# Technical Malware Test

## Overview

The Malware Simulation Toolkit is a powerful tool designed to mimic various types of malware behavior on your computer. However, using this tool without appropriate precautions can raise concerns within your organization's Information Security (InfoSec) team.

## Checklist

* [x] Set up a VM that replicates your real environment.

{% hint style="danger" %}
You should only use this tool inside a VM - **never** in your real environment. While the files are ultimately harmless, they mimic the behavior of many types of malware and could raise false alarms for your security team(s).
{% endhint %}

* [x] [Download the LHFC email template](https://wiki.lucysecurity.com/application-reference/templates/download-templates)
* [x] [Download the Malware Testing Toolkit file template](https://wiki.lucysecurity.com/application-reference/templates/download-templates)
* [x] [Create a Malware Test campaign using the wizard](https://wiki.lucysecurity.com/application-reference/campaigns/wizard-mode)
* [x] Use the toolkit in the message template

  <figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FWUGbwqANjvKnP0GU3Lky%2Fimage.png?alt=media&#x26;token=c8892cea-c8d8-4808-911e-a68df77c6735" alt=""><figcaption></figcaption></figure>
* [x] Whitelist the delivery method(s)
  * [x] Email attachment
  * [x] Download from your Lucy server
* [x] Alert your Security team before starting!

## Configure the Toolkit

The Malware Testing Toolkit comes with three different modes to choose from: Full, Advanced Dropper, and Ransomware. Each mode has its own set of configuration options:

{% tabs %}
{% tab title="Full" %}
The full toolkit performs an extensive test of the system using a large number of operations. By default the full suite of tests is active, and each test can be configured in the message template.

[Click here to view the full list of tests.](https://wiki.lucysecurity.com/guides/attack-simulations/attack-types/technical-malware-test/malware-toolkit-test-suite)
{% endtab %}

{% tab title="Dropper" %}
This template simulates certain aspects of malware behavior similar to [FinFisher](https://attack.mitre.org/software/S0182/), but without making any modifications to the system (e.g., no hooks, MBR changes, etc.). All activities will be executed with standard user rights.

### Setup

* The tool creates a subfolder in the TEMP directory, named something like `TMP6BCF227D` (details will be provided in the report).
* A file named `malware.jpeg` is placed in this subfolder.

### Execution

* The image is decrypted and launched from its current location.
* The contained file is a standard LUCY dropper that establishes a reverse HTTP/HTTPS connection using the browser to make base64 POST requests.
* The new process will be named `malware.jpeg`.

### Logging

* The dropper generates a log file named `log.txt`, which is stored in the `TMP*` folder.

### Information Harvesting

* A hidden folder is created in the TEMP directory, named something like `ADVDROP81227C11` (details will be recorded in `log.txt`).
* The dropper begins to gather information and, for each session, creates a subfolder within the hidden folder, named similarly to `82C89047`. The resulting structure will look like `ADVDROP81227C11\82C89047` in the TEMP directory.
* Harvested files are placed in this subfolder and are later encrypted.

### Data Transmission

* After encryption, the LUCY URL is called, and the dropper sends the files back to LUCY via POST (using HTTP or HTTPS, depending on your campaign settings).

{% hint style="success" %}
If you have SSL configured for the domain, Lucy uses HTTPS by default.
{% endhint %}

### Variables

Several LUCY variables can be defined for this template:

* **Working Hours**: Currently set from 10:00 to 00:00. If the template is launched at 9:00, the dropper will wait until 10:00 to begin execution.
* **Session Count**: Currently set to 3, meaning the dropper will create 3 subfolders within `ADVDROP81227C11`, each containing its dataset.
* **Session Intervals**: Currently set to 5 minutes, allowing the dropper to operate for approximately 15 minutes in total (number of sessions × minutes per session).
* **Maximum File Size**: This defines the maximum size of files the tool will send or encode within the POST requests (in kB).
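Once the dropper has run inside the VM, you can confirm that it left exactly the footprint described in this tab. The script below is an added example (not LUCY's own code) that scans a TEMP directory for the `TMP*` folder with `malware.jpeg` and `log.txt`, the `ADVDROP*` harvesting folder and its per-session subfolders, and checks the session count against the configured Session Count variable. The 8-hex-digit name patterns and the `build_sample_layout` helper are assumptions used to construct a sample layout for demonstration.

```python
"""Verify the Advanced Dropper simulation artifacts in a TEMP directory.

Added example, not part of the LUCY toolkit. Folder names are assumed to be
the prefix from the page followed by 8 hex digits (e.g. TMP6BCF227D).
"""
import re
import tempfile
from pathlib import Path

TMP_DIR_RE = re.compile(r"^TMP[0-9A-F]{8}$")          # holds malware.jpeg, log.txt
ADVDROP_DIR_RE = re.compile(r"^ADVDROP[0-9A-F]{8}$")  # hidden harvesting folder
SESSION_DIR_RE = re.compile(r"^[0-9A-F]{8}$")         # one per harvesting session


def find_dropper_artifacts(temp_dir, expected_sessions=3):
    """Return which dropper artifacts exist under temp_dir.

    expected_sessions mirrors the template's Session Count variable (3 on the
    page); 'complete' is True only when payload, log and all sessions exist.
    Hidden folders are still listed by iterdir(), so the attribute is not checked.
    """
    result = {"tmp_dirs": [], "advdrop_dirs": {}, "complete": False}
    for entry in Path(temp_dir).iterdir():
        if not entry.is_dir():
            continue
        if TMP_DIR_RE.match(entry.name):
            result["tmp_dirs"].append({
                "name": entry.name,
                "has_payload": (entry / "malware.jpeg").is_file(),
                "has_log": (entry / "log.txt").is_file(),
            })
        elif ADVDROP_DIR_RE.match(entry.name):
            result["advdrop_dirs"][entry.name] = sorted(
                d.name for d in entry.iterdir()
                if d.is_dir() and SESSION_DIR_RE.match(d.name))
    result["complete"] = (
        any(t["has_payload"] and t["has_log"] for t in result["tmp_dirs"])
        and bool(result["advdrop_dirs"])
        and all(len(s) >= expected_sessions for s in result["advdrop_dirs"].values()))
    return result


def build_sample_layout(root):
    """Create a constructed layout matching the page's description (demo only)."""
    tmp = Path(root) / "TMP6BCF227D"
    tmp.mkdir(parents=True, exist_ok=True)
    (tmp / "malware.jpeg").write_bytes(b"constructed placeholder, not a payload")
    (tmp / "log.txt").write_text("constructed log\n")
    for name in ("82C89047", "1A2B3C4D", "DEADBEEF"):
        (Path(root) / "ADVDROP81227C11" / name).mkdir(parents=True, exist_ok=True)


def demo(expected_sessions=3):
    """Build the sample layout in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as scratch:
        build_sample_layout(scratch)
        return find_dropper_artifacts(scratch, expected_sessions)
```

On a real VM, call `find_dropper_artifacts` with the TEMP path from the campaign report instead of the constructed layout.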
{% endtab %}

{% tab title="Ransomware" %}

### Overview

Ransomware is a type of malware that restricts users from accessing their systems or files. Victims are typically coerced into paying a ransom through various online payment methods to regain access to their systems or recover their data. Some ransomware, such as Cryptolocker, encrypts files, while others, like CTB Locker, utilize TOR to conceal command and control (C\&C) communications.

### Simulation Tool

Our template simulates a form of ransomware that locks files such as documents, spreadsheets, and other important data. It then creates an encrypted copy on either a shared drive with write access or locally. The primary goal of this template is to determine if the information-gathering activities or the significant number of read/write operations on a drive from a single PC trigger any alerts in your monitoring system.

### Settings

Within the tool, you can specify several settings:

* **File Location:** Where the tool will install itself.\
  0 = Current directory, 1 = Desktop, 2 = Temp folder, 3 = User folder
* **Start/Stop Hours:** When the tool will execute and when it will automatically unlock.
* **Operation Mode**: Choose whether to work with dummy data or real data discovered on the network. Mode 0 = Data Discovery, Mode 1 = Dummy Data.
* **File Extensions**: Specify which file types to search (default: doc, ppt, xls, pdf, txt).
* **Maximum File Size**: Set the maximum size of files to process (default: 512 KB).
* **Number of Files**: Specify the maximum number of files to copy (default: 100).
* **Crawl Time (minutes):** The maximum amount of time the tool will spend searching for files.
* **Data Retention**: Decide whether to leave a copy of the data on the PC/share or delete it after execution.
* **Number of fake file operations:** If using dummy data, this setting controls the maximum number of files the tool will create.
{% endtab %}
{% endtabs %}

## Running the test

Start your campaign, then either download the toolkit to your VM from your Lucy server or from the campaign email attachment.

{% hint style="warning" %}
A test like this is likely to raise a lot of red flags for your InfoSec team. While this is a good sign that your policies are working to protect you, it's best to give them a heads up before executing this test and setting off alarms.
{% endhint %}

## AV problems and security warnings <a href="#av_problems_security_warnings" id="av_problems_security_warnings"></a>

Some antivirus solutions may flag the tool as a virus or suspicious file, especially behavior-based antivirus programs. This indicates that your antivirus can detect certain methods used by the tool that are commonly associated with malware. It is a positive sign that your antivirus can identify malicious code without relying solely on signatures. Since the toolkit mimics malware activities, these alerts are not inherently incorrect. You can either ignore them or, if necessary, disable your antivirus if it prevents you from completing the malware assessment test.

You may encounter multiple security warnings when opening or executing the file. If you open the file as an email attachment or download it, a warning window will inform you that executables can be dangerous and may harm your computer. This warning occurs because the executable is not code-signed. We cannot code-sign the executable because parts of it are dynamically generated at runtime; however, it is safe to execute.
