Malicious Document Analysis Excel Sample #2
In the above video tutorial, we analyse an Excel document for IOCs (Indicators of Compromise). We use two VMs (virtual machines) connected on a Host-Only network, which cannot reach the internet, so the malware sample cannot infect your own computer. This is a critical step when analysing malware in your own virtualised lab.
FlareVM Utilities
sha256sum.exe – For fingerprinting a sample (SHA-256 hash value) and checking it against the VirusTotal database.
md5sum.exe – For fingerprinting a sample (MD5 hash value) and checking it against the VirusTotal database.
file – To determine the true file type from the file's contents (a malicious actor may disguise the real file type for social engineering reasons).
oleid – To determine whether the file is in OLE (Object Linking and Embedding) format, so you know whether the ole tools apply.
oledir – To display the directory structure of an OLE file.
oledump – To display the directory structure, streams and macros.
olevba – To display VBA macros and even decode/decrypt them.
officemalscanner – Scans Microsoft Office documents for malicious artifacts.
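The `file` and `oleid` steps above both come down to the same idea: trust the bytes, not the extension. The following is an added example, not code from the tutorial or from the ole tools, that does a first-pass triage in that spirit. It checks the magic number to tell a legacy OLE2 compound document (what the ole* tools expect) from an OOXML zip container, and, for OOXML, reports whether a `vbaProject.bin` part is present. The sample inputs are constructed in the block; the OOXML stand-in is a minimal zip, not a real workbook.

```python
"""Added example: file-type triage by magic bytes, in the spirit of `file`/`oleid`.
Not part of the tutorial or of the ole tools. Sample inputs are constructed."""
import io
import zipfile

# Magic number of an OLE2 / Compound File Binary document (.xls, .doc, .ppt).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# OOXML files (.xlsx/.xlsm/.docx) are ZIP containers, so they start with "PK".
ZIP_MAGIC = b"PK\x03\x04"
# Part name under which a macro-enabled OOXML document stores its VBA project.
VBA_PART_SUFFIX = "vbaProject.bin"


def triage(data: bytes) -> dict:
    """Classify a document by its bytes.

    Returns a dict with:
      container: "ole2", "ooxml", "zip" or "unknown"
      has_vba:   True/False for ooxml (presence of a vbaProject.bin part),
                 None for ole2 (use oleid/olevba to inspect the streams)
      parts:     list of zip entry names for ooxml/zip, else []
    """
    if data.startswith(OLE2_MAGIC):
        return {"container": "ole2", "has_vba": None, "parts": []}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return {"container": "unknown", "has_vba": False, "parts": []}
        is_ooxml = "[Content_Types].xml" in names
        has_vba = any(n.endswith(VBA_PART_SUFFIX) for n in names)
        return {"container": "ooxml" if is_ooxml else "zip",
                "has_vba": has_vba, "parts": names}
    return {"container": "unknown", "has_vba": False, "parts": []}


def build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal stand-in for an OOXML workbook (constructed test data,
    not a real spreadsheet): a zip with a [Content_Types].xml part and,
    optionally, an xl/vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an OLE2 header, a macro-enabled and a macro-free
    # OOXML stand-in, and a text file that might have been renamed to .xls.
    for label, blob in [("ole2-header", OLE2_MAGIC + b"\x00" * 504),
                        ("ooxml-with-vba", build_ooxml(True)),
                        ("ooxml-no-vba", build_ooxml(False)),
                        ("renamed-text", b"Hello, not a workbook")]:
        print(label, triage(blob))
```

For an `ole2` result this check deliberately stops at the container: the streams and any VBA inside are what oledir, oledump and olevba are for.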
Shortcut Commands Used
Ctrl A – Moves the cursor to the start of the typed command (just after the prompt).
Ctrl E – Moves the cursor to the end of your typed command/query.
Ctrl U – Deletes everything before the cursor, back to the start of the typed command.
Ctrl L – Clears the screen.
Up Arrow – Iterates through the command history.
Ctrl Alt T – Opens a new terminal.
Tools Used
Cmder – Terminal emulator for Windows that provides both Windows and Linux-style commands/utilities.
Wireshark – Network analysis and packet capture application.
TCPView – Shows network connections (TCP/UDP) together with the processes that own them.
Process Hacker 2 – Process analysis/visibility application.
Notepad – For making notes whilst performing analysis.
Sample Used
Visit:
To search for malware samples on the repository, use the following format: the hashing algorithm (i.e. md5 or sha256), followed by a colon, followed by the hash value.
Example:
md5:01b7e78a91adbd47c60c1d618a30df6c
or
sha256:78b739184da24c9851464eafa64e261fb53561199227993b649b1c065c9ea672
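Putting the fingerprinting step (sha256sum.exe/md5sum.exe above) together with the search format just described, here is an added example that is not part of the tutorial: it hashes a sample in chunks, builds the `algorithm:hash` search term, and validates such a term (known algorithm, lowercase hex, correct digest length) before you paste it into a search box. The sample bytes are constructed; the one md5 term parsed at the end is the one quoted on this page.

```python
"""Added example: fingerprint a sample and build/validate the 'algorithm:hash'
search term. Not part of the tutorial. Sample input is a constructed byte string."""
import hashlib
import re

# Digest length in hex characters for the algorithms the search format accepts.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
_HEX = re.compile(r"^[0-9a-f]+$")
CHUNK = 1 << 20  # hash 1 MiB at a time so large samples are not copied whole


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Return the lowercase hex digest of `data`, as sha256sum/md5sum print it."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for i in range(0, len(view), CHUNK):
        h.update(view[i:i + CHUNK])
    return h.hexdigest()


def search_term(data: bytes, algorithm: str = "sha256") -> str:
    """Build the repository search term, e.g. 'sha256:e3b0c442...'."""
    return f"{algorithm}:{fingerprint(data, algorithm)}"


def parse_search_term(term: str):
    """Validate an 'algorithm:hash' term. Returns (algorithm, hash) or raises
    ValueError on a missing/unknown algorithm, non-hex digest or wrong length."""
    algorithm, sep, digest = term.strip().partition(":")
    algorithm = algorithm.lower()
    digest = digest.lower()
    if not sep or algorithm not in HEX_LENGTHS:
        raise ValueError(f"unsupported or missing algorithm in {term!r}")
    if not _HEX.match(digest) or len(digest) != HEX_LENGTHS[algorithm]:
        raise ValueError(
            f"{algorithm} digest must be {HEX_LENGTHS[algorithm]} hex characters")
    return algorithm, digest


if __name__ == "__main__":
    sample = b"constructed sample bytes, not a real document"
    for algo in ("md5", "sha256"):
        print(search_term(sample, algo))
    # The md5 term quoted on this page, round-tripped through the validator.
    print(parse_search_term("md5:01b7e78a91adbd47c60c1d618a30df6c"))
```

The length check matters in practice: a truncated or mis-copied hash silently returns no results, which is easy to mistake for "this sample is unknown".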
Tips/Advice
– Be inquisitive and try to figure things out for yourself.
– Conduct your own research by utilising the plethora of sources/tools available.
– Google/YouTube if you are stuck or unsure about something.
– Set up a virtualised lab environment to perform your own malware analysis.
– Utilise virtualisation software (VMware/VirtualBox etc.).
– Utilise pre-configured VMs (FlareVM/REMnux etc.).
– Always ensure, when starting your VMs, that the network adapters are set to Host-Only.
– Be brave! Nothing is unattainable if you apply yourself correctly.
When downloading/analysing malware, it's critical to know what you are doing. If you are not confident in your abilities at this juncture, be prudent and work on your foundational knowledge (operating systems, networking, security etc.) instead.
It's best to be safe rather than sorry.
The repository link above contains real malware samples from the wild. If not handled correctly, they will almost certainly do untold damage to your systems (computers/network), and even to you as an individual.