Malware homelab & analysis automation

Workshop Malware Hack2g2

Slides: https://slides.com/xanhacks/workshop-malware-hack2g2/

1. Set up MWDB & Karton using docker-compose

Install docker & docker-compose

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
docker --version

sudo curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /usr/bin/docker-compose
chmod +x /usr/bin/docker-compose
docker-compose --version

Run the docker-compose file

git clone https://github.com/xanhacks/workshop-malware-hack2g2.git
cd workshop-malware-hack2g2/mwdb/
bash gen_vars.sh
sudo docker-compose up -d

MWDB is now running at http://localhost:8888/. The username is admin and the password is saved inside the file mwdb-vars.env under the MWDB_ADMIN_PASSWORD environment variable.

Troubleshooting

If your MWDB instance has problems and you want to start over from a fresh install, run the following commands (note that removing the three data directories deletes every stored sample, upload and database record):

cd mwdb/
sudo docker-compose down
sudo rm -rf minio-samples mwdb-uploads postgres-data
bash gen_vars.sh
sudo docker-compose up -d

2. Create a Python script to add samples to MWDB from a well-known database (like MalwareBazaar)

Download samples of the NjRAT family from MalwareBazaar and upload them to your MWDB instance. To do that, complete the given Python script named add_samples.py.

You need to install some python3 libraries: python3 -m pip install requests mwdblib pyzipper

3. Reverse the given malware using dnSpy or ILSpy

The malware is inside the Invoice.pdf.exe.zip archive (password: infected).

This is real malware: do not run it on your host!

4. Create a Python script to extract the malware's configuration with dnlib

Extract the following information from the malware's configuration:

  • C2 Host & Port
  • Install directory & filename
  • Version
  • Campaign name/ID
  • Network communication splitter/separator

To do that, complete the given Python script named extractor.py. You need to install the following Python library, which adds .NET integration to Python: python3 -m pip install pythonnet, as well as the .NET SDK: sudo apt-get install -y dotnet-sdk-7.0

5. Embed the Python script into a Karton task to auto-extract the malware's configuration on each new upload

To do that, embed your extractor script inside the Karton process template in mwdb/karton/confext-njrat-dnlib/. Then uncomment the karton-confext-njrat-dnlib service inside the mwdb/docker-compose.yml file and restart the Docker Compose stack.

If you want to go further, you can solve the following challenge: MalNET.

Workshop

Workshop for Hack2G2.

Thanks to Alol for helping me create this workshop.

Finishers

  • WooT
  • Tek
  • \`
  • Shaym