infrastructure-notes/VMRay Notes.md

VMRay Notes

QUick Reference

Prod: https://vmray.pvt.xdr.accenturefederalcyber.com Test: https://vmray.pvt.xdrtest.accenturefederalcyber.com

iso's are stored in /opt/vmray/iso/. I downloaded 3:

• Win10_21H1_English_x32.iso
• Win10_21H1_English_x64.iso
• Win11_English_x64.iso

VPN Required. SAML signon enabled.

Summary

VMRay Analyzer is a tool to detonate malware in a controlled environment.

Generalized Architecture

VMRay Analyzer consists of a VMRay Server, which coordinates the use of other systems, and one or more bare metal worker machines on which malware detonates. The systems run Ubuntu 20.04 LTS.

The system is deployed in its own account in GovCloud (one for prod, one for test)

Test does not have a license, so will remain shutdown/disabled/unconfigured most of the time, and with 0 workers.

Source

documentation and downloads are at: https://portal.vmray.com/customer/login?

Install Log

Stand up via terraform. Apply the highstate, probably 2x to get 0 errors. Run 'pkg.upgrade' Run 'system.reboot'

Login to web page with username and password: admin@example.com (same un and password) Add the license (license can be grabbed from https://portal.vmray.com/customer/login?) and restart. Navigate to user settings, update admin email address to xdr.eng@accenturefederal.com and update the password. Configure the system

Under worker, click 'create worker' You'll have to provide the IP address, unfortunately.

On the worker:

cd /opt/vmray
sudo aws --region us-gov-east-1 s3 sync s3://afsxdr-binaries/iso iso
sudo chown -R vmray:vmray iso
sudo chmod 755 iso
sudo find iso -type f -exec chmod 644 {} \;
sudo find iso -type d -exec chmod 755 {} \;

Set up SSO

Install a VM

Installing a VM

** Recommendation: Run this in a screen or tmux session so that you can reconnect if the vpn disconnects you **

1. log into the worker
2. cd /opt/vmray/bin/
3. sudo -u vmray ./vm_setup.py
4. Option 2 - VM Operations
5. Option 1 - Create a new VM NOTE: No spaces in the name ... follow instructions. Most defaults are fine. See page 48 of the OnPrem installation guide for an example
6. Option 3 - Guest OS Operations
7. Option 1 - Install OS
8. Wait for the message VM started. You can now connect via VNC (port :0). You can monitor the installation by using a VNC viewer to connect. VNC Ports start at 5900, so :0 is port 5900, :1 would be 5901, and so forth.
9. After it returns to the main menu, select option 4, prepare VM for analysis, then option 2.
10. Defaults are probalby fine. You must specify the proxy as proxy.pvt.xdr.accenturefederalcyber.com:80
11. After initialization completes, select option 4, prepare vm for analysis, and then option 3, create VM Snapshot. (NOTE: The documents specify that the snapshot is not what we'd think of as a snapshot (i.e. a point in time image), but is something else... and you probably only need one named 'def' for each VM.)

Troubleshooting

2022-03-01: Had error in detection-update.log:

requests.exceptions.SSLError: HTTPSConnectionPool(host='download.vmray.com', port=443): Max retries exceeded with url: /repository/platform-updates/yara/4.4/index.json (Caused by SSLError('Fingerprints did not match. Expected "fcb64419c025ddf06042e2461d30171c17627edc9bfefed277789f501ffb3d52", got "b\'ea8f4b0b6a3519f10343195473d6cf0a63f652a7242fc768c502e091cd57e198\'".'))

Fix: Support sent an updated replacement file “communication_lib.so”.