Virtual Malware Analysis Lab w/ INetSim & Burp

Ryan Mills Malware Analysis July 6, 2020

Overview:

Ubuntu Victim Windows 10 Victim IDDD 1 Analysis Machine Shared Folder Host Machine Intemet

First I want to give credit where credit is due. I am mainly updating and altering two previous guides on this subject. They can be found here:

https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/
https://infosecaddicts.com/set-up-a-malware-analysis-lab-with-inetsim-and-burpsuite/

If you have questions about “Why this?” or “Why not that?” I’d refer back to Christophe Tafani-Dereeper’s Blog.

My Reason for Writing This:

When trying to follow these guides, I ran into a couple of issues, but between the two of them, I was able to get it working.  There was a couple of things that I had to do that were not covered in either of the guides.  In their defense, one was written in 2017, the other in 2018.  

Prereqs:

Things to grab before you start:

  1. VirtualBox – https://www.virtualbox.org/wiki/Downloads
  2. Burp Community Edition for Linux (64-bit) –https://portswigger.net/burp/releases/community/latest
  3. Latest LTS version of Ubuntu from osboxes – https://www.osboxes.org/ubuntu
  4. Free Windows 10 Dev VM – https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

Creating Ubuntu Victim and Ubuntu Analysis Machine:

  • Install and Open VirtualBox Manager on the Host Machine
  • Navigate to Machine > New or (Ctrl + N)

New Machine
Name: Use whatever name you would like for the Ubuntu Victim Machine
Machine Folder:  Point to where you would like the VM to be stored on the Host Machine
Type: Linux
Version: Ubuntu (64-bit)

  • Next
  • Give each machine at least 2048 MB Memory if possible
  • Next
  • Select the “Use an existing virtual hard disk file” option and point it towards the Unzipped VDI from osboxes.org
Create Virtual Machine Hard disk If you wish pu can add a virtual hard disk to the nevv machine. You can either create a nevv hard disk fie or select one from the list or from another locaton using the folder icon. If pu need a more complex storage set-up you can skip this step and make the changes to the machine settngs once the machine is created. The recommended size of the hard disk is 10.00 GB. C) Do not add a virtual hard disk C) Create a virtual hard disk non @ use an existing virtual hard disk file
  • Create
  • In VirtualBox Manager, Right Click on Ubuntu Victim
  • Select Clone or (Ctrl + O)

Name: Use whatever name you would like for the Analysis Machine
Path:  Point to where you would like the VM to be stored on the Host Machine
MAC Address Policy: “Generate new MAC addresses for all network adapters”

  • Next
  • Leave as ‘Full Clone’
  • Clone

Create the Windows 10 Victim Machine:

  • In VirtualBox Manager, File > Import Appliance or (Ctrl + I)
  • Select WinDev2006Eval.ova from link in Prereqs
  • Next

Machine Base Folder: Point to where you would like the VM to be stored.
MAC Address Policy: Generate new MAC addresses for all network adapters

  • Import

Taking Virtual Machine Snapshots:

I would recommend taking a snapshot of each machine at this point in case you run into any issues with the following configuration steps.

  • Snapshots
  • Take‘ button or (Ctrl+Shift+T)

Name:  Whatever you like just make it useful to you, something like ‘Raw’ or ‘Unconfigured’ would make sense

  • OK
  • Repeat for Ubuntu Victim and Windows Victim

Configure Analysis Machine:

  • Start the Analysis Machine VM
  • Login with default account.  Password: osboxes.org

Note: This can be changed via Terminal with the command:

passwd osboxes
  • Optional: Take a moment to add any preferred tools:
sudo apt install curl
sudo apt install curl
  • Install the Guest Additions Software from VirtualBox

Devices > Insert Guest Additions CD image

Installing iNetSim

  • Open Terminal
sudo su
echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
reboot
  • Wait for VM to come back up
  • Sign in and relaunch Terminal
sudo apt install inetsim
sudo update-rc.d inetsim disable
sudo rm /var/run/inetsim.pid

Installing Burp

  • Download Burp from the location listed in the Prereqs
  • Open Terminal
sudo bash burpsuite_community_linux_v2020_6.sh

Note: Version will change just use whatever version you have

Network Configuration

  • We need to change /etc/network/interfaces.  I will be using nano to do this, but use whatever editor you prefer.
sudo nano /etc/network/interfaces
  • /etc/network/interfaces should be changed to show:
auto enp0s3
iface enp0s3 inet static
 address 10.0.0.1
 netmask 255.255.255.0
  • Save and Close
sudo ifup enp0s3
sudo reboot

VirtualBox Manager Network Configuration

Perform the following steps for each VM.

  • Settings > Network

Attached to:   Internal Network
Name: malware-analysis-network

  • OK

Ubuntu Victim Configuration

  • Start the Analysis Machine VM
  • Login with default account.  Password: osboxes.org

Note: This can be changed via terminal with the command:

passwd osboxes
  • Install the Guest Additions Software from VirtualBox

Devices > Insert Guest Additions CD image

Network Configuration

  • We need to change /etc/network/interfaces again
sudo nano /etc/network/interfaces
  • /etc/network/interfaces should be changed to show:
auto enp0s3
iface enp0s3 inet static
 address 10.0.0.2
 gateway 10.0.0.1
 netmask 255.255.255.0
 dns-nameservers 10.0.0.1
  • Save and Close
sudo ifup enp0s3
sudo service networking restart
  • Test your connection to the Analysis machine.
osboxes@osboxes:—S ping 10.0.0.1 PING 10.0.0.1 64 bytes from 64 bytes from 64 bytes from 64 bytes from (10.0.0.1) 56(84) bytes of data. 10.0.0.1: ttl=64 time— -0.597 ms 10.0.0.1: ttl=64 time —1.01 ms 10.0.0.1: ttl=64 time— —1.01 ms 10.0.0.1: tcmp_seq=4 ttl=64 time- -0.885 ms
  • Reboot

Windows Victim Configuration

  • Install the Guest Additions Software from VirtualBox

Devices > Insert Guest Additions CD image

  • Control Panel > Network & Internet > Network and Sharing Center > Change Adapter Settings
  • Right Click on Ethernet (Mine was Ethernet 2)
  • Properties
  • Select Internet Protocol Version 4 and click Properties
Internet Protocol Version 4 (TCP/IPv4) Properties You can get [P settngs assigned automatcally if pur neb,Nork supguyrts this capability. Otherwise, you need to ask your neb,Nork administrator for the appropriate [P settngs. C) Obtain an [P address automabcally • use the following [P address: [P addr ass: Subnet mask: Default gate nay: 255 255 255 . Obtain DNS server address automatcally • use the following DNS server addresses: Preferred DNS server : Alternate DNS server: [3 Validate settings upon exit
  • OK
  • Open cmd and test connection
: \Users\User>ping 18.8.8.1 Pinging 18.8.8.1 with 32 bytes of data: Reply from 18.8.8.1: bytes=32 time<lms TTL Reply from 18.8.8.1: bytes=32 time<lms TTL Reply from 18.8.8.1: bytes=32 time<lms TTL Reply from 18.8.8.1: bytes=32 time<lms TTL Ping statistics for 18.8.8.1: Packets: Sent = 4, Received = 4, Lost = 64 = 64 = 64 = 64 loss), pproximate round trip times in milli-seconds: minimum = Bms, maximum = Bms, Average = Bms
  • Reboot

New Round of Snapshots

Same as the Taking Virtual Machine Snapshots section above, only this time we’re creating the snapshot we’ll be returning the machines to after infecting them each time.  I’d recommend something with ‘Clean’ in the title.  

Now when you Close a machine, you will have option to restore to this snapshot:

Close Virtual Machine You want to: C) Save the machine state Send the shutdown signal @ Povver off the machine Z] Restore current snapshot Clean Slate'

INetSim Defaults and “New Instances”

On the Ubuntu Analysis Machine

  • In a text editor of your choosing make the following changes to /etc/inetsim/inetsim.conf:
FROMTO
#service_bind_address   10.10.10.1service_bind_address   0.0.0.0
#dns_default_ip    10.0.0.1dns_default_ip   10.0.0.1
#https_bind_port   443https_bind_port   8443
  • Save and Close

Creating a new folder for each analysis .  In this example we’ll use ‘test’ as our threat:

mkdir analysis
mkdir analysis/test
cp /etc/inetsim/inetsim.conf analysis/test
sudo cp -r /var/lib/inetsim analysis/test/data
cd analysis/test
sudo chmod -R 777 data

Test Run:

sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop
sudo inetsim --data data --conf inetsim.conf
sudo tnetstm - -data data - -conf tnetstm.conf INetStm 1.3.2 (2020-05-19) by Matthias Eckert & Thomas Hungenberg Using log directory: Using data directory: Using report directory: /var/log/tnetstm/ data/ /var/log/tnetstm/report/ Using configuration file: /home/osboxes/analysts/test/tnetstm.conf Parsing configuration file. Configuration file parsed successfully. INetStm main process started (PID 2180) Session ID: Listening on: 2180 e.o.e.e Real Date/Time: 2020-07-04 Fake Date/Time: 2020-07-04 (Delta Forking services. : e seconds) * * * * * * * * * * * * * * * * * * * * * * * * * * * * * dns 53_tcp_udp - started (PID 2182) - started (PID 2192) trc 6667_tcp sys - started (PID 2196) - started (PID 2194) finger_79_tcp echo_7_udp - started (PID 2202) echo_7_tcp - started (PID 2201) - started (PID 2197) time 37_tcp ntp_123_udp - started (PID 2193) daytime 13_tcp - started (PID 2199) ident_113 tcp - started (PID 2195) time 37_udp - started (PID 2198) chargen_19_tcp - started (PID 2207) daytime_13_udp - started (PID 2200) quotd 17_tcp - started (PID 2205) chargen_19_udp - started (PID 2208) discard_9_udp - started (PID 2204) discard_9_tcp - started (PID 2203) tftp_69_udp - started (PID 2191) dummy_l_udp - started (PID 2210) quotd_17_udp - started (PID 2206) dummy_l_tcp - started (PID 2209) - started (PID 2185) smtp_25_tcp - started (PID 2186) smtps_465 tcp - started (PID 2190) ftps 990_tcp - started (PID 2189) ftp_21_tcp - started (PID 2187) pop3_110 tcp - started (PID 2188) pop3s 995 tcp http_80_tcp - started (PID 2183) https_8443_tcp - started (PID 2184) done . Simulation running.

On the Windows Victim machine, try https://gamesandtheory.tech

ä INetsim default HTML O gamesandtheory.tech/ This is the default HTN'IL page for INetSim HTTP server fake mode. This file is an HTN'IL document.

Back on the Analysis Machine
Ctrl + C to stop INetSim and get the path to the log

Simulation stopped. Report written to ' /var/log/tnetstm/report/report.2180. txt' (87 lines) = INetStm main process stopped (PID 2180)

From the log:

SSL Interception with Burp

Analysis Масбјпе lNetSm В игр
  • Start Burp as root
sudo /home/osboxes/BurpSuiteCommunity/BurpSuiteCommunity
  • Use Burp defaults
  • Click Start Burp
  • Select ‘Proxy‘ Tab
  • Select ‘Options‘ Tab
  • Select ‘Edit‘ under ‘Proxy Listeners’
Burp Project Intruder Repeater Window Dashboard Target Proxy Intruder Help Repeater Sequencer Decoder Comparer Project options User options Intercept HIT P history WebSockets history Proxy Listeners Burp Proxy uses listeners to receive Incoming handling HIT P requests from your browser You "ill need to configure your browser to use one of thk Add Remove o Each installati Import/e Use these se Intercept r Add Remove Up Interface X: 443 Request Invisible Redirect localhost:844S Certificate per-host TLS Protocols Default Edit proxy listener Certificate TLS Protocols These settings control how Burp binds the proxy listener Bind to port: Bind to address: 44 S o Loopback only All interfaces o Specific address:

Binding Tab:
Bind to port: 443
Bind to address: All interfaces
Request handling Tab:
Redirect to host: localhost
Redirect to port: 8443
Check ‘Support invisible proxying (enable only if needed)’

  • Turn off Intercept
Burp Project Intruder Repeater Window Dashboard Target Proxy Intruder Help Repeater Sequencer Decoder cor HIT P history WebSockets history Options Intercept is off Hex Action

Test It:

  • Start InetSim
  • In a new Terminal window, run this command
curl --insecure https://localhost
osboxes@osboxes : —S --tnsecure https://localhost curl default HTML mode . ts the default HTML page for INetStm HTTP server fake align; file ts an HTML document.</p>

Importing Burp’s CA Cert on Victim Machines

Windows Victim Machine

  • Add a new Proxy Listener to Burp:
Dashboard Target Proxy Intruder Repeater Intercept HIT P history WebSockets history Sequencer Decoder Comparer Project options User options Proxy Listeners Burp Proxy uses listeners to receive Interface X: 443 Incoming HIT P requests from your browser You "ill need to configure your browser to use one of t Invisible Redirect localhost:844S Certificate per-host TLS Protocols Default Remove Each installa Import/e Use these se Intercept Add Remove Up inding Request handling Add a new proxy listener Certificate TLS Protocols o These settings control how Burp binds the proxy listener Bind to port: Bind to address: o Loopback only All interfaces o Specific address:

Binding Tab:
Bind to port: 8080
Bind to address: All interfaces

Burp Suite Community O 10.0.0.1:8080/ Burp Suite Community Edition Welcome to Burp Suite Community Edition. CA Certificate
  • Click on CA Certificate
  • Select Open
  • Allow
  • Install Certificate…
  • Local Machine > Next
  • Place all certificates in the following store: Trusted Root Certification Authorities
  • Next
  • Finish

HTTPS should now working:

O https://gamesandtheory.techm' SIM INetSim default HTML page Search... This is the default HTNIL page for INetSim HTTP server fake mode This file is an HTNIL document

Ubuntu Victim Machine

  • Save cert from http://10.0.0.1:8080
  • Open Terminal
openssl x509 -in ~/Downloads/cacert.der -inform DER -out burp.crt
sudo cp burp.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Setup Shared Folder between Analysis machine and Host

  • In VirtualBox Manager for Ubuntu Analysis Machine , Devices > Shared Folders > Shared folders settings
Devices Help Optical Drives Audio Network D USB Shared Folders Intruder Repeater Window Help Target ro&' Intruder Rep Sha

Folder Path: Path to Folder on Host
Folder Name: Folder Name
Check ‘Make Permanent’

  • Run from Terminal
mkdir ~/malware
sudo mount -t vboxsf malware ~/malware

Finally, The Demo

With your malware of choice in your shared folder, we need to get it to our victim machine.  INetSim will allow you to add this to its fakefiles in the data folder.  For my example, I’m using copy of tesla like the previous journals.

  • Copy malware sample to ~/analysis/test/data/http/fakefiles
  • Edit /analysis/test/inetsim.conf to inclue the following line under ‘http_fakefile’
http_fakefile             zip          tesla.zip                       application/zip

Switch over to the Windows Victim Machine:

  • Using IE trying any http domain with the filename
O https://github.com/tesla.zip SIM INetSim default HTML page Search... This is the default HTTvIL page for IN etSim HTTP server fake mode Internet Explorer What do you want to do with teslazip? Size: 393 KB From: gitlab.com Open The file won't be saved automatically. Save Save as Cancel
  • Extract and Run the Malware
  • After a few minutes, I was able to determine mine had run after I started noticing files being encrypted and receiving popups.
  • Shutdown and restore Windows Victim Machine to Clean Slate
  • Return to analysis machine, and stop INetSim to review log:
  • Review Log
05:06. es:es. es:es. es:es. es:es. es:es. es:es. es:es. 948e es:es. es:es. es:es. 05:06. 2020-07-05 2020-07-05 2020-07-05 2020-07-05 2020-07-05 2020-07-05 2020-07-05 2020-07-05 2020-67-65 2020-07-05 2020-07-05 2020-07-05 • 39 • 39 • 39 • 39 • 39 • 39 • 39 • 39 • 39 • 39 • 39 • 39 DNS connectton, HTTP connectton, DNS connectton, HTTP connectton, DNS connectton, HTTP connectton, DNS connectton, HTTP connectton, DNS connectton, HTTP connectton, DNS connectton, HTTP connectton, type: A, method : type: A, method : type: A, method : type: A, method : type: A, method : type: A, method : class: IN, POST , URL : class: IN, POST , URL : class: IN, POST , URL : class: IN, POST , URL : class : IN, POST , URL : class: IN, POST , URL : requested name: 13343225565.com http://13343225565.com/mzft1e.php, file name: data/http/postdata/5b14ac4022c2a8a8044f3b23fd736ce7438begc826a972ee5c135eeee76d948e requested name: 4turka.com http://4turka.com/tmages/mzftle.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e reques ted name: aforexvn . com http://aforexvn.com/mzftle.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e requested name: atrlab.pro http://atrlab.pro/modules/mod_arttmagesltder/mzftle.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d requested name: alushtadom.com http://alushtadom.com/mzftle.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e reques ted name: onguso . com http://onguso.com/tntftle.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e

Final Thoughts

In the future, I would plan to add some version of Office to the Windows Victim machine. Other than that, I think this is a pretty solid setup for the price.

Tagged with:

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *