Virtual Malware Analysis Lab w/ INetSim & Burp

Overview:

[Diagram: Ubuntu Victim, Windows 10 Victim and Analysis Machine on an internal network; the Analysis Machine shares a folder with the Host Machine, which has the Internet connection]

First I want to give credit where credit is due. I am mainly updating and altering two previous guides on this subject. They can be found here:

https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/
https://infosecaddicts.com/set-up-a-malware-analysis-lab-with-inetsim-and-burpsuite/

If you have questions about “Why this?” or “Why not that?” I’d refer back to Christophe Tafani-Dereeper’s Blog.

My Reason for Writing This:

When trying to follow these guides, I ran into a couple of issues, but between the two of them, I was able to get it working.  There were a couple of things that I had to do that were not covered in either of the guides.  In their defense, one was written in 2017, the other in 2018.

Prereqs:

Things to grab before you start:

  1. VirtualBox – https://www.virtualbox.org/wiki/Downloads
  2. Burp Community Edition for Linux (64-bit) – https://portswigger.net/burp/releases/community/latest
  3. Latest LTS version of Ubuntu from osboxes – https://www.osboxes.org/ubuntu
  4. Free Windows 10 Dev VM – https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

Creating Ubuntu Victim and Ubuntu Analysis Machine:

  • Install and Open VirtualBox Manager on the Host Machine
  • Navigate to Machine > New or (Ctrl + N)

New Machine
Name: Use whatever name you would like for the Ubuntu Victim Machine
Machine Folder:  Point to where you would like the VM to be stored on the Host Machine
Type: Linux
Version: Ubuntu (64-bit)

  • Next
  • Give each machine at least 2048 MB Memory if possible
  • Next
  • Select the “Use an existing virtual hard disk file” option and point it towards the Unzipped VDI from osboxes.org
[Screenshot: Create Virtual Machine > Hard disk dialog, with ‘Use an existing virtual hard disk file’ selected]
  • Create
  • In VirtualBox Manager, Right Click on Ubuntu Victim
  • Select Clone or (Ctrl + O)

Name: Use whatever name you would like for the Analysis Machine
Path:  Point to where you would like the VM to be stored on the Host Machine
MAC Address Policy: “Generate new MAC addresses for all network adapters”

  • Next
  • Leave as ‘Full Clone’
  • Clone

Create the Windows 10 Victim Machine:

  • In VirtualBox Manager, File > Import Appliance or (Ctrl + I)
  • Select WinDev2006Eval.ova from the link in Prereqs
  • Next

Machine Base Folder: Point to where you would like the VM to be stored.
MAC Address Policy: Generate new MAC addresses for all network adapters

  • Import

Taking Virtual Machine Snapshots:

I would recommend taking a snapshot of each machine at this point in case you run into any issues with the following configuration steps.

  • Snapshots
  • ‘Take’ button or (Ctrl+Shift+T)

Name:  Whatever you like, just make it useful to you; something like ‘Raw’ or ‘Unconfigured’ would make sense

  • OK
  • Repeat for Ubuntu Victim and Windows Victim

Configure Analysis Machine:

  • Start the Analysis Machine VM
  • Login with default account.  Password: osboxes.org

Note: This can be changed via Terminal with the command:

passwd osboxes
  • Optional: Take a moment to add any preferred tools:
sudo apt install curl
  • Install the Guest Additions Software from VirtualBox

Devices > Insert Guest Additions CD image

Installing iNetSim

  • Open Terminal
sudo su
echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
reboot
  • Wait for VM to come back up
  • Sign in and relaunch Terminal
sudo apt install inetsim
sudo update-rc.d inetsim disable
sudo rm /var/run/inetsim.pid 

Installing Burp

  • Download Burp from the location listed in the Prereqs
  • Open Terminal
sudo bash burpsuite_community_linux_v2020_6.sh

Note: The version number will change; just use whatever version you downloaded.

Network Configuration

  • We need to change /etc/network/interfaces.  I will be using nano to do this, but use whatever editor you prefer.
sudo nano /etc/network/interfaces
  • /etc/network/interfaces should be changed to show:
auto enp0s3
iface enp0s3 inet static
 address 10.0.0.1
 netmask 255.255.255.0
  • Save and Close
sudo ifup enp0s3
sudo reboot

VirtualBox Manager Network Configuration

Perform the following steps for each VM.

  • Settings > Network

Attached to:   Internal Network
Name: malware-analysis-network

  • OK

Ubuntu Victim Configuration

  • Start the Ubuntu Victim VM
  • Login with default account.  Password: osboxes.org

Note: This can be changed via terminal with the command:

passwd osboxes
  • Install the Guest Additions Software from VirtualBox

Devices > Insert Guest Additions CD image

Network Configuration

  • We need to change /etc/network/interfaces again
sudo nano /etc/network/interfaces
  • /etc/network/interfaces should be changed to show:
auto enp0s3
iface enp0s3 inet static
 address 10.0.0.2
 gateway 10.0.0.1
 netmask 255.255.255.0
 dns-nameservers 10.0.0.1
  • Save and Close
sudo ifup enp0s3
sudo service networking restart
  • Test your connection to the Analysis machine.
osboxes@osboxes:~$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.597 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=1.01 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=1.01 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.885 ms
  • Reboot

Windows Victim Configuration

  • Install the Guest Additions Software from VirtualBox

Devices > Insert Guest Additions CD image

  • Control Panel > Network & Internet > Network and Sharing Center > Change Adapter Settings
  • Right Click on Ethernet (Mine was Ethernet 2)
  • Properties
  • Select Internet Protocol Version 4 and click Properties
[Screenshot: Internet Protocol Version 4 (TCP/IPv4) Properties dialog, with ‘Use the following IP address’ and ‘Use the following DNS server addresses’ selected. Fill in the victim’s IP address, subnet mask 255.255.255.0, and the Analysis Machine’s address (10.0.0.1) as both default gateway and preferred DNS server.]
  • OK
  • Open cmd and test connection
C:\Users\User>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time<1ms TTL=64
Reply from 10.0.0.1: bytes=32 time<1ms TTL=64
Reply from 10.0.0.1: bytes=32 time<1ms TTL=64
Reply from 10.0.0.1: bytes=32 time<1ms TTL=64

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
  • Reboot

New Round of Snapshots

Same as the Taking Virtual Machine Snapshots section above, only this time we’re creating the snapshot we’ll be returning the machines to after infecting them each time.  I’d recommend something with ‘Clean’ in the title.  

Now when you close a machine, you will have the option to restore to this snapshot:

[Screenshot: Close Virtual Machine dialog. Options: Save the machine state / Send the shutdown signal / Power off the machine (selected), with ‘Restore current snapshot ‘Clean Slate’’ checked]

INetSim Defaults and “New Instances”

On the Ubuntu Analysis Machine

  • In a text editor of your choosing make the following changes to /etc/inetsim/inetsim.conf:
FROM                                   TO
#service_bind_address   10.10.10.1     service_bind_address   0.0.0.0
#dns_default_ip         10.0.0.1       dns_default_ip         10.0.0.1
#https_bind_port        443            https_bind_port        8443
  • Save and Close

Create a new folder for each analysis, so every sample gets its own config and data tree.  In this example we’ll use ‘test’ as our threat:

mkdir analysis
mkdir analysis/test
cp /etc/inetsim/inetsim.conf analysis/test
sudo cp -r /var/lib/inetsim analysis/test/data
cd analysis/test
sudo chmod -R 777 data
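As an added example (my own, not code from the original post or from INetSim), the same per-analysis setup as a small POSIX sh script: it copies the stock config and data tree into a new folder, applies the three inetsim.conf changes from the FROM/TO table above with sed instead of a text editor, and checks that the active values are what you expect before you launch. The function names and the sample_conf helper (a constructed excerpt with the three commented defaults) are mine; the paths in the usage comment are the post’s.

```shell
#!/bin/sh
# Added example: prepare a per-analysis INetSim directory and rewrite the
# three directives the post changes. Assumes GNU sed (for -i) and that the
# stock inetsim.conf still carries the commented defaults quoted in the post.

# prepare_analysis_dir SRC_CONF SRC_DATA DEST_DIR
#   Copies SRC_CONF to DEST_DIR/inetsim.conf and SRC_DATA into DEST_DIR/data,
#   then uncomments and rewrites the three directives. Anchoring on the
#   commented form means running it twice is harmless.
prepare_analysis_dir() {
    src_conf=$1; src_data=$2; dest=$3
    mkdir -p "$dest/data"
    cp "$src_conf" "$dest/inetsim.conf"
    cp -r "$src_data/." "$dest/data/"
    sed -i \
        -e 's/^#service_bind_address[[:space:]].*/service_bind_address   0.0.0.0/' \
        -e 's/^#dns_default_ip[[:space:]].*/dns_default_ip         10.0.0.1/' \
        -e 's/^#https_bind_port[[:space:]].*/https_bind_port        8443/' \
        "$dest/inetsim.conf"
}

# conf_value FILE KEY
#   Prints the value of KEY if it is active (uncommented), nothing otherwise.
conf_value() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# check_conf FILE
#   Returns 0 only when all three directives are active with the expected values,
#   so a typo in the config is caught before INetSim is started.
check_conf() {
    [ "$(conf_value "$1" service_bind_address)" = "0.0.0.0" ] &&
    [ "$(conf_value "$1" dns_default_ip)" = "10.0.0.1" ] &&
    [ "$(conf_value "$1" https_bind_port)" = "8443" ]
}

# sample_conf
#   Constructed excerpt of a stock config (not the real file) for trying the
#   functions without touching /etc/inetsim.
sample_conf() {
    printf '%s\n' \
        '#service_bind_address   10.10.10.1' \
        '#dns_default_ip         10.0.0.1' \
        '#https_bind_port        443' \
        'http_bind_port          80'
}

# Usage on the Analysis Machine, with the post's paths (run as root, since
# /var/lib/inetsim is root-owned):
#   prepare_analysis_dir /etc/inetsim/inetsim.conf /var/lib/inetsim ~/analysis/test
#   check_conf ~/analysis/test/inetsim.conf && echo "config OK"
```

The script does not change ownership of the copied data tree; the post’s chmod step (or a chown to your user) still applies so INetSim can write fakefiles and postdata there.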

Test Run:

Note: systemd-resolved is stopped first because it listens on port 53, which INetSim’s DNS service needs to bind.

sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop
sudo inetsim --data data --conf inetsim.conf
osboxes@osboxes:~/analysis/test$ sudo inetsim --data data --conf inetsim.conf
INetSim 1.3.2 (2020-05-19) by Matthias Eckert & Thomas Hungenberg
Using log directory:      /var/log/inetsim/
Using data directory:     data/
Using report directory:   /var/log/inetsim/report/
Using configuration file: /home/osboxes/analysis/test/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 2180) ===
Session ID:     2180
Listening on:   0.0.0.0
Real Date/Time: 2020-07-04
Fake Date/Time: 2020-07-04 (Delta: 0 seconds)
 Forking services...
  * dns_53_tcp_udp - started
  * http_80_tcp - started
  * https_8443_tcp - started
  * smtp_25_tcp - started
  * smtps_465_tcp - started
  * pop3_110_tcp - started
  * pop3s_995_tcp - started
  * ftp_21_tcp - started
  * ftps_990_tcp - started
  * tftp_69_udp - started
  * irc_6667_tcp - started
  * ntp_123_udp - started
  * finger_79_tcp - started
  * ident_113_tcp - started
  * syslog_514_udp - started
  * time_37_tcp - started
  * time_37_udp - started
  * daytime_13_tcp - started
  * daytime_13_udp - started
  * echo_7_tcp - started
  * echo_7_udp - started
  * discard_9_tcp - started
  * discard_9_udp - started
  * quotd_17_tcp - started
  * quotd_17_udp - started
  * chargen_19_tcp - started
  * chargen_19_udp - started
  * dummy_1_tcp - started
  * dummy_1_udp - started
 done.
Simulation running.

On the Windows Victim machine, try https://gamesandtheory.tech

[Screenshot: browser at gamesandtheory.tech showing the page “INetSim default HTML page”: “This is the default HTML page for INetSim HTTP server fake mode. This file is an HTML document.”]

Back on the Analysis Machine
Ctrl + C to stop INetSim and get the path to the log

Simulation stopped.
Report written to '/var/log/inetsim/report/report.2180.txt' (87 lines)
=== INetSim main process stopped (PID 2180) ===

From the log:

SSL Interception with Burp

[Diagram: Analysis Machine running INetSim and Burp]
  • Start Burp as root
sudo /home/osboxes/BurpSuiteCommunity/BurpSuiteCommunity
  • Use Burp defaults
  • Click Start Burp
  • Select ‘Proxy‘ Tab
  • Select ‘Options‘ Tab
  • Select ‘Edit‘ under ‘Proxy Listeners’
[Screenshot: Burp > Proxy > Options > Proxy Listeners, showing the existing listener on port 443 (invisible, redirecting to localhost:8443) and the ‘Edit proxy listener’ dialog with its Binding, Request handling, Certificate and TLS Protocols tabs]

Binding Tab:
Bind to port: 443
Bind to address: All interfaces
Request handling Tab:
Redirect to host: localhost
Redirect to port: 8443
Check ‘Support invisible proxying (enable only if needed)’

  • Turn off Intercept
[Screenshot: Burp > Proxy > Intercept tab, with the button showing ‘Intercept is off’]

Test It:

  • Start InetSim
  • In a new Terminal window, run this command
curl --insecure https://localhost
osboxes@osboxes:~$ curl --insecure https://localhost
<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>

Importing Burp’s CA Cert on Victim Machines

Windows Victim Machine

  • Add a new Proxy Listener to Burp:
[Screenshot: Burp > Proxy > Options > Proxy Listeners, with the ‘Add a new proxy listener’ dialog open on the Binding tab (Bind to port / Bind to address: Loopback only, All interfaces, Specific address)]

Binding Tab:
Bind to port: 8080
Bind to address: All interfaces

[Screenshot: browser at 10.0.0.1:8080 showing “Burp Suite Community Edition – Welcome to Burp Suite Community Edition.” with the ‘CA Certificate’ link in the top right]
  • Click on CA Certificate
  • Select Open
  • Allow
  • Install Certificate…
  • Local Machine > Next
  • Place all certificates in the following store: Trusted Root Certification Authorities
  • Next
  • Finish

HTTPS should now be working:

[Screenshot: browser at https://gamesandtheory.tech showing “INetSim default HTML page” without a certificate warning: “This is the default HTML page for INetSim HTTP server fake mode. This file is an HTML document.”]

Ubuntu Victim Machine

  • Save cert from http://10.0.0.1:8080
  • Open Terminal
openssl x509 -in ~/Downloads/cacert.der -inform DER -out burp.crt
sudo cp burp.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Setup Shared Folder between Analysis machine and Host

  • In the VirtualBox window for the Ubuntu Analysis Machine, Devices > Shared Folders > Shared Folders Settings
[Screenshot: Devices menu (Optical Drives, Audio, Network, USB, Shared Folders) with Shared Folders > Shared Folders Settings selected]

Folder Path: Path to Folder on Host
Folder Name: Folder Name
Check ‘Make Permanent’

  • Run from Terminal
mkdir ~/malware
sudo mount -t vboxsf malware ~/malware

Finally, The Demo

With your malware of choice in your shared folder, we need to get it to our victim machine.  INetSim will allow you to add this to its fakefiles in the data folder.  For my example, I’m using a copy of tesla like the previous journals.

  • Copy malware sample to ~/analysis/test/data/http/fakefiles
  • Edit ~/analysis/test/inetsim.conf to include the following line under ‘http_fakefile’
http_fakefile             zip          tesla.zip                       application/zip

Switch over to the Windows Victim Machine:

  • Using IE, try any HTTP domain with the filename at the end of the URL
[Screenshot: Internet Explorer at https://github.com/tesla.zip shows the INetSim default HTML page, then the download prompt “What do you want to do with tesla.zip?” (Size: 393 KB) with Open / Save / Save as / Cancel]
  • Extract and Run the Malware
  • After a few minutes, I was able to determine mine had run after I started noticing files being encrypted and receiving popups.
  • Shutdown and restore Windows Victim Machine to Clean Slate
  • Return to analysis machine, and stop INetSim to review log:
  • Review Log
2020-07-05 05:06:39  DNS connection, type: A, class: IN, requested name: 13343225565.com
2020-07-05 05:06:39  HTTP connection, method: POST, URL: http://13343225565.com/mzfile.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e
2020-07-05 05:06:39  DNS connection, type: A, class: IN, requested name: 4turka.com
2020-07-05 05:06:39  HTTP connection, method: POST, URL: http://4turka.com/images/mzfile.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e
2020-07-05 05:06:39  DNS connection, type: A, class: IN, requested name: aforexvn.com
2020-07-05 05:06:39  HTTP connection, method: POST, URL: http://aforexvn.com/mzfile.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e
2020-07-05 05:06:39  DNS connection, type: A, class: IN, requested name: atrlab.pro
2020-07-05 05:06:39  HTTP connection, method: POST, URL: http://atrlab.pro/modules/mod_artimageslider/mzfile.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e
2020-07-05 05:06:39  DNS connection, type: A, class: IN, requested name: alushtadom.com
2020-07-05 05:06:39  HTTP connection, method: POST, URL: http://alushtadom.com/mzfile.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e
2020-07-05 05:06:39  DNS connection, type: A, class: IN, requested name: onguso.com
2020-07-05 05:06:39  HTTP connection, method: POST, URL: http://onguso.com/inifile.php, file name: data/http/postdata/5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e
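Reading a report by eye works for a dozen lines but not for a chatty sample, so here is an added example (my own, not code from the original post or from INetSim) of a few POSIX sh/sed/awk functions that pull the indicators out of a report file in the format shown above: the names the sample resolved, the URLs it POSTed to, the postdata files INetSim captured, and any name that was resolved but never contacted over HTTP (a hint at a C2 the sample expected to reach on another port or protocol). The function names are mine; sample_report writes constructed lines modelled on the log above, using the same postdata hash, so the block runs without a real report.

```shell
#!/bin/sh
# Added example: summarise an INetSim report file. Assumes the report line
# format shown in the post ("<date> <time>  DNS connection, ..., requested
# name: X" and "... HTTP connection, method: M, URL: U, file name: F").

# report_dns FILE      -> unique requested DNS names, sorted
report_dns() {
    sed -n 's/.*DNS connection, .*requested name: \(.*\)$/\1/p' "$1" | sort -u
}

# report_post_urls FILE -> unique URLs that received a POST (GETs are ignored)
report_post_urls() {
    sed -n 's/.*HTTP connection, method: POST, URL: \([^,]*\),.*/\1/p' "$1" | sort -u
}

# report_post_files FILE -> unique postdata files INetSim saved (the captured bodies)
report_post_files() {
    sed -n 's/.*file name: \(.*\)$/\1/p' "$1" | sort -u
}

# report_summary FILE -> one line of counts: dns=N post=M files=K
report_summary() {
    printf 'dns=%s post=%s files=%s\n' \
        "$(report_dns "$1" | wc -l | tr -d ' ')" \
        "$(report_post_urls "$1" | wc -l | tr -d ' ')" \
        "$(report_post_files "$1" | wc -l | tr -d ' ')"
}

# unmatched_dns FILE -> names that were resolved but never POSTed to over HTTP
unmatched_dns() {
    report_dns "$1" | while read -r name; do
        report_post_urls "$1" | grep -qF "://$name/" || echo "$name"
    done
}

# sample_report -> constructed report lines in the post's format (not a real
# capture; the hash is the postdata file name the post shows)
sample_report() {
    h=5b14ac4e22c2a8a8e44f3b23fd736ce7438be9c826a972ee5c135eeee76d948e
    printf '%s\n' \
        "2020-07-05 05:06:39  DNS connection, type: A, class: IN, requested name: 13343225565.com" \
        "2020-07-05 05:06:39  HTTP connection, method: POST, URL: http://13343225565.com/mzfile.php, file name: data/http/postdata/$h" \
        "2020-07-05 05:06:39  DNS connection, type: A, class: IN, requested name: 4turka.com" \
        "2020-07-05 05:06:39  HTTP connection, method: POST, URL: http://4turka.com/images/mzfile.php, file name: data/http/postdata/$h" \
        "2020-07-05 05:06:40  DNS connection, type: A, class: IN, requested name: example.invalid" \
        "2020-07-05 05:06:41  HTTP connection, method: GET, URL: http://4turka.com/favicon.ico"
}

# Usage on the Analysis Machine after stopping INetSim:
#   report_summary /var/log/inetsim/report/report.2180.txt
#   unmatched_dns  /var/log/inetsim/report/report.2180.txt
```

Because every POST body lands in data/http/postdata under one file per distinct content, a single file name repeated across many URLs (as in the log above) tells you the sample sent the same payload to each of its fallback hosts; hashing that file is the quickest way to compare runs.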

Final Thoughts

In the future, I would plan to add some version of Office to the Windows Victim machine. Other than that, I think this is a pretty solid setup for the price.
