gemesa/malware-analysis-toolkit
malware-analysis-toolkit

Setup guides for malware analysis tools on Fedora:

Ghidra

Base

curl -s "https://get.sdkman.io" | bash
sdk install gradle
sdk list java
sdk install java 21.0.7-tem
git clone https://github.com/NationalSecurityAgency/ghidra.git
cd ghidra
gradle -I gradle/support/fetchDependencies.gradle
gradle assembleAll

Necessary for Ghidra debugger:

pip install psutil
pip install google-api-python-client

PyGhidra:

https://pypi.org/project/ghidra-stubs/

pip install pyghidra
pip install ghidra-stubs

Config

  • Edit --> Theme --> Switch... --> Flat Dark
  • Edit --> Theme --> Configure --> Fonts --> font.plugin.terminal --> Source Code Pro-BOLD-12
  • Edit --> Theme --> Configure --> Colors --> color.fg.plugin.terminal.normal.blue --> RGB --> Color Code: 00FFFF, Alpha: 255
  • add Python stubs: NationalSecurityAgency/ghidra#8018 (comment)
  • open a domain file, then File --> Configure --> BSim

Startup

cd ghidra/build/dist/ghidra_11.4_DEV
./ghidraRun

References:

Ghidra server

cd ghidra/build/dist/ghidra_11.4_DEV
sudo ./server/svrInstall

Config

cd ghidra/build/dist/ghidra_11.4_DEV
sed -i 's|ghidra.repositories.dir=./repositories|ghidra.repositories.dir=/home/gemesa/git-repos/ghidra-server|' server/server.conf
sed -i 's|wrapper.app.parameter.2|wrapper.app.parameter.2=-u\nwrapper.app.parameter.3|' server/server.conf
sudo ./server/ghidraSvr restart
./server/ghidraSvr status
sudo ./server/svrAdmin -add gemesa
sudo ./server/svrAdmin -users

Startup

cd ghidra/build/dist/ghidra_11.4_DEV
sudo ./server/ghidraSvr start

References:

BSim

cd ghidra/build/dist/ghidra_11.4_DEV
cd Ghidra/Features/BSim/support
sudo dnf install readline-devel
./make-postgres.sh

Startup

cd ghidra/build/dist/ghidra_11.4_DEV
./support/bsim_ctl start ~/git-repos/bsim-db

References:

Extensions

INetSim

wget https://www.inetsim.org/downloads/inetsim-1.3.2.tar.gz
tar -xzf inetsim-1.3.2.tar.gz
sudo groupadd inetsim
cd inetsim-1.3.2
sudo ./setup.sh
sudo dnf install perl-Net-Server perl-IPC-Shareable perl-Digest-SHA perl-IO-Socket-SSL
sudo dnf install perl-CPAN perl-App-cpanminus
# Net::DNS@1.22 is installed on REMnux (newer versions such as 1.40..1.50 do not work with INetSim)
sudo cpanm Net::DNS@1.22 --verbose --notest

Config

sed -i 's|#service_run_as_user inetsim|service_run_as_user gemesa|' conf/inetsim.conf
sed -i 's|start_service tftp|#start_service tftp|' conf/inetsim.conf
sed -i 's|start_service irc|#start_service irc|' conf/inetsim.conf
sed -i 's|start_service ntp|#start_service ntp|' conf/inetsim.conf
sed -i 's|start_service finger|#start_service finger|' conf/inetsim.conf
sed -i 's|start_service ident|#start_service ident|' conf/inetsim.conf
sed -i 's|start_service syslog|#start_service syslog|' conf/inetsim.conf
sed -i 's|start_service time_tcp|#start_service time_tcp|' conf/inetsim.conf
sed -i 's|start_service time_udp|#start_service time_udp|' conf/inetsim.conf
sed -i 's|start_service daytime_tcp|#start_service daytime_tcp|' conf/inetsim.conf
sed -i 's|start_service daytime_udp|#start_service daytime_udp|' conf/inetsim.conf
sed -i 's|start_service echo_tcp|#start_service echo_tcp|' conf/inetsim.conf
sed -i 's|start_service echo_udp|#start_service echo_udp|' conf/inetsim.conf
sed -i 's|start_service discard_tcp|#start_service discard_tcp|' conf/inetsim.conf
sed -i 's|start_service discard_udp|#start_service discard_udp|' conf/inetsim.conf
sed -i 's|start_service quotd_tcp|#start_service quotd_tcp|' conf/inetsim.conf
sed -i 's|start_service quotd_udp|#start_service quotd_udp|' conf/inetsim.conf
sed -i 's|start_service chargen_tcp|#start_service chargen_tcp|' conf/inetsim.conf
sed -i 's|start_service chargen_udp|#start_service chargen_udp|' conf/inetsim.conf
sed -i 's|start_service dummy_tcp|#start_service dummy_tcp|' conf/inetsim.conf
sed -i 's|start_service dummy_udp|#start_service dummy_udp|' conf/inetsim.conf
sed -i 's|#service_bind_address 10.10.10.1|service_bind_address	192.168.56.128|' conf/inetsim.conf
sed -i 's|#dns_default_ip 10.10.10.1|dns_default_ip		192.168.56.128|' conf/inetsim.conf

Set static IP and DNS:

nmcli connection show
sudo nmcli connection modify "Wired connection 1" ipv4.method manual ipv4.addresses 192.168.56.128/24 ipv4.gateway 192.168.56.128 ipv4.dns 192.168.56.128
sudo nmcli connection down "Wired connection 1"
sudo nmcli connection up "Wired connection 1"

Revert static IP and DNS (necessary when upgrading or installing new packages):

sudo nmcli connection modify "Wired connection 1" ipv4.method auto
sudo nmcli connection modify "Wired connection 1" ipv4.addresses "" ipv4.gateway ""
sudo nmcli connection modify "Wired connection 1" ipv4.dns ""
sudo nmcli connection down "Wired connection 1"
sudo nmcli connection up "Wired connection 1"

Update firewall rules:

sudo firewall-cmd --permanent --add-port=80/tcp   # HTTP
sudo firewall-cmd --permanent --add-port=443/tcp  # HTTPS
sudo firewall-cmd --permanent --add-port=21/tcp   # FTP
sudo firewall-cmd --permanent --add-port=25/tcp   # SMTP
sudo firewall-cmd --permanent --add-port=53/tcp   # DNS (TCP)
sudo firewall-cmd --permanent --add-port=53/udp   # DNS (UDP)
sudo firewall-cmd --permanent --add-port=110/tcp  # POP3
sudo firewall-cmd --permanent --add-port=143/tcp  # IMAP
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Startup

sudo ./inetsim

Check services:

netstat -tuln
sudo tail -f log/service.log

References:

Zeek

sudo dnf config-manager addrepo --from-repofile=https://download.opensuse.org/repositories/security:zeek/Fedora_41/security:zeek.repo
sudo dnf install zeek

Config

sudo ln -s /opt/zeek/bin/zeek /usr/local/bin/zeek
sudo ln -s /opt/zeek/bin/zeekctl /usr/local/bin/zeekctl
sudo ln -s /opt/zeek/bin/zeek-cut /usr/local/bin/zeek-cut
ip a
sudo sed -i 's|interface=eth0|interface=enp0s3|' /opt/zeek/etc/node.cfg

Startup

ip a
sudo zeek -i enp0s3

Open another terminal:

cat http.log | zeek-cut -d ts uid id.orig_h host
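Added example (not code from this repository): a Python parser for Zeek's TSV log format that selects the same columns as the zeek-cut command above (ts, uid, id.orig_h, host) and, like -d, renders ts as a UTC date. The http.log content is constructed sample data, and the date format is my own approximation of zeek-cut -d output.

```python
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional

# Constructed sample http.log in Zeek's TSV format (not a real capture). The first
# header line carries the separator as an escape sequence; the rest already use it.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring",
    "1747650000.123456\tCabc123\t192.168.56.130\t51234\t192.168.56.128\t80\tGET\texample.test\t/",
    "1747650001.654321\tCdef456\t192.168.56.130\t51235\t192.168.56.128\t443\t-\t-\t-",
    "#close\t2025-05-19-10-20-02",
])

def parse_zeek_log(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per record keyed by the #fields names; unset values become None."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#"):
            # "#separator" is followed by a space and an escaped separator such as \x09
            if line.startswith("#separator "):
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
                continue
            key, _, rest = line.partition(sep)
            if key == "#unset_field":
                unset = rest
            elif key == "#fields":
                fields = rest.split(sep)
            continue
        if not fields or not line:
            continue
        values = line.split(sep)
        yield {name: (None if v == unset else v) for name, v in zip(fields, values)}

def format_ts(ts: str) -> str:
    """Render a Zeek epoch timestamp as UTC (approximates what zeek-cut -d prints)."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S%z")

def zeek_cut(text: str, columns: List[str], human_ts: bool = False) -> List[List[Optional[str]]]:
    """Select columns from a Zeek log, mirroring `zeek-cut [-d] ts uid id.orig_h host`."""
    rows = []
    for rec in parse_zeek_log(text):
        if human_ts and rec.get("ts"):
            rec["ts"] = format_ts(rec["ts"])
        rows.append([rec.get(c) for c in columns])
    return rows
```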

References:

Suricata

sudo dnf install dnf-plugins-core
sudo dnf copr enable @oisf/suricata-7.0
sudo dnf install suricata
sudo suricata-update

Config

ip a
sudo sed -i 's| HOME_NET| #HOME_NET|' /etc/suricata/suricata.yaml
sudo sed -i 's|#HOME_NET: "any"|#HOME_NET: "any"\n    HOME_NET: "[192.168.56.128/25]"|' /etc/suricata/suricata.yaml
sudo cat /etc/suricata/suricata.yaml
...
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
    HOME_NET: "[192.168.56.128/25]"
...

Startup

Create some rules:

cat http.rules
alert http any any -> any any (msg:"HTTP GET Request Detected"; flow:established,to_server; http.method; content:"GET"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"HTTP POST Request Detected"; flow:established,to_server; http.method; content:"POST"; sid:1000002; rev:1;)
suricata -h
ip a
sudo suricata -s http.rules -i enp0s3

Open another terminal:

sudo tail -f /var/log/suricata/fast.log
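Added example (not part of this repository): a Python parser for the fast.log lines that the two rules above produce, counting alerts per sid and listing alerts whose destination is outside the HOME_NET set in suricata.yaml earlier. The log lines are constructed; the sids and messages are those of http.rules, and the default HOME_NET value is the one from the config step above.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in Suricata fast.log format; sid 1000001 and 1000002 are
# the two signatures from http.rules above. The last line is deliberate noise.
SAMPLE_FAST_LOG = """\
05/19/2025-12:20:00.000123  [**] [1:1000001:1] HTTP GET Request Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.130:51234 -> 192.168.56.128:80
05/19/2025-12:20:01.000456  [**] [1:1000002:1] HTTP POST Request Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.130:51235 -> 192.168.56.128:80
05/19/2025-12:20:02.000789  [**] [1:1000001:1] HTTP GET Request Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.130:51236 -> 203.0.113.7:80
not an alert line, skipped by the parser
"""

# One alert per line: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_fast_log_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    # addr:port is split from the right so IPv6 addresses (which contain ':') survive
    for side in ("src", "dst"):
        addr, _, port = str(rec.pop(side)).rpartition(":")
        rec[side + "_ip"], rec[side + "_port"] = addr, int(port)
    for key in ("gid", "sid", "rev", "priority"):
        rec[key] = int(rec[key])
    return rec

def alerts_per_sid(text: str) -> Dict[int, int]:
    """Count alerts by signature id, ignoring non-alert lines."""
    counts: Counter = Counter()
    for line in text.splitlines():
        rec = parse_fast_log_line(line)
        if rec:
            counts[rec["sid"]] += 1
    return dict(counts)

def alerts_leaving_home_net(text: str, home_net: str = "192.168.56.128/25") -> List[Dict[str, object]]:
    """Alerts whose destination lies outside HOME_NET (default taken from suricata.yaml above)."""
    net = ipaddress.ip_network(home_net, strict=False)
    return [r for r in map(parse_fast_log_line, text.splitlines())
            if r and ipaddress.ip_address(r["dst_ip"]) not in net]
```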

References:

DiE

sudo dnf install cmake qt5-qtbase-devel qt5-qttools-devel qt5-qtmultimedia-devel qt5-qtsvg-devel qt5-qtwebsockets-devel qt5-qtdeclarative-devel qt5-qtscript-devel qt5-qtquickcontrols2-devel qt5-qtwayland-devel
git clone --recursive https://github.com/horsicq/DIE-engine.git
cd DIE-engine
mkdir -p build
cmake . -B build
cd build
make -j4
sudo make install -j4

Config

sudo dnf install qt5ct
echo 'export QT_QPA_PLATFORMTHEME=qt5ct' >> ~/.zshrc
source ~/.zshrc

qt5ct --> Appearance --> Palette --> Custom --> Color scheme --> darker --> OK then log out and log in

Startup

die

or

diec

References:

VirtualBox

sudo dnf install gcc make perl kernel-devel
wget https://www.virtualbox.org/download/oracle_vbox_2016.asc
sudo rpm --import oracle_vbox_2016.asc
wget https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo
sudo mv virtualbox.repo /etc/yum.repos.d/
sudo dnf install VirtualBox-7.0
sudo usermod -a -G vboxusers $USER

Fingerprint:

B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>

Fedora VM

Install Fedora.

Config

  • machine settings:
    • Settings --> System
      • --> Processor --> Processors: 4
      • --> Motherboard --> Base Memory: 4096
    • Devices --> Shared Clipboard --> Bidirectional
  • Settings
    • --> Display --> Resolution --> 1600 x 900
    • --> Appearance --> Style --> Dark
  • sudo dnf upgrade --refresh -y
  • install the tools listed above
  • machine settings:
    • Settings
      • --> Adapter 1 --> Attached to: Internal Network
      • --> Shared Folders --> add read-only, auto-mount folder, path: /home/gemesa/malware-bazaar
  • take VM snapshot

Troubleshooting

VirtualBox can't enable the AMD-V extension. Please disable the KVM kernel extension, recompile your kernel and reboot (VERR_SVM_IN_USE)

lsmod | grep kvm
sudo modprobe -r kvm_amd

or

sudo modprobe -r kvm_intel

References:

Python

sudo dnf install python pip

LLVM

sudo dnf install llvm

OpenSSL

sudo dnf install openssl

capa

wget https://github.com/mandiant/capa/releases/download/v9.1.0/capa-v9.1.0-linux.zip
unzip capa-v9.1.0-linux.zip
sudo mv capa /usr/local/bin/

frida

pip install frida-tools

rbi

git clone https://github.com/N0fix/rustbininfo
sudo dnf install poetry
cd rustbininfo
poetry build
pip install dist/*.whl

QEMU

sudo dnf install qemu-user
sudo dnf install qemu-user-static
sudo dnf install qemu-user-static-aarch64
sudo dnf install qemu-system-aarch64
sudo dnf install qemu-system-aarch64-core
sudo dnf install sysroot-aarch64-fc41-glibc

shadow-shell

git clone https://github.com/gemesa/shadow-shell
sudo dnf install mingw64-gcc
sudo dnf install gcc-aarch64-linux-gnu
sudo dnf install binutils-aarch64-linux-gnu
sudo dnf install sysroot-aarch64-fc41-glibc
sudo dnf install llvm
cd shadow-shell

Then

make arm64x
make x64

Qiling

pip install qiling

References:

YARA

wget https://github.com/VirusTotal/yara-x/releases/download/v0.13.0/yara-x-v0.13.0-x86_64-unknown-linux-gnu.gz
tar -xzf yara-x-v0.13.0-x86_64-unknown-linux-gnu.gz
sudo mv yr /usr/local/bin/

References:

Wireshark

sudo dnf install wireshark
sudo usermod -a -G wireshark gemesa

Joern

git clone https://github.com/joernio/joern
cd joern
sdk install scala
sdk install sbt
sbt stage

References:
