Malware Analysis Home Lab Setup

Shreyas Srinivasa
Jun 28, 2024


Welcome back to the home lab setup for Malware Analysis. This is a step-by-step procedure for downloading the required tools and instructions on how to configure an isolated environment.

A hypervisor is essential for safe malware analysis: it lets you detonate malware inside a guest virtual machine without risking the physical operating system (in this case I'm using Oracle VirtualBox).

Download the Windows 10 Evaluation ISO from [here]. Open the ISO file in VirtualBox and set up the Windows virtual machine according to your requirements. After setting it up, reboot the guest operating system. Also, do not forget to take a snapshot of the virtual machine, so you have a clean state to roll back to after each detonation.

Inside the VM window: Machine -> Take Snapshot -> provide a name

The next tool to download is REMnux, a Linux distribution built for Malware Analysis and Reverse Engineering. It is used for examining the properties and code of malicious files without executing them, and malware can also be executed in a controlled environment. REMnux can capture packets and analyze malicious scripts. The download link is provided [here].

Now on to installing the tools on the Windows 10 machine. The main package of software to install is FLARE VM, maintained by Mandiant. It is an open-source repository that runs install scripts for all the software I use during malware analysis. Before installing FLARE VM, there are major changes to be made in the Windows virtual machine.

Disable all proxy settings, Tamper Protection, and Microsoft Defender Antivirus (otherwise Defender will quarantine the FLARE VM tools and, later, your samples).

After disabling all the security features, take a snapshot.
To install FLARE VM, open "Windows PowerShell" as an 'Administrator' and run the following command, which downloads the install script to the Desktop:

(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

Change directory to 'Desktop' and run these commands. The first removes the mark-of-the-web from the downloaded script, the second relaxes the execution policy so the unsigned script can run, and the third launches the installer.

Unblock-File .\install.ps1

Set-ExecutionPolicy Unrestricted

.\install.ps1

The installation takes a good few minutes; when it's done, take a snapshot.

Network Setup

It's time to set up the network for the virtual machines used to analyze malware. The main motive for the network setup is to detonate the malware in a safe environment without risking the host operating system. In simple terms, FLARE VM and REMnux are connected to a network that is separate from the host machine's physical network but logically connected, so that the two machines can talk to each other yet have no route to the internet. In VirtualBox, or whichever hypervisor you chose, create a "Host-only Adapter", configure its IPv4 address and network mask, and attach both VMs' network interfaces to it.
Then verify that the machines cannot ping outside the network but can interact with each other.

8.8.8.8 (Google's public DNS server) is the external address pinged in the test; it must be unreachable from both VMs.
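The manual checks above, collected into one script to run inside the FLARE VM after the network is configured. This is an added example, not part of the original post or of FLARE VM; the REMnux address 192.168.56.10 and the 192.168.56.0/24 host-only prefix are assumptions (VirtualBox's default host-only range) and should be changed to match your lab.

```powershell
# Added example (not from the original post): isolation checks run inside the
# FLARE VM after the host-only network is configured. Assumed values below;
# adjust them to your lab. 8.8.8.8 is only used as an address that must fail.
$RemnuxIp    = '192.168.56.10'   # assumed REMnux address on the host-only net
$HostOnlyNet = '192.168.56.'     # assumed host-only prefix (VirtualBox default)
$ExternalIp  = '8.8.8.8'         # must NOT be reachable from the sandbox

$results = [ordered]@{}

# 1. Defender must be off so samples and tools are not quarantined mid-analysis.
$mp = Get-MpComputerStatus
$results['DefenderRealtimeOff'] = -not $mp.RealTimeProtectionEnabled
$results['TamperProtectionOff'] = -not $mp.IsTamperProtected

# 2. No system proxy configured (per-user WinINet settings; 1 = enabled).
$proxy = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$results['ProxyDisabled'] = ($proxy.ProxyEnable -ne 1)

# 3. Every non-loopback IPv4 address on the VM must belong to the host-only network.
$ips = Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object { $_.IPAddress -ne '127.0.0.1' } |
       Select-Object -ExpandProperty IPAddress
$results['OnlyHostOnlyAddresses'] = ($ips.Count -gt 0) -and
    -not ($ips | Where-Object { -not $_.StartsWith($HostOnlyNet) })

# 4. Peer reachability: REMnux answers, the internet does not.
$results['RemnuxReachable']     = Test-Connection -ComputerName $RemnuxIp -Count 2 -Quiet
$results['InternetUnreachable'] = -not (Test-Connection -ComputerName $ExternalIp -Count 2 -Quiet)

# 5. No default gateway: without one, nothing can be routed off the segment
#    even if a sample changes its mind about which address to contact.
$results['NoDefaultRoute'] = -not (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)

foreach ($k in $results.Keys) {
    $state = if ($results[$k]) { 'PASS' } else { 'FAIL' }
    Write-Output ("{0,-24} {1}" -f $k, $state)
}
if ($results.Values -contains $false) {
    Write-Warning 'Lab is not isolated correctly; fix the FAIL items before detonating anything.'
    exit 1
}
```

Re-run it after every snapshot restore, since a restored snapshot taken before the network step will silently bring back the old adapter configuration.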

This is it for the lab setup. Do follow me on GitHub where I will be posting more projects performed in Malware Analysis.

