Introduction:

Since joining the Cyber Security and Intelligence community in 2016, I've always had a strong interest in malware analysis. The process of breaking something down, looking at its individual parts, testing hypotheses as to what its capabilities are: this is something that has always drawn me to the field. It's also a field that is extremely new to me. I've only just started to learn how to set up a proper lab and all the various techniques that exist to break down and understand malware. Because of that, I wanted to start a blog series to document my process for others, in hopes that my journey will make it easier for anyone trying to get started in the field.

What to Expect from this Post:

My aim for this post, and ideally for a continued series, is to provide a simple, straightforward approach to setting up a malware analysis lab. The best part is that nearly all the tools I will be using are open source or have an open source alternative, meaning there isn't any cost to get started. The only expense will be a physical machine to host several VMs at once. I'm hoping this will help out others, while also reinforcing old concepts and learning new ones for myself.

Before We Start:

  • I will be using VMware Fusion Pro for this walkthrough. I have had the best experience by far with VMware's line of virtualization software. However, VirtualBox can be a great, free substitute for VMware.
  • Troubleshooting the installation of virtualization software and/or the individual VMs is out of scope for this post. There are just too many things that might go wrong. If you do run into trouble, Google is your best friend.
  • When you run multiple virtual machines (VMs) on a single host machine, the host machine will slow down. Because of this, it is important to give each VM its recommended settings for optimal performance. For Windows 10, I recommend at least 2 processor cores and 4 GB of RAM. For REMnux, 1 processor core and 2 GB of RAM.

Pre-requisites

  • VMware Fusion (Mac) / Workstation (Windows/Linux): VMware has some great, comprehensive guides to install both Fusion and Workstation. VMware does offer trial licenses for those interested in trying out the full feature set of the VMware Pro line (Fusion Pro and Workstation Pro). VMware also has its Player line, which is free for personal use. The only downside is that the Player version doesn't allow the network customization that you should use for your lab. Additionally, only Fusion Player has the ability to take snapshots, which is the major difference between Workstation Player and Fusion Player. Hopefully VMware fixes that in the future.
  • VirtualBox: Is the free alternative to VMware and some of the other virtualization software out there. It also has all the features you need in a VM solution when starting out. You can get a copy of VirtualBox here.
  • Windows Edge Developer ISO: You can download a Windows ISO file here. We will be doing this later in the post.
  • FLARE VM: FLARE VM is a free malware analysis VM with a ton of tools and features pre-installed by FireEye. It's a great addition to your malware analysis toolset. You can find instructions to install it here.
  • REMnux: REMnux is a powerful Linux VM that has a great collection of tools for malware analysis by Lenny Zeltser here. You can find a lot of helpful resources on his site, including REMnux and reversing cheat sheets as well as blog posts that you might find useful.

Downloading Virtualization Software:

Using the links above, navigate to your preferred virtualization software site. Follow the instructions provided by each vendor. Installation shouldn't take too long and might ask for certain permissions it needs to modify network settings and such. After you get it installed, jump to the next section.

Configuring your Network Settings:

The first thing we should do is set up the isolated custom network we will be using for our lab. Being able to control how the network interacts with a malware sample is extremely important for analysis. You also don't want the malware sample to have access to the Internet (at least at first) until you have a decent understanding of what the malware is trying to do. In VMware Fusion, it is pretty straightforward and easy to do.

  1. Select the tab VMware Fusion -> Preferences -> Network. Click the lock icon at the bottom left side to make changes.
  2. Hit the + button just above the lock icon. You should see a new network called vmnet#; mine is vmnet2 but yours could be a different number. Highlight that, then uncheck the radio button labeled "Allow virtual machines on this network to connect to external networks (using NAT)".
  3. Configure your subnet IP. I want an IP subnet that will stand out when I run into it, so I went with 10.1.1.0. Keep the Subnet Mask as is. Then click Apply.

Installing Virtual Machines:

Downloading a Windows 10 Edge Developer image:

Now that you have virtualization software installed, we need to get a Win 10 developer image from Microsoft. This Win 10 image will serve as the base image. FLARE can only be installed on an already existing physical or virtual Windows machine. Using the link above, select MSEdge on Win10 (x64) {Some_Stable_Version}. Then select the VM platform you have; in this case I will select VMware (Windows, Mac). The download is several GBs, so depending on your download speed, it could take some time. Please note the password for the VM: "Passw0rd!" with a zero.

Installing and Setting up the Windows 10 Machine in VMware Fusion:

Let's unzip the file and store it in a location of your choice. Open up VMware's Virtual Machine Library and follow these steps:

  1. Unzip the MSEdge-Win10-VMware file, if not automatically done by your host machine. You can store the unzipped contents anywhere. I'm going to put them on my Desktop.
  2. Click File -> Import -> Choose File -> MSEdge-Win10-VMWare.ovf -> Continue -> Save. You can change the name and location of where the VM is stored if you would like.
  3. Click Customize Settings after the image has been imported successfully.
  4. Navigate to Processors & Memory. Confirm that the VM is allocated 2 processor cores and 4 GB of RAM (4096 MB).

  5. Before we power on the Windows 10 machine for the first time, we should take a snapshot. Name it something like Fresh Win10 Install. Microsoft states that the image expires after 90 days, so this could cause problems with your FLARE VM in the future. By taking a snapshot before you start the VM, that snapshot will not start the expiration timer until it is booted up for the first time.
  6. When you start the machine, if VMware prompts you to upgrade, click Upgrade.
  7. The VM should activate itself after a few minutes, but we can do it manually. Open a command prompt and type:
  8. VMware should prompt you to install VMware's Virtual Tools. Install the tools, then reboot the machine. The VM might reboot twice, once for settings updates and another time to successfully install VMware's Virtual Tools.
  9. After the machine logs in successfully following the install of VM Virtual Tools, take another snapshot and name it something to the effect of Win 10 Activated with VM Tools installed.

One thing to note: snapshots are a must when working with malware. The ability to revert back to a clean state after performing some behavior analysis on one file is very powerful and time saving. It allows you to test other hypotheses or another file in a clean environment before infection. It also saves time, so you don't have to rebuild a whole new VM from scratch because you don't have a clean starting image.

VirtualBox Users:

VirtualBox tends to require more manual configuration to get your VMs to work properly. One thing I always look at is the Invalid Settings notification (shown below) that appears at the bottom of the individual VM's settings window. These settings errors are usually pretty straightforward and easy to address in the settings menu.

The last thing that tends to be more complicated in VirtualBox is installing VirtualBox Guest Additions. I recommend following the instructions VirtualBox has on their manual page here, Section 4.2.1.1. Installing the Windows Guest Additions. Sometimes you will get an error that you can't attach the Guest Additions due to no optical drive. If that's the case, you need to use the manual steps for mounting the Guest Additions.

Install FLARE on your fresh install of Win 10:

Now that we have our base Win 10 machine up and running, we can get FireEye's FLARE VM installed:

Optional: Install git on our Win10 box. Open up a browser on your Win10 VM and Google: Install git windows, or copy and paste this URL: https://git-scm.com/download/win. Click the 64-bit Windows version and keep all the settings default during installation. When it finishes with the settings, hit Install, then after it installs hit Finish.

  1. Go to https://github.com/fireeye/flare-vm. Download the code as a zip file. If you performed the optional step, then open up a cmd prompt:

        cd Desktop && git clone https://github.com/fireeye/flare-vm

    Else: Unzip the flare-vm zip file on your Desktop.

  2. Open up PowerShell as an Administrator. Type Powershell in the Type here to search bar, then right click on Windows PowerShell and select Run as Administrator. In the PowerShell prompt, navigate to the FLARE VM folder:

        cd C:\Users\IEUser\Desktop\FLARE-vm

    Next, enable the unrestricted execution policy for PowerShell by executing the following command and answering "Y" when prompted by PowerShell:

        Set-ExecutionPolicy unrestricted

  3. Execute the install.ps1 installation script. You will be prompted to enter the current user's password. FLARE VM needs the current user's password to automatically log in after a reboot when installing. Optionally, you can specify the current user's password by passing "-password" followed by the password at the command line:

        ./install.ps1 -password Passw0rd!

The rest of the installation process is fully automated. Depending upon your internet speed, the entire installation may take up to one hour to finish. The VM also reboots multiple times due to the numerous software installations' requirements. Once the installation completes, the PowerShell prompt remains open waiting for you to hit any key before exiting. After completing the installation, you will be presented with the following desktop environment:

Once the install is done, run the command to update FLARE: cup all

After the update is finished, reboot and log back in. Then take another snapshot and name it something like Fresh install of FLARE-VM.

Download and Configure REMnux:

Navigate to the REMnux page link shared above and hit Download -> -> General OVA (or VirtualBox OVA if using VirtualBox) -> Box -> Download. Save the file and import it just like we did with the Win10 image:

  1. Unzip the downloaded file containing REMnux if not automatically done by your host machine. You can store the unzipped contents anywhere. Again, I'm going to put them on my Desktop.
  2. Click File -> Import -> Choose File -> remnux-v7 -> Continue -> Save. You can change the name and location of where the VM is stored if you would like.
  3. Click Customize Settings after the image has been imported successfully.
  4. Navigate to Processors & Memory. Confirm that the VM is allocated 1 processor core and 2 GB of RAM (2048 MB).
  5. Go to Settings and click Add Device -> Network Adapter -> Add -> Share with my Mac. When you click the Show All button you should now see two network adapters.
  6. Go to Network Adapter 1 and select the vmnet# that you created in the first section.
  7. Start up REMnux; if prompted, upgrade the virtual machine like we did with our Windows 10 machine.
  8. Log in to the REMnux machine; credentials are user: remnux, pass: malware.
  9. The first thing we want to do is grab the IP of our machine for Network Adapter 1. Make sure to save that IP address. It should be an IP in the range we selected when we created vmnet#. In my case it's 10.1.1.2:

  10. Update our REMnux machine. This will update and upgrade all of the tools on REMnux to their latest version. It might take several minutes to complete:
  11. After running the upgrade command we should reboot:
  12. Detach Network Adapter 2 from the REMnux VM. When you want to update or use the internet on the VM, just reattach it.
  13. Power off the REMnux VM and take a snapshot and name it something like Fresh install of REMnux {date}.

Final Configurations and Network Testing:

We need to connect our FLARE VM to the same network so that the REMnux box can run network-based analysis on a sample.

  1. Power off the FLARE VM if you haven't done so already.
  2. Open Settings -> Network Adapter. Change the Network Adapter to the vmnet# we set up in the first section of the post.
  3. Start up FLARE and open Control Panel -> Network and Internet -> Network and Sharing Center -> Change adapter settings -> Ethernet0 -> Properties -> Internet Protocol Version 4 (TCP/IPv4) -> Use the following address ->

    Use the IP of your REMnux box. It might be different than mine.

    • IP address: 10.1.1.3 or any IP you want in this subnet. This will be the IP of our FLARE VM
    • Subnet mask: 255.255.255.0
    • Default Gateway: 10.1.1.2 (Our REMnux VM)
    • Select use the following preferred DNS server addresses
    • Preferred DNS Server: 10.1.1.2 (Our REMnux VM)
    • Alternate DNS Server: BLANK

  4. Click Ok

Testing our Network Setup with INetSim:

Now that we have done all the networking setup in both VMs, we are going to set up a tool called INetSim. INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behavior of unknown malware samples.

REMnux already comes with INetSim pre-installed. However, we need to do some minor configuration steps to make sure it functions properly.

  1. Open /etc/inetsim/inetsim.conf in a text editor:

        sudo nano /etc/inetsim/inetsim.conf

  2. By default, INetSim only has a few services active. However, we are going to uncomment all the other services by removing the #:

  3. We now need to bind REMnux's network adapter IP to INetSim. To do this, scroll down a little bit in the config file until you see service_bind_address. Uncomment it and put your REMnux IP in place of the 0.0.0.0. I would put 10.1.1.2:

  4. Right below that you should see dns_default_ip. Uncomment that and place your REMnux IP there as well. I would put 10.1.1.2:

  5. Ubuntu has a systemd-resolved system service which provides network name resolution to local applications. This conflicts with INetSim, so we need to disable the service. Open up a terminal and type these commands:

        sudo systemctl disable systemd-resolved
        sudo systemctl mask systemd-resolved
        sudo systemctl stop systemd-resolved

  6. Now we can start INetSim:

  7. Start up your FLARE VM and type www.baddomain.com into the browser. Your browser should show this:
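The inetsim.conf edits from steps 2 through 4, as an added shell example that is not from the original post: it rewrites a copy of the config file and then checks the result, so a leftover 0.0.0.0 or a service still commented out is caught before INetSim is started. The file layout and the 10.1.1.2 address follow the post; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's steps 2-4
# (enable all services, bind to the REMnux IP, answer DNS with it) to an
# inetsim.conf-style file and verifies them. Try it on a copy before
# touching /etc/inetsim/inetsim.conf.

# configure_inetsim CONF IP: uncomment every "#start_service ..." line and set
# service_bind_address and dns_default_ip to IP, whether or not they were
# commented out. Written via a temp file so it works with GNU and BSD sed.
configure_inetsim() {
    conf=$1; ip=$2
    tmp=$(mktemp) || return 1
    sed -e 's/^#[[:space:]]*\(start_service[[:space:]]\)/\1/' \
        -e "s/^#\{0,1\}[[:space:]]*service_bind_address[[:space:]].*/service_bind_address   $ip/" \
        -e "s/^#\{0,1\}[[:space:]]*dns_default_ip[[:space:]].*/dns_default_ip   $ip/" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# check_inetsim CONF IP: succeed only when no service is still commented out
# and both addresses point at IP; a leftover 0.0.0.0 or a typo fails here.
check_inetsim() {
    conf=$1; ip=$2
    ! grep -q '^#[[:space:]]*start_service' "$conf" &&
    grep -q "^service_bind_address[[:space:]]*$ip\$" "$conf" &&
    grep -q "^dns_default_ip[[:space:]]*$ip\$" "$conf"
}

# write_sample_conf FILE: a constructed excerpt in inetsim.conf's layout,
# used instead of the real shipped file so the script runs anywhere.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not the real /etc/inetsim/inetsim.conf
start_service dns
start_service http
#start_service https
#start_service smtp
#start_service irc
service_bind_address   0.0.0.0
#dns_default_ip   10.10.10.1
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
configure_inetsim "$sample" 10.1.1.2
check_inetsim "$sample" 10.1.1.2 &&
    echo "inetsim.conf ready: $(grep -c '^start_service' "$sample") services bound to 10.1.1.2"
```

To apply it for real, copy /etc/inetsim/inetsim.conf somewhere writable, run configure_inetsim and check_inetsim on the copy, and only then move it back with sudo.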

Conclusion

There are infinite possibilities when it comes to setting up a malware analysis lab. There are tons of tools out there to assist you in your analysis, and FLARE is a great VM to start out with because it has a lot of the most popular tools pre-installed. My hope is that I was able to help you get started in setting up a lab to begin looking at malicious files. I definitely plan on writing up more articles where I will dive into specific malicious files and popular techniques used to analyze malware. If you have any comments, questions, or just want to chat, you can find me on Twitter.