Automated Malware Analysis - Part 4

After preparing the OSX host in Part 1, Part 2, and Part 3 we are ready to install our victim guest operating system. For this I'm using a MS Windows 7 guest with Adobe Reader, Flash, and MS Office installed.

This should let the document, browser-plugin and Office exploits aimed at most business environments actually trigger. Let's get started...

Windows guest machine - The Machine to be infected!

  1. Create a new virtual machine in VirtualBox (the VBoxManage commands further down assume VirtualBox, and the VM name they use is Win7-Cuckoo), selecting the appropriate drive size and operating system. Mount your Windows ISO file and finish the install.

  2. Once the system is booted up install the following:

  • Python with the PIL imaging library (the Cuckoo agent uses it to take screenshots)
  • Office apps
  • Adobe Reader
  • Flash
  • WinZip
  • Guest virtualization tools (VirtualBox Guest Additions)

Once the system is rebooted, make sure the following settings are modified so samples run unhindered and the analysis host can reach the guest:

  • disable the Windows Firewall
  • disable UAC
  • disable Windows Update

These deliberately weaken the guest, so keep it on the isolated lab network only and never reuse it for anything else.

At this point you should have a working Windows guest operating system, and it's a good idea to create a snapshot now. Take it while the guest is running (the --pause option pauses it for the duration), then power it off and revert to the snapshot, so every analysis starts from that live state. Open Terminal on your OSX host and type the following commands:

$ VBoxManage snapshot Win7-Cuckoo take Malware-Analysis --pause
$ VBoxManage controlvm Win7-Cuckoo poweroff
$ VBoxManage snapshot Win7-Cuckoo restorecurrent
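A small wrapper around the three commands above, added here as an example that is not part of the original post, turns them into a repeatable baseline script: it refuses to snapshot a guest that is not running (the agent has to be up inside it when the snapshot is taken), refuses to overwrite an existing snapshot, and verifies the result afterwards by parsing the `VBoxManage showvminfo --machinereadable` output. The VM and snapshot names default to the ones used above; the showvminfo output embedded for the offline self-check is constructed, not captured from a real host.

```bash
#!/usr/bin/env bash
# baseline.sh - take or restore the clean snapshot of the analysis guest.
# Usage:  ./baseline.sh take    [vm] [snapshot]
#         ./baseline.sh restore [vm] [snapshot]
# Defaults match the post: vm=Win7-Cuckoo, snapshot=Malware-Analysis.
set -u

# --- parsers for `VBoxManage showvminfo <vm> --machinereadable` ------------

# vm_field KEY INFO: value of the first KEY="value" line in INFO, or empty.
vm_field() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"\$/\1/p" | head -n 1
}

# vm_state INFO: running | paused | saved | poweroff | ...
vm_state() { vm_field VMState "$1"; }

# has_snapshot NAME INFO: true if a snapshot called NAME exists at any depth
# (nested snapshots are listed as SnapshotName-1, SnapshotName-1-1, ...).
has_snapshot() {
    printf '%s\n' "$2" | grep -q "^SnapshotName[-0-9]*=\"$1\"\$"
}

# check_baseline_info SNAPSHOT INFO: the snapshot exists, is the current one,
# and the guest sits in the saved state the snapshot captured.
check_baseline_info() {
    has_snapshot "$1" "$2" &&
    [ "$(vm_field CurrentSnapshotName "$2")" = "$1" ] &&
    [ "$(vm_state "$2")" = saved ]
}

# --- wrappers around the real tool ----------------------------------------

vm_info() { VBoxManage showvminfo "$1" --machinereadable; }

verify_baseline() {   # verify_baseline VM SNAPSHOT
    local info
    info=$(vm_info "$1") || return 1
    check_baseline_info "$2" "$info"
}

take_baseline() {   # take_baseline VM SNAPSHOT: the three commands from the post
    local vm=$1 snap=$2 info
    info=$(vm_info "$vm") || return 1
    if [ "$(vm_state "$info")" != running ]; then
        echo "refusing: $vm is $(vm_state "$info"); boot it and start the agent first" >&2
        return 1
    fi
    if has_snapshot "$snap" "$info"; then
        echo "refusing: snapshot $snap already exists on $vm" >&2
        return 1
    fi
    VBoxManage snapshot "$vm" take "$snap" --pause &&
    VBoxManage controlvm "$vm" poweroff &&
    VBoxManage snapshot "$vm" restorecurrent || return 1
    verify_baseline "$vm" "$snap"
}

restore_baseline() {   # restore_baseline VM SNAPSHOT: revert after an analysis run
    local vm=$1 snap=$2
    VBoxManage controlvm "$vm" poweroff 2>/dev/null   # harmless if already off
    VBoxManage snapshot "$vm" restore "$snap" || return 1
    verify_baseline "$vm" "$snap"
}

# Constructed showvminfo output for the offline self-check (not captured from
# a real host): the guest right after take / poweroff / restorecurrent.
SAMPLE_INFO='name="Win7-Cuckoo"
VMState="saved"
VMStateChangeTime="2013-01-01T00:00:00.000000000"
SnapshotName="Malware-Analysis"
SnapshotUUID="00000000-0000-0000-0000-000000000001"
CurrentSnapshotName="Malware-Analysis"
CurrentSnapshotUUID="00000000-0000-0000-0000-000000000001"'

self_check() { check_baseline_info Malware-Analysis "$SAMPLE_INFO"; }

case "${1:-}" in
    take)    take_baseline    "${2:-Win7-Cuckoo}" "${3:-Malware-Analysis}" ;;
    restore) restore_baseline "${2:-Win7-Cuckoo}" "${3:-Malware-Analysis}" ;;
    "")      ;;   # run without arguments: only define the functions
    *)       echo "usage: $0 take|restore [vm] [snapshot]" >&2; exit 2 ;;
esac
```

Run `./baseline.sh take` once the agent is up in the guest; after each detonation `./baseline.sh restore` powers the guest off and puts it back on the snapshot, and the final check fails loudly if the guest did not come back in the saved state.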

Additionally, once that is done you may need to modify some settings on the host to properly enable communications between the different systems and virtual appliances:

IP forwarding and NAT on the Mac host

The host has to forward the guest's packets, natd masquerades them out of en0, and the ipfw divert rule is what hands matching packets to natd:

sudo sysctl -w net.inet.ip.forwarding=1
sudo natd -interface en0
sudo ipfw add divert natd ip from any to any via en0

Note that ipfw and natd were removed in OS X 10.10, where pf handles NAT instead; these three commands only apply to earlier releases.

The Mac application firewall state lives in the globalstate key: 0 disables it, 1 enables it for specific services, 2 blocks all incoming connections. The command below enables it (use 0 to disable it if it gets in the way of the guest reaching the host):

sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1

Restart the firewall services so the new state is picked up (unload them, then load them again):

$ launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
$ launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

The application firewall can also be controlled and checked with the /usr/libexec/ApplicationFirewall/socketfilterfw binary (for example --getglobalstate and --setglobalstate on|off).
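The host-side settings above (forwarding, natd, the ipfw divert rule and the application firewall) can be applied and, more usefully, re-checked before each analysis run with a script like the following. It is an added example and not from the original post: it uses the same commands the post does, but drives the application firewall through socketfilterfw rather than the defaults/launchctl route, and keeps the output parsing in separate functions so the checks can be exercised offline. The `ipfw list` and `--getglobalstate` lines embedded for the self-check are constructed samples of those tools' output, not captured ones, and the script only works on OS X releases that still ship ipfw and natd.

```bash
#!/usr/bin/env bash
# hostnet.sh - apply and verify the OS X host settings the guest depends on.
# Usage: sudo ./hostnet.sh apply [iface] [on|off]   (firewall default: off)
#        sudo ./hostnet.sh check [iface]
set -u

ALF=/usr/libexec/ApplicationFirewall/socketfilterfw

# --- pure checks over command output (testable offline) -------------------

# forwarding_on OUT: OUT is the output of `sysctl -n net.inet.ip.forwarding`
forwarding_on() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]; }

# divert_rule_present IFACE RULES: RULES is `ipfw list` output. natd listens on
# port 8668 by default, which is how the divert rule shows up in the listing.
divert_rule_present() {
    printf '%s\n' "$2" | grep -Eq "divert (natd|8668) ip from any to any via $1"
}

# alf_state OUT: parse `socketfilterfw --getglobalstate`, which prints lines
# like "Firewall is enabled. (State = 1)"; returns the number or empty.
alf_state() { printf '%s\n' "$1" | sed -n 's/.*State = \([0-9]\).*/\1/p' | head -n 1; }

# --- wrappers around the real tools --------------------------------------

check_host() {   # check_host IFACE: report everything that is missing, non-zero if any
    local iface=$1 ok=0
    forwarding_on "$(sysctl -n net.inet.ip.forwarding)" || { echo "ip forwarding is off" >&2; ok=1; }
    pgrep -x natd >/dev/null || { echo "natd is not running" >&2; ok=1; }
    divert_rule_present "$iface" "$(ipfw list)" || { echo "no divert rule via $iface" >&2; ok=1; }
    echo "application firewall globalstate: $(alf_state "$("$ALF" --getglobalstate)")"
    return $ok
}

apply_host() {   # apply_host IFACE on|off: idempotent version of the post's commands
    local iface=$1 fw=$2
    sysctl -w net.inet.ip.forwarding=1 || return 1
    pgrep -x natd >/dev/null || natd -interface "$iface" || return 1
    divert_rule_present "$iface" "$(ipfw list)" ||
        ipfw add divert natd ip from any to any via "$iface" || return 1
    "$ALF" --setglobalstate "$fw" >/dev/null || return 1
    check_host "$iface"
}

# Constructed tool output for the offline self-check (not captured from a host).
SAMPLE_RULES='00100 divert 8668 ip from any to any via en0
65535 allow ip from any to any'
SAMPLE_ALF='Firewall is disabled. (State = 0)'

self_check() {
    divert_rule_present en0 "$SAMPLE_RULES" &&
    [ "$(alf_state "$SAMPLE_ALF")" = 0 ] &&
    forwarding_on "1"
}

case "${1:-}" in
    apply) apply_host "${2:-en0}" "${3:-off}" ;;
    check) check_host "${2:-en0}" ;;
    "")    ;;    # run without arguments: only define the functions
    *)     echo "usage: $0 apply|check [iface] [on|off]" >&2; exit 2 ;;
esac
```

`sudo ./hostnet.sh check` before a run tells you which of the three pieces fell over (natd does not survive a reboot, and neither does the ipfw rule), and `apply` only adds what is actually missing instead of stacking duplicate divert rules.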

At this point you're ready to submit malware to your victim machine, and you have a clean snapshot to revert to after every run.
