MISP Exercise 3


Last updated 3 years ago


MISP LAB03: Malware Sandbox

1. Introduction

In this Lab you are going to analyse different infected files with a sandbox. You will then feed that information into MISP.

2. Setup

Start the docker image:

cd /home/hacker/misp-docker-image
docker-compose up

Login with the following credentials:

LAB URL: http://misp.localhost

User: investigator@misp-lab3.com
Password: compass

3. Download Malware samples

git clone https://github.com/fabrimagic72/malware-samples.git
cd malware-samples

This repository contains malware samples of different kinds. We are going to use these samples for testing purposes only. Please DO NOT EXECUTE these files!

4. Uploading Malware to sandbox

In this step you are going to use an online sandbox. There are many different ones; in this exercise we are working with https://www.hybrid-analysis.com because it is free and no registration is required. Hybrid Analysis also gathers information from other sources, such as VirusTotal.

cd malware-samples/Ransomware/Wannacry
7z x smb-z7uhqxx6.zip

Enter the password infected to successfully extract the malware. You should now find an exe file called smb-z7uhqxx6.exe in your working directory.

Now, go to https://www.hybrid-analysis.com and upload the extracted malware.

Make sure the submission options are set as follows:

  • Check: Do not submit my sample to unaffiliated third parties

  • Uncheck: Allow community members to access sample

  • Check: I consent to the Terms & Conditions and Data Protection Policy

You can also send the report to your email, if you want. After filling out the form, click Continue.

Please select Windows 7 64 bit as this operating system is still widely used. Click Generate Public Report to start the analysis.

5. Adding the result details into MISP

Create a new event:

Distribution: Since you don't want to share your event to other organisations now, set distribution as Your organisation only

Threat Level: The threat level can be set to Low, as nobody clicked on the link.

Analysis: Set Analysis to Initial - The Event has just been created

Event Info: Ransomware Sandbox. Click Submit.

Add a new Object: Sandbox-Report

After entering all the details, click Submit.

6. Create correlation between events

Next, we simulate a second event being created in which the same file is uploaded directly to MISP.

Please create a new event. Let's call it Ransomware MISP.

Distribution: Since you don't want to share your event to other organisations now, set distribution as Your organisation only

Threat Level: The threat level can be set to Low, as nobody clicked on the link.

Analysis: Set Analysis to Initial - The Event has just been created

Event Info: Ransomware MISP.

This time, we will upload our file directly to our MISP instance. Go to Add attachment and select the .exe file from before. Please also check Is a malware sample (encrypt and hash) and Advanced extraction. Click Upload to commit.

MISP's advanced extraction has analysed the file and already created several objects containing hashes and other information.

Enable Correlation on both events.

After a reload of the page, an event correlation should appear.

7. Correlation Graph

This graph shows the connections between events. In a real-world MISP instance, these correlations are very helpful for understanding whether what an event records has already been discovered elsewhere. Correlation can also be made on hashes and other attributes.

To the right of the graph you see the two events (Ransomware Sandbox & Ransomware MISP). Attached to each are its attributes: on Ransomware MISP this is an object, on Ransomware Sandbox a single attribute.
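To make the correlation in steps 5 to 7 concrete, here is an added example (not part of the lab or of MISP's code) that rebuilds both events as plain data and reproduces the value-based matching MISP performs: the sha256 typed in from the sandbox report meets the sha256 that the malware-sample upload derives, while a non-correlating type such as size-in-bytes is ignored even when its value coincides. The sample bytes, the event contents and the set of correlating types are constructed assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Simplified model of MISP's value-based correlation (assumption): only these types correlate.
CORRELATING_TYPES = {"md5", "sha1", "sha256", "filename", "ip-dst", "domain"}
# Constructed stand-in for the extracted sample; NOT real malware bytes.
SAMPLE_BYTES = b"MZ\x90\x00 constructed placeholder for smb-z7uhqxx6.exe"

def file_object(data: bytes, filename: str) -> list:
    """Attributes MISP derives from a file uploaded with 'Is a malware sample' checked."""
    return [
        {"type": "filename", "value": filename},
        {"type": "md5", "value": hashlib.md5(data).hexdigest()},
        {"type": "sha1", "value": hashlib.sha1(data).hexdigest()},
        {"type": "sha256", "value": hashlib.sha256(data).hexdigest()},
        {"type": "size-in-bytes", "value": str(len(data))},
    ]

def build_lab_events() -> dict:
    """The two lab events plus an unrelated one, all as constructed data."""
    sha256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
    return {
        # Step 5: hash copied from the sandbox report (upper case, as reports often print it)
        "Ransomware Sandbox": [
            {"type": "sha256", "value": sha256.upper()},
        ],
        # Step 6: the same .exe uploaded directly to MISP
        "Ransomware MISP": file_object(SAMPLE_BYTES, "smb-z7uhqxx6.exe"),
        # Same size by coincidence: must NOT correlate, size-in-bytes is not a correlating type
        "Unrelated Phishing": [
            {"type": "filename", "value": "invoice.pdf"},
            {"type": "size-in-bytes", "value": str(len(SAMPLE_BYTES))},
        ],
    }

def correlate(events: dict) -> dict:
    """Map each pair of event names to the normalised attribute values they share."""
    seen = defaultdict(set)  # normalised value -> names of events containing it
    for name, attrs in events.items():
        for attr in attrs:
            if attr["type"] in CORRELATING_TYPES:
                seen[attr["value"].lower()].add(name)
    pairs = defaultdict(list)
    for value, names in seen.items():
        ordered = sorted(names)
        for i, first in enumerate(ordered):
            for second in ordered[i + 1:]:
                pairs[(first, second)].append(value)
    return dict(pairs)
```

Running correlate(build_lab_events()) yields exactly one edge, between Ransomware MISP and Ransomware Sandbox, carrying the shared sha256; that edge is what the correlation graph in step 7 draws.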

8. Security Questions

  1. Explain what you have learned in this exercise.

  2. Describe the advantages and disadvantages of uploading the file directly to MISP vs. uploading the file to a sandbox.

  3. Please examine the following correlation graph. Describe what you can interpret from the given data.

9. Answers

  1. Key Learnings:

  • Use a sandbox service to analyse a specific malware

  • Create a MISP Event and add information from the sandbox report

  • Create a MISP Event with information derived from a file upload of the same malware

  • Create a Correlation Graph between these two events

2. A file upload in MISP will create a lot of attributes automatically and summarize them in objects. You can then check whether the results correlate with other events and whether the malware is already known. With a sandbox report you get more information about what the malware does in detail, and perhaps a better chance of identifying unknown malware. The disadvantage in this case is that you have to add more information manually to your MISP Event.

3. Based on this picture we can see a correlation between 3 MISP Events.

Possible victim: John Doe receives a mail that contains malware.

  • Event 1 contains information about a person, John Doe, and a malicious file

  • Event 2 contains information about a mail with the victim address john.doe@gmail.com

  • Event 3 contains an attribute with a hash value that is linked to the malicious file in Event 1