In this series of posts, I’m continuing with the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.
You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this, I hope you find it helpful.
In this post, we will be learning more about setting up and configuring Poison Ivy. In the next post we will look at its capabilities, while in the final post we will try to analyze it and learn more about detecting it.
My lab consists of 2 virtual machines: a Linux virtual machine which will be my command and control (C2) server/Poison Ivy client, and a Windows XP machine which will be the Poison Ivy server. On loading up the Poison Ivy executable in Linux we get the EULA screen:
Once we acknowledge the EULA, the next screen is the home screen:
From here we next select the “File” menu and choose “New Server”. This is the executable which will be “sent” to the client and, when it is executed, it will connect back to our C2 server or, from Poison Ivy’s perspective, our “Client”.
Next up is to focus on the connection information:
From above, I’ve added multiple C2 server IPs as well as some domain information. The list consists of:
10.10.10.1:3460:0,
10.0.0.103:3460:0,
192.168.0.1:3460:0,
172.16.23.5:3460:0,
securitynik.web:3460:0,
ivy.securitynik.web:3460:0,
malware.securitynik.wejb:3460:0,
Once the C2 servers have been added, click “Next” at the bottom right, which now produces the “Install” screen. In my example below I’ve set the persistence mechanism to HKLM/Run with the “Name” as “SecurityNik_PIvy_Agent”. I’ve also enabled “Copy File” and provided it with the filename “secnik_piv.exe”. This will copy the file to the “system” folder and will also leverage Alternate Data Streams through “Copy file to Alternate Data Streams”.
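As an added defender’s check, not part of the original post or of Poison Ivy itself, the PowerShell below enumerates Run-key persistence entries like the one configured above and reports any target that sits in the system folder, points at an alternate data stream path, or carries ADS. It assumes PowerShell 3.0 or later for `Get-Item -Stream`; the value name “SecurityNik_PIvy_Agent” is the one chosen in this lab and is only a convenience match.

```powershell
# Added triage check (not from the original post): list Run-key entries and
# flag targets in the system folder, ADS-style paths, or files carrying ADS.
# Assumes PowerShell 3.0+ so that Get-Item -Stream is available.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyTargets {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            # Strip surrounding quotes and any arguments to recover the executable path
            $raw = [string]$p.Value
            $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $raw; Exe = $exe }
        }
    }
}

function Get-AlternateStreams([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # ':$DATA' is the file's main stream; every other stream name is an ADS
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object -ExpandProperty Stream
}

$systemDir = [Environment]::SystemDirectory
foreach ($t in Get-RunKeyTargets) {
    $flags = @()
    $ads = @(Get-AlternateStreams $t.Exe)
    if ($ads.Count -gt 0)                         { $flags += "ADS present: $($ads -join ', ')" }
    if ($t.Exe -match '^[A-Za-z]:\\.*:')          { $flags += 'target path references a stream' }
    if ($t.Exe -like "$systemDir\*")              { $flags += 'target lives in system folder' }
    if ($t.Name -eq 'SecurityNik_PIvy_Agent')     { $flags += 'matches the lab value name' }
    $note = if ($flags.Count -gt 0) { '[' + ($flags -join '; ') + ']' } else { ''}
    '{0}\{1} -> {2} {3}' -f $t.Key, $t.Name, $t.Command, $note
}
```

Run it on the victim VM after the generated binary has executed; a clean baseline run before infection makes the new entry stand out.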
Once the above is completed, click “Next” at the bottom right of the above screen. This then brings up the “Advanced” window. I did not modify anything in this window, so click “Next”, which then brings up the “Build” screen.
In the “Build” screen, I chose “Generate” to generate the new binary, which brings up the window to save the file as shown below:
Once the above file is saved, click “OK”.
Now that the file has been generated, I’ve leveraged Python’s Simple HTTP Server to serve the file to the client.
From below, we see Python’s Simple HTTP Server serving up the file:
securitynik@siftworkstation:~/MalwareClass/PoisonIvy-2$ python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
10.0.0.101 - - [03/Aug/2017 17:56:01] "GET / HTTP/1.1" 200 -
10.0.0.101 - - [03/Aug/2017 17:56:07] "GET /SecurityNik_PoisonIvy.exe HTTP/1.1" 200 -
Now that the setup for the Poison Ivy server is complete and the file has been “delivered” to the client, it’s now time to set up the Poison Ivy client.
From Poison Ivy’s “File” menu, select “New Client”. This brings up the screen below.
In the above example, I left everything at its defaults, then chose “Start”. This now brings up the screen below, which shows Poison Ivy waiting for connections.
At this point the setup is completed.
Let’s do one more thing before we go to the next post, and that is to execute “SecurityNik_PoisonIvy.exe” on the Poison Ivy server. Once executed successfully, this then produces the following.
As shown above, our client at “10.0.0.101” has successfully registered.
See you in the next post where we look at learning more about Poison Ivy’s capabilities.
Other posts in this series:
I smell a RAT – Learning about Poison Ivy – The Setup
I smell a RAT – Learning about Poison Ivy – The Capabilities
I smell a RAT – Learning about Poison Ivy – Live Forensics Analysis