I want to look at a virus and what it does, what tools do you recommend?

[w1z4rd]

As the topic says, someone just sent me a payload that is weaponized and only 3 of my 20 filters caught it, so its recently crypted. I want to run it in a virtual machine to see what it does and whom it communicates with. What tools do you recommend?

I want to see file, registry changes, tcp/udp connections and any other useful tools you might think may assist.

 

[Necropolis]

You could fire up wireshark on the VM to watch what packets it's attempting to send.

 

[w1z4rd]

You could fire up wireshark on the VM to watch what packets it's attempting to send.

Its behind a firewall that will log everything, so that part I think I have well covered. Its more the file changes it will be doing, like where it copies itself, etc.

 

[Necropolis]

To be safe I'd run it in a VM without any connection to the wider internet - even if it is through a firewall.

 

[w1z4rd]

To be safe I'd run it in a VM without any connection to the wider internet - even if it is through a firewall.

Im going to run it in a VM, without a doubt, but I kinda want it to chat to the internet. I want to see who it connects to, sometimes after the first connect it will change its connection to a more permanent C&C server. Often the stubs crypt will be updated at the same time. Kinda wanna track all of this. Im busy setting up my vm to look as "real" as possible. With "banking logins" etc

 

[HavocXphere]

You get actual sandbox apps for this.

Don't recall names though

 

[Necropolis]

Im going to run it in a VM, without a doubt, but I kinda want it to chat to the internet. I want to see who it connects to, sometimes after the first connect it will change its connection to a more permanent C&C server. Often the stubs crypt will be updated at the same time. Kinda wanna track all of this. Im busy setting up my vm to look as "real" as possible. With "banking logins" etc

In that case it might be helpful to run wireshark just so you can log all the packets sent from the infected vm...

 

[Zyraz]

Netstat ?

 

[HibiscusTunes]

You could use sysinternals Process monitor, to view file activity, registry activity and network activity(but no actual packet content, use wireshark for raw network packets or fiddler for http/s requests assuming it uses conventional protocols).

 

[HibiscusTunes]

Im going to run it in a VM, without a doubt, but I kinda want it to chat to the internet. I want to see who it connects to, sometimes after the first connect it will change its connection to a more permanent C&C server. Often the stubs crypt will be updated at the same time. Kinda wanna track all of this. Im busy setting up my vm to look as "real" as possible. With "banking logins" etc

Remember to have at least 5 documents in your VM's recent document list. This is one way to check if the computer running on is an actual pc or a lab pc used for malware analysis. Then of course if it is half decent, there are 99 ways for it to determine if it is running under a VM, and could just do nothing in this instance.

 

[RoganDawes]

The pros use Cuckoo sandbox to analyse malware

 

[w1z4rd]

In that case it might be helpful to run wireshark just so you can log all the packets sent from the infected vm...

I will do a tcpdump to create a pcap file I can anaylize at will.

You could use sysinternals Process monitor, to view file activity, registry activity and network activity(but no actual packet content, use wireshark for raw network packets or fiddler for http/s requests assuming it uses conventional protocols).

Remember to have at least 5 documents in your VM's recent document list. This is one way to check if the computer running on is an actual pc or a lab pc used for marware analysis. Then of course if it is half decent, there are 99 ways for it to determine if it is running under a VM, and could just do nothing in this instance.

The documents idea is really good. Im going to create fake email account, documents, browsing history with cookies, etc.

The pros use Cuckoo sandbox to analyse malware

Busy downloading as we speak.... ty sir.

 

[w1z4rd]

Creating a high quality honeypot is a lot harder than I realized. If you want to create a real convincing one you basically have to invent a character, and that character has to be reflected throughout the OS for it to be convincing. A random vm will perhaps capture a poor quality hacker but a really good and "interesting" vm might bring in someone interesting. Ive never thought of applying reverse social engineering to study hackers so I want to see if I can get this right See if I can honeypot any intelligence circles

Hiding that its running in a vm is going to be another journey by itself. I dont want any of the hardware to look like virtual hardware when the hackers get sysinfo.

So what else do you think I need to consider in creating an authentic looking honeypot?

Ive created a facebook account so there are facebook login cookies, etc
I created a hotmail account
The character for this is female so the vm has a nice pink theme
Im installing all the usual programs a "gullible" female end user would, so therefore my email client is incredimail
With so far as photos, ive cloud backed up my data for a long time now so i have years of pictures. Ive just collected hundreds of pictures throughout the years and put them in the photos directory. The pictures include no personal information of mine. Unless by looking at a picture of a lion you know what game reserve it is in.
Installed itunes
Im a little stumped on how to create authentic documents. I guess i can trawl through mine looking for stuff that could possibly be used. (again, perhaps manuals, pdf books, a fake cv). However, in there I am going to put a data dump anonymous did several years back on multiple police departments (Im hoping this will get interest and theyve not looked at the data in this dump before).

Still to do: copy bieber songs and ancient aliens series to media folder.

The main point of this honey pot is to trace the C&C server, view the payload injection methods and study any activities that might be done. Should be interesting.

 

[Ares1000101]

Just let them hack your pc them start a new life.

 

[Dan C]

Sounds interesting

 

[w1z4rd]

Just let them hack your pc them start a new life.

The only person who infect my windows install is me I sometimes mess up when experimenting with code. Almost everything else of mine is pretty good, I know how to install windows defender. Its all you need (TM). For those of you who missed out the other thread, I joke.

Sounds interesting

If I get anything interesting I will try record it.

 

[jax_maxit]

Subbing. Any updates? Sounds rather interesting.

 

[MisterBigglesworth]

Any updates on this post?