Okay, so now that we've taken a few minutes to review our malware analysis and reverse engineering toolset, let's look at malware handling and our lab setup.
So I wanted to take a few minutes and talk about malware handling, because typically this is a step that I find is quite overlooked as we're performing investigations. Now, I fall into this routine as well sometimes, but as analysts we'll just take malware samples, put them on our machine and start analyzing them, which is not the best way to perform analysis.
Usually I like to treat malware handling just as I would treat a forensics investigation. This is where I'm tracking the chain of custody and making sure that the sample I need to analyze is in fact the one I've received. To do that, I can verify it using a hashing program. But before I even get to that stage, I want to make sure I take proper precautions as I'm moving the sample in and out of my lab, so that it doesn't execute and compromise my system in some way. Typically, malware is placed in ZIP files which are password protected, so that you don't risk infecting your machine by mistakenly executing the malware.
Now, once you've moved the file properly and unzipped it in your lab environment, you can verify the hash using the md5sum command, similarly to what I'm doing here in my Cygwin terminal environment, or by using another hashing program that you prefer. In addition to verifying the malware hash, there are some other handling procedures that I recommend implementing, such as renaming the file extension of the malware in question. And lastly, you should take even further precautions, such as making sure that your lab is isolated from any production networks, and you should disconnect any network interfaces so that if your malware does call out to an external host, second-stage payloads aren't downloaded.
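As an added example, not code from the course or from REMnux, here is a small POSIX shell intake helper that performs the handling steps just described on the lab VM: verify the received file against the hash the sender gave you, rename the extension so a stray double-click launches nothing, and append a chain-of-custody record. The `.malz` extension, the tab-separated custody log and the function names are conventions assumed for this example; it relies on md5sum and sha256sum from coreutils, and unpacking the password-protected ZIP beforehand (for instance with `unzip -P`) is left to you. One caveat: MD5 is fine for confirming that the file you received is the one the sender hashed, but it is collision-prone, so prefer a SHA-256 when the sender supplies one.

```shell
#!/bin/sh
# Added example (not part of the course): sample intake helper for the lab VM.
# Assumptions: md5sum/sha256sum from coreutils are on PATH; the .malz extension
# and the tab-separated custody log are conventions chosen for this example.

# verify_hash <file> <expected-hex>
# Picks MD5 or SHA-256 from the length of the expected digest and compares
# case-insensitively (senders often paste upper-case hex). Returns 0 on match.
verify_hash() {
    vh_file=$1
    vh_expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case ${#vh_expected} in
        32) vh_actual=$(md5sum "$vh_file" | awk '{print $1}') ;;
        64) vh_actual=$(sha256sum "$vh_file" | awk '{print $1}') ;;
        *)  echo "verify_hash: unsupported digest length ${#vh_expected}" >&2
            return 2 ;;
    esac
    [ "$vh_actual" = "$vh_expected" ]
}

# intake_sample <file> <expected-hex> <custody-log>
# Refuses a sample whose hash does not match; otherwise renames it to .malz
# (so a stray double-click launches nothing), drops execute bits and appends
# a custody record. Prints the new path. Assumes the file name has an extension.
intake_sample() {
    is_file=$1
    is_expected=$2
    is_log=$3
    if ! verify_hash "$is_file" "$is_expected"; then
        echo "intake_sample: HASH MISMATCH for $is_file, not accepting" >&2
        return 1
    fi
    is_defanged="${is_file%.*}.malz"
    mv "$is_file" "$is_defanged"
    chmod a-x "$is_defanged"
    printf '%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$is_expected" \
        "$(basename "$is_file")" "$is_defanged" >> "$is_log"
    echo "$is_defanged"
}

# Demo on a constructed, harmless "sample" in a scratch directory.
demo_dir=$(mktemp -d)
printf 'not really a PE\n' > "$demo_dir/sample.exe"
demo_hash=$(sha256sum "$demo_dir/sample.exe" | awk '{print $1}')
intake_sample "$demo_dir/sample.exe" "$demo_hash" "$demo_dir/custody.log"
cat "$demo_dir/custody.log"
```

Run it on the lab VM right after unzipping: `intake_sample ./sample.exe <hash from the sender> ~/lab/custody.log`. A mismatch leaves the file untouched and returns non-zero, which is the signal to stop and go back to the sender rather than analyze something you cannot vouch for.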
Now, as far as our malware lab is concerned, most of the binaries we'll be analyzing in this course are Windows related. So I have a macOS host operating system with two virtual guest machines running inside. One is a Windows 10 VM, and the other is REMnux. Now, if you aren't familiar with REMnux, I would definitely go check it out by looking at the links that I'm going to provide you. REMnux is a malware analysis platform running on Linux, created by Lenny Zeltser, and it includes a nice set of tools for you to perform your malware analysis. Now, hopefully, as this is a review course, you've had some exposure to REMnux in the past. But if you haven't, don't worry. Go ahead and download the virtual appliance (OVA) and get it loaded into your environment. Now, the two machines running as virtual guests, Windows and REMnux, are connected via a host-only network. The Windows machine serves as the sandbox to run the malware binaries, and REMnux serves as an analysis host to provide fake Internet services and additional tool support if required.
Now, when it comes to malware analysis labs, I encourage you to take the time to find an architecture that works best for you in your investigations. As we move throughout the course, though, keep in mind that my malware analysis lab may look a little bit different than yours. However, in general, the same principles of isolation, connectivity and handling should be observed.
Lastly, keep in mind that to complete your investigations, you may need to let malware call out to malicious domains to get a clear understanding of what the malware is doing. In these instances, you want to make sure that you exercise caution when enabling Internet adapters.
Now, one advantage to this particular type of setup is that by using virtual machines we have the ability to create snapshots, so that we can revert to a clean environment every time we perform a new investigation, as well as go back to a snapshot if we've executed the malware in error or simply need to run our sample again. Now, as far as the macOS host is concerned, I typically don't do any analysis on the host. Typically, I only use the host operating system to record any analysis notes as I'm moving throughout my investigation, or as a data store to move artifacts in and out of the lab isolation environment.
All right, so now that we've reviewed malware handling procedures and looked at our malware lab architecture, let's recall some characteristics of malware as it runs in our environment.