Tuesday, August 29, 2017

I Smell A RAT – Learning about Poison Ivy – The Setup

In this series of posts, I’m continuing with the Open Security Training materials, with this set of posts focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this I hope you find it helpful.

In this post we will look at setting up and configuring Poison Ivy. In the next post we will look at its capabilities, and in the final post we will try to analyze it and learn how to detect it.

My lab consists of two virtual machines: a Linux virtual machine, which will be my command and control (C2) box and run the Poison Ivy client, and a Windows XP machine, which will run the Poison Ivy server. Note that Poison Ivy reverses the usual naming: the “server” is the implant that runs on the victim, and the “client” is the operator’s console that the implant calls back to. On loading the Poison Ivy executable on the Linux machine we get the EULA screen:

Once we acknowledge the EULA, the next screen is the home screen:

From here we select the “File” menu and then “New Server”. This is the executable that will be “sent” to the victim machine; when it is executed there, it connects back to our C2 box, which from Poison Ivy’s perspective is the “Client”.

Next up is to focus on the connection information:

From above, I’ve added multiple C2 server IPs as well as some domain information. The list consists of:,,,,

Once the C2 servers have been added, click “Next” at the bottom right, which brings up the “Install” screen. In my example below I’ve set the persistence mechanism to “HKLM/Run” (the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key) with the value name “SecurityNik_PIvy_Agent”. I’ve also enabled “Copy File” and given it the filename “secnik_piv.exe”. This copies the file to the “system” folder, and since “Copy file to Alternate Data Streams” is enabled as well, the copy is written into an Alternate Data Stream. Both the HKLM Run key and the system folder are writable only by an administrator; this works here because the default Windows XP account is a local administrator, and the implant would not be able to persist this way on a least-privilege account.

Once the above is completed, click “Next” at the bottom right of the screen. This brings up the “Advanced” window. I did not modify anything in this window, so click “Next” again, which brings up the “Build” screen.

In the “Build” screen I chose “Generate” to generate the new binary, which brings up the window to save the file, as shown below:

Once the above file is saved, click “OK”.

Now that the file has been generated, I’ve used Python’s SimpleHTTPServer module to serve the file to the victim machine (on Python 3 the equivalent is the http.server module, run as python3 -m http.server 8000). Keep in mind that this serves the entire working directory to anyone who can reach port 8000, so run it from a directory that contains only the payload and only on the isolated lab network.

Below we see Python’s SimpleHTTPServer serving up the file:

securitynik@siftworkstation:~/MalwareClass/PoisonIvy-2$ python -m SimpleHTTPServer 8000
Serving HTTP on port 8000 ...
 - - [03/Aug/2017 17:56:01] "GET / HTTP/1.1" 200 -
 - - [03/Aug/2017 17:56:07] "GET /SecurityNik_PoisonIvy.exe HTTP/1.1" 200 -
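Two things worth doing at this point that the walkthrough above does not show: record the SHA-256 of the server binary you just built, so the sample can be matched on disk and in memory in the later analysis posts, and confirm from the SimpleHTTPServer output which host actually fetched it (a directory listing or a 404 is not a delivery). The Python 3 script below is an added example and is not part of the original post or of Poison Ivy; the log lines and the 192.168.56.x addresses in it are constructed lab placeholders, since the real addresses are not preserved in this copy of the post.

```python
import hashlib
import re
from collections import namedtuple

# SimpleHTTPServer (Python 2) and http.server (Python 3) both log requests
# to stderr as:  <client> - - [<date/time>] "<method> <path> <proto>" <status> -
# <client> is normally the IP, but Python 2's address_string() may print a
# hostname if reverse DNS resolves, so the pattern accepts any non-space run.
LOG_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) -$'
)

Fetch = namedtuple("Fetch", "client when method path status")


def parse_access_log(lines):
    """Turn the server's console output into Fetch records, ignoring the
    'Serving HTTP on ...' banner and any line that is not a request log."""
    fetches = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            fetches.append(Fetch(m.group("client"), m.group("when"),
                                 m.group("method"), m.group("path"),
                                 int(m.group("status"))))
    return fetches


def payload_deliveries(lines, payload_name):
    """Clients that fetched the payload with a 200, in log order.
    A 404 or a directory listing ('GET /') does not count as a delivery."""
    wanted = "/" + payload_name
    return [f.client for f in parse_access_log(lines)
            if f.method == "GET" and f.path == wanted and f.status == 200]


def sha256_hex(data):
    """SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """SHA-256 of the built server binary, read in chunks. Record this
    before deploying so the sample can be matched in later analysis."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample output (assumption): lab-only placeholder addresses,
# not the ones from the original post.
SAMPLE_LOG = """\
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.56.101 - - [03/Aug/2017 17:56:01] "GET / HTTP/1.1" 200 -
192.168.56.101 - - [03/Aug/2017 17:56:07] "GET /SecurityNik_PoisonIvy.exe HTTP/1.1" 200 -
192.168.56.102 - - [03/Aug/2017 17:58:12] "GET /SecurityNik_PoisonIvy.exe HTTP/1.1" 404 -
""".splitlines()

if __name__ == "__main__":
    import sys
    # Usage: python3 check_delivery.py [payload.exe] [saved_server_output.log]
    # Without arguments it runs against the constructed SAMPLE_LOG above.
    name = sys.argv[1] if len(sys.argv) > 1 else "SecurityNik_PoisonIvy.exe"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            log = fh.read().splitlines()
    else:
        log = SAMPLE_LOG
    try:
        print("payload sha256:", sha256_file(name))
    except OSError:
        print("payload %s not found in this directory, skipping hash" % name)
    print("delivered to:", payload_deliveries(log, name))
```

Redirect the server’s stderr to a file (python -m SimpleHTTPServer 8000 2> server.log) and pass that file as the second argument; the script then tells you which guest pulled the binary and when, which is also the timestamp to look for in the Windows XP guest’s artifacts in the forensics post.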
Now that the Poison Ivy server has been built and the file has been “delivered” to the victim machine, it’s time to set up the Poison Ivy client, i.e. the listener on our C2 box.

From Poison Ivy’s “File” menu, select “New Client”. This brings up the screen below.

In the above example I left everything at the defaults and chose “Start”. This brings up the screen below, which shows Poison Ivy waiting for connections.

At this point the setup is completed.

Let’s do one more thing before we go to the next post: execute “SecurityNik_PoisonIvy.exe” on the Windows XP machine, the Poison Ivy server. Once it has run successfully, the client shows the following.

As shown above, the implant on the Windows XP machine at “” has successfully registered with our client.

See you in the next post where we look at learning more about Poison Ivy’s capabilities.


Other posts in this series:

I smell a RAT – Learning about Poison Ivy – Live Forensics Analysis
