, 2007, 8,401 messages)
You could fire up wireshark on the VM to watch what packets it's attempting to send.
 

w1z4rd (Karmic Sangoma, joined Jan 17, 2005, 49,747 messages)
You could fire up wireshark on the VM to watch what packets it's attempting to send.

It's behind a firewall that will log everything, so that part I think I have well covered. It's more the file changes it will be doing, like where it copies itself, etc.
 

Necropolis (Executive Member, joined Feb 26, 2007, 8,401 messages)
To be safe I'd run it in a VM without any connection to the wider internet - even if it is through a firewall.
 

w1z4rd (Karmic Sangoma, joined Jan 17, 2005, 49,747 messages)
To be safe I'd run it in a VM without any connection to the wider internet - even if it is through a firewall.

I'm going to run it in a VM, without a doubt, but I kinda want it to chat to the internet. I want to see who it connects to; sometimes after the first connect it will change its connection to a more permanent C&C server. Often the stub's crypt will be updated at the same time. Kinda wanna track all of this. I'm busy setting up my VM to look as "real" as possible. With "banking logins" etc :D
 

Necropolis (Executive Member, joined Feb 26, 2007, 8,401 messages)
I'm going to run it in a VM, without a doubt, but I kinda want it to chat to the internet. I want to see who it connects to; sometimes after the first connect it will change its connection to a more permanent C&C server. Often the stub's crypt will be updated at the same time. Kinda wanna track all of this. I'm busy setting up my VM to look as "real" as possible. With "banking logins" etc :D

In that case it might be helpful to run Wireshark just so you can log all the packets sent from the infected VM...
 

HibiscusTunes (Expert Member, joined May 13, 2008, 1,619 messages)
You could use Sysinternals Process Monitor to view file activity, registry activity and network activity (but no actual packet content; use Wireshark for raw network packets or Fiddler for HTTP/S requests, assuming it uses conventional protocols).
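An added example to go with the file/registry side of this post (my own code, not a tool any poster mentioned): the same before/after idea Process Monitor or Regshot apply, done by hand. Take a hashed snapshot of a directory tree before detonation, take another afterwards, and diff them to see what was dropped, deleted or altered. The sample tree and the "post-detonation" changes in demo() are constructed in a temp directory; for real use you would point snapshot() at the VM's disk (a mounted image or shared folder).

```python
"""Snapshot-and-diff of a directory tree: record a baseline, record again
after running the sample, report added / removed / modified files.

Added example for this thread (not any poster's tool). Stdlib only.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (size, sha256)} for every regular file under root."""
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                data = p.read_bytes()
            except OSError:
                continue  # locked or vanished file: skip rather than abort the sweep
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def diff_snapshots(before, after):
    """Classify paths as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a small baseline tree, then one change of each kind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()
        (root / "Documents" / "cv.docx").write_bytes(b"fake cv")
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "temp.log").write_bytes(b"old")
        before = snapshot(root)

        # Simulated post-detonation changes (constructed, not real sample behaviour):
        # a copy of itself dropped under AppData, a hosts-file edit, a log wiped.
        (root / "AppData").mkdir()
        (root / "AppData" / "svchost.exe").write_bytes(b"MZ...copied stub")
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 update.example\n")
        (root / "temp.log").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than comparing mtimes catches files rewritten with their timestamps restored; the cost is reading every file twice, which is fine for a small analysis VM.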
 

HibiscusTunes (Expert Member, joined May 13, 2008, 1,619 messages)
I'm going to run it in a VM, without a doubt, but I kinda want it to chat to the internet. I want to see who it connects to; sometimes after the first connect it will change its connection to a more permanent C&C server. Often the stub's crypt will be updated at the same time. Kinda wanna track all of this. I'm busy setting up my VM to look as "real" as possible. With "banking logins" etc :D

Remember to have at least 5 documents in your VM's recent document list. This is one way to check if the computer it is running on is an actual PC or a lab PC used for malware analysis. Then of course, if it is half decent, there are 99 ways for it to determine if it is running under a VM, and it could just do nothing in this instance.
 

w1z4rd (Karmic Sangoma, joined Jan 17, 2005, 49,747 messages)
In that case it might be helpful to run Wireshark just so you can log all the packets sent from the infected VM...

I will do a tcpdump to create a pcap file I can analyze at will.

You could use Sysinternals Process Monitor to view file activity, registry activity and network activity (but no actual packet content; use Wireshark for raw network packets or Fiddler for HTTP/S requests, assuming it uses conventional protocols).

Remember to have at least 5 documents in your VM's recent document list. This is one way to check if the computer it is running on is an actual PC or a lab PC used for malware analysis. Then of course, if it is half decent, there are 99 ways for it to determine if it is running under a VM, and it could just do nothing in this instance.

The documents idea is really good. I'm going to create a fake email account, documents, browsing history with cookies, etc.

The pros use Cuckoo Sandbox to analyse malware.

Busy downloading as we speak.... ty sir.
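An added example for the tcpdump part of this post (my own code, not any poster's tool): once you have the pcap, the question is who the sample talked to and in what order, since the thread's point is that the first contact may be replaced by a more permanent C&C later. This reads the classic pcap format that `tcpdump -w` writes, with only the standard library, and lists each TCP/UDP destination in the order it was first contacted along with a packet count. It assumes Ethernet link type and IPv4; the capture in demo() is constructed in memory with RFC 5737 documentation addresses.

```python
"""List where a detonated sample talks to, from a tcpdump capture,
in first-contact order. Added example for this thread (not any poster's
tool). Classic pcap only, Ethernet + IPv4, TCP/UDP; stdlib only.
"""
import socket
import struct
from collections import OrderedDict


def make_packet(src, dst, proto, sport, dport, payload=b""):
    """Build Ethernet+IPv4+TCP/UDP bytes (checksums zero; constructed test data)."""
    if proto == 6:    # TCP: SYN with no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:             # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + b"\x08\x00"   # zero MACs, EtherType IPv4
    return eth + ip + l4 + payload


def build_pcap(packets):
    """Wrap frames in a little-endian classic pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def iter_packets(data):
    """Yield (ts_sec, frame_bytes) for each record; handles both byte orders."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def summarize_destinations(data):
    """Return [(first_seen_ts, proto, dst_ip, dst_port, packet_count)] by first contact."""
    seen = OrderedDict()
    for ts, frame in iter_packets(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        dst = socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:
            continue                      # not TCP/UDP, or truncated
        dport = struct.unpack("!H", l4[2:4])[0]
        key = ("tcp" if proto == 6 else "udp", dst, dport)
        if key not in seen:
            seen[key] = [ts, 0]
        seen[key][1] += 1
    return [(ts, *k, n) for k, (ts, n) in seen.items()]


def demo():
    """Constructed capture: a DNS lookup, two hits on a first server, then a switch."""
    vm = "10.0.0.5"
    frames = [make_packet(vm, "192.0.2.53", 17, 51000, 53, b"\x00" * 12)]
    frames += [make_packet(vm, "198.51.100.10", 6, 51001 + i, 443) for i in range(2)]
    frames += [make_packet(vm, "203.0.113.7", 6, 51010 + i, 8080) for i in range(3)]
    return summarize_destinations(build_pcap(frames))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Filtering on the VM's own source address before summarising (or capturing with `tcpdump src host <vm>`) keeps the host's own traffic out of the list; resolving the destinations is deliberately left out so the analysis box never touches the attacker's infrastructure itself.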
 

w1z4rd (Karmic Sangoma, joined Jan 17, 2005, 49,747 messages)
Creating a high quality honeypot is a lot harder than I realized. If you want to create a real convincing one you basically have to invent a character, and that character has to be reflected throughout the OS for it to be convincing. A random VM will perhaps capture a poor quality hacker, but a really good and "interesting" VM might bring in someone interesting. I've never thought of applying reverse social engineering to study hackers, so I want to see if I can get this right :D See if I can honeypot any intelligence circles :D

Hiding that it's running in a VM is going to be another journey by itself. I don't want any of the hardware to look like virtual hardware when the hackers get sysinfo.

So what else do you think I need to consider in creating an authentic looking honeypot?

I've created a Facebook account so there are Facebook login cookies, etc.
I created a Hotmail account.
The character for this is female, so the VM has a nice pink theme.
I'm installing all the usual programs a "gullible" female end user would, so therefore my email client is IncrediMail :D
As far as photos go, I've cloud backed up my data for a long time now so I have years of pictures. I've just collected hundreds of pictures throughout the years and put them in the photos directory. The pictures include no personal information of mine. Unless by looking at a picture of a lion you know what game reserve it is in.
Installed iTunes.
I'm a little stumped on how to create authentic documents. I guess I can trawl through mine looking for stuff that could possibly be used (again, perhaps manuals, PDF books, a fake CV). However, in there I am going to put a data dump Anonymous did several years back on multiple police departments (I'm hoping this will get interest and they've not looked at the data in this dump before).

Still to do: copy Bieber songs and the Ancient Aliens series to the media folder.

The main point of this honeypot is to trace the C&C server, view the payload injection methods and study any activities that might be done. Should be interesting.
 

w1z4rd (Karmic Sangoma, joined Jan 17, 2005, 49,747 messages)
Just let them hack your PC, then start a new life.

The only person who infects my Windows install is me :D I sometimes mess up when experimenting with code. Almost everything else of mine is pretty good; I know how to install Windows Defender. It's all you need (TM). For those of you who missed out on the other thread, I joke.

Sounds interesting :)

If I get anything interesting I will try to record it.
 