VM and Malware Lab


Time
1 hour 21 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:00
Hello, my name's David. Welcome to Analyzing Attacks. Now, in our last episode together, we talked about Mandiant Redline, which is a very good tool to have in your toolbox,
00:15
especially when it comes to memory analysis and capturing memory. What was another tool
00:21
that we talked about?
00:24
Yes, very good: FTK Imager, which can also be used to capture memory. However, it's not necessarily a memory analysis tool. And we talked about the wave of the future. Remember what the wave of the future was?
00:43
Right, live memory forensics. So with that, let's get going with Redline.
00:51
Now, what we did in our last
00:54
episode together was create a standard collector. We clicked on this with "Edit your script", and we looked at all the different varieties of things that we can add: strings, hashes, file and disk information, system information, network information, and other.
01:14
And we changed it slightly.
01:15
And then we created
01:19
our script and we saved it
01:22
out here on our desktop.
01:26
Now, as I mentioned, in the
01:30
real world, not in the lab, you would run this from an external drive. A lot of people have a thumb drive
01:41
with several different tools and scripts on it that actually capture
01:46
the volatile data from the system that's being investigated. So you would have Redline on it, you'd have PsList, you'd have a series of the Microsoft-provided PsTools that you could run against a system, capture the volatile data that you're looking for, and then you would
02:05
bring it back
02:06
here to the lab to do your analysis. But since we're doing things a little bit differently here in this lab, this isn't going to be run on a thumb drive. We could easily put this on a thumb drive and run it.
02:17
But for the purpose of our lab, we're actually going to be running it in a Windows virtual machine. Now, there's a document in the course that walks you through the process of downloading and getting a Windows 10 VM.
02:37
VMware is only one tool that you could use. There's VirtualBox, there's Hyper-V.
02:40
There's a series of different kinds of tools that are available to you
02:46
to do this kind of work. If you're working in a corporate environment, it's definitely worth talking to your manager about purchasing a license for VMware. If you're just doing this on your own and training, VirtualBox is free and very similar to VMware.
03:05
Um,
03:07
I personally invested my own money into getting VMware just because it's a little more robust.
03:13
Yeah, I can.
03:15
They allow you to do a little bit more than VirtualBox does. And that's my opinion. Take it for what it's worth,
03:23
um,
03:24
also, we talked about obtaining and downloading malware for your exam. Uh, and
03:31
with some cautions. So remember,
03:36
the website that I gave you is live malware. Once you get it downloaded and move to install it, of course it's going to be live, so you don't want to accidentally infect your system. Now, moving into our virtual machine. What I did for this case
03:55
was I went to my desktop on my
03:59
host system, and I copied my Redline lab and then brought it over into my virtual machine, and here I downloaded the zip folder.
04:14
If I open it, it contains
04:16
the information about the malware, and this right here would actually be the malware itself. Cold her there.
04:26
The malware analysis dot net site has indicators of compromise and other information for this particular piece of malware, which would probably be good to review and download to explore and learn more.
04:38
But for the purpose of this lab,
04:41
um, we're not going to be delving that deep into indicators of compromise, for time reasons currently. Now,
04:50
one thing that we want to do is actually infect our Windows machine with this particular malware, and one thing that I always like to double check before I do this is my network adapter. As you can see, it's connected, and I don't want to be connected.
05:10
I want to be host-only. And do you know why?
05:14
Right, very good, because I am going to be infecting this system
05:19
with a real piece of malware. Um, and I don't want
05:25
it to escape my virtual operating system and get into my host network or my corporate network if I'm working on it. So this is always a very good step to remember: ensure that you're on host-only, and that you are not
05:40
connected
05:42
via your network adapter. Now, you can see there's a USB controller. If I wanted to put the USB up and bring my Redline over on it, I could do that as well. I just did share and pulled it in. You can see I've got my memory set at eight gigs on this machine, so it's relatively low.
06:01
Um,
06:01
as we talked about in one of our other episodes, you could actually set it higher, uh, and use it more similarly to a real system.
06:15
So what I want to do when I'm getting ready to run this is first start Process Hacker, so that I can kind of monitor what's going on on the system when I actually
06:27
execute the malware, and that is what I'm going to do now. So I remember all the cautions.
06:32
Everything's in place and I am going to run it. So when I start it,
06:39
we jump back over here to Process Hacker. We can see that something started to change.
06:46
Uh, kind of jumped a little bit.
06:49
A couple of red lines appear here and there.
06:55
Now it's extracted. The red lines must have been nothing.
07:01
I need to extract all my data from the zip folder, and it's taking its good old time.
07:14
Now it's running. There it is. The .exe gives a description called "darkest monitor". So now we know that it is running on my system. We'll let it run for a few seconds here, just allow it to sort of make itself at home, um, do its thing.
07:32
Now, another little caveat here before I move over to Redline: I started this from a clean machine. So VMs give you the ability to actually do snapshots. So, as you can see, I've used a variety of different snapshots. So I started off with a clean snapshot here
07:53
and moved to here. So I restarted the entire system. If I want to move back to where I infected myself with something, great, I can do that. But I did start from a clean install, uh, to allow me to infect it and get maybe, hopefully, some good, decent information.
08:13
Now, if this was set up on the USB drive, I'd just access my USB drive. I come over here to run Redline
08:18
right here. Double-click it.
08:24
Yes, I do want to allow it to make changes, and I get my pop-up telling me that it is working and is pulling the information that I wanted to pull off. Now, for the rest of this video, we could sit here together and just let it run. However, that's not really serving a purpose.
08:43
So when we come back together,
08:46
we will have our Redline analysis ready to go, and we will walk through the next step in the process. If you have any questions, I'm Davy135 on Cybrary, happy to talk to you. Have a great day. Be careful out there.