In the first post we walked through some very basic concepts regarding malware. The next step is to set up your own sandbox, which you can use for analyzing malware without putting your real machine at risk.
What is a Sandbox?
In computer security, a “sandbox” is a security mechanism for separating running programs, usually to keep system failures or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. There are many well-known sandboxes hosted online (Joe Sandbox, Hybrid Analysis, ANY.RUN), as well as sandboxes you can set up in your own environment (Cuckoo Sandbox, PyREBox). Keep in mind that anything you upload to an online service leaves your control, so do not submit samples that may carry confidential data. In this post, the “sandbox” is simply an isolated virtual machine in which you detonate and analyze samples by hand.
Setting up the Sandbox:
Step 1: Install Virtualization Software
Pick the virtualization software you are comfortable configuring and troubleshooting. Here are some good options based on my experience:

| Software | Pros | Cons |
|---|---|---|
| Hyper-V | Free, stable | Windows only (Pro, Enterprise and Server editions) |
| VirtualBox | Free, stable, cross-platform | Easily fingerprinted by VM-aware malware (VirtualBox device names and registry keys) |
| VMware Workstation | Stable, great UX, highly configurable | Licensed |
| VMware Player | Stable, great UX | No snapshots |
Step 2: Install the Windows virtual machine
I would go for a Windows 7 or Windows 10 VM. You can download the VMs from here.
Step 3: Install the following tools
Monitoring Tools
- Process Monitor (Procmon) - logs registry, file system, process/thread and network events into a single PML file that you can filter and save.
- Process Hacker - shows processes, handles, memory regions and network connections, and lets you dump process memory.
- Wireshark - captures the network traffic the sample generates.
- ApiMon - hooks and logs the Windows API calls a process makes (including COM calls).
Binary Analysis
- FileAlyzer
- HexEdit (any hex editor will do)
- Resource Hacker
- strings (Sysinternals)
Debuggers and Disassemblers
- x64dbg - my favorite!
- IDA Pro
- OllyDbg
- Ghidra
- WinDbg
Others
- Python
- AutoIt
- Notepad++
- Rekall/Volatility - can be installed on the physical host instead of in the VM if your hypervisor lets you dump the guest's memory (for example the .vmem file VMware writes for a suspended VM, or the output of VBoxManage debugvm dumpvmcore for VirtualBox). Analyzing memory from outside the guest also means the malware cannot tamper with the tool.
You can also install a large set of free malware analysis tools automatically using the FLARE VM distribution from FireEye (now Mandiant). It is basically a PowerShell script that you run after Step 2. However, it installs lots of tools, so you may want to install tools individually (or edit the PowerShell script) if your VM has limited resources.
If you wish, install utilities such as VirtualBox Guest Additions or VMware Tools in the VM; they come with your virtualization software and make it convenient to share clipboard contents and files between your physical host and the VM. However, their presence slightly increases the chances that malware detects the virtualized environment or manages to escape. If you don't use the file sharing methods supported by your virtualization software, decide how you will transfer files in and out of the VM. Accessing a USB key from within the VM is a reasonable option. Another one is SFTP: you can enable the OpenSSH server that ships as an optional feature of Windows 10 (version 1809 and later), then reach it from your physical host or from another VM with an SFTP client such as WinSCP.
Step 4: Isolate the Sandbox
- Disable any shared folders configured for the VM.
- Change the VM's network setting so that it has no access to your real network. For instance, in VMware Player/Workstation, setting the network adapter to host-only allows communication only with the host machine, via the virtual adapter on your physical host. For better isolation, give the sandbox a dedicated virtual network of its own and consider whether the host needs to be reachable at all while a sample is running.
- If you want to analyze malware that needs to connect to the internet, it is still better to keep the sandbox on a dedicated virtual network and let a second VM on that network (for example REMnux running INetSim or FakeNet-NG) impersonate the services the sample expects, such as DNS, HTTP and SMTP. If the sample genuinely needs live internet access, route that dedicated network out through a connection that is separate from your home or office LAN, and never bridge the sandbox directly onto a network you care about. In either case, keep every file-transfer path from the physical host closed while a sample runs, and move files in and out only before you detonate and after you have reverted to a clean snapshot.
Step 5: Finishing steps
- Disable Windows Defender, including real-time protection and cloud sample submission, so it neither deletes your samples nor uploads them to Microsoft.
- Disable Windows Update (if needed), so the baseline you analyze on does not change under you.
- Relax the PowerShell execution policy so your own scripts (and FLARE VM's installer) can run.
- Take a snapshot! Do this before the first sample ever touches the VM, and revert to it after every analysis.
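As an added example (this is not code from the original post), here is a PowerShell script that applies Steps 4 and 5 for a Hyper-V based lab. Run it with -Phase Host on the Hyper-V host and with -Phase Guest inside the Windows VM, both from an elevated prompt. The VM name, switch name and sample folder are assumptions you should change to match your setup, and the guest-side part assumes Windows 10: Windows 7 has neither the Set-MpPreference cmdlets nor the OpenSSH capability.

```powershell
<#
  Added example, not from the original post. Steps 4 and 5 for a Hyper-V lab.
  -Phase Host  : run on the Hyper-V host (elevated)  -> isolation + clean checkpoint
  -Phase Guest : run inside the Windows 10 VM (elevated) -> Defender, updates, execution policy, SSH
  VmName, SwitchName and SampleDir are assumed values; adjust them to your environment.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [ValidateSet('Host', 'Guest')] [string] $Phase,
    [string] $VmName     = 'Win10-Sandbox',   # assumed name of the analysis VM
    [string] $SwitchName = 'MalwareLab',      # assumed name of the dedicated virtual switch
    [string] $SampleDir  = 'C:\Samples'       # assumed folder for samples inside the guest
)

function Set-SandboxIsolation {
    # Step 4, host side. An 'Internal' switch is Hyper-V's equivalent of VMware's host-only
    # adapter: the guest can reach the host's virtual adapter and nothing on the physical LAN.
    # Use -SwitchType Private instead to cut the host off as well while a sample is running.
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
    }
    Get-VMNetworkAdapter -VMName $VmName | Connect-VMNetworkAdapter -SwitchName $SwitchName

    # 'Guest Service Interface' is the integration service behind Copy-VMFile (host -> guest copy).
    Disable-VMIntegrationService -VMName $VmName -Name 'Guest Service Interface'

    # Enhanced Session Mode shares clipboard and drives over RDP; disable it host-wide.
    Set-VMHost -EnableEnhancedSessionMode $false

    # Step 5: a 'Standard' checkpoint also saves memory state, so reverting gives you a running,
    # logged-in VM. Take the clean baseline before the first sample ever lands in the guest.
    Set-VM -Name $VmName -CheckpointType Standard
    Checkpoint-VM -Name $VmName -SnapshotName 'clean-baseline'
    # After each analysis:
    #   Restore-VMCheckpoint -VMName $VmName -Name 'clean-baseline' -Confirm:$false
}

function Set-SandboxGuest {
    # Step 5, guest side. Tamper Protection (Windows 10 1903+) silently ignores changes to
    # real-time protection made here; turn it off first under
    # Windows Security > Virus & threat protection settings.
    Set-MpPreference -DisableRealtimeMonitoring $true
    # Stop Defender from uploading your samples to Microsoft's cloud.
    Set-MpPreference -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    New-Item -ItemType Directory -Path $SampleDir -Force | Out-Null
    Add-MpPreference -ExclusionPath $SampleDir

    # Windows Update would change the baseline under you and can re-enable Defender components.
    Stop-Service -Name wuauserv -Force
    Set-Service -Name wuauserv -StartupType Disabled

    # Let your own analysis scripts and FLARE VM's installer run.
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine -Force

    # Optional: OpenSSH server so the host can move files over SFTP (e.g. WinSCP) without
    # shared folders. It is reachable only over the Internal switch set up on the host side.
    Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0' | Out-Null
    Set-Service -Name sshd -StartupType Automatic
    Start-Service -Name sshd
    New-NetFirewallRule -Name 'sshd' -DisplayName 'OpenSSH Server (sshd)' -Enabled True `
        -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}

switch ($Phase) {
    'Host'  { Set-SandboxIsolation }
    'Guest' { Set-SandboxGuest }
}
```

Run the guest phase first, while the VM is still on its isolated switch and before any sample is copied in, then run the host phase so that the checkpoint captures the finished configuration. If you later switch the virtual switch to Private for a detonation, remember that the SFTP path disappears with it, which is exactly what you want while the sample runs.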
Your VM is good to go and you are ready to analyze some malware! To start off, it's a good idea to write a small test sample yourself (a simple keylogger or a program that encrypts files in a folder) and analyze that before moving on to real malware, so you know what each tool shows you when you already know what the program does.
Additionally, there are a lot of free resources you can use to get started.
If you have any questions regarding this, drop me an email!