Forum Thread: Catching/Analysing Malware with New Dionaea Version

Hello my hacker friends! I have been exploring the world of honeypots for the past 2 weeks and noticed there is not a lot of good documentation on the Internet on installing the new Dionaea and what to do with it afterwards, so I figured I would add some commentary here so I can share the fun/hacker love.

First things first, there is a great article on here about deploying Dionaea on a VPS, but it does not go into much detail on what to do next. Well, I will show you some things you need to be successful, here and now! (My struggles are your success.)

We need a VPS provider. I usually use Digital Ocean and Linode, and I just turned up a honeypot from Vultr (no, I am not endorsing these companies, I am just trying to stick to a $5 per month per honeypot deployment. There are lots to choose from online).

I have tried deploying Dionaea with MHN (Modern Honeypot Network), but I noticed the script is for the older Dionaea version, which does not support SMBCry, WannaCry, etc.

Links to the MHN install can be found here, and/or Google around if you're interested.

https://www.anomali.com/blog/deploying-managing-and-leveraging-honeypots-in-the-enterprise-using-open-so

So at first I installed Dionaea, Kippo, POD, Snort, all that jazz, had the live maps of attacks and all; it was great and I thank them for all their hard work, BUT after I got bored of all that, I wanted to break down the malware and get to the good stuff. I also happened to notice they had just upgraded Dionaea for WannaCry and SMBCry, so I figured I'd wipe everything out and just use Dionaea. This is how I did it.

1) Pick your VPS provider and use Ubuntu 14.04 x64. I have never tried another version, so don't ask me if it works.

2) Type in the commands below, or make a script with "sudo nano install.sh", paste the script in, save it, and run it with "bash install.sh" (or whatever else you might want to name it).

*Start Script*

#!/bin/bash
# Stop at the first failing command so a half-finished install is obvious.
set -e

# Base system update and the package that provides add-apt-repository
sudo apt-get -y update
sudo apt-get -y dist-upgrade
sudo apt-get -y install software-properties-common

# Add the Honeynet nightly PPA (-y skips the "press ENTER" prompt) and install Dionaea
sudo add-apt-repository -y ppa:honeynet/nightly
sudo apt-get -y update
sudo apt-get -y install dionaea

# build-dep needs deb-src entries; Ubuntu VPS images usually ship them commented out
sudo sed -i 's/^# *deb-src/deb-src/' /etc/apt/sources.list
sudo apt-get -y update
sudo apt-get -y build-dep curl

# Build a newer curl from source and install it into /usr
mkdir -p ~/curl
cd ~/curl
wget http://curl.haxx.se/download/curl-7.50.2.tar.bz2
tar -xvjf curl-7.50.2.tar.bz2
cd curl-7.50.2
./configure --prefix=/usr
make
sudo make install
sudo ldconfig
curl -V    # confirm the freshly built curl is the one on PATH

sudo service dionaea start

# This will change the time zone; I like to do this as I want the malware time to match my local time
sudo dpkg-reconfigure tzdata

*End script*

3) BOOM, once this is successfully installed, the newest Dionaea is running and working.
We can check the log file live with

tail -f /opt/dionaea/var/dionaea/dionaea.log

or just "nano /opt/dionaea/var/dionaea/dionaea.log"
if you want to view the file not live,

to make sure we see some connections and traffic happening.

Also NOTE: your binaries will be listed in your /opt/dionaea/var/dionaea/binaries/ folder
(things no one told me).

4) Wait for the malware (sometimes this can take 30 minutes, sometimes hours). You can see connection attempts in your Dionaea log; you can also configure warnings and errors to be enabled or disabled based on what you like, with the original Dionaea setup article on Null Byte.

5) I GOT MALWARE!!! WOOHOO, JUMP UP AND DOWN, ooh yeah. What do I do with it now, you ask?

6) We need to look at the data inside: URLs, strings, registry keys, etc. I know a lot of people use IDA or IDA Pro, but I am not that familiar with it; I have played around with it, but that's another rabbit hole I need to go down to learn... BUT I did discover PPEE the other day and it is much easier to work with and use for beginners.

7) You can download PPEE (Professional PE file Explorer) and open your malware to see the code inside and the coolness you're looking for. You can also run the malware through VirusTotal with PPEE, from within the program. (Another reason I like it.)

https://www.mzrst.com/

8) Tips to go by. I download my malware inside a VM using VirtualBox. I have a separate HDD I swap out, boot Windows, and then boot Windows into a VM with VirtualBox. I ALSO use a VPN when downloading or running malware live; this is meant to try and be safer and disguise my IP when playing around with this stuff. ALSO, I use WinSCP to connect and transfer the malware.

9) Enjoy, my hacker friends! Also, here are some useful commands and/or file locations:

tail -f /opt/dionaea/var/dionaea/dionaea.log        (follow the log live)
/opt/dionaea/var/dionaea/binaries/                  (where captured binaries land)
ls -la /opt/dionaea/var/dionaea/binaries/           (list captures with sizes and timestamps)
df -h                                               (disk usage; the log and binaries folder grow)
who -H                                              (who is logged in, with column headings)
nano /opt/dionaea/var/dionaea/dionaea.log           (view the log not live)
top or htop                                         (system resources)
I like to use htop to monitor system resources sometimes (sudo apt-get install htop)
You can search for files in the root directory with the command ( find / -iname "dionaea.log" )

/opt/dionaea/etc/dionaea/dionaea.cfg (the log file fills up quick, so taking out warning and just leaving errors is a good idea)

10) Also, please note I am not an expert on everything. I will try my best, though, if asked any questions.

If you like my writing, check out my site at http://ethicalredteam.com
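As an added example (not from the post or from the Dionaea project): a small Python script that hashes everything in the binaries folder the post mentions, sniffs each file's type from its magic bytes, and flags repeats, so you can look a SHA-256 up before uploading a sample anywhere. Off the honeypot it falls back to a constructed temp directory of stand-in files.

```python
import hashlib
import tempfile
from pathlib import Path

BINARIES_DIR = Path("/opt/dionaea/var/dionaea/binaries")  # path from the post
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"#!": "script", b"PK\x03\x04": "zip"}

def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no magic matches."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"

def sha256_file(path: Path) -> str:
    """Stream-hash so a large capture never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(binaries_dir: Path, known: set) -> list:
    """One record per file; 'new' is False for hashes in `known` or seen earlier in the walk."""
    seen, rows = set(known), []
    for p in sorted(binaries_dir.iterdir()):
        if not p.is_file():
            continue
        with p.open("rb") as f:
            head = f.read(8)
        digest = sha256_file(p)
        rows.append({"name": p.name, "size": p.stat().st_size, "type": sniff_type(head),
                     "sha256": digest, "new": digest not in seen})
        seen.add(digest)
    return rows

def make_sample_dir() -> Path:
    d = Path(tempfile.mkdtemp())  # constructed stand-ins, not real captures
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"  # DOS stub + PE signature only
    (d / "sample1").write_bytes(fake_pe)
    (d / "sample2").write_bytes(b"#!/bin/sh\necho constructed sample\n")
    (d / "sample3").write_bytes(fake_pe)  # same bytes again: honeypots see lots of repeats
    return d

if __name__ == "__main__":
    target = BINARIES_DIR if BINARIES_DIR.is_dir() else make_sample_dir()
    for r in inventory(target, known=set()):
        flag = "NEW" if r["new"] else "dup"
        print(f"{r['sha256']}  {r['type']:<8}{r['size']:>8}  {flag}  {r['name']}")
```

Feed `inventory()` the set of hashes you have already looked at and only the NEW rows need attention; the dup rows are the same payload being re-delivered.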

3 Responses

This is fucking great.

Thanks for writing this. It's relevant, detailed, and cool. If you're interested in writing more hit me up, my PGP fingerprint is 1471 DCC7 9642 7342 EC27 CAD6 9597 F559 97BB FCD1

I'll have to pass for now, but thanks for the offer; I just wanted to share some information with everyone.
