PolarProxy is a transparent SSL/TLS proxy designed to intercept and decrypt TLS traffic, and save it in PCAP format so that we can analyze it further using Wireshark. PolarProxy is also installed by default in REMnux.
PolarProxy listens on port 10443, so traffic arriving on port 443 has to be redirected to 10443. We do this with two iptables rules. ens37 here is my Host-only interface; adjust it to match yours:
sudo iptables -A INPUT -i ens37 -p tcp --dport 10443 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A PREROUTING -i ens37 -p tcp --dport 443 -j REDIRECT --to 10443
After the rules are created, run PolarProxy with the following command:
You can customize the destination PCAP file location; in this case I saved it in the user's home directory as polarproxy.pcap.
Next, you need to install PolarProxy's root CA certificate on your Windows VM. First download the certificate by browsing from the VM to the REMnux VM's address on port 10080, in my case http://192.168.126.100:10080/; the polarproxy.cer file is then downloaded automatically.
Double click the polarproxy.cer file and click [Install Certificate…]
Click [Next] and then select “Place all certificates in the following store”
Click [Browse], select “Trusted Root Certification Authorities”, and click [OK]
Click [Next] and [Finish]
In Firefox, go to [Options > Privacy & Security]
In the Certificates section, click [View Certificates…]
On the Authorities tab, click the [Import…] button and select the polarproxy.cer file
Check “Trust this CA to identify websites” and click [OK]
Additionally, we can disable the certificate revocation check in Windows Internet Options:
In the Run box execute the following command: inetcpl.cpl
Click the [Advanced] tab and scroll down to the [Security] section
Uncheck “Check for server certificate revocation”, then click [OK]
And restart the VM.
If everything is running smoothly, now you can create a snapshot of the VM. Configuration on this VM can also be applied to your other VMs.
When performing malware analysis, we must make sure the environment we use is completely isolated and controlled. This keeps our lab machines from affecting, or even infecting, the rest of the network, and it also keeps our own data from leaking into the lab machines.
This lab uses virtualization, so we don't need a lot of hardware; one PC or laptop is enough:
PC/Laptop with Windows 10 (as Host)
Enough RAM, preferably more than 8 GB
Enough storage space (SSD is highly recommended)
VMware Workstation (other virtualization software such as VirtualBox works too, since the method is generally the same and only needs to be adapted)
VPN (optional but recommended)
Make sure Windows is fully updated. I also assume you have already installed VMware Workstation.
As guest machines we will have at least two virtual machines: a Linux VM running the REMnux distro and a Windows VM. You can of course add more VMs as needed.
REMnux is a Linux distro made specifically for malware analysis, with a wide range of tools preinstalled. You can download the image from their site: https://docs.remnux.org/install-distro/get-virtual-appliance. The downloaded image is an OVA (an Open Virtualization Format appliance archive), so you don't need to install it from scratch; just import it into VMware Workstation.
For the Windows VM you can use Windows 7 or Windows 10. The 64-bit version is recommended so that both 32-bit and 64-bit malware can run. If you think Windows 10 is too heavy, Windows 7 is more than enough in my experience.
Apart from being used for malware analysis, we will also use REMnux as the gateway for the other VMs. Traffic from the other VMs passes through REMnux first, and REMnux then forwards it to its NAT network so it can reach the internet. On REMnux we can also capture the traffic passing through for further analysis.
As we know, VMware Workstation supports several connection modes such as Bridged, NAT, and Host-only. For the VMs we will mostly use the Host-only configuration. Bridged mode is not recommended, because the VM would be on the same network as the Host, so anything on that network could reach it.
The network configuration I use is as follows (shown as a diagram in the original post): Local Area Network, Host-Only Network (VM), NAT Network (VM).
You can view your VM network information through the Virtual Network Editor.
Additionally, if you want, you can completely isolate the Host-only network from the Host: open the Virtual Network Editor and uncheck the “Connect a host virtual network adapter to this network” option for the Host-only adapter.
By default the REMnux VM has only one network adapter; we need to add a second one and adjust the connection modes.
The method is as follows:
Go to the Virtual Machine Settings via [VM > Settings].
Click the existing [Network Adapter] and change its network connection mode to [NAT].
Add another network adapter by clicking the [Add] button, selecting [Network Adapter], and clicking [Finish].
Click on the newly created [Network Adapter 2] and change its network connection mode to [Host-only].
Click the [OK] button to save changes.
Next we will change the IP address and routing configuration:
Run ifconfig -a in Terminal to see a list of network interfaces.
In my VM, Network Adapter 1 (NAT) shows up as ens33 and Network Adapter 2 (Host-only) as ens37. This may differ in your VM.
Edit the network interface configuration file: sudo nano /etc/netplan/01-netcfg.yaml
I use a static IP for both interfaces. Here I use 192.168.246.100 for Network Adapter 1 (NAT); because the NAT interface is the one that reaches the internet, we also have to set its gateway and DNS, which here are 192.168.246.2 (see the Virtual Network Editor) and 126.96.36.199. For Network Adapter 2 (Host-only) I use 192.168.126.100. You can of course customize these.
Once finished, apply the configuration: sudo netplan apply
Run ifconfig -a again and make sure both interfaces are using the IP address that we set earlier.
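As an added example (not the post's own file), this is what /etc/netplan/01-netcfg.yaml looks like with the addresses from the steps above. It assumes /24 netmasks on both networks and uses gateway4, which both older and newer netplan versions accept (newer versions prefer a routes: entry):

```yaml
network:
  version: 2
  ethernets:
    ens33:                        # Network Adapter 1 (NAT): the interface that reaches the internet
      dhcp4: no
      addresses: [192.168.246.100/24]
      gateway4: 192.168.246.2     # NAT gateway as shown in the Virtual Network Editor
      nameservers:
        addresses: [126.96.36.199]
    ens37:                        # Network Adapter 2 (Host-only): the side the analysis VMs sit on
      dhcp4: no
      addresses: [192.168.126.100/24]
```

Only the NAT interface gets a gateway and DNS; the Host-only interface deliberately has no default route, so the only way out for the analysis VMs is through the forwarding and NAT rules set up on REMnux.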
Enable IP forwarding:
echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1
Next we create some iptables rules so that the VMs behind REMnux can access the internet. ens33 is my NAT interface, which has internet access, and 192.168.126.0/24 is the Host-only range used by the VMs.
sudo iptables -t nat -A POSTROUTING -o ens33 -s 192.168.126.0/24 -j MASQUERADE
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 192.168.126.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.126.0/24 -d 192.168.126.0/24 -j ACCEPT
That’s it. Now the network configuration in REMnux is complete.
Keep in mind that iptables rules are not persistent, so they do not survive a reboot. If you want the rules applied every time you reboot, you can create a script that runs at boot, or use the iptables-save and iptables-restore tools available in REMnux. Alternatively, install the iptables-persistent package (sudo apt install iptables-persistent).
If you don't feel comfortable having your public IP exposed to the internet while analyzing malware, you can use a VPN. We install it on the REMnux VM so that all VMs routed through this REMnux gateway use it.
The method is as follows:
sudo apt-get update
sudo apt-get install openvpn
Place your VPN configuration file in the /etc/openvpn/client/ directory, for example named myvpn.ovpn.
To start OpenVPN, use the following command:
sudo openvpn /etc/openvpn/client/myvpn.ovpn
If OpenVPN prints “Initialization Sequence Completed” in the terminal, you are now connected through the VPN.
Now we need to add more iptables rules so that forwarded traffic goes through this VPN. tun0 is the VPN interface (check it with ifconfig -a to be sure).
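Added example, not the post's own script: a small Python generator that renders the gateway rules from the iptables section, the PolarProxy redirect from the top of the page, and the VPN variant, in iptables-restore format, which is the file format iptables-save/iptables-restore and iptables-persistent work with. Interface and address values are the post's; the vpn_if option is my own tightening of the post's FORWARD rule (the post's exact VPN rules are not shown), and it assumes the tunnel interface is tun0:

```python
"""Added example (not part of the original post): render the gateway's iptables
rules in iptables-restore format so they can be loaded at boot."""
import ipaddress


def render_rules_v4(nat_if, lan_if, lan_cidr, proxy_port=None, vpn_if=None):
    """Return the contents of an iptables-restore file for the REMnux gateway.

    nat_if     -- interface with internet access (ens33 in the post)
    lan_if     -- Host-only interface the analysis VMs use (ens37 in the post)
    lan_cidr   -- Host-only range (192.168.126.0/24 in the post)
    proxy_port -- if given, redirect TCP/443 arriving on lan_if to PolarProxy on this port
    vpn_if     -- if given (e.g. tun0), LAN traffic is only ever forwarded out through
                  the tunnel; this is my tightening of the post's FORWARD rule, so that
                  nothing leaks out of nat_if if the tunnel goes down
    """
    lan = ipaddress.ip_network(lan_cidr)  # rejects a malformed range early
    egress = vpn_if or nat_if

    nat = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":INPUT ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
    ]
    if proxy_port:
        nat.append(f"-A PREROUTING -i {lan_if} -p tcp --dport 443 "
                   f"-j REDIRECT --to-ports {proxy_port}")
    nat.append(f"-A POSTROUTING -o {egress} -s {lan} -j MASQUERADE")
    nat.append("COMMIT")

    filt = [
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD DROP [0:0]",  # default deny for forwarded traffic, as in the post
        ":OUTPUT ACCEPT [0:0]",
    ]
    if proxy_port:
        filt.append(f"-A INPUT -i {lan_if} -p tcp --dport {proxy_port} "
                    f"-m state --state NEW -j ACCEPT")
    filt.append("-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT")
    filt.append(f"-A FORWARD -s {lan} -d {lan} -j ACCEPT")
    filt.append(f"-A FORWARD -s {lan} -o {egress} -j ACCEPT")
    filt.append("COMMIT")

    return "\n".join(nat + filt) + "\n"


if __name__ == "__main__":
    # Values from the post. Save the output as /etc/iptables/rules.v4 for
    # iptables-persistent, or feed it straight to `sudo iptables-restore`.
    print(render_rules_v4("ens33", "ens37", "192.168.126.0/24", proxy_port=10443))
```

Run it once with vpn_if="tun0" to get the VPN ruleset: the MASQUERADE and the FORWARD accept then name only the tunnel, and with the FORWARD policy at DROP nothing from the Host-only range is forwarded out of ens33 if OpenVPN disconnects.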
When you are done with all the configuration in the VM, it is highly recommended to make a snapshot so that you can revert to its original state if something goes wrong.
On the Windows VM we need to change the connection mode and its IP:
Go to the Virtual Machine Settings via [VM > Settings].
Click on [Network Adapter] and change its Network connection mode to [Host-only].
Click [OK] to save the changes.
After that, change the IP address in this VM via the network adapter settings in Control Panel.
In this VM I use IP 192.168.126.101 with the gateway set to the REMnux VM (192.168.126.100). For DNS I use Cloudflare's DNS, 188.8.131.52.
At this point the network configuration is in place; test that the VM can reach the internet properly.
For monitoring traffic on a VM network, you can run Wireshark or tshark in REMnux.
To simplify traffic analysis, we will now configure Wireshark to make it more comfortable to use.
Before changing any Wireshark settings, it is a good idea to create a separate profile. This is handy for switching between profiles, and for saving or copying the profile to another machine so it does not have to be set up from scratch.
First we’ll make a duplicate of the Default profile:
Click the [Edit] menu then [Configuration Profiles…]
Click on the Default profile, then click the copy button in the lower-left corner to copy the profile.
Rename the profile to, say, “Custom Profile”.
Click the [OK] button when done.
We will add columns such as Source Port, Dest Port, and Host, which are very useful for day-to-day analysis.
Right click on any column header, then click [Column Preferences…]
First we will add the Source Port column. Click the [+] button to add a column.
Double click on the newly created Title and type “Source Port”.
Double click on Type and, in the drop-down that appears, select “Src port (unresolved)”.
Second, we add the Dest Port column. Click on the [+] button to add a column.
Double click on the newly created Title and type “Dest Port”.
Double click on Type and, in the drop-down that appears, select “Dest port (unresolved)”.
Now we will add the Host column. Click on the [+] button to add a column.
Double click on the new Title and type “Host”.
Double click on Type and, in the drop-down that appears, select “Custom”.
Double click on Fields and enter “dns.qry.name || http.host || tls.handshake.extensions_server_name”
Then drag the newly created columns into the order you want.
Click the [OK] button to save.
By default Wireshark displays the time column as “Seconds Since Beginning of Capture”; I usually change it to local time or even UTC.
Click the [View] menu, then [Time Display Format], and select “UTC Date and Time of Day”.
Still in the same menu, set the precision to “Seconds” (the default is Automatic).
Wireshark's display filter is very useful when we only want to see the packets we care about. In most cases I just want web traffic, and I use the following filter:
In the filter box, enter:
(http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)
Here I want to show only HTTP requests (http.request), TLS Client Hello messages (tls.handshake.type == 1), TCP SYN packets (tcp.flags eq 0x0002), and DNS traffic. To minimize irrelevant data, I also exclude SSDP traffic (udp.port eq 1900).
To save the filter, click the [+] button next to the filter box.
In the Label field, enter a name for the filter, for example “My Filter” or “Web Traffic”.
Click [OK] when done.
Saved filters are quite handy: now you just click the [Web Traffic] button created next to the filter box instead of typing the filter again.
If you don't want to use the GUI version, you can use TShark as an alternative. TShark is the terminal-based version of Wireshark.
For example, if you want to capture traffic from all interfaces and save the results in a PCAP file, you can use the following command:
tshark -i any -w ~/tshark.pcap -P --color
The -P parameter prints the captured traffic to the terminal, the additional --color parameter colors the output just like Wireshark, and here I save the captured packets in the user's home directory as “tshark.pcap”.
When we capture traffic directly on the VM, Wireshark is often filled with irrelevant packets, such as SSDP (Simple Service Discovery Protocol), which can come from the Guest or even from the Host network. To handle this we can block those packets on the Host side with the Windows Firewall, so the Host does not send them to the Guest VMs.
For security reasons, I personally also don't want any information from the Host to be exposed to the Guest, so I usually block the other name-resolution and NetBIOS packets as well, so that they are not sent to the Guest VMs. This matters especially if your Host is also connected to an office network or office VPN.
Even small things, such as a DHCP lease renewal, are usually broadcast to the entire network. As another example, if you type a hostname that does not actually exist into the browser, for example “thisisjustarandomhostnameanditdoesntexist”, that request is also broadcast to all networks, including Guest VMs that use Host-only mode. So I try to minimize the information that can reach the Guest VM network as much as possible.
As you can see in the image above, I ran Wireshark on a Windows VM and it captured several MDNS and LLMNR packets coming from the Host.
So I usually block packets from:
SSDP (Simple Service Discovery Protocol, UDP Port 1900)
MDNS (Multicast DNS, UDP port 5353)
LLMNR (Link-Local Multicast Name Resolution, UDP port 5355)
NBNS/WINS (NetBIOS Name Service, UDP port 137)
BROWSER (UDP port 138)
The method is as follows:
On the Host side, go to Windows Defender Firewall with Advanced Security.
On the left side of the screen, right-click [Outbound Rules] and select [New Rule…]
In the “New Outbound Rule Wizard” window, select [Custom] and click [Next >]
Select [All programs] and click [Next >].
In “Protocol type” select [UDP], then in “Remote port” select [Specific Ports] and type the following ports: “1900, 5353, 5355, 137, 138”, then click [Next >] again.
In “Which local IP addresses does this rule apply to?” select [These IP addresses].
Next we add the local addresses this rule applies to by clicking the [Add…] button.
Select [This IP address or subnet:] and enter the IP of the Host-only network adapter on the Host side, in my case 192.168.126.1, then click the [OK] button.
Then add another IP in the same way by clicking the [Add…] button, this time the link-local IPv6 address of the Host-only network adapter on the Host, in my case “fe80::250a:cbca:aeab:1672”, then click the [OK] button.
If the IP has been added, then click [Next >].
Select [Block the connection] and click the [Next >] button.
In the next window select “Domain”, “Private”, and “Public” (usually checked by default), then click [Next >]
In the Name field you can enter “Block some ports for VM Host-only” and click [Finish]
You can apply these rules to other networks if you want, for example the NAT network.
Hints & Tips
If you want a script to run automatically at boot in REMnux, for example to recreate the iptables rules above after every reboot, you can put the commands in /etc/rc.local.
Emotet is a trojan that spreads quite widely. This time I will discuss a bit about how it generates file names on infected computers.
When a computer is infected by Emotet, it copies itself under a name that can differ on each system; for example, on my test VM the file was C:\Windows\SysWOW64\markupremote.exe.
This is a piece of assembly code for the function that determines the file name:
And this is the list of words it uses, separated by commas:
Decompiled, the pseudocode looks like this:
So basically it chooses two words using this algorithm, which is driven by the volume serial number (VSN) of the main hard drive; the VSN is fairly unique and varies from system to system. The two words are then concatenated and given the .exe extension.
Translated into Python, the function is roughly as follows:
def generate_name(volume_serial_number):
    # The full 64-word, comma-separated list is the one shown above; it is
    # truncated here to the first words quoted in the original snippet.
    words = "delete,band,ipsm,sspi,div,rdp,whole,dir,privacy,make,watched,pano,"
    len_words = len(words)
    name = ''
    div_value = volume_serial_number
    for iteration in range(2):
        # The remainder picks a character position inside the list; the
        # quotient, bitwise inverted and kept to 32 bits, seeds the next round.
        div_value, mod_value = divmod(div_value, len_words)
        div_value = ~div_value & 0xFFFFFFFF
        # Walk backwards to the comma before the chosen position (or the start)
        i = 0
        for i in range(mod_value - 1, -1, -1):
            if words[i] == ',':
                break
        if words[i] == ',':
            i += 1
        # Copy the word forward until the next comma
        for x in range(i, len(words), 1):
            if words[x] == ',':
                break
            name += words[x]
    return name + '.exe'
The list contains 64 words in total and two are chosen, so there are 4096 possible combinations.
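Added example, not the post's code and not Emotet's own: a cleaned-up version of the name-selection algorithm above, plus a function that enumerates every name the algorithm can produce for a given word list, which is the list a defender would hunt for on disk. WORDS is constructed from the twelve words visible in the post's snippet; the real sample uses the full 64-word list shown in the post, and the same functions apply to it unchanged:

```python
# Added example, not the post's code and not Emotet's own: a cleaned-up version of
# the name-selection algorithm plus the full set of names it can produce.
# WORDS is constructed from the twelve words visible in the post's snippet; the
# real sample uses the 64-word list shown in the post.
WORDS = "delete,band,ipsm,sspi,div,rdp,whole,dir,privacy,make,watched,pano"


def word_at(words, pos):
    """Return the comma-separated word covering character position `pos`.

    Mirrors the malware's backward scan: if `pos` lands on a comma, the word
    before that comma is returned.
    """
    start = words.rfind(",", 0, pos) + 1   # index just after the previous comma
    end = words.find(",", start)           # next comma, or -1 for the last word
    return words[start:] if end == -1 else words[start:end]


def emotet_name(vsn, words=WORDS):
    """Derive the two-word filename from a 32-bit volume serial number."""
    parts = []
    value = vsn & 0xFFFFFFFF
    for _ in range(2):
        value, pos = divmod(value, len(words))   # remainder -> position in the list
        value = ~value & 0xFFFFFFFF              # quotient inverted, kept to 32 bits
        parts.append(word_at(words, pos))
    return "".join(parts) + ".exe"


def hunt_list(words=WORDS):
    """Every filename the algorithm can produce for this word list.

    A position always resolves to a whole word, and as the serial number sweeps
    the 32-bit space both rounds reach every word, so the reachable set is the
    list crossed with itself: 12 words here -> 144 names, 64 words -> 4096.
    """
    items = words.split(",")
    return sorted({a + b + ".exe" for a in items for b in items})


def check_exhaustive(words=WORDS, samples=20000):
    """Cross-check: names from a sweep of serial numbers all fall in the hunt list."""
    allowed = set(hunt_list(words))
    step = 0x100000000 // samples
    return all(emotet_name(v, words) in allowed
               for v in range(0, 0x100000000, step))


if __name__ == "__main__":
    print(emotet_name(0x12345678))   # privacyipsm.exe
    print(len(hunt_list()))          # 144
```

Because the position is divided by the list length and later words are reached by character offset, longer words are selected more often than short ones; the hunt list is still just the cartesian product of the list with itself, so for the real 64-word list it is the 4096 names mentioned above.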
This is the Coloured Black color scheme that I use in my x64dbg debugger. It is a modified version of several existing black skins. The font is Droid Sans Mono.
I made it look similar to the color scheme I used in OllyDbg. It has probably been 15 years since I used OllyDbg, so it seems a bit difficult to move on. Hopefully with this skin I can use x64dbg more often. :D
FLARE On Challenge is a CTF (Capture The Flag) challenge held by FireEye, in early July 2014. As usual in a CTF, we are required to complete missions or puzzles to get the key or flag in question.
In FLARE On there are 7 levels of challenge, and as usual in every CTF competition, the higher the level, the more difficult and time-consuming it is, and it is all about reverse engineering. The targets we have to reverse also vary, ranging from PE files (.exe, .dll), .php, and .pdf to 64-bit ELF files (Linux executables). The tools I use are of course a debugger such as OllyDbg, a disassembler, and many more, plus a bit of Python scripting.
And thank God, today I received a special package from the FireEye Labs team: a prize in the form of a coin. Nice! The gift was sent from the USA and took approximately 6 months to reach my house, hahaha; that took a long time.
Actually I did this just for fun, casually, in my free time. At least I'm quite satisfied that I completed all the missions, and it's a pretty unique coin.