Introduction:

Since joining the cyber security and intelligence community in 2016, I've always had a strong interest in malware analysis. The process of breaking something down, looking at its individual parts, and testing hypotheses about what its capabilities are is something that has always drawn me to the field. It's also a field that is extremely new to me. I've only just started to learn how to set up a proper lab and the various techniques that exist to break apart and understand malware. Because of that, I wanted to start a blog series to document my process for others, in the hope that my journey will make it easier for anyone trying to get started in the field.

What to Expect from this Post:

My aim for this post, and ideally for a continued series, is to provide a simple, straightforward approach to setting up a malware analysis lab. The best part is that nearly all the tools I will be using are open source or have an open source alternative, meaning there isn't any cost to get started. The only expense will be a physical machine capable of hosting several VMs at one time. I'm hoping this will help out others, while also reinforcing old concepts and learning new ones for myself.

Before We Begin:

  • I will be using VMware Fusion Pro for this walkthrough. I have had the best experience by far with VMware's line of virtualization software. However, VirtualBox can be a great, free substitute for VMware.
  • Troubleshooting the installation of virtualization software and/or the individual VMs is out of scope for this post. There are just too many things that might go wrong. If you do run into problems, Google is your best friend.
  • When you run multiple virtual machines (VMs) on a single host machine, the host machine will slow down. Because of this, it is important to give each VM its recommended settings for optimal performance. For Windows 10, I recommend at least 2 processor cores and 4 GB of RAM. For REMnux, 1 processor core and 2 GB of RAM.

Pre-requisites

  • VMware Fusion (Mac) / Workstation (Windows/Linux): VMware has some great, comprehensive guides to install both Fusion and Workstation. VMware does offer trial licenses for those interested in trying out the full feature set of the VMware Pro line (Fusion Pro and Workstation Pro). VMware also has its Player line, which is free for personal use. The only downside is that the Player version doesn't allow the network customization that you should use for your lab. Additionally, only Fusion Player has the ability to take snapshots, which is the major difference between Workstation Player and Fusion Player. Hopefully VMware fixes that in the future.
  • VirtualBox: the free alternative to VMware and some of the other virtualization software out there. It also has all the features you need in a VM solution when starting out. You can get a copy of VirtualBox here.
  • Windows Edge Developer VM image: You can download a Windows VM image here. We will be doing this later in the post.
  • FLARE VM: FLARE VM is a free malware analysis VM from FireEye with a ton of tools and features pre-installed. It's a great addition to your malware analysis toolset. You can find instructions to install it here.
  • REMnux: REMnux is a powerful Linux VM by Lenny Zeltser with a great collection of tools for malware analysis, available here. You can find a lot of helpful resources on his site, including REMnux and reversing cheat sheets as well as blog posts that you might find useful.

Downloading Virtualization Software:

Using the links above, navigate to your preferred virtualization software's site and follow the instructions provided by the vendor. Installation shouldn't take too long; it might ask for certain permissions it needs to modify network settings and the like. After you get it installed, jump to the next section.

Configuring your Network Settings:

The first thing we should do is set up the isolated custom network we will be using for our lab. Being able to control how the network interacts with a malware sample is extremely important for analysis. You also don't want the malware sample to have access to the Internet (at least at first) until you have a decent understanding of what the malware is trying to do. In VMware Fusion, this is pretty straightforward and easy to do.

  1. Select VMware Fusion -> Preferences -> Network. Click the lock icon at the bottom left to make changes.
  2. Hit the + button just above the lock icon. You should see a new network called vmnet#; mine is vmnet2, but yours could be a different number. Highlight it, then uncheck the box labeled "Allow virtual machines on this network to connect to external networks (using NAT)". If the dialog also offers to connect the host Mac to this network, leave that unchecked too: the point of the lab network is that only the analysis VMs can reach each other.
  3. Configure your subnet IP. I wanted an IP subnet that would stand out when I see it, so I went with 10.1.1.0. Keep the subnet mask as is. Then click Apply.

Installing Virtual Machines:

Downloading a Windows 10 Edge Developer image:

Now that you have virtualization software installed, we need to get a Win 10 developer image from Microsoft. This Win 10 image will serve as the base image; FLARE can only be installed on an already existing physical or virtual Windows machine. Using the link above, select MSEdge on Win10 (x64) {Some_Stable_Version}, then select the VM platform you have; in this case I will select VMware (Windows, Mac). The download is several GBs, so depending on your download speed it could take some time. Please note the password for the VM: "Passw0rd!" with a zero.

Installing and Setting up the Windows 10 Machine in VMware Fusion:

Let's unzip the file and store it in a location of your choice. Open VMware's Virtual Machine Library and follow these steps:

  1. Unzip the MSEdge-Win10-VMware file, if this is not done automatically by your host machine. You can store the unzipped contents anywhere. I'm going to put them on my Desktop.
  2. Click File -> Import -> Choose File -> MSEdge-Win10-VMWare.ovf -> Continue -> Save. You can change the name and location of where the VM is stored if you would like.
  3. Click Customize Settings after the image has been imported successfully.
  4. Navigate to Processors & Memory. Confirm that the VM is allocated 2 processor cores and 4 GB of RAM (4096 MB).

  5. Before we power on the Windows 10 machine for the first time, we should take a snapshot. Name it something like Fresh Win10 Install. Microsoft states that the image expires after 90 days, which could cause problems with your FLARE VM in the future. By taking a snapshot before you start the VM, that snapshot will not start the expiration timer until it is booted up for the first time.
  6. When you start the machine, if VMware prompts you to upgrade, click Upgrade.
  7. The VM should activate itself after a few minutes, but it can also be activated manually from a command prompt.
  8. VMware should prompt you to install VMware Tools. Install the tools and then reboot the machine. The VM might reboot twice, once for settings updates and another time to finish installing VMware Tools.
  9. After the machine logs in successfully with VMware Tools installed, take another snapshot and name it something to the effect of Win 10 Activated with VM Tools installed.

One thing to note: snapshots are a must when working with malware. The ability to revert to a clean state after performing behavioral analysis on one file is very powerful and time saving. It allows you to test other hypotheses, or another file, in a clean environment before infection. It also saves time, since you don't have to rebuild a whole new VM from scratch for lack of a clean starting image.

VirtualBox Users:

VirtualBox tends to require more manual configuration to get your VMs to work properly. One thing I always look at is the Invalid Settings notification (shown below) that appears at the bottom of the individual VM's settings window. These settings errors are usually pretty straightforward and easy to address in the settings menu.

The last thing that tends to be more complicated in VirtualBox is installing the VirtualBox Guest Additions. I recommend following the instructions in the VirtualBox manual here, Section 4.2.1.1, Installing the Windows Guest Additions. Sometimes you will get an error that you can't attach the Guest Additions because the VM has no optical drive. If that's the case, you need to follow the steps for mounting the Guest Additions manually.

Install FLARE on your fresh install of Win 10:

Now that we have our base Win 10 machine up and running, we can get FireEye's FLARE VM installed:

Optional: Install git on our Win10 box. Open a browser on your Win10 VM and Google "Install git windows", or copy and paste this URL: https://git-scm.com/download/win. Click the 64-bit Windows version and keep all the settings default during installation. When it finishes with the settings, hit Install, then after it installs hit Finish.

  1. Go to https://github.com/fireeye/flare-vm. Download the code as a zip file. If you performed the optional step, open a cmd prompt instead and run:

        cd Desktop && git clone https://github.com/fireeye/flare-vm

    Else: unzip the FLARE VM zip file on your Desktop.

  2. Open PowerShell as an Administrator. Type PowerShell in the "Type here to search" bar, then right click on Windows PowerShell and select Run as Administrator. In the PowerShell prompt, navigate to the FLARE VM folder (if you unzipped the download rather than cloning it, use whatever folder name the zip produced):

        cd C:\Users\IEUser\Desktop\FLARE-vm

    Next, enable the unrestricted execution policy for PowerShell by executing the following command and answering "Y" when prompted by PowerShell. This would be a bad idea on a production box, but this VM is a throwaway lab machine that will be reverted to a snapshot anyway:

        Set-ExecutionPolicy unrestricted

  3. Execute the install.ps1 installation script. You will be prompted to enter the current user's password. FLARE VM needs the current user's password to automatically log in after each reboot during installation. Optionally, you can specify the current user's password by passing "-password" at the command line:

        ./install.ps1 -password Passw0rd!

The rest of the installation process is fully automated. Depending on your internet speed, the entire installation may take up to an hour to finish. The VM also reboots multiple times because of the requirements of the numerous software installations. Once the installation completes, the PowerShell prompt remains open, waiting for you to hit any key before exiting. After completing the installation, you will be presented with the following desktop environment:

Once the install is done, run the command to update FLARE: cup all

After the update is finished, reboot and log back in. Then take another snapshot and name it something like Fresh install of FLARE-VM.

Download and Configure REMnux:

Navigate to the REMnux page linked above and hit Download -> General OVA (or VirtualBox OVA if using VirtualBox) -> Box -> Download. Save the file and import it just like we did with the Win10 image:

  1. Unzip the downloaded file containing REMnux, if this is not done automatically by your host machine. You can store the unzipped contents anywhere. Again, I'm going to put them on my Desktop.
  2. Click File -> Import -> Choose File -> remnux-v7 -> Continue -> Save. You can change the name and location of where the VM is stored if you would like.
  3. Click Customize Settings after the image has been imported successfully.
  4. Navigate to Processors & Memory. Confirm that the VM is allocated 1 processor core and 2 GB of RAM (2048 MB).
  5. Go to Settings and click Add Device -> Network Adapter -> Add -> Share with my Mac. When you click the Show All button you should now see two network adapters.
  6. Go to Network Adapter 1 and select the vmnet# that you created in the first section.
  7. Start up REMnux; if prompted, upgrade the virtual machine like we did with our Windows 10 machine.
  8. Log in to the REMnux machine; the credentials are user: remnux, password: malware.
  9. The first thing we want to do is grab the IP of our machine on Network Adapter 1. Make sure to save that IP address. It should be an IP in the range we selected when we created vmnet#. In my case it's 10.1.1.2. The FLARE VM will later point at this address as its gateway and DNS server, so if the vmnet hands it out via DHCP, it's worth making it static on REMnux so it doesn't change between snapshots:

  10. Update our REMnux machine. This will update and upgrade all of the tools on REMnux to their latest versions. It might take several minutes to complete:
  11. After running the upgrade command, we should reboot:
  12. Detach Network Adapter 2 from the REMnux VM. When you want to update or use the internet on the VM, just reattach it.
  13. Power off the REMnux VM, take a snapshot, and name it something like Fresh install of REMnux {date}.

Final Configuration and Network Testing:

We need to connect our FLARE VM to the same network so that the REMnux box can run network-based analysis on a sample.

  1. Power off the FLARE VM if you haven't done so already.
  2. Open Settings -> Network Adapter. Change the network adapter to the vmnet# we set up in the first section of the post.
  3. Start up FLARE and open Control Panel -> Network and Internet -> Network and Sharing Center -> Change adapter settings -> Ethernet0 -> Properties -> Internet Protocol Version 4 (TCP/IPv4) -> Use the following IP address:

    Use the IP of your REMnux box. It might be different from mine.

    • IP address: 10.1.1.3, or any IP you want in this subnet. This will be the IP of our FLARE VM
    • Subnet mask: 255.255.255.0
    • Default gateway: 10.1.1.2 (our REMnux VM)
    • Select "Use the following DNS server addresses"
    • Preferred DNS server: 10.1.1.2 (our REMnux VM)
    • Alternate DNS server: blank

  4. Click OK

With the gateway and DNS both pointed at REMnux, every name lookup and every non-local connection the sample makes lands on the REMnux box, which is exactly what we want for analysis. It also means the FLARE VM no longer has a path to the Internet, so when you later want to run cup all again, switch its adapter back to NAT temporarily (from a clean snapshot) and then back to the vmnet#.

Testing our Network Setup with INetSim:

Now that we have done all the networking setup in both VMs, we are going to set up a tool called INetSim. INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behavior of unknown malware samples.

REMnux already comes with INetSim pre-installed. However, we need to do some minor configuration steps to make sure it functions properly.

  1. Open /etc/inetsim/inetsim.conf in a text editor:

        sudo nano /etc/inetsim/inetsim.conf

  2. By default, INetSim only has a few services active. However, we are going to enable all the other services by removing the # in front of their start_service lines:

  3. We now need to bind INetSim to REMnux's network adapter IP. To do this, scroll down a little in the config file until you see service_bind_address. Uncomment it and put your REMnux IP in place of the 0.0.0.0. I would put 10.1.1.2:

  4. Right below that you should see dns_default_ip. Uncomment that and put your REMnux IP there as well. I would put 10.1.1.2. This is the address INetSim's fake DNS hands back for every name it is asked about, which is what steers the sample's connections to the simulated services on REMnux:

  5. Ubuntu has a systemd-resolved system service which provides network name resolution to local applications. It listens on port 53, so it conflicts with INetSim's DNS service and we need to disable it. Open a terminal and type these commands:

        sudo systemctl disable systemd-resolved
        sudo systemctl mask systemd-resolved
        sudo systemctl stop systemd-resolved

  6. Now we can start INetSim:

  7. Start up your FLARE VM and browse to www.baddomain.com. Because the name resolves to 10.1.1.2 and INetSim's fake HTTP service answers there, your browser should show this:
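The INetSim configuration and network check above, as an added shell example that is not part of the original post and not REMnux's or INetSim's own tooling. It assumes the REMnux VM holds 10.1.1.2 on the isolated vmnet, that /etc/inetsim/inetsim.conf has the stock layout (start_service lines plus commented-out service_bind_address and dns_default_ip lines), that INetSim is started with sudo inetsim, and that dig, curl and ss are available on REMnux. Editing the real config file needs root, so run the configure step via sudo.

```shell
#!/usr/bin/env bash
# Added example for this post (not the author's, REMnux's or INetSim's code).
# Assumptions: lab IP 10.1.1.2, stock inetsim.conf layout, INetSim started
# with "sudo inetsim", dig/curl/ss present on REMnux.
set -eu

# configure_inetsim CONF LAB_IP
#   - uncomments every "#start_service <name>" line so all simulated services run
#   - sets service_bind_address and dns_default_ip to LAB_IP, whether the stock
#     lines are commented out or not
#   Edits CONF in place and keeps CONF.bak so the change can be diffed or undone.
configure_inetsim() {
  local conf="$1" ip="$2"
  sed -i.bak \
    -e 's/^#\(start_service[[:space:]]\)/\1/' \
    -e "s/^#\{0,1\}service_bind_address[[:space:]].*/service_bind_address   ${ip}/" \
    -e "s/^#\{0,1\}dns_default_ip[[:space:]].*/dns_default_ip   ${ip}/" \
    "$conf"
}

# inetsim_setting CONF KEY -> prints the active (uncommented) value of KEY
inetsim_setting() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# enabled_services CONF -> prints the services that will start, one per line
enabled_services() {
  awk '$1 == "start_service" { print $2 }' "$1"
}

# free_port_53: systemd-resolved owns 127.0.0.53:53 on Ubuntu; INetSim's DNS
# module needs udp/53, so stop and mask the resolver, then confirm nothing
# else still holds the port before starting INetSim.
free_port_53() {
  sudo systemctl disable --now systemd-resolved
  sudo systemctl mask systemd-resolved
  if ss -ulpn | grep -q ':53 '; then
    echo "something is still bound to udp/53:" >&2
    ss -ulpn | grep ':53 ' >&2
    return 1
  fi
}

# smoke_test LAB_IP: run on REMnux once "sudo inetsim" is up. The fake DNS must
# answer any name with LAB_IP (that is what dns_default_ip does) and the fake
# HTTP service must return 200, which is what the FLARE browser check relies on.
smoke_test() {
  local ip="$1" answer status
  answer=$(dig +short @"$ip" www.baddomain.com)
  [ "$answer" = "$ip" ] || { echo "DNS did not resolve to $ip (got '$answer')" >&2; return 1; }
  status=$(curl -s -o /dev/null -w '%{http_code}' \
           --resolve "www.baddomain.com:80:$ip" http://www.baddomain.com/)
  [ "$status" = "200" ] || { echo "HTTP returned $status" >&2; return 1; }
  echo "INetSim on $ip answers DNS and HTTP"
}

# Typical run on REMnux (assumed command names):
#   sudo bash -c '. ./lab.sh; configure_inetsim /etc/inetsim/inetsim.conf 10.1.1.2'
#   free_port_53
#   sudo inetsim &
#   smoke_test 10.1.1.2
```

The .bak copy is worth a quick diff before starting INetSim, since uncommenting every start_service line also brings up services you may not want listening (the same lines the nano walkthrough above edits by hand). smoke_test checks from the REMnux side what the browser check on the FLARE VM shows from the other side: any hostname resolves to the lab IP and the fake HTTP server answers.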

Conclusion

There are infinite possibilities when it comes to setting up a malware analysis lab. There are tons of tools out there to assist you in your analysis, and FLARE is a great VM to start out with because it has a lot of the most popular tools pre-installed. My hope is that I was able to help you get started in setting up a lab to begin looking at malicious files. I definitely plan on writing up more articles where I will dive into specific malicious files and popular techniques used to analyze malware. If you have any comments, questions, or just want to chat, you can find me on Twitter.