Few questions regarding malware analysis lab - how to do it properly?
<blockquote data-quote="hunter44" data-source="post: 984205" data-attributes="member: 94311">
<p>Got it. Will take a deeper look at these obfuscation techniques, thanks.</p>
<p></p>
<p>One more thing regarding RAT/botnet analysis, or other types of malware using C&C. I understand it is hard to analyze old samples, because the domains for the C&C servers probably do not exist anymore, but how do you simulate or prepare your environment to test/analyze this kind of sample? The connection with the external server is the "main" logic there, but you probably don't want to send direct requests to the attacker's domain, so what is the approach? Do you change hosts somehow to fake this connection and let the malware think it connects to the real domain?</p>
<p>As of now my laboratory looks like:</p>
<p>- Hyper-V with a configured network</p>
<p>- Ubuntu VM with an external and a private network: external to download samples, private to have an isolated connection between this machine and the Windows machine. I use Burp and InetSim.</p>
<p>- Windows 10 VM (FLARE VM package) with only the private network configured (totally cut off from the internet), so all network requests from malware are redirected on ports to InetSim and Burp.</p>
<p></p>
<p>As I understand it, this configuration does not give me a 100% chance to run RATs or botnets dynamically and look at what they are doing? At some point, all this malware will sleep or wait for a connection to the C&C. So what should I change here to prepare the environment for this type of malware?</p>
</blockquote>
<p></p>
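The approach the post is asking about, shown as an added example that is not part of the thread and not InetSim's or Burp's own code: inside the private analysis network, every name the sandbox VM resolves is pointed at the analysis box (InetSim's DNS does this; a hosts-file entry on the Windows VM does the same for a single name), and a listener on the analysis box stands in for the C&C server. The listener below accepts any TCP connection, records who connected, on which port, and the first bytes sent, and answers HTTP-looking check-ins with a generic 200 so the sample sees a "successful" contact instead of sleeping. The hostname c2.example.invalid, the port choice and the beacon bytes are constructed for illustration.

```python
"""
Added example: a minimal TCP "sinkhole" standing in for a C&C server in an
isolated malware-analysis network. Not InetSim/Burp code; constructed sample
beacons are used so it runs offline on loopback.
"""
import socket
import socketserver
import threading
from datetime import datetime, timezone

# One record per connection: who connected, to which port, what was sent first.
BEACONS = []


class SinkholeHandler(socketserver.BaseRequestHandler):
    """Accept any connection, log the first bytes, answer harmlessly."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(4096)
        except socket.timeout:
            data = b""  # sample connected but never spoke; still worth logging
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.client_address[0],
            "port": self.server.server_address[1],
            "first_bytes": data[:64],
            "looks_like_http": data.startswith((b"GET ", b"POST ", b"HEAD ")),
        }
        BEACONS.append(record)
        # A generic 200 keeps HTTP-based samples moving; a raw binary protocol
        # gets no reply, and the logged bytes tell you what to fake next.
        if record["looks_like_http"]:
            self.request.sendall(
                b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nOK"
            )


def start_sinkhole(host="127.0.0.1", port=0):
    """Start the listener in a background thread; return (server, bound_port).

    In a real lab, host would be the analysis box's private-network address
    (assumed, e.g. 10.10.10.1) and port the one the sample is expected to use.
    """
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    server = socketserver.ThreadingTCPServer((host, port), SinkholeHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def send_beacon(host, port, payload):
    """Stand in for the sample's check-in; return whatever the sinkhole answers."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(payload)
        return s.recv(4096)  # b"" if the sinkhole closed without replying


def summarize(records):
    """Group captured first-bytes by destination port for a quick triage view."""
    by_port = {}
    for r in records:
        by_port.setdefault(r["port"], []).append(r["first_bytes"])
    return by_port


if __name__ == "__main__":
    server, port = start_sinkhole()
    # Constructed beacon: what an HTTP-based RAT might send to its (faked) C&C.
    reply = send_beacon(
        "127.0.0.1", port,
        b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\nid=1",
    )
    print("sinkhole replied:", reply)
    print(summarize(BEACONS))
    server.shutdown()
    server.server_close()
```

The logged first bytes are the useful output: they show which host the sample asked for and what its protocol expects, which is what decides whether a canned 200 is enough or whether a protocol-specific response has to be scripted for the sample to get past its check-in. InetSim covers the common protocols (DNS, HTTP/HTTPS, SMTP, FTP and others) the same way, and Burp can sit in front of the HTTP ports to inspect the traffic; a sample that talks a custom binary protocol will still stall at this point until that protocol is understood.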