Virtual Malware Analysis Lab w/ INetSim & Burp
Overview:

First I want to give credit where credit is due. I am mainly updating and altering two previous guides on this subject. They can be found here:
https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/
https://infosecaddicts.com/set-up-a-malware-analysis-lab-with-inetsim-and-burpsuite/
If you have questions about “Why this?” or “Why not that?” I’d refer back to Christophe Tafani-Dereeper’s Blog.
My Reason for Writing This:
When trying to follow these guides, I ran into a couple of issues, but between the two of them, I was able to get it working. There were a couple of things that I had to do that were not covered in either of the guides. In their defense, one was written in 2017, the other in 2018.
Prereqs:
Things to grab before you start:
- VirtualBox – https://www.virtualbox.org/wiki/Downloads
- Burp Community Edition for Linux (64-bit) – https://portswigger.net/burp/releases/community/latest
- Latest LTS version of Ubuntu from osboxes – https://www.osboxes.org/ubuntu
- Free Windows 10 Dev VM – https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
Creating Ubuntu Victim and Ubuntu Analysis Machine:
- Install and Open VirtualBox Manager on the Host Machine
- Navigate to Machine > New or (Ctrl + N)
Name: Use whatever name you would like for the Ubuntu Victim Machine
Machine Folder: Point to where you would like the VM to be stored on the Host Machine
Type: Linux
Version: Ubuntu (64-bit)
- Next
- Give each machine at least 2048 MB Memory if possible
- Next
- Select the “Use an existing virtual hard disk file” option and point it towards the Unzipped VDI from osboxes.org

- Create
- In VirtualBox Manager, Right Click on Ubuntu Victim
- Select Clone or (Ctrl + O)
Name: Use whatever name you would like for the Analysis Machine
Path: Point to where you would like the VM to be stored on the Host Machine
MAC Address Policy: “Generate new MAC addresses for all network adapters”
- Next
- Leave as ‘Full Clone’
- Clone
Create the Windows 10 Victim Machine:
- In VirtualBox Manager, File > Import Appliance or (Ctrl + I)
- Select WinDev2006Eval.ova from the link in Prereqs
- Next
Machine Base Folder: Point to where you would like the VM to be stored.
MAC Address Policy: Generate new MAC addresses for all network adapters
- Import
Taking Virtual Machine Snapshots:
I would recommend taking a snapshot of each machine at this point in case you run into any issues with the following configuration steps.
- Snapshots
- ‘Take’ button or (Ctrl+Shift+T)
Name: Whatever you like just make it useful to you, something like ‘Raw’ or ‘Unconfigured’ would make sense
- OK
- Repeat for Ubuntu Victim and Windows Victim
Configure Analysis Machine:
- Start the Analysis Machine VM
- Login with default account. Password: osboxes.org
Note: This can be changed via Terminal with the command:
passwd osboxes
- Optional: Take a moment to add any preferred tools:
sudo apt install curl
- Install the Guest Additions Software from VirtualBox
Devices > Insert Guest Additions CD image
Installing iNetSim
- Open Terminal
sudo su
echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
reboot
- Wait for VM to come back up
- Sign in and relaunch Terminal
sudo apt install inetsim
sudo update-rc.d inetsim disable
sudo rm /var/run/inetsim.pid
Installing Burp
- Download Burp from the location listed in the Prereqs
- Open Terminal
sudo bash burpsuite_community_linux_v2020_6.sh
Note: Version will change just use whatever version you have
Network Configuration
- We need to change /etc/network/interfaces. I will be using nano to do this, but use whatever editor you prefer.
sudo nano /etc/network/interfaces
- /etc/network/interfaces should be changed to show:
auto enp0s3
iface enp0s3 inet static
address 10.0.0.1
netmask 255.255.255.0
- Save and Close
sudo ifup enp0s3
sudo reboot
VirtualBox Manager Network Configuration
Perform the following steps for each VM.
- Settings > Network
Attached to: Internal Network
Name: malware-analysis-network
- OK
Ubuntu Victim Configuration
- Start the Ubuntu Victim VM
- Login with default account. Password: osboxes.org
Note: This can be changed via terminal with the command:
passwd osboxes
- Install the Guest Additions Software from VirtualBox
Devices > Insert Guest Additions CD image
Network Configuration
- We need to change /etc/network/interfaces again
sudo nano /etc/network/interfaces
- /etc/network/interfaces should be changed to show:
auto enp0s3
iface enp0s3 inet static
address 10.0.0.2
gateway 10.0.0.1
netmask 255.255.255.0
dns-nameservers 10.0.0.1
- Save and Close
sudo ifup enp0s3
sudo service networking restart
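The two /etc/network/interfaces stanzas above (analysis machine at 10.0.0.1, victim at 10.0.0.2 with the analysis machine as gateway and DNS) only take effect on images that still use ifupdown. If `ifup` is not found, or the address does not survive the reboot, the Ubuntu image is using netplan instead. The script below is an added example, not part of the original post: it renders the same two configurations in netplan form. It assumes the interface is called enp0s3 as in the guide and that the systemd-networkd renderer is available; output paths and addresses are parameters.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a netplan configuration
# equivalent to the /etc/network/interfaces stanzas in the guide, for Ubuntu
# images that ignore ifupdown. Interface name and addresses are parameters;
# the values rendered by render_lab_configs are the ones used in this lab.

# write_netplan_static OUTFILE IFACE ADDRESS/PREFIX [GATEWAY] [DNS]
# Gateway and DNS are optional so one function covers the analysis machine
# (no gateway) and the victim (gateway and DNS both 10.0.0.1).
write_netplan_static() {
    out="$1"; iface="$2"; cidr="$3"; gw="${4:-}"; dns="${5:-}"
    {
        printf 'network:\n'
        printf '  version: 2\n'
        printf '  renderer: networkd\n'
        printf '  ethernets:\n'
        printf '    %s:\n' "$iface"
        printf '      dhcp4: false\n'
        printf '      addresses: [%s]\n' "$cidr"
        if [ -n "$gw" ]; then
            # Default route via the analysis machine; the routes: form works
            # on both old and new netplan releases (gateway4: is deprecated).
            printf '      routes:\n'
            printf '        - to: 0.0.0.0/0\n'
            printf '          via: %s\n' "$gw"
        fi
        if [ -n "$dns" ]; then
            printf '      nameservers:\n'
            printf '        addresses: [%s]\n' "$dns"
        fi
    } > "$out"
}

# Render both lab configs into a directory so they can be inspected first.
# Copy the one you need to /etc/netplan/01-lab.yaml on that VM and run
# `sudo netplan apply`.
render_lab_configs() {
    dir="$1"
    mkdir -p "$dir"
    write_netplan_static "$dir/analysis.yaml" enp0s3 10.0.0.1/24
    write_netplan_static "$dir/victim.yaml"   enp0s3 10.0.0.2/24 10.0.0.1 10.0.0.1
}

if [ "${1:-}" = "--render" ]; then
    render_lab_configs "${2:-./netplan-lab}"
fi
```

Run it with `sh lab-netplan.sh --render` and compare the two generated files with the stanzas above before applying either one; `netplan try` will roll the change back automatically if the VM loses connectivity.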
- Test your connection to the Analysis machine.

- Reboot
Windows Victim Configuration
- Install the Guest Additions Software from VirtualBox
Devices > Insert Guest Additions CD image
- Control Panel > Network & Internet > Network and Sharing Center > Change Adapter Settings
- Right Click on Ethernet (Mine was Ethernet 2)
- Properties
- Select Internet Protocol Version 4 and click Properties

- OK
- Open cmd and test connection

- Reboot
New Round of Snapshots
Same as the Taking Virtual Machine Snapshots section above, only this time we’re creating the snapshot we’ll be returning the machines to after infecting them each time. I’d recommend something with ‘Clean’ in the title.
Now when you Close a machine, you will have the option to restore to this snapshot:
![VirtualBox “Close Virtual Machine” dialog with the options Save the machine state, Send the shutdown signal, Power off the machine, and “Restore current snapshot ‘Clean Slate’”](https://gamesandtheory.tech/wp-content/uploads/2020/07/image-9.png)
INetSim Defaults and “New Instances”
On the Ubuntu Analysis Machine
- In a text editor of your choosing make the following changes to /etc/inetsim/inetsim.conf:
| FROM | TO |
| --- | --- |
| #service_bind_address 10.10.10.1 | service_bind_address 0.0.0.0 |
| #dns_default_ip 10.0.0.1 | dns_default_ip 10.0.0.1 |
| #https_bind_port 443 | https_bind_port 8443 |
- Save and Close
Create a new folder for each analysis. In this example we’ll use ‘test’ as our threat:
mkdir analysis
mkdir analysis/test
cp /etc/inetsim/inetsim.conf analysis/test
sudo cp -r /var/lib/inetsim analysis/test/data
cd analysis/test
sudo chmod -R 777 data
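The config edits from the table and the per-analysis folder steps above are easy to get slightly wrong by hand (a line left commented, or the system copy edited instead of the analysis copy). The script below is an added example, not part of the original post: it builds the analysis folder, applies the three inetsim.conf changes with sed, and verifies them. It assumes the stock config keeps those three options as commented-out defaults, as the table shows; the small sample config it writes is constructed for trying the script without INetSim installed and is not the real default file.

```shell
#!/bin/sh
# Added example, not from the original post: create a per-analysis INetSim
# workspace (the mkdir/cp steps in the guide), apply the three inetsim.conf
# edits from the table, and verify them. Assumes the stock config carries the
# options as commented-out defaults.

# Constructed stand-in for /etc/inetsim/inetsim.conf so the script can be
# tried without INetSim installed; only the options we touch are included.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not the real INetSim default file
#service_bind_address   10.10.10.1
#dns_default_ip         10.0.0.1
#https_bind_port        443
start_service dns
start_service http
start_service https
EOF
}

# Uncomment (or overwrite) each option and set the lab value. Writes to a
# temp file and renames, so it behaves the same with GNU and BSD sed.
patch_inetsim_conf() {
    conf="$1"
    sed -e 's/^#\{0,1\}service_bind_address[[:space:]].*/service_bind_address 0.0.0.0/' \
        -e 's/^#\{0,1\}dns_default_ip[[:space:]].*/dns_default_ip 10.0.0.1/' \
        -e 's/^#\{0,1\}https_bind_port[[:space:]].*/https_bind_port 8443/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Returns 0 only if all three options are active and set to the lab values.
check_inetsim_conf() {
    grep -q '^service_bind_address 0\.0\.0\.0$' "$1" &&
    grep -q '^dns_default_ip 10\.0\.0\.1$' "$1" &&
    grep -q '^https_bind_port 8443$' "$1"
}

# new_analysis_dir BASE NAME SRC_CONF SRC_DATA
# Mirrors the guide: copy the config and the data tree into BASE/NAME and
# patch the copy, leaving the system config untouched. Prints the new path.
new_analysis_dir() {
    base="$1"; name="$2"; src_conf="$3"; src_data="$4"
    dir="$base/$name"
    mkdir -p "$dir"
    cp "$src_conf" "$dir/inetsim.conf"
    cp -r "$src_data" "$dir/data"
    patch_inetsim_conf "$dir/inetsim.conf"
    check_inetsim_conf "$dir/inetsim.conf" || { echo "config patch failed" >&2; return 1; }
    echo "$dir"
}

# Real use on the analysis machine (sudo is needed to read /var/lib/inetsim):
#   sudo sh new-analysis.sh --run tesla
if [ "${1:-}" = "--run" ]; then
    new_analysis_dir "$HOME/analysis" "${2:-test}" /etc/inetsim/inetsim.conf /var/lib/inetsim
fi
```

Because the copied data tree is owned by root after `sudo cp`, you still need the guide’s `chmod` (or a `chown` to your user) before INetSim can write its fake files there; the script deliberately does not change ownership for you.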
Test Run:
sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop
sudo inetsim --data data --conf inetsim.conf

On the Windows Victim machine, try https://gamesandtheory.tech

Back on the Analysis Machine
Ctrl + C to stop INetSim and get the path to the log

From the log:

SSL Interception with Burp

- Start Burp as root
sudo /home/osboxes/BurpSuiteCommunity/BurpSuiteCommunity
- Use Burp defaults
- Click Start Burp
- Select ‘Proxy’ Tab
- Select ‘Options’ Tab
- Select ‘Edit’ under ‘Proxy Listeners’

Binding Tab:
Bind to port: 443
Bind to address: All interfaces
Request handling Tab:
Redirect to host: localhost
Redirect to port: 8443
Check ‘Support invisible proxying (enable only if needed)’
- Turn off Intercept

Test It:
- Start InetSim
- In a new Terminal window, run this command
curl --insecure https://localhost

Importing Burp’s CA Cert on Victim Machines
Windows Victim Machine
- Add a new Proxy Listener to Burp:

Binding Tab:
Bind to port: 8080
Bind to address: All interfaces
- On the Windows Victim Machine navigate to http://10.0.0.1:8080 with IE:

- Click on CA Certificate
- Select Open
- Allow
- Install Certificate…
- Local Machine > Next
- Place all certificates in the following store: Trusted Root Certification Authorities
- Next
- Finish
HTTPS should now be working:

Ubuntu Victim Machine
- Save cert from http://10.0.0.1:8080
- Open Terminal
openssl x509 -in ~/Downloads/cacert.der -inform DER -out burp.crt
sudo cp burp.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Setup Shared Folder between Analysis machine and Host
- In VirtualBox Manager for the Ubuntu Analysis Machine, Devices > Shared Folders > Shared folders settings

Folder Path: Path to Folder on Host
Folder Name: Folder Name
Check ‘Make Permanent’
- Run from Terminal
mkdir ~/malware
sudo mount -t vboxsf malware ~/malware
Finally, The Demo
With your malware of choice in your shared folder, we need to get it to our victim machine. INetSim will allow you to add this to its fakefiles in the data folder. For my example, I’m using a copy of tesla like the previous journals.
- Copy malware sample to ~/analysis/test/data/http/fakefiles
- Edit ~/analysis/test/inetsim.conf to include the following line under ‘http_fakefile’:
http_fakefile zip tesla.zip application/zip
Switch over to the Windows Victim Machine:
- Using IE, try any http domain with the filename appended

- Extract and Run the Malware
- After a few minutes, I was able to determine mine had run after I started noticing files being encrypted and receiving popups.
- Shutdown and restore Windows Victim Machine to Clean Slate
- Return to analysis machine, and stop INetSim to review log:
- Review Log
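Reading the INetSim service log by eye gets slow once a sample has made more than a handful of requests. The script below is an added example, not part of the original post: it summarises a service.log into connections per service, the DNS names the victim looked up, and the URLs it fetched. The log lines it writes are a constructed sample in the style of INetSim’s service.log (`[date time] [pid] [service pid] [client:port] message`, with `stat:` lines carrying `qname=` and `url=` fields); the field positions the awk code relies on are an assumption taken from that sample, so check them against your own log before trusting the counts.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an INetSim service.log.
# Field layout assumed (from the constructed sample below):
#   $1 $2 = [date time]   $3 = [pid]   $4 $5 = [service pid]
#   $6 = [client:port]    $7 = message keyword (connect, recv:, stat:, ...)

# Constructed sample log for trying the functions offline. Hostnames use the
# reserved .test TLD and do not refer to any real infrastructure.
write_sample_log() {
    cat > "$1" <<'EOF'
[2020-07-10 14:02:58] [1612] [dns_53_tcp_udp 1620] [10.0.0.2:61234] connect
[2020-07-10 14:02:58] [1612] [dns_53_tcp_udp 1620] [10.0.0.2:61234] stat: 1 qtype=A qclass=IN qname=update.example.test
[2020-07-10 14:02:58] [1612] [dns_53_tcp_udp 1620] [10.0.0.2:61234] disconnect
[2020-07-10 14:02:59] [1612] [http_80_tcp 1631] [10.0.0.2:49710] connect
[2020-07-10 14:02:59] [1612] [http_80_tcp 1631] [10.0.0.2:49710] recv: GET /tesla.zip HTTP/1.1
[2020-07-10 14:02:59] [1612] [http_80_tcp 1631] [10.0.0.2:49710] stat: 1 method=GET url=http://update.example.test/tesla.zip sent=/home/osboxes/analysis/test/data/http/fakefiles/tesla.zip postdata=
[2020-07-10 14:02:59] [1612] [http_80_tcp 1631] [10.0.0.2:49710] disconnect
[2020-07-10 14:03:10] [1612] [dns_53_tcp_udp 1620] [10.0.0.2:61235] connect
[2020-07-10 14:03:10] [1612] [dns_53_tcp_udp 1620] [10.0.0.2:61235] stat: 1 qtype=A qclass=IN qname=c2.example.test
[2020-07-10 14:03:10] [1612] [dns_53_tcp_udp 1620] [10.0.0.2:61235] disconnect
[2020-07-10 14:03:11] [1612] [https_8443_tcp 1640] [10.0.0.2:49711] connect
[2020-07-10 14:03:11] [1612] [https_8443_tcp 1640] [10.0.0.2:49711] stat: 1 method=POST url=https://c2.example.test/report sent=/home/osboxes/analysis/test/data/http/fakefiles/sample.html postdata=
[2020-07-10 14:03:11] [1612] [https_8443_tcp 1640] [10.0.0.2:49711] disconnect
[2020-07-10 14:03:15] [1612] [dns_53_tcp_udp 1620] [10.0.0.2:61236] connect
[2020-07-10 14:03:15] [1612] [dns_53_tcp_udp 1620] [10.0.0.2:61236] stat: 1 qtype=A qclass=IN qname=c2.example.test
[2020-07-10 14:03:15] [1612] [dns_53_tcp_udp 1620] [10.0.0.2:61236] disconnect
EOF
}

# count_connects LOG SERVICE  -> number of "connect" events for that service
count_connects() {
    awk -v svc="[$2" '$NF == "connect" && $4 == svc { n++ } END { print n + 0 }' "$1"
}

# dns_names LOG  -> sorted, de-duplicated names from DNS stat lines
dns_names() {
    awk '$7 == "stat:" { for (i = 8; i <= NF; i++) if ($i ~ /^qname=/) print substr($i, 7) }' "$1" \
        | LC_ALL=C sort -u
}

# http_urls LOG  -> sorted, de-duplicated URLs from HTTP/HTTPS stat lines
http_urls() {
    awk '$7 == "stat:" { for (i = 8; i <= NF; i++) if ($i ~ /^url=/) print substr($i, 5) }' "$1" \
        | LC_ALL=C sort -u
}

# summarize_inetsim_log LOG  -> human-readable report on stdout
summarize_inetsim_log() {
    log="$1"
    echo "== connections per service =="
    awk '$NF == "connect" { s = substr($4, 2); c[s]++ } END { for (s in c) print c[s], s }' "$log" \
        | LC_ALL=C sort
    echo "== DNS names queried by the victim =="
    dns_names "$log"
    echo "== URLs requested (http/https) =="
    http_urls "$log"
}

# Usage on the analysis machine after stopping INetSim (path printed on Ctrl+C):
#   sh inetsim-summary.sh --summary /path/to/service.log
if [ "${1:-}" = "--summary" ]; then
    summarize_inetsim_log "$2"
fi
```

Repeated lookups of the same name with no matching HTTP request (c2.example.test appears twice in the DNS list but once in the URL list in the sample) are worth a second look: with INetSim answering every query, a sample that keeps resolving a host but never speaks to it is often waiting on a protocol INetSim is not emulating on that port.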

Final Thoughts
In the future, I would plan to add some version of Office to the Windows Victim machine. Other than that, I think this is a pretty solid setup for the price.