How to Use Metabrik to automate malware Analysis


In this article we show how to use Metabrik to automate malware analysis: take a snapshot of a Windows virtual machine, run the sample on it, and compare the system state afterwards. In this example the snapshot only records the running processes, but the same approach extends to other artifacts. We will use the remote::wmi, remote::winexe and system::virtualbox Briks.

We will also use the forensic::volatility Brik, which lets you dynamically analyze malware from a memory dump of the guest and extract IOCs.

TIP: in the Metabrik shell, the Tab key completes Brik names and commands.

Environment Construction

wmic and winexe must be compiled from source. Fortunately, Metabrik simplifies this with its install_needed_packages command. Because wmic and winexe ship in the same software package, you only need to run the installation command for one of remote::wmi and remote::winexe. I assume VirtualBox is already installed, so the installation command for the system::virtualbox Brik is not run here.

use brik::tool
use remote::wmi
use remote::winexe
use forensic::volatility
help remote::wmi
help remote::winexe
help forensic::volatility
run brik::tool install_needed_packages remote::wmi
run brik::tool install_needed_packages forensic::volatility


The virtual machine must be configured to allow the chosen user to access WMI, and the winexesvc service must be started. The source code of the remote::wmi and remote::winexe Briks contains some hints on this.

Start the VM and create a snapshot

The environment is ready; let's create a snapshot before executing the malware. For the purposes of this exercise, the "malware" is simply calc.exe.

use system::virtualbox
help system::virtualbox
run system::virtualbox list


Let's start the Windows machine in headless mode (no GUI attached; GUI-related options are not covered here):

set system::virtualbox type headless
run system::virtualbox start 602782ec-40c0-42ba-ad63-4e56a8bd5657
run system::virtualbox snapshot_live 602782ec-40c0-42ba-ad63-4e56a8bd5657 "before calc.exe"


I already know the IP address of the machine; otherwise you could find it with an ARP scan of the vboxnet0 interface using the network::arp Brik.

my $win = '192.168.56.101'
my $user = 'Administrator'
my $password = 'YOUR_SECRET'
set remote::wmi host $win
set remote::wmi user $user
set remote::wmi password $password
set remote::winexe host $win
set remote::winexe user $user
set remote::winexe password $password
run remote::wmi get_win32_process
for (@$RUN) { print $_->{Name}."\n"; }

Now you can check the process list for the calc.exe program.


Start calc.exe and look for it in the process list. The command will appear to hang here, so press Ctrl+C to get the prompt back; calc.exe keeps running on the remote host.

run remote::winexe execute "cmd.exe /c calc.exe"
run remote::wmi get_win32_process
my @processes = map { $_->{Name} } @$RUN
my $found = grep { /calc.exe/ } @processes

In the screenshot below you will see two results from grep, because the command was run twice during the test.


Now we restore the virtual machine to the running state in which the calc.exe "malware" had not yet been run.

run system::virtualbox stop 602782ec-40c0-42ba-ad63-4e56a8bd5657
run system::virtualbox snapshot_restore 602782ec-40c0-42ba-ad63-4e56a8bd5657 "before calc.exe"
run system::virtualbox start 602782ec-40c0-42ba-ad63-4e56a8bd5657
run remote::wmi get_win32_process
my @processes = map { $_->{Name} } @$RUN
my $found = grep { /calc.exe/ } @processes
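The page compares process lists with a bare grep on the name. The following Python script is an added example (not part of the original article and not Metabrik code) of the same "baseline, detonate, compare, verify restore" logic done more carefully: it diffs two Win32_Process-style inventories on (name, PID) so a second instance of an existing process is not missed, walks the parent/child tree below the winexe service to show what the launched command spawned, and checks that nothing from the detonation survives after the snapshot restore. The process records are constructed sample data shaped like what get_win32_process returns; the field names follow the Win32_Process class.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """Subset of the Win32_Process fields the comparison needs."""
    name: str
    pid: int
    ppid: int
    cmdline: str


def from_wmi(records):
    """Convert Win32_Process-style dicts (what the page's $RUN holds) to Proc objects.
    CommandLine is None for some system processes, so default it to ''."""
    return [
        Proc(r["Name"], int(r["ProcessId"]), int(r["ParentProcessId"]), r.get("CommandLine") or "")
        for r in records
    ]


def new_processes(before, after):
    """Processes present after detonation but absent from the baseline.
    Keyed on (name, pid): a name-only match (like grep /calc.exe/) would miss a second
    instance of a process that already existed in the baseline."""
    seen = {(p.name.lower(), p.pid) for p in before}
    return [p for p in after if (p.name.lower(), p.pid) not in seen]


def descendants(procs, root_pid):
    """All processes launched directly or indirectly under root_pid, in tree order."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    out, stack = [], [root_pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            out.append(child)
            stack.append(child.pid)
    return out


def detonation_report(before_records, after_records, launcher="winexesvc.exe"):
    """Summarize what appeared after detonation and what the winexe service spawned."""
    before, after = from_wmi(before_records), from_wmi(after_records)
    new = new_processes(before, after)
    svc = next((p for p in after if p.name.lower() == launcher), None)
    tree = descendants(after, svc.pid) if svc else []
    return {
        "new": [(p.name, p.pid, p.ppid, p.cmdline) for p in new],
        "spawned_by_launcher": [p.name for p in tree],
    }


def surviving(records, names):
    """Names still present in a process list, e.g. taken after snapshot_restore.
    An empty result means the restore really discarded the detonation."""
    present = {r["Name"].lower() for r in records}
    return [n for n in names if n.lower() in present]


# Constructed sample data (not real captures), shaped like get_win32_process output.
BASELINE = [
    {"Name": "System", "ProcessId": 4, "ParentProcessId": 0, "CommandLine": None},
    {"Name": "explorer.exe", "ProcessId": 1580, "ParentProcessId": 1500,
     "CommandLine": "C:\\Windows\\Explorer.EXE"},
    {"Name": "winexesvc.exe", "ProcessId": 2040, "ParentProcessId": 488,
     "CommandLine": "winexesvc.exe"},
]
AFTER_DETONATION = BASELINE + [
    {"Name": "cmd.exe", "ProcessId": 3012, "ParentProcessId": 2040,
     "CommandLine": "cmd.exe /c calc.exe"},
    {"Name": "calc.exe", "ProcessId": 3020, "ParentProcessId": 3012, "CommandLine": "calc.exe"},
]

if __name__ == "__main__":
    print(detonation_report(BASELINE, AFTER_DETONATION))
    # After snapshot_restore the baseline list is what you expect to see again.
    print(surviving(BASELINE, ["cmd.exe", "calc.exe"]))
```

In a real run you would feed `from_wmi` the two `$RUN` results captured before and after `run remote::winexe execute`; the parent chain winexesvc.exe -> cmd.exe -> calc.exe is the first IOC-like fact the page's grep alone cannot show.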


No calc.exe process exists.

Volatility

From here on it gets really interesting. You can use Volatility for the same kind of process analysis. Volatility needs a dump of the guest's memory: use the dumpguestcore command of system::virtualbox to dump the guest core, then extract_memdump_from_dumpguestcore to extract the memory part of the generated core file.

Now you can analyze the memory dump in depth, for instance to check whether calc.exe appears. Looking back at the original malware-analysis workflow, Volatility lets you verify from memory the process that was launched with the remote::winexe Brik. This approach is a perfect tool for extracting IOCs from malware.

run system::virtualbox dumpguestcore 602782ec-40c0-42ba-ad63-4e56a8bd5657 dump.core
run system::virtualbox extract_memdump_from_dumpguestcore dump.core dump.volatility


We now have a memory dump that Volatility can work on. Let's use the forensic::volatility Brik to dig deeper.

use forensic::volatility
set forensic::volatility input dump.volatility
run forensic::volatility imageinfo
set forensic::volatility profile $RUN->[0]
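The Brik hides what `$RUN->[0]` actually holds and what the process check against the memory dump looks like. The Python below is an added example (not part of the original article and not Metabrik or Volatility code) that parses the text Volatility 2 prints: it pulls the suggested profiles out of `imageinfo` output (the first one is what the page's `set forensic::volatility profile $RUN->[0]` selects), parses `pslist` rows into records, and cross-checks the memory view against the names collected live over WMI, so a process seen in memory but missing from the live list stands out. Both outputs are constructed samples in the Volatility 2 layout, not real captures; the parser assumes that layout and that process names contain no spaces.

```python
import re

# Constructed sample of Volatility 2.x `imageinfo` output (not a real capture).
IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemory (Kernel AS)
"""

# Constructed sample of Volatility 2.x `pslist` output (not a real capture).
PSLIST = """Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     55      251 ------      0
0x821ecda0 explorer.exe           1580   1500     13      355      0      0 2017-01-12 10:01:13 UTC+0000
0x81f0c020 winexesvc.exe          2040    488      3       50      0      0 2017-01-12 10:02:40 UTC+0000
0x81e76b10 cmd.exe                3012   2040      1       22      0      0 2017-01-12 10:05:02 UTC+0000
0x81e5a560 calc.exe               3020   3012      2       67      0      0 2017-01-12 10:05:02 UTC+0000
"""


def suggested_profiles(text):
    """Profile names from imageinfo's 'Suggested Profile(s)' line, best guess first.
    The page's `set forensic::volatility profile $RUN->[0]` takes the first of these."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*([^\n(]+)", text)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


# One pslist row: offset, name, PID, PPID, threads, handles, session, Wow64, optional start time.
PSLIST_ROW = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\d+\s+\S+\s+\d+"
    r"(?:\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}))?"
)


def parse_pslist(text):
    """Parse pslist rows into dicts; banner, header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            rows.append({"name": m["name"], "pid": int(m["pid"]),
                         "ppid": int(m["ppid"]), "start": m["start"]})
    return rows


def find_process(mem_procs, name):
    """All memory-resident processes with the given image name (case-insensitive)."""
    return [p for p in mem_procs if p["name"].lower() == name.lower()]


def cross_check(mem_procs, wmi_names):
    """Compare the memory view with the live WMI view by name. Entries under
    'memory_only' deserve a closer look: the process exited between the two
    captures, or the live view is not telling the whole story."""
    mem = {p["name"].lower() for p in mem_procs}
    live = {n.lower() for n in wmi_names}
    return {"confirmed": sorted(mem & live),
            "memory_only": sorted(mem - live),
            "wmi_only": sorted(live - mem)}


if __name__ == "__main__":
    print("profile:", suggested_profiles(IMAGEINFO)[0])
    procs = parse_pslist(PSLIST)
    print("calc.exe in memory:", find_process(procs, "calc.exe"))
    print(cross_check(procs, ["System", "explorer.exe", "winexesvc.exe", "cmd.exe", "calc.exe"]))
```

The `start` field is what makes the memory view more useful than a name match: the cmd.exe and calc.exe rows carry the launch time, which ties them to the moment `run remote::winexe execute` was issued.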


winexesvc feature: obtaining a Windows remote shell

Finally, here is how to get a remote Windows shell with the remote::winexe Brik.

run remote::winexe execute cmd.exe

Conclusion

We have seen that combining Briks makes it easy to analyze malware on Windows. By combining the features of different tools (VirtualBox, winexe, Volatility), we can analyze the sequence of actions malware performs on a machine. Once you have found how a sample affects a system and extracted its IOCs, you can use the remote::wmi Brik to scan for those indicators across the network.

IOC extraction is a large topic; here we only used the virtual machine as a "scapegoat" to extract some data. Static analysis can also be used to extract IOCs, but that is a completely different approach.

Finally, I suggest you try Volatility (and Metabrik, of course); you will see how powerful it is.
