WEBVTT

00:00.800 --> 00:01.360
And.

00:01.400 --> 00:02.200
Hello everyone.

00:02.240 --> 00:03.480
I'm Tiffany here again.

00:03.800 --> 00:09.080
Now that we understand the fundamentals of reverse engineering and its analysis techniques, let's roll

00:09.080 --> 00:12.760
up our sleeves and set up our own basic analysis lab.

00:12.880 --> 00:19.760
Now this lab will be your digital battleground, a contained, secure environment where we will poke

00:19.800 --> 00:26.840
and prod potentially dangerous files without endangering our actual system or network.

00:27.040 --> 00:31.400
Now, first let's define what this lab actually needs to accomplish.

00:31.600 --> 00:36.040
So it must safely run malware or suspicious programs.

00:36.040 --> 00:43.080
It must isolate these programs from affecting your real machine or external networks, and it should

00:43.080 --> 00:49.160
allow controlled internet access or no access at all, depending on your analysis case.

00:49.200 --> 00:55.880
And finally, it should be easily reset to a clean state after every analysis session.

00:56.080 --> 00:59.880
And to achieve all of this, virtualization is your best friend.

01:00.080 --> 01:02.740
Tools like VMware

01:05.740 --> 01:16.300
or VirtualBox allow us to run entire operating systems as isolated virtual machines inside our main

01:16.300 --> 01:22.940
host computer, and each virtual machine can be configured, cloned, reset, and even destroyed without

01:22.940 --> 01:24.820
any impact on the host machine.

01:25.380 --> 01:29.980
Now here's what the lab setup will include.

01:30.020 --> 01:31.620
Now, this is not the best practice.

01:31.620 --> 01:34.220
To be honest, this is not the safest way to run.

01:34.260 --> 01:41.740
The safest way would be to use a separate computer with separate network access.

01:42.140 --> 01:47.340
But considering what malware we will analyze, it is good.

01:48.460 --> 01:56.140
So we will have the host system, which is your real machine.

01:56.540 --> 02:04.840
And inside this real machine, we will have a virtual machine,

02:05.160 --> 02:09.600
which is basically a sandbox environment for analysis.

02:10.600 --> 02:21.480
And we also need Wireshark installed on both the host machine and on the virtual machine

02:21.480 --> 02:22.040
as well.

02:24.480 --> 02:30.520
Now we are installing Wireshark for man-in-the-middle or packet sniffing.

02:30.880 --> 02:38.840
And we will also need a virtual switch, or a physical switch in some cases: if you are seeing something

02:39.000 --> 02:41.760
funky on your host machine, just pull the cable.

02:41.800 --> 02:49.040
But again, as I said, I'm against using your host, your daily machine,

02:49.040 --> 02:56.520
for malware analysis, and the best practice is to just use another system and install the virtual

02:56.520 --> 02:57.440
machine inside it.

02:57.680 --> 03:03.740
But as I said, considering the malware types and the program types we will try to reverse engineer

03:03.740 --> 03:05.100
and analyze.

03:05.660 --> 03:07.100
This is enough.

03:08.660 --> 03:09.580
And yeah.

03:10.860 --> 03:15.180
So also, of course, this will have internet access.

03:16.980 --> 03:18.260
I will try to.

03:19.020 --> 03:22.420
And internet again.

03:22.820 --> 03:35.740
The best practice is to add a switch on this internet connection so you can turn it on or off, depending

03:35.740 --> 03:36.540
on your needs.

03:36.540 --> 03:47.860
Also, you can use the switch here as well, and here as well, to turn your internet access on or off.

03:48.740 --> 03:56.220
Now we are going to use VMware in this course, but feel free to substitute VirtualBox if you

03:56.220 --> 03:57.940
prefer open source solutions.

03:57.940 --> 04:09.760
And just remember, virtual machine image formats differ. First, VMware uses .vmdk and .vmx,

04:09.760 --> 04:18.480
while VirtualBox uses .ova and .vdi.

04:19.400 --> 04:24.240
Now choose the right format when downloading prebuilt virtual machines or setting up your own.

04:24.360 --> 04:27.520
Now let's talk about your guest OS.

04:27.520 --> 04:34.760
So we will be using Windows 11 for our analysis environment.

04:34.760 --> 04:41.360
Now, it is modern, compatible with most tools, and still represents what many malware samples

04:41.400 --> 04:42.320
target today.

04:42.560 --> 04:51.640
And also in the virtual environment, we will set up another machine, Kali Linux,

04:53.480 --> 05:03.100
to do more advanced analysis, since Kali Linux is the best machine for this kind of pen

05:03.100 --> 05:04.660
testing work.

05:05.540 --> 05:09.900
This is, of course, also going to be a virtual machine.

05:11.420 --> 05:12.020
Now.

05:12.340 --> 05:13.180
Yes.

05:13.220 --> 05:19.620
Now you will need to download the official Windows 11 ISO file from Microsoft and install it inside

05:19.620 --> 05:21.460
your virtual machine.

05:21.660 --> 05:28.300
For the Linux side, you can just download, from the Offensive Security website, the Kali Linux

05:28.340 --> 05:32.820
VMDK file for VMware or VirtualBox.

05:32.820 --> 05:36.500
And you can just extract it from the zip file and you are ready to go.

05:36.980 --> 05:40.180
Linux is easier than Windows.

05:40.260 --> 05:43.260
Windows, also, with VMware.

05:43.620 --> 05:47.620
VMware has an automatic installation tool for Windows.

05:47.620 --> 05:53.980
So you just import the ISO file, and VMware skips the installation process for you.

05:53.980 --> 05:57.660
I don't know if VirtualBox has the same, but it is not a big deal.

05:58.620 --> 05:59.900
Yeah.

06:00.700 --> 06:06.440
And our setup will resemble the diagram I'm drawing right now.

06:06.560 --> 06:14.600
The host machine runs Wireshark as well and controls the virtual switch.

06:14.760 --> 06:18.680
The virtual machine runs the suspicious executable.

06:18.680 --> 06:22.480
And we will also have the Kali Linux virtual machine.

06:22.480 --> 06:27.480
So we will not mainly use it to execute our Windows

06:27.640 --> 06:30.040
malware on Linux,

06:30.040 --> 06:32.320
because it is not done.

06:32.800 --> 06:39.360
So most malware is intended for Windows, since this is where most users use their

06:39.360 --> 06:41.520
computer for daily use.

06:41.520 --> 06:51.520
But yeah, also over 90% of the machines today used as servers run

06:51.520 --> 06:55.040
Linux, and consider your Android phone as Linux too.

06:55.480 --> 07:02.800
But yeah, we also might use Linux for the malware

07:04.700 --> 07:05.980
analysis process as well.

07:06.020 --> 07:11.740
But in that case we will use just another Linux, since this is our operations

07:11.980 --> 07:15.060
Linux; our operations Linux is our Kali Linux.

07:15.060 --> 07:18.860
So we will just analyze the files from Windows 11.

07:19.580 --> 07:20.620
If we need to.

07:24.340 --> 07:31.020
And yes, also the virtual switch here allows us to toggle internet connectivity.

07:31.340 --> 07:36.020
We can also use bridged or NAT versus no network.

07:36.380 --> 07:43.900
So the best case for this kind of job is to use NAT, or no network

07:43.940 --> 07:44.420
at all.

07:44.580 --> 07:48.500
And now this setup forms what we call a sandbox.

07:48.500 --> 07:54.580
So this is a self-contained system where we analyze software behavior, and after each test, we

07:54.580 --> 08:00.100
can revert to a previous clean state by using virtual machine snapshots or cloning features.

08:00.100 --> 08:07.680
You can also just copy the entire folder of the Windows 11 VM to another place before executing malware,

08:07.840 --> 08:13.520
and then revert it back and delete the contaminated one.

08:14.680 --> 08:15.160
Yes.

08:15.200 --> 08:23.120
And at every malware execution, delete your old VM and start a new one.

08:23.120 --> 08:28.000
It will take just seconds to do that.

08:28.640 --> 08:30.200
Yes.

08:30.240 --> 08:37.040
Once the virtual machine is infected or modified, you should never trust it again unless it is reverted.

08:37.240 --> 08:38.440
As I said here.

08:38.800 --> 08:39.600
And.

08:39.600 --> 08:41.320
But be warned, some advanced malware

08:41.360 --> 08:47.280
can detect that it's running inside a virtual machine and will behave differently or refuse to execute.

08:47.720 --> 08:52.440
And in those rare cases, you might need a physical machine for analysis.

08:52.440 --> 09:02.160
Now to restore it between tests, use imaging tools like Clonezilla, FOG, Deep Freeze, or HDClone.

09:02.200 --> 09:07.820
Now this allows you to take a snapshot and restore entire physical hard drives.

09:08.060 --> 09:09.980
Now let's emphasize a key point.

09:10.380 --> 09:12.340
Encapsulation is not optional here.

09:12.380 --> 09:18.980
So even if you are not working with known malware, I strongly recommend always using

09:19.180 --> 09:21.100
a virtual machine for analysis.

09:21.300 --> 09:28.500
Mistakes happen, and a seemingly benign executable can still modify system settings, phone home to

09:28.540 --> 09:31.380
suspicious domains or cause instability.

09:31.380 --> 09:34.820
And you want your real system safe, of course.

09:36.740 --> 09:43.340
Now regarding internet access: in early stages of analysis, it's best to

09:43.340 --> 09:45.780
keep the virtual machine offline.

09:45.780 --> 09:51.860
So if a malware sample requires internet communication to fully activate or reveal behavior, wait

09:51.860 --> 09:57.180
until you have tight control over your environment. That's where Wireshark comes in.

09:57.460 --> 10:01.220
And now you will use it to monitor what the malware is trying to do.

10:01.660 --> 10:03.180
You may ask these questions here.

10:03.180 --> 10:04.460
Is it reaching out

10:05.080 --> 10:07.320
to known command and control servers?

10:07.320 --> 10:10.760
Is it attempting DNS lookups for suspicious domains?

10:10.760 --> 10:13.680
Is it uploading data or downloading payloads?

10:15.720 --> 10:16.480
Yes.

10:16.480 --> 10:21.600
We will explore this in depth in the next lectures, but for now, understanding network monitoring

10:21.640 --> 10:22.640
is crucial.

10:22.680 --> 10:28.160
You can learn a lot about a suspicious file just by seeing what it is trying to connect to.

10:28.960 --> 10:37.560
Now, to summarize your initial lab setup: VMware or VirtualBox for virtualization, Windows 11

10:37.560 --> 10:39.080
ISO installed on the guest.

10:39.440 --> 10:42.960
Wireshark on both the host and guest.

10:43.280 --> 10:45.280
The snapshot and clone tools

10:45.280 --> 10:50.520
to easily revert changes, and a virtual switch or adapter for network control.

10:53.360 --> 10:57.120
And you are now ready to build your secure reverse engineering sandbox.

10:57.120 --> 11:02.520
And in the next lecture, we will start interacting with this environment and explore static and dynamic

11:02.520 --> 11:03.720
malware behaviors.

11:03.720 --> 11:04.600
Hands on.

11:04.880 --> 11:05.520
Let's go.
