Capturing malware evidence with detonaRE
Lately I’ve been experimenting with a lot of different malware strains. Each time a sample executes, I follow the same process: initiate a packet capture, give the malware some time to spin up, and then run an evidence capture while the malware is still active. Then I revert to a snapshot, make some modifications to the environment, and run the process again.
To make things easier on myself (and to help with late afternoon brain fog), I decided to script the process out in PowerShell.
detonaRE - from Latin, to detonate
- initiates packet capture
- launches malware sample
- terminates packet capture after specified interval
- initiates evidence collection with Magnet RESPONSE (memory, process, and triage capture)
- converts collected .etl file (network capture) to .pcap with etl2pcapng.
variable configuration:
$malwspath = "E:" ## malware source path
$malwdpath = "C:\Users\REM\Desktop\Malware" ## malware destination path
$malware = "redline-76ca4a.exe" ## malware executable
$pcaptime = 180 ## duration in seconds for pcap capture
$toolsdir = "E:\Tools" ## MagnetRESPONSE.exe and etl2pcapng.exe
In my case I’ve got my malware file on the root of a USB device (E:) that will be attached to the VM. I want to copy the malware to the ‘Malware’ folder on the VM desktop. For this example the malware file is redline-76ca4a.exe. Any tools needed will be stored in E:\Tools.
I’m using the built-in netsh trace command (which requires an elevated prompt) to capture any network traffic in .etl format. Later on, we’ll convert the .etl to .pcap. This is the same process I utilized in the QuickPcap PowerShell script.
Once the packet capture is running, the malware file gets detonated. The packet capture will continue running for the set duration, the default being 180 seconds (3 minutes). It’s important not to terminate the packet capture too early: as you can see in the demonstration video below, once this particular sample is detonated it sleeps for a bit and doesn’t show as active on the system until about 45 seconds into the capture.
Once the packet capture is completed, I run the command line version of Magnet RESPONSE. If you’re a fan of CyberPipe, this is definitely one you’ll want to check out. Using Magnet RESPONSE I collect the memory (Comae DumpIt), pagefile, running processes (full process dumps) and a triage system collection. Note that these artifacts can be scaled down by adjusting the Magnet RESPONSE CLI parameters.
Finally, when that’s all done, the .etl file gets converted to .pcap via etl2pcapng.exe. I then transfer the collected files to my analysis machine, and the real fun begins.
update (a day later): version 1.1 now also launches Process Monitor with a filter applied for the malware sample being detonated.
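The pipeline described above, written out as a single PowerShell script. This is an added example assembled from the steps in the post, not the detonaRE.ps1 source itself. The variable names match the configuration block earlier on the page; the evidence folder, the timestamped file names, the saved Process Monitor filter (malware-filter.pmc) and the SHA-256 manifest are assumptions of the example. The Magnet RESPONSE switches are deliberately left as a placeholder to be filled from that tool's own CLI help, since they are not reproduced on this page. Run it from an elevated prompt inside an isolated, snapshotted VM with no route to your analysis network.

```powershell
# Added example: a detonation pipeline built from the steps the post describes.
# Not the detonaRE.ps1 source. Run elevated, inside an isolated, snapshotted VM only.

$malwspath = "E:"                               # malware source path (USB root)
$malwdpath = "C:\Users\REM\Desktop\Malware"     # malware destination path
$malware   = "redline-76ca4a.exe"               # malware executable
$pcaptime  = 180                                # seconds to let the capture run
$toolsdir  = "E:\Tools"                         # MagnetRESPONSE.exe, etl2pcapng.exe, Procmon.exe
$evidence  = Join-Path $malwdpath "evidence"    # assumption: output folder for this run

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$etl    = Join-Path $evidence "capture-$stamp.etl"
$pcapng = Join-Path $evidence "capture-$stamp.pcapng"
$pml    = Join-Path $evidence "procmon-$stamp.pml"

New-Item -ItemType Directory -Force -Path $malwdpath, $evidence | Out-Null

# 1. Stage the sample inside the VM.
$sample = Join-Path $malwdpath $malware
Copy-Item -Path (Join-Path $malwspath $malware) -Destination $sample -Force

# 2. Start the packet capture (.etl) with netsh trace. maxsize is in MB;
#    overwrite=yes keeps a leftover file from a previous run from blocking the start.
netsh trace start capture=yes tracefile="$etl" maxsize=512 overwrite=yes | Out-Null

# 3. Process Monitor, pre-filtered for the sample (the v1.1 addition).
#    malware-filter.pmc is an assumed, previously saved Procmon filter;
#    /BackingFile writes the log to disk so it survives the sample killing the GUI.
$procmon = Join-Path $toolsdir "Procmon.exe"
$pmc     = Join-Path $toolsdir "malware-filter.pmc"
if (Test-Path $procmon) {
    $pmArgs = @("/AcceptEula", "/Quiet", "/Minimized", "/BackingFile", $pml)
    if (Test-Path $pmc) { $pmArgs += @("/LoadConfig", $pmc) }
    Start-Process -FilePath $procmon -ArgumentList $pmArgs
    Start-Sleep -Seconds 5
}

# 4. Detonate. Start-Process returns immediately; do not -Wait on it, because a
#    sample that sleeps or injects into another process may never exit.
$proc = Start-Process -FilePath $sample -WorkingDirectory $malwdpath -PassThru
Write-Host "Detonated $malware (PID $($proc.Id)); capturing for $pcaptime seconds"

# 5. Let the capture run for the full interval (the sample may sleep before acting).
Start-Sleep -Seconds $pcaptime

# 6. Stop Procmon (flushes the backing file), then stop the packet capture.
if (Test-Path $procmon) {
    Start-Process -FilePath $procmon -ArgumentList "/Terminate" -Wait
}
netsh trace stop | Out-Null

# 7. Evidence collection with Magnet RESPONSE while the sample is still live.
#    Placeholder: fill $magnetArgs from the tool's command-line help (memory,
#    pagefile, process dumps, triage) and point its output at $evidence.
$magnet     = Join-Path $toolsdir "MagnetRESPONSE.exe"
$magnetArgs = @()   # assumption: populate from the Magnet RESPONSE CLI documentation
if ($magnetArgs.Count -gt 0) {
    Start-Process -FilePath $magnet -ArgumentList $magnetArgs -Wait
} else {
    Start-Process -FilePath $magnet -Wait
}

# 8. Convert the .etl for Wireshark. etl2pcapng writes pcapng, not classic pcap,
#    so the output is named accordingly.
& (Join-Path $toolsdir "etl2pcapng.exe") $etl $pcapng

# 9. Hash everything collected so the copy to the analysis machine can be verified.
Get-ChildItem -Path $evidence -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $evidence "hashes-$stamp.csv") -NoTypeInformation
```

Two practical notes. The capture is stopped before the evidence collection, matching the order in the post, but Procmon is terminated first so its backing file is flushed before the memory and process dumps begin. And because netsh trace also writes a .cab of system information next to the .etl, expect more than one capture artifact in the evidence folder when you copy it off the VM.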
https://youtu.be/Waxo351UucM
detonaRE v1.0
https://youtu.be/XsnuJ_yJm3I
detonaRE.ps1 v1.1 now includes Process Monitor
https://youtu.be/lHi7zH9BicM
detonaRE version 1.2 demo