Jump to content

Recommended Posts

Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Second part of this article is also applicable to KSB 2.0, details about it below.

It's rather hard to understand if malware channel works on KATA Sandbox or not. Here's a simple and reliable way of doing it.

Step-by-step guide

  1. Create a .bat script with commands that you would normally execute in console to check internet connection - like ping or tracert, - and redirect commands output to file. Here's the example of such script.
  2. Upload this script to Storage and wait for it to be scanned:
    image.thumb.png.6f29d7427bac39e24b1e615d9351f41c.png
  3. After the scan completes, download debug info with scan results.
  4. Unpack scan results using the password 'infected' without quotes.
  5. In folder task0 or folder task1, rename the file internal_tracing_report to internal_tracing_report.zip and unpack it.
    image.thumb.png.a7dc98d8e92b992ac9c559519befe060.png
  6. Open the file files.list with notepad and note the name of file that you used for commands output redirection (results.txt in our example script)
    image.thumb.png.ef1307b7527cdc75a878511607dbccb1.png
  7. Open the file with notepad to see the command results:
    image.thumb.png.706094e4cc17a690e5d99dfc631c23dd.png
  8. Done! You will see the output of ping/tracert commands. In our example, ping command succeeded, but tracert failed with DNS problems, which means malware channel does not work properly and detection rate will be significantly decreased.

How to test DNS on malware channel

There is also an option to test DNS without running samples in Sandbox. Sandbox server uses core DNS servers in the wild web, not the ones specified in WebUI. DNS servers are accessed by VMs via local unbound server, which attempts to run DNS queries via internet interface.

Interface namespace may be different, so in order to identify yours execute (after identifying proper dom* name execute command above):

cd /var/run/netns
ll

Example:

image.png.c22d1c3ac7f5f6a48e1fcfc81b8ae372.png

First, you need to jump to internet interface's namespace:

/opt/kaspersky/sandbox/bin/ns_exec /var/run/netns/dom1 /bin/bash

Then, test name resolution via local DNS server:

dig @127.0.0.1 google.com

Example:

image.thumb.png.ce4bab94115a9fc51526cb68ba61ab21.png

You can also test pings same way:

/opt/kaspersky/sandbox/bin/ns_exec /var/run/netns/dom1 /bin/ping -c 3 8.8.8.8
Do not forget to exit the namespace via exit command!
  • Like 1

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...