PMA 30: Windows 2016 Cloud Machine for Malware Analysis (15 pts)

What you need

Task 1: Creating a Google Cloud Account

Sign in to Gmail

Open Chrome or Firefox and go to https://gmail.com

Sign in to your Gmail account. You can use a CCSF account or a personal Gmail account.

Open this page:

https://cloud.google.com/free/

Click "TRY IT FREE".

On the next page, fill out the form, as shown below, and click "AGREE AND CONTINUE".

Fill in the next page. You must enter a credit card number, but Google states that you won't be charged unless you agree to that later.

Click "START MY FREE TRIAL"

A box says you have $300 in free trial credit, as shown below.

On the next page, click "Compute Engine", "VM instances", as shown below.

The "VM instances" page appears, as shown below. Click the "Enable Billing" button.

If the "Enable Billing" button is not visible, at the top left, click the three-bar icon. Then click Billing. You can enable billing on that page.

Wait while it gets ready.

When it's ready, you see the screen shown below. Click Create.

Task 2: Setting up a Windows Server 2016 Cloud Machine

From the Google Cloud Console page, in the left sidebar, click "Compute Engine" and then "VM instances".

Click "Create Instance"

Type in a name of "win16-yourname", replacing yourname with your name, or whatever you want.

Under "Machine type", select n1-standard-4 (4 vCPUs, 15 GB memory).

Click "Change" next to "Boot Disk".

On the Boot disk page, select an Operating system of "Windows Server" and a Version of "Windows Server 2016 Datacenter, Server with Desktop Experience", as shown below.

At the bottom of the page, click the blue Select button.

At the bottom of the "Create an instance" page, click the blue "Management, security, disks..." text, as shown below.

Set Preemptibility to On, as shown below. This makes your machine much cheaper, and it also shuts the machine down every 24 hours, which will make your trial credit last longer.

At the bottom of the page, click the blue Create button.

Wait a minute or two for the instance to be created.

Assigning a Static IP Address

In Google Cloud Console, at the top left, click the three-bar icon.

Scroll down to the Networking section. Point to "VPC network" and click "External IP addresses", as shown below.

In the "External IP addresses" page, look in the "In use by" column to find your new Windows instance. In the Type column, click the down arrow next to Ephemeral, as shown below.

Change the Type to Static. Assign your IP address a name and click RESERVE.

Preparing for RDP Access

Next to your new Windows instance, click the "RDP" drop-down and click "Set Windows Password".

Leave the username at its default setting (probably your Google account name) and then click "SET".

Copy the password for the account and save it in a safe place. Click "Close".

Click "RDP" next to your Windows Instance and "Download the RDP File".
Make a note of where it is saved to (usually /Downloads).
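The Task 2, static IP, and Windows password steps above can also be done from the Google Cloud SDK command line. The script below is an added example, not part of the original lab; it assumes gcloud is installed and logged in on your own computer, that the project already has billing enabled, and the zone, region, instance name, and Windows username shown are all placeholder values to change.

```powershell
# Added example: CLI equivalent of the console steps in Task 2 and the
# "Assigning a Static IP Address" / "Preparing for RDP Access" sections.
# Not part of the original lab. Assumes gcloud is installed and authenticated
# (gcloud auth login; gcloud config set project <your-project>). The values
# below are assumptions; change them to suit.
$Name        = "win16-yourname"
$Zone        = "us-central1-a"
$Region      = "us-central1"
$AddressName = "$Name-ip"
$User        = "yourname"   # the Windows account the password will be set for

# Task 2: n1-standard-4 (4 vCPUs, 15 GB), Windows Server 2016 Datacenter with
# Desktop Experience (image family windows-2016 in the public windows-cloud
# project), preemptible so it is cheaper and stops after 24 hours.
gcloud compute instances create $Name `
    --zone=$Zone `
    --machine-type=n1-standard-4 `
    --image-family=windows-2016 `
    --image-project=windows-cloud `
    --preemptible

# Static IP: reserve a regional address, then swap the instance's ephemeral
# external address for it. gcloud names the default access config
# "external-nat", which is what delete-access-config removes by default.
gcloud compute addresses create $AddressName --region=$Region
$StaticIp = (gcloud compute addresses describe $AddressName --region=$Region --format="value(address)").Trim()
gcloud compute instances delete-access-config $Name --zone=$Zone
gcloud compute instances add-access-config $Name --zone=$Zone --address=$StaticIp

# Preparing for RDP: set a Windows password for the account. The command asks
# for confirmation and prints the password once; save it somewhere safe, as the
# lab says. Wait until the instance has finished its first boot, or the command
# reports that the guest environment is not ready yet.
gcloud compute reset-windows-password $Name --zone=$Zone --user=$User

# Write the same kind of .rdp file the console's "Download the RDP File"
# button produces, so the Remote Desktop client can open it directly.
$RdpPath = Join-Path $HOME "Downloads\$Name.rdp"
@(
    "full address:s:$StaticIp",
    "username:s:$User"
) | Set-Content -Path $RdpPath -Encoding ASCII
Write-Host "RDP file written to $RdpPath; use the password printed above."
```

Run it from a PowerShell window on your own computer, not on the server. The reset command replaces any existing password for that account, so run it only once per account.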

Getting a Remote Desktop Client

For Windows users:
Use the built-in Remote Desktop Connection client. For help, see https://support.microsoft.com/en-us/search?query=remote%20desktop

For Mac users:
Download and install the Microsoft Remote Desktop client.
https://itunes.apple.com/us/app/microsoft-remote-desktop/id1295203466

Choose "Open APP Store" in the popup.

Click "GET" when the App Store loads.

Depending on your security settings, you may have to enter your Apple iCloud account password to install Microsoft Remote Desktop.

After setting up the Remote Desktop client on your Windows or Mac computer, locate the RDP file you downloaded earlier and open it (double-clicking it should load the client automatically).

If you get the error "We couldn't connect to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled.", the machine could still be setting up; wait a few minutes and try again.

Click "Continue" if you encounter "The certificate could not be verified to a root certificate".

Type in or paste the password that was generated earlier and click "Continue".

Again, click "Continue" if you encounter "The certificate could not be verified to a root certificate".

Your Windows RDP connection should load.

Task 3: Lowering Security Settings

If a "Set device to discoverable" prompt pops up, you can ignore it by clicking outside of it.

Blocking Automatic Updates

Updates are important for security, but for this class we want a vulnerable target machine, so we'll stop them.

On your Windows Server 2016 desktop, in Server Manager, on the top right, click Tools, "Windows PowerShell", as shown below.

In PowerShell, execute this command:

sconfig
A menu appears, as shown below. Enter these values:

A command-line window opens, and after a minute or two an "Update Settings" box should pop up.
Click OK.

Disabling IE Enhanced Security Configuration

This setting prevents you from downloading software directly on the server, because doing that on a production server is a poor practice.

We want to allow that, so do these steps:

In Server Manager, on the left side, click "Local Server". On the right side, find "IE Enhanced Security Configuration". Click the word On next to it, as shown below.

In the "Internet Explorer Enhanced Security Configuration" box, click both Off buttons, as shown below.

Click OK.
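Both Task 3 changes can also be made from PowerShell and verified afterwards, which is useful if the sconfig menu or the Server Manager dialog does not behave. The script below is an added example, not part of the original lab; it uses the documented Windows Update policy value NoAutoUpdate=1 in place of sconfig's manual-update option (a substitution, not what sconfig writes), and the two Active Setup component GUIDs that back the Administrators and Users halves of IE Enhanced Security Configuration.

```powershell
# Added example: registry equivalents of the two Task 3 changes, plus a check
# of the resulting state. Not part of the original lab. Run in an elevated
# PowerShell on the Windows Server 2016 VM; both changes lower security and
# are intended only for this throwaway analysis machine.

# 1. Block automatic updates via the Windows Update policy key.
#    (sconfig's "Manual" option achieves the same effect by a different key.)
$AuKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
New-Item -Path $AuKey -Force | Out-Null
Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 1 -Type DWord

# 2. Disable IE Enhanced Security Configuration for both Administrators and
#    Users, the same as clicking both "Off" buttons in the Server Manager dialog.
#    IsInstalled = 0 on each Active Setup component turns that half off.
$IeEscAdmin = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$IeEscUser  = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
foreach ($key in $IeEscAdmin, $IeEscUser) {
    Set-ItemProperty -Path $key -Name IsInstalled -Value 0 -Type DWord
}

# Verification: read the values back rather than trusting the writes.
function Get-LabSecurityState {
    [pscustomobject]@{
        AutoUpdateBlocked = (Get-ItemProperty -Path $AuKey -Name NoAutoUpdate).NoAutoUpdate -eq 1
        IeEscAdminOff     = (Get-ItemProperty -Path $IeEscAdmin -Name IsInstalled).IsInstalled -eq 0
        IeEscUserOff      = (Get-ItemProperty -Path $IeEscUser  -Name IsInstalled).IsInstalled -eq 0
    }
}
Get-LabSecurityState | Format-List
# Internet Explorer reads the IE ESC setting at start, so close and reopen it
# (or log off and on) before the change is visible in the browser.
```

All three fields should print True. To reverse the changes later, set NoAutoUpdate to 0 (or delete the AU key) and IsInstalled back to 1 on both components.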

Troubleshooting

Right-Click on a Mac

To right-click in the Windows session from a Mac, you need to enable "Secondary click" in Trackpad preferences, as shown below.

Creating a "Malware" folder

Right-click on the Windows desktop and click New, Folder.

Name the folder Malware.

Adding a Windows Defender Exception

Click Start and type DEFENDER. Click "Windows Defender".

In Windows Defender, click Settings.

In Windows Defender, in the "Exclusions" section, click "Add an exclusion", as shown below.

In the "Add an exclusion" window, click "Exclude a folder".

Navigate to the Malware folder, as shown below.

Click "Exclude this folder". Close the Settings window.

Installing Firefox

In Internet Explorer, go to

https://getfirefox.com

Download and install Firefox.

Installing 7-Zip

In Firefox, go to

https://7-zip.org

Download and install the 64-bit version of 7-Zip.

Downloading the Lab Files

In Firefox, go to

https://github.com/mikesiko/PracticalMalwareAnalysis-Labs

Click PracticalMalwareAnalysis-Labs.7z, as shown below.

On the next page, right-click Download and click "Save Link As...", as shown below.

Navigate to your Malware folder and save the file there.

Extracting the Lab Files

On your desktop, double-click the Malware folder.

Right-click the PracticalMalwareAnalysis-Labs.7z file and click 7-Zip, "Extract Here", as shown below.

A box pops up asking for a password. Enter

malware

as shown below.

A new file appears, with a red icon, named PracticalMalwareAnalysis-Labs, as shown below.

Double-click the PracticalMalwareAnalysis-Labs file.

Click Accept. Click Extract.

A folder appears with the malware samples, as shown below.
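The download and extraction steps above can be done from PowerShell on the VM as well, with a hash recorded for the archive you fetched. The script below is an added example, not part of the original lab. The raw-download URL is an assumption about the repository layout (the archive at the root of the default branch); if it fails, use the link from the GitHub page instead. The 7-Zip path is its default 64-bit install location, and the archive password is the one the lab gives.

```powershell
# Added example: fetch the lab archive into the Malware folder, record its
# SHA-256, and extract it with 7-Zip using the lab's password. Not part of
# the original lab. The URL is an assumption about the repository layout.
$MalwareDir  = Join-Path ([Environment]::GetFolderPath("Desktop")) "Malware"
$ArchiveUrl  = "https://github.com/mikesiko/PracticalMalwareAnalysis-Labs/raw/master/PracticalMalwareAnalysis-Labs.7z"
$ArchivePath = Join-Path $MalwareDir "PracticalMalwareAnalysis-Labs.7z"
$SevenZip    = "C:\Program Files\7-Zip\7z.exe"

# Refuse to download until the folder is excluded from Defender; otherwise
# real-time protection may quarantine the samples as soon as they are written.
if (-not ((Get-MpPreference).ExclusionPath -contains $MalwareDir)) {
    throw "Add the Defender exclusion for $MalwareDir first"
}
if (-not (Test-Path $SevenZip)) {
    throw "7-Zip not found at $SevenZip; install the 64-bit version first"
}

# GitHub requires TLS 1.2; Windows PowerShell 5.1 does not always select it.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# -UseBasicParsing avoids depending on Internet Explorer's first-run setup.
Invoke-WebRequest -Uri $ArchiveUrl -OutFile $ArchivePath -UseBasicParsing

# Record what was downloaded. The lab page publishes no hash to compare
# against, so this is a baseline for your own notes, not a verification.
$hash = (Get-FileHash -Path $ArchivePath -Algorithm SHA256).Hash
"$hash  $(Split-Path $ArchivePath -Leaf)" | Add-Content -Path (Join-Path $MalwareDir "SHA256SUMS.txt")

# Extract with the archive password; -o sets the output folder, -y answers
# prompts. The result is the self-extracting PracticalMalwareAnalysis-Labs
# file the lab then asks you to double-click, accept, and extract.
& $SevenZip x "-pmalware" "-o$MalwareDir" -y $ArchivePath

# List what is now in the folder so you can see the extracted file.
Get-ChildItem -Path $MalwareDir -Filter "PracticalMalwareAnalysis-Labs*" |
    Select-Object Name, Length
```

After this, continue with the double-click, Accept, and Extract steps above to unpack the samples themselves. Keep the SHA256SUMS.txt line with your lab notes so you can tell later whether the archive you analyzed is the same one you downloaded.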

PMA 30.1 Recording Your Success (15 pts)

In the "Malware" window, open these folders:
  • PracticalMalwareAnalysis-Labs
  • BinaryCollection
  • Chapter_1L
Right-click Lab01-01.dll and click Properties.

The flag is the file size, covered by a green box in the image below.

Warning

This server uses a lot of Google resources, so it burns through your $300 free trial rapidly. I strongly recommend shutting this server down when not in use.
Billing tip added 9-8-2020
Static IP and Preemptibility added 9-15-2020