MISP Exercise 3

MISP LAB03: Malware Sandbox

1. Introduction

In this Lab you are going to analyse different infected files with a sandbox. You will then feed that information into MISP.

2. Setup

Start the Docker image:

cd /home/hacker/misp-docker-image
docker-compose up

Login with the following credentials:

LAB URL: http://misp.localhost

User: investigator@misp-lab3.com
Password: compass

3. Download Malware samples

git clone https://github.com/fabrimagic72/malware-samples.git
cd malware-samples

This repository contains malware samples of different kinds. We are going to use these samples for testing purposes only. Please DO NOT EXECUTE these files!

4. Uploading Malware to sandbox

In this step you are going to use an online sandbox. There are many different kinds; in this exercise we are working with https://www.hybrid-analysis.com because it is free and no registration is required. Hybrid Analysis also gathers information from other sources, such as VirusTotal.

cd malware-samples/Ransomware/Wannacry
7z x smb-z7uhqxx6.zip

Enter the password infected to successfully extract the malware. You should now find an exe file called smb-z7uhqxx6.exe in your working directory.

Now, go to https://www.hybrid-analysis.com and upload the extracted malware.

Make sure the check boxes are set as follows.

  • Check: Do not submit my sample to unaffiliated third parties

  • Uncheck: Allow community members to access sample

  • Check: I consent to the Terms & Conditions and Data Protection Policy

You can also send the report to your email, if you want. After filling out the form, click Continue.

Please select Windows 7 64 bit as this operating system is still widely used. Click Generate Public Report to start the analysis.

5. Adding the result details into MISP

Create a new event:

Distribution: Since you don't want to share your event with other organisations yet, set the distribution to Your organisation only

Threat Level: The threat level can be set to Low, since nobody clicked on the link.

Analysis: Set Analysis to Initial - The Event has just been created

Event Info: Ransomware Sandbox. Click Submit

Add a new Object: Sandbox-Report

After entering all the details, click Submit.

6. Create correlation between events

As a next step, we simulate a second event being created, this time with the same file uploaded directly to MISP.

Please create a new event. Let's call it Ransomware MISP.

Distribution: Since you don't want to share your event with other organisations yet, set the distribution to Your organisation only

Threat Level: The threat level can be set to Low, since nobody clicked on the link.

Analysis: Set Analysis to Initial - The Event has just been created

Event Info: Ransomware MISP.

This time, we will upload our file directly to our MISP instance. Go to Add attachment and select the .exe file from before. Please also check Is a malware sample (encrypt and hash) and Advanced extraction. Click Upload to commit.

MISP's advanced extraction analysed the file and automatically created several objects containing hashes and other information.

Enable correlation on both events.

After a reload of the page, an event correlation should appear.

7. Correlation Graph

This graph shows the connections between events. In a real-world MISP instance, these correlations are very helpful for seeing whether the activity recorded in a new event has already been observed in an earlier one. Correlation can be made on hashes as well as on other attributes.

To the right of the graph you see the two events (Ransomware Sandbox & Ransomware MISP). Attached to them are the attributes each event has. On Ransomware MISP this is an object; on Ransomware Sandbox this is an attribute.
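The correlation the two events end up with in sections 6 and 7 comes down to one mechanism: both events carry an attribute with the same value (here a file hash). The following is an added example, not part of the lab or of MISP itself: it models two minimal MISP-style events with the settings the lab prescribes (distribution 0 = Your organisation only, threat_level_id 3 = Low, analysis 0 = Initial), derives the hashes that the direct upload produces, and finds the shared values the correlation graph would draw. The sample bytes are a constructed placeholder, not the real executable.

```python
import hashlib
from typing import Dict, List

# MISP data-model codes behind the GUI choices made in the lab
DISTRIBUTION_ORG_ONLY = 0   # "Your organisation only"
THREAT_LEVEL_LOW = 3        # "Low"
ANALYSIS_INITIAL = 0        # "Initial - The Event has just been created"

# Constructed placeholder bytes; the real smb-z7uhqxx6.exe is deliberately NOT embedded
SAMPLE_BYTES = b"MZ\x90\x00 constructed lab sample, not a real binary"


def file_hashes(data: bytes) -> Dict[str, str]:
    """Hashes that MISP's 'advanced extraction' derives from an uploaded sample."""
    return {alg: getattr(hashlib, alg)(data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def new_event(info: str, attributes: List[Dict[str, str]], correlate: bool = True) -> Dict:
    """Minimal MISP-style event with the settings the lab prescribes."""
    return {"info": info, "distribution": DISTRIBUTION_ORG_ONLY,
            "threat_level_id": THREAT_LEVEL_LOW, "analysis": ANALYSIS_INITIAL,
            "disable_correlation": not correlate, "Attribute": attributes}


def correlations(a: Dict, b: Dict) -> List[Dict[str, str]]:
    """Attribute values present in both events: the edges the correlation graph draws.
    Nothing correlates unless correlation is enabled on both events."""
    if a["disable_correlation"] or b["disable_correlation"]:
        return []
    shared = {x["value"] for x in a["Attribute"]}
    return [{"type": y["type"], "value": y["value"]}
            for y in b["Attribute"] if y["value"] in shared]


def lab_walkthrough() -> List[Dict[str, str]]:
    h = file_hashes(SAMPLE_BYTES)
    # Event 1: hash copied by hand from the sandbox report into the Sandbox-Report object
    sandbox = new_event("Ransomware Sandbox", [{"type": "sha256", "value": h["sha256"]}])
    # Event 2: the md5/sha1/sha256 that MISP extracted itself from the direct upload
    upload = new_event("Ransomware MISP", [{"type": t, "value": v} for t, v in h.items()])
    return correlations(sandbox, upload)


if __name__ == "__main__":
    for edge in lab_walkthrough():
        print(f"correlation on {edge['type']}: {edge['value']}")
```

Only the one value typed in from the sandbox report (sha256) correlates; the md5 and sha1 that the upload produced have no counterpart in the first event, which is why the manual sandbox path yields fewer automatic links.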

8. Security Questions

  1. Explain what you have learned in this exercise.

  2. Describe the advantages and disadvantages of uploading the file directly to MISP vs. uploading the file to a sandbox.

  3. Please examine the following correlation graph. Describe what you can interpret from the given data.

9. Answers

  1. Key Learnings:

  • Use a sandbox service to analyse a specific malware

  • Create a MISP Event and add information from the sandbox report

  • Create a MISP Event and information based on a file upload with the same malware

  • Create a Correlation Graph between these two events

2. A file upload in MISP will create a lot of attributes automatically and summarize them in objects. You can then check whether the results correlate with other events and whether the malware is already known. With a sandbox report you will get more information about what the malware does in detail and maybe better chances to identify unknown malware. The disadvantage in this case is that you have to add more information manually to your MISP Event.

3. Based on this picture we can see a correlation between 3 MISP Events

Possible Victim: John Doe received a mail that contains malware

  • Event 1 contains information about a person John Doe and a malicious file

  • Event 2 contains information about a mail with victim address john.doe@gmail.com

  • Event 3 contains an attribute with a hash value that is linked to the malicious file in Event 1
