Setting Up a Malware Analysis Lab: Complete Beginner's Instructions
So I always wanted to learn malware analysis from the beginning, because as cyber security students we keep running into this in our own lives: people ask us "Hey, can you tell me if my phone or computer is hacked or not?" And honestly, I never had a clear answer for them; I always tried to bend things by giving them some basic advice, like check the background processes in Task Manager, check whether the battery is draining, or whether they got any weird messages.
If you also feel this, or if this has ever happened to you, I am telling you now: we will start a small series on malware analysis that will help us answer their questions with maximum confidence.
Let's go then…
First, we need to set up a malware analysis lab, because believe me, malware is no joke and can do pretty nasty things to our system if handled without care, and many times we can't even detect what it is doing in the background.
So we need to set up an isolated lab environment:
Prerequisites:
A Windows 10 ISO file (I will tell you where to download it).
REMnux VM image (an OVA file)
VirtualBox or VMware
Desire to learn
Install VirtualBox:
Installing virtualization software is an easy task and I want you to do that on your own.
Here is a little overview BTW :)
→ Download the latest VirtualBox installer for your desired OS from this site:
It looks like this:
for Windows, Linux, macOS or any other
→ Also download the VirtualBox Extension Pack for added features =>
Next step is the installation:
Please try to do this on your own for learning purposes.
After a successful installation, it looks like this:
Next step:
Next we will download the Windows 10 ISO and the REMnux VM image; after that we will install both in VirtualBox and configure their networking.
Okay, here is a good resource from which I personally download every Windows ISO file and even the latest Microsoft Office application as well.
Here is the website: —hxxps://massgrave.dev/— and if you read carefully you can also find some interesting things there to activate some stuff :)
Okay, we will download the Windows 10 ISO:
We will download this English x64 version:
Now let's start the installation:
Step 1: Open VirtualBox and click New, then name it (you can choose any name you want) and select your ISO from where you saved it last time.
Then tick "Skip Unattended Installation" and click Finish.
Like this:
Now it looks like this:
Step 2: Start the VM:
and start the installation:
IMPORTANT NOTE: during installation don't choose Windows Home; choose Windows 10 Pro, and disconnect the internet during installation.
Then select Wait:
then:
Then, after everything is set up, start your Windows 10 VM.
Now we will install FLARE-VM.
FLARE-VM: a collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a virtual machine (VM). FLARE-VM was designed to solve the problem of reverse engineering tool curation and relies on two main technologies: Chocolatey and Boxstarter. Chocolatey is a Windows-based NuGet package management system, where a "package" is essentially a ZIP file containing PowerShell installation scripts that download and configure a specific tool. Boxstarter leverages Chocolatey packages to automate the installation of software and create repeatable, scripted Windows environments.
Basic requirements:
PowerShell
VM username without spaces or any special characters
Internet
Tamper Protection and any anti-malware solution (e.g., Windows Defender) disabled, preferably via Group Policy
Windows Updates disabled
Turn off Windows Defender and updates via GPO:
Step 1: Open the search box and type GPO
and open "Edit Group Policy" (if above we selected Windows 10 Pro or any edition other than Windows Home, we will see this; if not, you have to install the Group Policy Editor manually, because by default Microsoft does not ship it with the Windows Home edition; Google is your best friend here :).
Step 2: Open it and go to Administrative Templates (under Computer Configuration)
then → Windows Components → Windows Defender Antivirus → Real-time Protection:
then double-click → "Turn off real-time protection"
and choose "Enabled", then click Apply.
We will do the same steps for some other settings as well.
double-click "Scan all downloaded files and attachments" → Disabled
double-click "Monitor file and program activity on your computer" → Disabled
double-click "Allow antimalware service to remain running always" → Disabled
double-click "Turn off Microsoft Defender Antivirus" → Enabled
Next, look down the left panel and select Windows Update:
double-click → "Configure Automatic Updates" → Disabled
"Allow updates to be downloaded automatically over metered connections" → Disabled
That's it, now reboot the system.
After the reboot, go to the Windows Defender settings:
You should see this; that means we are good to go.
Install FLARE-VM
Now the most boring as well as fun part:
Step 1: Open PowerShell as administrator.
Step 2: Download the installation script install.ps1 to your Desktop by running this command:
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")
The file should now be on your desktop:
Unblock the installation script by running this command:
- Unblock-File .\install.ps1
Enable script execution with this command:
- Set-ExecutionPolicy Unrestricted -Force
And at last run the script: .\install.ps1
Okay, first take a snapshot: if something goes wrong we still have our clean "Windows 10" state and can retry these steps.
Click on the "Machine" tab → Take Snapshot → give it any name and description.
Start the installation and wait for some time.
Step 3: We will select to install every package.
This window will appear during installation; we want to install every package, so we need to select all of them. The easy way is to just click the highlighted arrow.
After that it should look like this:
Just click OK; the installation should start:
Now wait, and really, it will take so much time: until the.
Make some coffee, chat with someone or do a little dance, because it will take hours; also plug your laptop into the charger….
It will do many reboots, so don't panic; the installation will resume automatically.
Installing REMnux (Linux toolkit for malware analysis)
REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools.
So from the definition we can see that REMnux is a Linux OS that contains a lot of malware analysis and reverse-engineering tools in one place.
So, we will download the REMnux VM from the official website → https://remnux.org/
Here are the steps:
Visit: https://remnux.org/
Scroll a little and you will see a Download button (click on it).
You will be redirected to another docs site.
At the time of writing, the Box download method is not working (it shows a bandwidth error).
Make sure to select "VirtualBox OVA", then click on SourceForge and your download should start.
As we already know, it is an OVA file, which works with most hypervisors.
An OVA is a single TAR archive containing all the files that make up an OVF package.
Here are the steps to import an OVA file into VirtualBox.
Step 1: Open VirtualBox (of course you have to do that).
Step 2: Click on the File tab and choose "Import Appliance" (or just press Ctrl + I) and select our REMnux file.
Step 3: Wait a little and done.
Like this:
Take a snapshot as well, as we did with the clean FLARE-VM installation.
MOST IMPORTANT (don't miss this):
Now we will set up a separate network environment that is completely different from our own network, so that malware cannot reach our host network by any means. Our FLARE and REMnux network will be physically separated but logically connected to our host network. Both VMs can talk to each other but cannot talk to the host.
Open the VirtualBox Network Manager: click the three lines (☰) and choose Network.
Create a new host-only network.
Now we will change the IP address range (make sure it is different from your host's):
and also the IP range of the DHCP server:
And we are just one step away from being ready to start our malware analysis journey.
Tip: if you also get an "access denied" error while creating a host-only adapter in VirtualBox (I am using Linux as my main host for this), then do this:
Create a directory in /etc named vbox and create a file "networks.conf" in that directory.
Create a file in /etc named vbox.conf.
Add this line to both files (without the quotes): "* 0.0.0.0/0 ::/0", save both, and restart VirtualBox.
=> Now we will attach our host-only adapter to both of our analysis VMs (FLARE and REMnux).
1. Open the settings of REMnux => Network => select "Host-only Adapter" and select your adapter.
- We have to do the same for FLARE-VM as well.
Setting up a fake internet with INetSim
So INetSim is a fake internet simulation: it tricks our malware into thinking it is connecting to the internet, but in reality it is not; it's like a fake internet.
We have FLARE-VM, a Windows-based machine, which gives us the benefit of running malware on a supported architecture, and REMnux, which will act as the INTERNET SIMULATOR: whatever communication or requests our malware tries to make, REMnux will catch all of it, which helps us perform network analysis as well. So it will take all requests and we can study them at the packet level.
Step 1: Open the config file in any editor:
sudo nano /etc/inetsim/inetsim.conf
Step 2: Now uncomment the DNS service
- Uncomment service_bind_address and change the IP address to 0.0.0.0
- Scroll a little, find dns_default_ip and put our REMnux IP address there:
From now on FLARE-VM will use REMnux as its DNS server to resolve all queries, and we can capture all requests.
- Now save the file and run inetsim without root.
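The three inetsim.conf edits above, as an added shell helper that is not part of the original post or of INetSim: it applies them with sed, leaves the file's explanatory comments alone, and verifies the result. The config path, the REMnux address you pass in, and the sample excerpt used for the dry run are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from INetSim): apply the three
# inetsim.conf edits with sed and verify them. The config path and the REMnux
# address are passed in by the caller (assumptions); the format is INetSim's
# one-directive-per-line style, with "#" in front of commented-out defaults.
set -eu

# configure_inetsim <conf-file> <remnux-ip>
#   1. uncomment "start_service dns"
#   2. set service_bind_address to 0.0.0.0 so INetSim listens on the host-only NIC
#   3. set dns_default_ip to the REMnux IP (the answer returned for every name)
# Only directive lines are touched; "# Syntax:" and "# Default:" comments stay.
configure_inetsim() {
    conf="$1"; ip="$2"
    sed -E \
        -e 's/^#[[:space:]]*(start_service[[:space:]]+dns)[[:space:]]*$/\1/' \
        -e 's/^#?[[:space:]]*service_bind_address[[:space:]]+[0-9.]+[[:space:]]*$/service_bind_address 0.0.0.0/' \
        -e "s/^#?[[:space:]]*dns_default_ip[[:space:]]+[0-9.]+[[:space:]]*\$/dns_default_ip $ip/" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# verify_inetsim <conf-file> <remnux-ip>: 0 only if all three directives are active
verify_inetsim() {
    grep -Eq '^start_service[[:space:]]+dns[[:space:]]*$' "$1" &&
    grep -Eq '^service_bind_address[[:space:]]+0\.0\.0\.0[[:space:]]*$' "$1" &&
    grep -Eq "^dns_default_ip[[:space:]]+$2[[:space:]]*\$" "$1"
}

# make_sample_conf <file>: constructed excerpt in inetsim.conf's layout, for a dry run
make_sample_conf() {
    cat > "$1" <<'EOF'
# start_service
#start_service dns
start_service http
# Syntax: service_bind_address <ip address>
# Default: 127.0.0.1
#service_bind_address    10.10.10.1
# Syntax: dns_default_ip <ip address>
#dns_default_ip          10.10.10.1
EOF
}

# Usage: sudo sh inetsim_setup.sh apply /etc/inetsim/inetsim.conf <remnux-ip>
#        sh inetsim_setup.sh dry-run <remnux-ip>      (edits a sample copy and prints it)
case "${1:-}" in
    apply)   configure_inetsim "$2" "$3" && verify_inetsim "$2" "$3" && echo "inetsim.conf ready";;
    dry-run) t=$(mktemp); make_sample_conf "$t"; configure_inetsim "$t" "$2"; cat "$t"; rm -f "$t";;
esac
```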
Make some changes in the FLARE-VM network settings.
=> Open Control Panel → choose "Network and Internet"
then "Network and Sharing Center" → "Change adapter settings"
and
Right-click → Ethernet adapter → Properties
double-click → Internet Protocol Version 4 (TCP/IPv4)
and at last put your REMnux IP address as your DNS server, so that every DNS query is redirected to the REMnux VM.
Testing phase:
In this step we will check whether our setup is properly configured or not.
TEST 1: Ping REMnux from FLARE-VM and vice versa
From FLARE-VM:
From REMnux:
TEST 2: Try to ping our host OS from both the FLARE and REMnux VMs (you should NOT be able to ping your host OS).
If you can, you made a mistake; please try rereading all the steps.
From FLARE:
From REMnux:
TEST 3: Visit any site from FLARE and try downloading any file, like this (first make sure INetSim is running on REMnux):
Any website we try to visit should always return this INetSim default page. Even if malware tries to download a second-stage payload from any site with any extension, we can see that (not the payload itself, but what the malware is trying to download, how, and from which site).
Example → just a fake file is downloaded with any name.
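The three tests above, as an added script to run on the REMnux VM (not part of the original post). It assumes INetSim is already running, that ping, dig and curl are available (they are on REMnux), and that you pass the FLARE-VM, host and REMnux addresses on the command line; the name c2.example.invalid and the file name stage2.exe are just constructed test values.

```shell
#!/bin/sh
# Added example (not from the original post): the lab checks as one script
# run on REMnux. Every check reports PASS/FAIL; the exit status is the number
# of failures, so a correctly isolated lab exits 0.
set -u

fails=0
report() { # report <exit-status> <description>: 0 is PASS, anything else FAIL
    if [ "$1" -eq 0 ]; then echo "PASS: $2"; else echo "FAIL: $2"; fails=$((fails + 1)); fi
}

# reachable <ip>: one ICMP echo with a 2 s timeout (iputils ping options)
reachable() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# is_inetsim_page <file>: INetSim's fake HTTP mode serves a default page that names itself
is_inetsim_page() { grep -qi 'inetsim' "$1"; }

# is_pe_stub <file>: INetSim answers *.exe requests with a dummy PE, which starts with "MZ"
is_pe_stub() { [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]; }

# dns_answers_with <dns-server> <name> <expected-ip>: the fake DNS must hand out
# the REMnux address for any name at all (that is what dns_default_ip does)
dns_answers_with() {
    answer=$(dig +short +time=2 +tries=1 "@$1" "$2" A 2>/dev/null | head -n 1)
    [ "$answer" = "$3" ]
}

lab_check() { # lab_check <flare-ip> <host-ip> <remnux-ip>
    reachable "$1"; report $? "TEST 1: FLARE-VM $1 answers ping"
    if reachable "$2"; then report 1 "TEST 2: host $2 must NOT be reachable from the lab"
    else report 0 "TEST 2: host $2 is isolated from the lab"; fi
    dns_answers_with "$3" c2.example.invalid "$3"
    report $? "TEST 3a: fake DNS resolves any name to $3"
    body=$(mktemp)
    curl -s -m 5 -o "$body" "http://$3/"; is_inetsim_page "$body"
    report $? "TEST 3b: HTTP request is answered with the INetSim default page"
    curl -s -m 5 -o "$body" "http://$3/stage2.exe"; is_pe_stub "$body"
    report $? "TEST 3c: .exe download is INetSim's harmless dummy file"
    rm -f "$body"
    return "$fails"
}

# Usage (on REMnux): sh lab_check.sh run <flare-ip> <host-ip> <remnux-ip>
if [ "${1:-}" = run ]; then lab_check "$2" "$3" "$4"; fi
```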
So, in this blog we learned how to set up a completely isolated malware analysis lab in VirtualBox; we can mimic these steps to set it up in VMware as well (Google is our BF/GF here). In the next few blogs we will learn how to perform actual static and dynamic malware analysis (first learning some basics), and I will also mention some amazing resources that I collected while learning. I hope you all like this. I know I am a beginner at writing these, and I really don't know that much stuff here, but we always need to start from somewhere to reach our final destination. If you guys like this, add your email to my newsletter, so that next time you will get a mail when my new blog comes out.
At last, I also started a WhatsApp channel where I will share some amazing techniques and resources as well.
Channel name => Cyb3rSec Academy
Written by
Anuj