Differences
This shows you the differences between two versions of the page.
|
cdci:labs:2 [2024/03/15 13:14] mihai.chiroiu [06. [10p] Custom rules for automated analysis] |
cdci:labs:2 [2024/03/15 18:07] (current) mihai.chiroiu [01. [10p] Virtual machine setup] |
||
|---|---|---|---|
| Line 18: | Line 18: | ||
| You will need to have Linux VM (we have tested with Ubuntu 20.04) and then install the [[https://cuckoo.readthedocs.io/en/latest/installation/host/installation/ | Cuckoo sandbox on top of it]]. You can access Cuckoo sandbox from a browser, and to limit the impact of the malware analysis process please do so from the same VM (i.e. install a graphical server and a browser on the Linux VM). | You will need to have Linux VM (we have tested with Ubuntu 20.04) and then install the [[https://cuckoo.readthedocs.io/en/latest/installation/host/installation/ | Cuckoo sandbox on top of it]]. You can access Cuckoo sandbox from a browser, and to limit the impact of the malware analysis process please do so from the same VM (i.e. install a graphical server and a browser on the Linux VM). | ||
| + | |||
| + | <code> | ||
| + | $startx (to start the graphical interface) | ||
| + | </code> | ||
| After the installation you need to power on the cuckoo sandbox system using the following commands. To verify that cuckoo sandboxing is running open the [[http://127.0.0.1:8000 | hxxp://127.0.0.1:8000]] into a browser. | After the installation you need to power on the cuckoo sandbox system using the following commands. To verify that cuckoo sandboxing is running open the [[http://127.0.0.1:8000 | hxxp://127.0.0.1:8000]] into a browser. | ||
| Line 63: | Line 67: | ||
| Cuckoo sandbox has a lot of extra tools that it can use for deeper analysis, including snort IDS, IDA for binary or Yara for signature matching. The Yara rules can be run against the binary itself, against the memory dump or accessed URLs. In this exercise we are going to use the Yara rules available on the following github [[https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_MS17-010_Wannacrypt.yar | repository]]. Just copy them in the yara configuration directory and re-run the analysis. | Cuckoo sandbox has a lot of extra tools that it can use for deeper analysis, including snort IDS, IDA for binary or Yara for signature matching. The Yara rules can be run against the binary itself, against the memory dump or accessed URLs. In this exercise we are going to use the Yara rules available on the following github [[https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_MS17-010_Wannacrypt.yar | repository]]. Just copy them in the yara configuration directory and re-run the analysis. | ||
| - | ==== 06. [10p] Custom rules for automated analysis ==== | + | ==== 06. [Bonus 10p] Custom rules for automated analysis ==== |
| Redo the analysis using the https://any.run/ platform. | Redo the analysis using the https://any.run/ platform. | ||
| <solution> | <solution> | ||
| + | For any.run use the student.cdci@totococo.fr.nf / "2YGt@pS5TtqUEkS" account | ||
| </solution> | </solution> | ||
