Ransomware Analysis Sandbox Setup Guide

In this project I constructed a sandbox environment in which dynamic ransomware analysis could take place.

Lab Architecture Overview

Although lab design can be scaled to meet the needs of malware researchers, the lab architecture used in this setup is relatively simple.

  • The physical machine was running Windows 10.

  • Two virtual machines were created using VirtualBox.

  • The first virtual machine was running Ubuntu version 18.04.4 (from now on this will be referred to as the Host machine).

  • The second virtual machine was a Windows 10 machine with various programs installed to simulate a real physical machine. The malware being tested will be run on this Windows virtual machine. After each malware sample is run on the Windows machine, a clean image should be loaded to ensure every sample is tested in the same environment.

Step 1: Configuring the Linux Host Machine

The first step in creating the lab environment is to download and set up a virtual machine running a Linux distribution. In this experiment, Ubuntu version 18.04.4 was used as it allows quick and easy installation of the needed packages using the APT package manager. Other Debian-based distributions will also work. A direct download of the desktop version of Ubuntu can be found here.

Downloading and setting up virtualization software is simple: follow the install instructions for the preferred application. In this experiment VirtualBox 6.1.10 was used; however, VMware can also be used. The newest version of VirtualBox can be found here.

Once VirtualBox is up and running, a new machine is created using the Ubuntu .iso file downloaded in the previous steps.

  1. To do this in VirtualBox click “New”

  2. Create a name for the VM

  3. Select a location to store the VM

  4. Choose Linux as the type

  5. Choose Debian (64-bit) as the Version if using a Debian-based distribution

  6. Click next

  7. Ensure enough RAM is allocated to the virtual machine. This experiment used 2 GB of RAM.

  8. Create a virtual hard disk of 8GB

  9. Launch the Ubuntu VM and click through the installation ensuring all the options are correct such as time zone and language settings.

Step 2: Configuring the Linux Host

A variety of tools need to be installed on the Linux host in order to provide detailed reporting statistics, most of which are written in Python. To install these tools, open a terminal in Linux and start by typing $ sudo apt-get update. This will update the package lists for Ubuntu.

After the package lists are updated Python, PIP, and some dependencies need to be installed.

sudo apt-get install python-magic
sudo apt-get install upx
sudo pip install pefile
sudo apt-get install yara
sudo pip install yara-python
sudo apt-get install ssdeep
sudo apt-get install build-essential libffi-dev python-dev libfuzzy-dev
sudo pip install ssdeep
sudo apt-get install wireshark
sudo apt-get install tshark

Next, INetSim needs to be installed. To do this a new source must be added to the sources list. This can be achieved by typing:

sudo su
echo "deb http://www.inetsim.org/debian/binary/" > /etc/apt/sources.list.d/inetsim.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
apt update
apt-get install inetsim

These are all the required files for the Linux Host. Any other desired applications or files must be downloaded now, because in the next step the internet connection will be disabled. Now power off the Ubuntu VM, go to the network settings of the VM and change the network adapter to Host-only.

Next we need to assign a static IP address to the Ubuntu machine. To do this, boot the VM back up, open a terminal window and type $ ip addr show

Take note of the interface name for the network. Next, the interfaces file needs to be edited. To do so, type $ sudo vi /etc/network/interfaces, add the following to the file (replacing [INTERFACE NAME] with the name noted above in both lines), then restart your VM.

auto [INTERFACE NAME]
iface [INTERFACE NAME] inet static
address 192.168.1.100
netmask 255.255.255.0

Next, the INetSim configuration file needs to be configured for this experiment. To do so, type $ sudo vi /etc/inetsim/inetsim.conf. Then look for the service_bind_address portion of the file and add underneath the commented-out section:

service_bind_address 192.168.1.100

Next look for the dns_default_ip section and add:

dns_default_ip 192.168.1.100

After this, verify that INetSim is listening on the correct IP by typing $ sudo inetsim
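A pre-flight check for the two files edited above, added here as an example and not taken from the guide: it confirms that the uncommented service_bind_address and dns_default_ip lines in inetsim.conf, and the static address in the interfaces file, all point at 192.168.1.100, so a stale or mistyped config is caught before a sample is run. The constructed sample files assume the interface is named enp0s3; on the lab host, point the functions at the real /etc/inetsim/inetsim.conf and /etc/network/interfaces instead.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the Ubuntu host.

# check_inetsim_conf FILE IP -> 0 if FILE has uncommented
# "service_bind_address IP" and "dns_default_ip IP" lines, else 1.
check_inetsim_conf() {
    conf="$1"; ip="$2"
    for key in service_bind_address dns_default_ip; do
        # strip comments, keep the last uncommented value for the key
        val=$(sed 's/#.*//' "$conf" | awk -v k="$key" '$1 == k { print $2 }' | tail -n 1)
        if [ "$val" != "$ip" ]; then
            echo "inetsim.conf: $key is '${val:-unset}', expected $ip" >&2
            return 1
        fi
    done
    return 0
}

# check_interfaces FILE IFACE IP -> 0 if FILE has an "iface IFACE inet static"
# stanza whose address is IP, else 1 (catches a stanza left on another name).
check_interfaces() {
    awk -v i="$2" -v a="$3" '
        $1 == "iface" { in_stanza = ($2 == i && $3 == "inet" && $4 == "static") }
        in_stanza && $1 == "address" && $2 == a { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample files (interface name enp0s3 is an assumption) so the
# checks can be exercised on any machine; prints the directory they live in.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/inetsim.conf" <<'EOF'
#service_bind_address 10.10.10.1
service_bind_address 192.168.1.100
#dns_default_ip 10.10.10.1
dns_default_ip 192.168.1.100
EOF
    cat > "$dir/interfaces" <<'EOF'
auto enp0s3
iface enp0s3 inet static
address 192.168.1.100
netmask 255.255.255.0
EOF
    echo "$dir"
}

# On the lab host:
#   check_inetsim_conf /etc/inetsim/inetsim.conf 192.168.1.100 && \
#   check_interfaces /etc/network/interfaces enp0s3 192.168.1.100 && echo "lab config OK"
```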

Step 3: Configuring the Windows Virtual Machine

The next step in configuring the lab is setting up the Windows virtual machine. This is the machine that will execute the malware once everything is set up. The first step in installing the Windows VM is to obtain a copy of Windows. A developer version of Windows 10 can be found here. Follow the same steps used to install the Ubuntu virtual machine, altering the settings to correspond with the selected version of Windows. Once the virtual machine is up and running, Python 2.7.13 is needed for this lab. While Python 2.7.13 is considered end of life, it is still fine for the purpose of this lab; installing Python 3 will result in errors later on. Python 2.7.13 can be found here under the 2.7.13 release window. Now we need to change the IP address of the Windows machine.

  1. Click Start and navigate to Control Panel.

  2. Click Network and Sharing Center, then Change adapter settings.

  3. Right-click the only network adapter displayed, then double-click ‘Internet Protocol Version 4 (TCP/IPv4)’. Fill in the following settings.

After applying these changes, restart both virtual machines. To verify network connectivity between the host machine (the Ubuntu virtual machine) and the Windows VM, attempt to ping the Host machine by typing ping 192.168.1.100. To ensure there is no network connectivity to a real DNS server, ping 8.8.8.8 (a popular Google DNS server). This ping should fail, verifying that the only reachable host is the Ubuntu VM.

Conclusion

After setting up the lab environment you will be able to load malware onto your Windows machine and begin testing. Using applications such as Noriben you can gather more information about exactly how the malware is interacting with your machine. You can obtain malware samples from the following places.

https://github.com/topics/ransomware

https://bazaar.abuse.ch/browse/

https://www.virustotal.com/gui/home

https://github.com/ytisf/theZoo
