Languages and Environment:
| Tool | Description | 
|---|---|
| exiftool.exe | |
| imhex.exe | A hex editor for reverse engineering and learning the PE structure: https://github.com/WerWolv/ImHex | 
| HxD | a standard hexeditor | 
| PE Bear | |
| hashmyfiles | |
| CFFExplorer | Provides basic information about PE files, e.g. hash, file type, creation timestamp etc. | 
| strings.exe | Sysinternals tool that allows you to extract strings from a process | 
| ShellExt.exe | Strings GUI | 
| floss.exe | Tool by Mandiant (flare-floss) - helps to identify obfuscated strings. https://github.com/mandiant/flare-floss | 
| StringSifter | |
| Detect it Easy (DiE) | Provides information on PE files, including section and header information, as well as possible packer analysis | 
| PE Studio | |
| Resource Hacker | Tool that allows you to inspect the resource section of a PE, easily export from it, add contents to it and modify it | 
| yara.exe | |
| Tool | Description | 
|---|---|
| Procmon | Sysinternals tool that allows you to monitor and filter system operations | 
| Process Hacker | Process hacker is like an enhanced version of task manager that provides additional capabilities, e.g. inspect strings during runtime for processes | 
| Netstat | Built-in command-line tool that allows you to inspect inbound and outbound traffic | 
| TCPView | Monitor tcp traffic - filter for HTTP(S) and DNS | 
| Wireshark | Network sniffing tool, useful to inspect outbound http and DNS traffic | 
| Fiddler | Web Proxy | 
| RegShot | Allows you to perform registry and baseline checks. E.g. Snapshot of registry state before malware execution, and compare registry after malware execution | 
| noriben.py | wrapper for procmon that collects malware specific info from executed process | 
| ncat.exe | |
| Tool | Description | 
|---|---|
| CAPA.exe | Static analysis tool created by Mandiant. https://github.com/mandiant/capa | 
| Cutter | Free static analysis tool. Has graph view, disassembly tab, decompiler tab and more! | 
| Ghidra | A Java based static analysis tool - ghidra is a disassembler that attempts to break down the logic of a program's code | 
| IDA Pro | Like ghidra, IDA is a disassembler which has some debugging capabilities | 
| SCDBG | Shellcode decompiling tool (requires you to be in possession of shellcode .bin file) | 
| Tool | Description | 
|---|---|
| API Monitor | API Monitor allows you to set breakpoints on win API functions and run a process against it. This helps identify function calls and their arguments. https://rohitlab.com/downloads | 
| x64Dbg | Open-source x86/x64 debugger for Windows - lets you step through a running sample, set breakpoints and inspect registers and memory | 
You can customise the environment further once all tools have been installed. Modify the context menu (right-click menu) with a tool called "Easy Context Menu" from https://www.sordum.org/7615/easy-context-menu-v1-6/
Once you have this tool installed, it is handy to add some of the frequently used tools to the context menu. In my setup I like to add:
Hosts file
Sometimes it may be useful to modify the hosts file on your analysis box so that it can accommodate requests that are being made by the sample. Modify the file: C:\Windows\System32\drivers\etc\hosts
e.g.
```
127.0.0.1    super.specific.subdomain.com
```
From then on, when the sample attempts to connect to super.specific.subdomain.com, the resolver consults the hosts file first and resolves that domain to localhost ON THE WINDOWS ANALYSIS BOX.
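The hosts-file override described above can be checked rather than eyeballed. The following Python script is an added example and not part of the original notes: it parses a hosts file the way the Windows resolver reads it (whole-line and trailing `#` comments, several names after one address), reports which domains observed from a sample still have no entry, and builds the lines to append. The hosts content and the domain names are constructed for the example.

```python
"""Check and extend a Windows hosts file on a malware analysis box.

Added example (not from the original notes). The hosts content and the
domain names below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

# Constructed excerpt of C:\Windows\System32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
127.0.0.1    super.specific.subdomain.com
127.0.0.1    cdn.update-example.test  cdn2.update-example.test  # stand-ins for sample callbacks
192.168.56.10  www.malwr.lab          # send this one to the INetSim VM instead
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address it is pinned to.

    Mirrors how the resolver reads the file: '#' starts a comment (whole line
    or trailing), blank lines are ignored, and one address may be followed by
    several names. Lines whose first field is not a valid IP are skipped.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line; do not trust it
        for host in fields[1:]:
            mapping[host.lower()] = addr
    return mapping


def unpinned_domains(hosts_text: str, observed: List[str]) -> List[str]:
    """Return the observed domains (e.g. from strings/FLOSS output) with no hosts entry yet."""
    pinned = parse_hosts(hosts_text)
    return [d for d in observed if d.lower() not in pinned]


def hosts_entries(domains: List[str], target: str = "127.0.0.1") -> str:
    """Build the lines to append so that every domain resolves to `target`."""
    ipaddress.ip_address(target)  # fail early on a mistyped address
    return "".join(f"{target}    {d.lower()}\n" for d in domains)


if __name__ == "__main__":
    # Constructed list of domains pulled from a sample's strings.
    seen = ["super.specific.subdomain.com", "stage2.update-example.test"]
    missing = unpinned_domains(SAMPLE_HOSTS, seen)
    print("not yet pinned:", missing)
    print("append to hosts:\n" + hosts_entries(missing), end="")
```

Run it against a copy of the real hosts file (read the file into `parse_hosts`) before detonating a sample; any domain it reports as unpinned will leave the box and reach whatever DNS the VM is configured with.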
DNS Setting to the Simulator VM
In order to successfully set up an internet service simulator, the DNS on the analysis box needs to point to the simulator Linux box.
To defeat heap-based anti-debugging checks, set a system environment variable:
    variable: _NO_DEBUG_HEAP
    value: 1
Network layout (both VMs on a host-only adapter):
INetSim Server / FakeDNS Server VM: HOST-ONLY; bind IP and DNS IP set to the host's IP address
Windows analysis VM: HOST-ONLY; DNS SERVER: <IP OF UBUNTU VM>
| Tool | Description | 
|---|---|
| inetsim | internet service simulator for HTTP(S), DNS, FTP and more (https://www.inetsim.org/downloads.html) | 
| fakeDNS | DNS service simulator tool | 
| wireshark | Network sniffing tool, useful to inspect outbound http and DNS traffic | 
| Suricata | PCAP ingestor that displays indicators based on rule sets: http://suricata.io | 
| ncat | ncat supports TLS via the --ssl option | 
| ssdeep | Tool to produce a fuzzy hash of a given file | 
| dex2jar | |
| jadx | |
| mobsf | |
Note
Remnux comes preinstalled with a variety of malware analysis tools, including inetsim.
If you're using Remnux, run the following commands in sequence:
```shell
sudo accept-all-ips start    # remnux script: auto intercept
sudo inetsim                 # starts inetsim
sudo fakedns                 # start fakedns only if the DNS service is not uncommented in the inetsim conf
```
If the above sequence does not work automatically (as in, the client cannot connect to the inetsim instance), then make manual modifications to the inetsim configuration file.
Run `sudo accept-all-ips start` and then modify the config file as shown below:
```
start_service dns     # uncommented
start_service http    # uncommented
start_service https   # uncommented
etc.
...
service_bind_address <remnux IP>
dns_default_ip <remnux IP>
dns_default_hostname www
dns_default_domainname <malwr.lab>
```
Then start the simulator:
```shell
sudo inetsim
```
A detailed setup guide can be found here: https://medium.com/@xNymia/malware-analysis-first-steps-creating-your-lab-21b769fb2a64
Install inetsim (the first two commands write to system locations and need to be run as root):
```shell
echo "deb http://www.inetsim.org/debian/ binary/" >> /etc/apt/sources.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
sudo apt install inetsim
```
2.1. Modify inetsim.conf
Find the Ubuntu box's IP with `ip addr` or `ifconfig`, then open the configuration file:
```shell
sudo nano /etc/inetsim/inetsim.conf
```
Set the following directives:
```
start_service dns
start_service http
start_service https
etc.
...
service_bind_address <ubuntu IP>
dns_default_ip <ubuntu IP>
dns_default_hostname www
dns_default_domainname <malwr.lab>
```
2.2. Modify /etc/default/inetsim
```shell
sudo nano /etc/default/inetsim
```
Set:
```
ENABLED=1
```
Then start the simulator:
```shell
sudo inetsim
```
The internet simulation service should now be running.
At this stage, if the DNS server on your main malware box is set to the IP of the inetsim box, then internet traffic from the malware box should hit your inetsim service.
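The Remnux procedure and the Ubuntu procedure above both come down to the same edits to inetsim.conf: uncomment `start_service` for dns, http and https, and point `service_bind_address` and `dns_default_ip` at the simulator's own address. The Python below is an added example, not part of these notes or of INetSim itself: it applies those edits to the file's text (rewriting commented or stale directives in place, leaving unrelated services alone) and then re-checks the result, so a bind address left at a default is caught before the sample is run. The configuration excerpt and the address 192.168.56.10 are constructed; the directive names are the ones used in the notes.

```python
"""Apply and verify the inetsim.conf edits described in the notes.

Added example, not part of the original notes or of INetSim. The
configuration excerpt and the address 192.168.56.10 are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed excerpt of /etc/inetsim/inetsim.conf with stock-style defaults.
SAMPLE_CONF = """\
#############################################
# start_service
#############################################
start_service dns
start_service http
#start_service https
#start_service smtp
start_service ftp

#############################################
# service_bind_address
#############################################
#service_bind_address   10.10.10.1

#############################################
# dns defaults
#############################################
#dns_default_ip         10.10.10.1
#dns_default_hostname   www
#dns_default_domainname example.com
"""

REQUIRED_SERVICES = ("dns", "http", "https")
ADDRESS_KEYS = ("service_bind_address", "dns_default_ip",
                "dns_default_hostname", "dns_default_domainname")
# A directive line: optional leading '#', the key, whitespace, exactly one value.
# Section headers such as "# start_service" carry no value and do not match.
SERVICE_RE = re.compile(r"^\s*#?\s*start_service\s+(\S+)\s*$")
KEY_RE = re.compile(r"^\s*#?\s*(" + "|".join(ADDRESS_KEYS) + r")\s+\S+\s*$")


def configure_inetsim(text: str, bind_ip: str,
                      domain: str = "malwr.lab", hostname: str = "www") -> str:
    """Return `text` with dns/http/https enabled and the addresses set.

    Existing directive lines are rewritten in place (commented or not),
    duplicates are dropped, and anything the file lacks is appended.
    Unrelated services such as smtp are left exactly as they were.
    """
    ipaddress.ip_address(bind_ip)  # refuse an obviously invalid address
    wanted = {"service_bind_address": bind_ip, "dns_default_ip": bind_ip,
              "dns_default_hostname": hostname, "dns_default_domainname": domain}
    seen_services, seen_keys, out = set(), set(), []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw)
        if m and m.group(1) in REQUIRED_SERVICES:
            out.append(f"start_service {m.group(1)}")
            seen_services.add(m.group(1))
            continue
        m = KEY_RE.match(raw)
        if m:
            key = m.group(1)
            if key in seen_keys:
                continue  # drop a duplicate directive
            out.append(f"{key} {wanted[key]}")
            seen_keys.add(key)
            continue
        out.append(raw)
    out += [f"start_service {s}" for s in REQUIRED_SERVICES if s not in seen_services]
    out += [f"{k} {v}" for k, v in wanted.items() if k not in seen_keys]
    return "\n".join(out) + "\n"


def active_directives(text: str) -> Dict[str, List[str]]:
    """Collect the uncommented `key value` directives as {key: [values]}."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return found


def check_inetsim_conf(text: str, expected_ip: str) -> List[str]:
    """Return a list of problems; an empty list means the file matches the notes' setup."""
    problems = []
    d = active_directives(text)
    for svc in REQUIRED_SERVICES:
        if svc not in d.get("start_service", []):
            problems.append(f"start_service {svc} is commented out or missing")
    for key in ("service_bind_address", "dns_default_ip"):
        values = d.get(key, [])
        if values != [expected_ip]:
            problems.append(f"{key} is {values or 'unset'}, expected {expected_ip}")
    return problems


if __name__ == "__main__":
    print("before:", check_inetsim_conf(SAMPLE_CONF, "192.168.56.10"))
    fixed = configure_inetsim(SAMPLE_CONF, "192.168.56.10")
    print("after: ", check_inetsim_conf(fixed, "192.168.56.10"))
```

On the simulator box, read /etc/inetsim/inetsim.conf into `configure_inetsim` with the address shown by `ip addr`, write the result back as root, and run `check_inetsim_conf` on the written file before starting inetsim; the check reads the file the same way as the edit does, so it also works as a standalone sanity check on a hand-edited configuration.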