Setting Up A Malware Lab

Setting Up A Malware Analysis Environment

This series of posts will look at setting up your own malware analysis lab. For the sake of practicality, and to keep this series from growing too large, I will focus the build on my own lab setup and discuss other alternatives where appropriate.

Part One - What are we analyzing and what do we want from the results:

Malware comes in many different varieties, from many different sources, with many different delivery mechanisms. To properly configure your lab you first need to figure out what it needs to handle.

Part Two - Setting up the Environment:

Now that we know what the lab needs, let's look at setting it all up and making sure that everything is there and works the way it's supposed to. This part looks at hardware setups, physical versus virtual machines, and then the tools that we can use.

Part Three - Samples: where they come from and how to get them:

OK, so we are all set up and ready to analyse something. This section will discuss your sample sets, looking at honeypots and other services that share samples or the results of their own analysis.

Part Four - Running the analysis and sorting through the Data:

We have the lab, we have the samples, and we are ready to go. This next section will detail your first analysis, looking at both dynamic and static analysis. The scope of this section is huge, and it is not intended to be a step-by-step guide. Instead I will look at the methodology and some of the tools that can aid you as you go.

Finally, how to interpret and, more importantly, collate the data we have retrieved.

Part Five - What to do with it all now:

This final section looks at presenting the data to a wider audience. At what point do you publish results, and do you redact any of the information? If I discover usernames and passwords for accessing the C2 servers, do I include these in my results? The choice is ultimately yours, but I'll discuss the pros and cons here.