A couple of weeks ago I wrote a one-page paper for a college class that I am about the Clop ransomware. Tonight, I decided to install Tor and try to locate Clop’s leaking site. That was actually very simple as a kind Redditor published a list of the well-known ransomware operators and their PR page. Sadly, since these are onion sites, you need the Tor browser to get to the page. I have never used Tor or installed it in my 27 years of existence.
Until today! And what’s the first onion site I go to?
In my last post, I wrote about how I wanted to be a webpage that will allow me to upload files to my server so I can store them for later analysis. Well, Microsoft has graciously written an ASP.NET Core program that does just that! That way, I don’t have to build the entire thing from scratch!
After working on it for about 20 or so minutes, here’s what I have:
Puter Services Malware Upload Center
My idea for this is twofold:
A central storage for malware I find while away from home
The ability to submit the uploaded files automatically to VirusTotal, Hybrid-Analysis, and AppAnyRun so that I don’t have to manually.
After it submits, it will then automatically download the completed report so I can view it later. Finally, it will also send me an email with the results. This way I don’t have to manually upload, keep malicious files on my phone/computer, or keep refreshing a page until I get the results.
This should be completed by the end of this weekend. I plan on livestreaming next time I work on this!
During the last post, I got to adding a separate network for the malware analysis server to sit on. When I clicked on save and update, the router refused to work correctly. Sadly, I could not get it to stop boot looping or keep the router powered on. After that, I reverted my changes, bought a new router, and prayed that it stayed healthy long enough to switch to the new router.
My new router
I decided on a Ubiquiti EdgeRouter X. Small form factor, able to deliver gigabit speeds, and packed with all the settings I am accustomed to having. I got it plugged in, configured, and tried to change my wireless router to a switch. It totally failed at that point. I then had to buy a new wireless access point.
My new Wireless Access Point
I ended up deciding on a Ubuquiti Unifi AP-AC Lite for my access point needs. It too has the features I am accustomed to having. It made for a simple setup that was painless and user friendly.
Finally, my last goal was to enable VLAN tagging on the AP and the router. After 15 factory resets, I now have VLANs enabled on the router. Woo!
VLAN Setup
It definitely took a while to get everything configured, and I probably should have recorded the steps I took, but the information is out on the internet. Perhaps its a topic for a different day.
What’s Next?
The next pressing matter I have is I want to create a program where I can upload malicious files for later analysis. After that, then I can finish setting up the analysis lab and do the analysis on the Clop sample I located.
Following these directions, I was able to successfully install OpenVM Tools within my FreeBSD environment. It took a couple reboots, but everything worked as expected. It was nice to finally have something work on the first couple tries!
Part VII: Installing Xen Orchestra
This one was pretty easy. Xen Orchestra requires 4GBs of RAM, and a few dependencies specific to FreeBSD. These are:
After everything is installed, you can then follow the official documentation. Once built, configured, logged in, and attached to your XenServer, it will look like this:
FreeBSD running Xen Orchestra
Part VIII: Implement Firewall Rules
Out of everything in the lab, this is the absolute most important. Without adequate firewall rules, the Windows 7 VM can interact with anything on the network. This is… not good. Especially considering most malware nowadays can spread at the speed of light. So, we will need to implement rules in order to protect everything on the network. Currently, my router acts as my firewall, so we will configure it from there.
The first part is to connect the XenServer to an open port, and assign a new VLAN to it. For my setup, the server is connected to port 3 and I have assigned it VLAN 12:
Buffalo DD-WRT VLAN Page
This will reboot the router, and once the router comes back up, port 3 no longer has access to the network. We can identify this from our previously connected XenCenter reports the XenServer offline:
RIP to XenCenter. It was good while it lasted
Now its time to configure our VLAN. I labeled it “To MAL”, enabled NAT masquerade, net isolation, and assigned an IP address of 10.10.220.1. The DHCP server is set to start at .35 and have a maximum of 5 IPs:
vlan10 & DHCPd configuration
Finally, I have to write the firewall rules, which will have to come later. Until next time!
In order to more safely analyze malware, I needed an entirely separate environment to run harmful programs. Previously, I would run them in a VM hosted on my personal computer through VMWare. This is how the VBScript was de-obfuscated.
That’s why it’s in its own VM. To ensure that should it break, it won’t destroy the rest of the computer. Unless it escapes of course.
“Escape? Escape from what?”
There are certain exploits that malware can use to “break” out of its sandbox, and thus run whatever hack code they want on your own computer.
“Perhaps it is not the best idea to run malware on your own computer.”
And that is why I have revamped my malware analysis lab! I will be running malware on a VM hosted on a Dell PowerEdge R310 with Citrix XenServer. I will have a firewall rule in place to only allow the XenServer to communicate with the outside world and a FreeBSD VM running on my computer. With XenServer, I can run a program called Xen Orchestra in order to manage my XenServer. That way, my personal computer should be much more protected in case of malware attempting to break out. The workflow would be as follows:
Personal Computer -> FreeBSD VM -> HTTPS -> XenServer -> Malware VM
I have 90% of this setup up and running right now. Here is what I did:
Part I: Deploy New Webserver
The first thing I needed to tackle was to set up a new server for my website and this blog. I chose AWS because a simple Windows Server would cost me about <$20/month whereas GCP and Azure would have costed a bit more. Simple enough. AWS EC2 makes it simple and quick to launch new instances for whichever need you have. I chose Windows because I wanted to have the experience of being my own Windows Server Administrator.
This would prove a disaster later on.
I get my Windows Server set up, install IIS and the required plugins, set up my server, and figure out how to install WordPress. Web Platform Installer has an automatic WordPress install. Woo!
Web Platform Installer showing WordPress
Installed it, got it configured, and…. there’s a security warning. Apparently this version of WordPress installs PHP 5.1 !!!, MySql 5.1!, and an outdated WordPress version. These are horribly out of date. Need to update.
First on the list is WordPress itself. It has a button. You click the button and boom. Updated 🙂 Easy enough.
Second is PHP. Got PHP 7.4 installed, and now WordPress has an error. I ran PHP manually from the command line, and I get an error popup:
PHP error popup. PHP 7.4 has a dependency.
A quick Google search states this is due to PHP requiring the Microsoft Visual C++ Redistributable for Visual Studio 2019. I installed it, WordPress no longer has an error AND reports that PHP is up to date.
Next was MySql. That was rough. It took me 4 days, and I ended up deleting everything, including the Windows Server itself, and started over from scratch. This time, I installed everything manually, using the official installation walkthrough. After that, worked like a charm.
Part II: Securing the WebServer
This is the next thing that took forever at two days. I originally went with OpenVAS. However, I quickly found out that OpenVAS is now Greenbone Vulnerability Manager. It is the absolute worst thing I have ever had the misfortune of attempting to install. Since it is a Linux application, I had to fire up a Linux VM. My first try was in Ubuntu, however, the apt-get didn’t work. It just simply didn’t start at all. My second through sixth attempt was in Kali Linux. All attempts failed. I used apt-get, an automated script I found on GitHub, the manual build process, and a mix of both. It just simply didn’t work. Fine. I then tried to use their pre-packaged VM. But that too failed. I gave up on GVM.
So I then went to my good friend Nessus. I installed it in my Kali VM, and it worked the first try. As of this writing, I have 9 medium vulnerabilities to fix:
8 Medium vulnerabilities, 42 info
The last thing I needed to do was run the Microsoft Baseline Security Analyzer. However, that is no longer supported 🙁
🙁
I did find out that its successor is the Microsoft Security Compliance Toolkit. So, I have something else to get running.
Part III: Building the Malware Analysis Environment
Out of everything, this was the easiest. I was originally going to go with VMware’s ESXi, but my PowerEdge is too out of date. However, Citrix’s XenServer happily runs on the old hardware. Tough decision that was 🙂
Since I do not have a DVD drive, I have to boot my new OSs through PXE Boot. I use (and highly recommend) Serva for all my PXE Boot needs. Simple to install and works without a hitch. I got XenServer installed, and then XenOrchestra installed on my Ubuntu VM for testing. It works! However, it appears I couldn’t start VMs through XenOrchestra, so I installed XenCenter. Worked perfectly. Well… almost.
I configured my Windows 7 VM on XenServer, got Serva running, tested Serva on my PXEBoot VM, and went to install Win7. Nope. Connection timed out. No matter which settings I tried, the guest VM refused to boot. I even tried another PXE Boot server. Didn’t work. Was my project dead in the water? It almost was until…
I realized I can IMPORT VMS through XenCenter!
gasp
And VMware Workstation can export! I can load VMs this way!
gasp… it will work!
So, Windows 7 was installed in VMware, exported, imported into XenServer, and now it runs!
XenCenter with VM running in XenServer
Part IV: Installing FreeBSD
This was the most difficult part of this project. I have never used FreeBSD in my lifetime. Never even seen it. FreeBSD installed fine, but it doesn’t come with a GUI. So I installed the GUI, set the resolution, and it appears to be working. Sweet. I just have to finish configuring it for VMWare, and then I can install Xen Orchestra.
FreeBSD
Part V: Finding Malware
I have decided my first analysis will be on the Clop Ransomware. This is a really nasty piece of malware family that encrypts your files until you pay. I wrote a paper on the Clop ransomware, so naturally, this would be the first analysis done. My first step is to actually find it in the first place. The McAfee blog gave me an MD5 hash of:
ed7db8c2256b2d5f36b3d9c349a6ed0b
So we have our starting point. The first place I searched from this list is app.any.run. So I put the MD5 has into the search and…. could it be?
App.any.run results
On the first try, no less! There it is! In all its glory! Or is it? There’s only one way to find out.
The McAfee blog post shows a snippet of the disassembled code with the memory address included. If we go to that specific memory address, we find….
Disassembly of captured sample vs McAfee’s blog
The same. exact. assembly code in McAfee blog post. I can conclude with reasonable accuracy that I have acquired the Clop ransomware file. Next week, I will dive into this sample!
I first started this blog over on the WordPress site. I had big plans with it, but they…. fell to the wayside.
Today, after a four-day adventure, I now have a fully functional self-hosted WordPress site, built ontop of my Windows Server in AWS!
Stay tuned for more content delivered right to my server! My first project is reviewing the Clop ransomware. I decided on this first because I wrote a paper on malware, and I chose Clop as my topic. The one-page paper was too limiting to really dive deep into the subject. Luckily for me, I have an unlimited amount of space on this blog.
