VM and Malware Lab

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

1 hour 21 minutes
Video Transcription
Hello, My name's David. Welcome to analyzing attacks. Now. In our last episode together, we talked about the Indian red Line, which is a very good to have in your two bucks,
especially when it comes to memory analysis and capturing them. What was another tool?
Uh, there we talked about
yes, very good at P K imager, which can also be used to capture memory. However, it's not necessarily in memory analysis tool. And we talked about the wave of future. Remember what the wave of the future Waas,
right? Live memory friends sweats with that decay that really get hello with red Line. You do
now. What we did in our last
episode together was recreated a standard elector movie clicked on this with the edit our script. And we looked at all the different varieties of things that we can add Strains, Shaw's and five disc information system, information network, information and other.
And we changed it slightly.
And then we created
our script and we saved it
out here on our guest. Stop
Now you may have done it. It's like the effort that I did him in the
really world, not in the lab. You would run this from an external months. Uh, a lot of people, like have a gun
with several different tools and scripts in it actually fracture
the bullet. Heil data from system that's being investigated. So you would have red line burns. You have P s list that you have a Siri's of the Microsoft provided P s tools that you could run against a system, capture the volatile data that you're you're looking for. And then you would
bring it back
here, lad to do your analysis. But since we're doing things a little bit differently here in this lab, this isn't going to be run on a thumb drive. We could easily put this on and they come driving run it.
But for the purpose of our lab, we're actually going to be running it in a Windows virtual machine. Now there's a document on the course that walks you through the process of downloading and getting Windows 10 or B m.
The EMS. Only one tool that you could use. This virtual box is hyper be.
There's a series of different kinds of tools that are available to you
to do this kind of work. If you're working in the corporate environments. Definitely worth talking to your manager about purchasing a license for the M where it you're just doing this on your own and training port Virtual box is free on very similar to the M.
Where, um,
I personally invested my own money into getting the M where just because it's a little more robust.
Yeah, I can.
They allow you to do a little bit more than virtual locks does. And that's my penny. Take it for what it's worth,
also, we talked about a painting and downloading malware or your exam. Uh, and
whenever some cautions, so remember,
the the website that I gave you is live now where once you get it downloaded on and moved to install it, of course it's going to be live, So you don't want to accidentally infect your system now, uh, moving into our virtual machine. What I did for this case
was I went to my desktop Oh, my
host system on. I copied my red line lab and then brought it over into my virtual machine on, and here I downloaded the Zip folder.
It's mostly open. It contains
the information about the Mauer and this right here would actually be the malware itself. Cold her there.
The malware analysis dot net site has indicators, compromise and other information for this particular piece of malware, which review would be probably good and download is to explore and learn more.
But for the purpose of this lab,
um, we're not going to be delving that deep. And editors compromises for time issues currently. Now,
one thing that we want to do is actually infect our Windows machine with this this particular malware and one thing that I always like to double check. But where I do this is my network, after is you can see our connect on. And I don't want to be connected.
I want to be her, Stanley. And do you know why?
Right, Very good, because I am going to be infecting this system
with a real piece of malware. Um, and I don't want
it to escape my virtual operating system and get into my hose network or my corporate network if I'm working on it. So this is always a very good step to remember is ensure that your own host only, and that you are not
cannot did
be a your network adapter. Now you can see there's a USB controller. If I wanted up the USB up this intricate for my red line over to it, I could do that as well. I just did share and pulled it in. You can see I've got my memories set at eight gigs on this machine, so it's relatively low.
as we talked about one of our other episode, you could actually seconds higher, uh, and use it more similarly to a real system.
So I want to do when I'm getting ready to run. This is only the start process hacker. Well, I said that I can kind of monitor what's going on on the system when I actually
execute her, and that is what I'm going to do now. So I remember all the cautions.
Everything's in place and I am going to run it. So when I started it,
we jump back over here and process hacker. We can see that something started to change.
Uh, kind of jumped a little bit.
Couple red lives appear here and there.
No, it's extracted. Red line Must have been nothing.
I need to extract all my data from the Zip folder, and it's taking its good old time.
How it's running. There it is. Her e x e gives a description called darkest monitor. So now we know that is running on my system. We'll let it run for a few seconds here, just allow it to sort of make itself at home. Um, do it's being
now, another little caveat here before I move over. Redline is I started this from a clean machine. S O V m gives you the ability to actually do snapshots. So, as you can see, I've used a variety of different snapshots. So I started off with a clean snapshot here
and moved to hear. So I restarted the entire system. If I want to move back to where I affected myself with something great, I can do that. But I did start from a clean install, uh, to allow me to infected and get maybe hopefully some good, decent information.
Now, if this was set upon the USB drive, I just access my used to drive. I come over here to run red line
right here. Double click it.
Yes, I do. Won't allow it to make changes and I get my pop up telling me that it is working and is cooling the information that I wanted to pull off. Now for the rest of this video, we could sit here together and let's just run. However, that's not really serving a purpose.
So when we come back together,
we will have our red line analysis ready to go. And who will walk through the next step in the process. You have any questions? I'm old Davy. 135 Cyber Happy to talk to you. Have a great day. Be careful out there.
Up Next