Younes 186 Posted October 20, 2017

In this guide we will set up a malware testing environment with VirtualBox and Windows 7. Use this environment to test any files you do NOT trust, to ensure your main device is not infected should it be malware you're opening. Part 1 will be covered in the video below; Part 2 can be found at the bottom of this thread.

Part 1: Setting up the VM with Windows 7.

Requirements
- VirtualBox - Virtual Machine software. https://www.virtualbox.org/wiki/Downloads
- Windows 7 ISO - I expect you to be able to find your own source for that.

Setup & installation process: https://www.youtube.com/watch?v=0_JdKyYGJbs

Part 2: Putting together a malware analysis toolkit.

Useful tools
- Comodo firewall - Firewall that monitors your incoming and outgoing traffic. https://personalfirewall.comodo.com/
- MalwareBytes anti-malware - Antivirus software. https://www.malwarebytes.org/antimalware/
- Unlocker - Useful when removing malware; can unlock, destroy, etc. files. http://filehippo.com/download_unlocker/
- Regshot - Shows system and registry changes before and after your machine has been infected. https://sourceforge.net/projects/regshot/
- IDA Freeware / OllyDbg - Disassembler & debugger that can help you reverse engineer compiled executables and analyze their code, etc. https://www.hex-rays.com/products/ida/support/download_freeware.shtml http://www.ollydbg.de/
- OllyDumpEx - Memory dumper that dumps the system's memory to a file to help you disassemble a packed executable where the instructions are encoded or encrypted. http://low-priority.appspot.com/ollydumpex/
- Process Explorer / Process Hacker - Replacement for Task Manager, helps you manage malicious processes. https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx http://processhacker.sourceforge.net/
- Wireshark - Popular network sniffer, useful to detect malicious network communication requests. https://www.wireshark.org/#download
- ProcDOT / Process Monitor - A file and registry monitor useful to show you how malware plants itself on your machine. http://www.procdot.com/downloadprocdotbinaries.htm https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Useful online tools
http://app.webinspector.com/
http://www.threatexpert.com/submit.aspx
https://malwr.com/
http://anubis.iseclab.org/
http://virustotal.com
The above websites are useful for reverse engineering malware.

Final steps
When you have downloaded your desired tools, install Microsoft .NET Framework 4.5.2. When that is done, take a snapshot of your VM so you have a clean VM to restore back to.
1. Go to "Machine" -> "Take Snapshot...".
2. Name it and hit "Ok".
3. The VM will now save its current state.
When you want to restore your VM after testing malware, hit the "X" in the top right corner and select "Power off the machine" & "Restore to current snapshot (snapshot name)". As you can see it will be rolled back to your clean VM.

If you're going to transfer files via a shared folder, make sure it's READ ONLY, and when you're doing testing make sure you DISCONNECT the folder. I personally use a USB drive to transfer, to prevent the malware I'm testing from escaping the VM.

That's the end of this guide. I hope everyone was able to set up their VM; if something went wrong or you have any questions, don't hesitate to post them below. I will do my best to answer all your questions. I welcome all criticism, good or bad, on my threads, so feel free to leave a reply.
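As an added example that is not part of the original post, the same snapshot, restore, read-only shared folder and disconnect steps driven from the host with VBoxManage instead of the GUI; the VM name win7-malware, the snapshot name clean, the share name transfer and the host path are assumptions, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example (not part of the original post). Drives the guide's
# snapshot / restore / shared-folder steps from the host with VBoxManage.
# Assumptions: the VM name, snapshot name, share name and host path below.
# Set DRY_RUN=1 to print the VBoxManage commands without executing them.
VM="${VM:-win7-malware}"                    # assumed VM name
SNAP="${SNAP:-clean}"                       # assumed snapshot name
SHARE="${SHARE:-transfer}"                  # assumed shared folder name
HOSTPATH="${HOSTPATH:-$HOME/vm-transfer}"   # assumed host directory

run() {
    # Echo the command, then execute it unless DRY_RUN is set.
    echo "+ $*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

take_clean_snapshot() {
    # "Final steps": snapshot the VM once the toolkit is installed.
    run VBoxManage snapshot "$VM" take "$SNAP" --description "clean toolkit"
}

attach_readonly_share() {
    # Shared folder for copying samples in: READ ONLY, so the guest
    # cannot write back to the host. --transient: added while running.
    run VBoxManage sharedfolder add "$VM" --name "$SHARE" \
        --hostpath "$HOSTPATH" --readonly --transient
}

detach_share() {
    # DISCONNECT the folder before the sample is executed.
    run VBoxManage sharedfolder remove "$VM" --name "$SHARE" --transient
}

restore_clean() {
    # Same as "Power off the machine" + "Restore to current snapshot".
    run VBoxManage controlvm "$VM" poweroff
    run VBoxManage snapshot "$VM" restorecurrent
}

# Usage: ./vmlab.sh snapshot|attach|detach|restore (no argument: define only)
case "${1:-}" in
    snapshot) take_clean_snapshot ;;
    attach)   attach_readonly_share ;;
    detach)   detach_share ;;
    restore)  restore_clean ;;
    "")       ;;
    *)        echo "unknown action: $1" >&2; exit 2 ;;
esac
```

Run "restore" after every test session so the next sample starts from the clean snapshot, and "detach" before executing a sample so no host folder is reachable from the guest.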
Zakku 172 Posted October 30, 2017

Error 404 page not found on the Unlocker link; overall good guide.