Building a Malware Analysis Lab

Lounge Fly
9 min read · Sep 3, 2020

If you’re interested in analyzing malware, whether as a requirement for your job or simply for your own research or learning, it’s critical to have a proper lab environment. The primary goals of the lab environment are to protect the host system, provide sufficient analysis capabilities, and ensure that malware detonates properly, ideally evading any anti-analysis techniques.

Overview

Building a suitable environment is one of the most important aspects of analysis. In many cases you need to be able to communicate with the internet, but you also need network segmentation in place to avoid infecting your host machine. This is one of the challenges you’ll face that you might not find much good information on solving successfully. If you use host-only networks in your VMs, you’ll protect yourself but won’t be able to communicate properly. If you use NAT or bridged mode, you’ll expose your host system and trigger your AV, which could be dangerous and counter-productive. Instead, you need to create a host-based network that is routable to the internet from your sandbox or analysis machines through a firewall virtual machine, such as PFSense. You’ll also need to make sure all the tools you need are available, that the systems can communicate with each other, and that the systems are “dehardened” so the infection occurs properly. This article aims to take you through those steps.

Hypervisors

  • Virtualbox — I’ve used Virtualbox for years until I bit the bullet and got VMWare Workstation Pro. It’s a perfectly fine option for your environment.
  • Qemu-KVM — QEMU is a free and open-source emulator and virtualizer. One important note here is that if you plan to install CAPE sandbox (I’ll have an associated article on this shortly) then QEMU is the supported hypervisor. Others will also work, however.
  • VMWare — There is a free version of VMware Workstation Player, however I believe the limitations make it unsuitable for analysis, so the Pro (paid) version is probably required.

The Host

You can do this with a Windows host, but the ideal architecture is with a macOS or Linux host. Why? In the event the malware can escape the VM (generally through vulnerabilities in the VM software or analyst error), it’s less likely to infect the host. You can also do this on a completely separate physical network and machine, but it’s certainly less convenient. It can be helpful for analyzing VM-aware malware, however.

A good environment is going to consist of multiple operating systems (as malware is sometimes designed to run under certain conditions). In addition, you might have scripts or tools that only run under Windows or Linux respectively. For these reasons, it’s good to have a mixed bag of guest machines.

Lastly, you’ll want to make sure you have the necessary hardware to support your efforts. Should you have multiple guests running at a time you’ll need to have sufficient RAM as well as sufficient disk space for the virtual disks and snapshots. I recommend at least 16GB RAM and 500GB of FREE disk. This could be an external disk if necessary. Just take that into account when configuring snapshot directories or where the virtual hard disks are stored.

The Guests

  • PFSense — The open source firewall VM that will help you properly route traffic while isolating your host.
  • Remnux — Remnux is a Linux-based malware analysis environment created and maintained by Lenny Zeltser.
  • Kali — The go-to pentesting distribution. While I don’t use this often during analysis, it’s more of a nice-to-have.
  • Windows 7 — A standard Windows 7 Virtual Machine for analysis.
  • Windows 10 — A Windows 10 Virtual Machine for analysis.
  • Ubuntu 18.04 (if you want to build an automated Sandbox like Cuckoo or CAPE).

Microsoft does offer some developer Virtual Machines for trial purposes.

Getting Started

The Windows Guests

If you’ve downloaded your Windows images in OVA format you can simply import them into Virtualbox. Otherwise, you’ll have to set up a new guest, allocate disk space, connect the installation media and install as normal. You can select a NAT or bridged adapter for the internet access you’ll need to download various analysis tools, then switch back to your internal network (or host-only network if you’re using VMWare) before any analysis.

There are some basic criteria that make for a good analysis machine. Malware is constantly evolving, and so are anti-analysis techniques. Many malware variants attempt to detect a plethora of host information, such as the presence of certain directories, running processes, network connectivity, etc.

The following tips will help you get started:

  • Keep it simple. You really want to mimic a normal machine. This gets difficult when you start adding a million analysis tools, so if you do, make sure to change the names of their directories and executables.
  • Consider your prerequisites. These include things like Acrobat, MS Office, various browsers, etc.
  • Turn off User Account Control.
  • Turn off Windows Update.
  • Turn off any firewall or anti-malware solutions if you’re not using them during analysis.
  • Make sure you have an updated version of the .NET Framework (Flare needs this, as does some malware).
  • Update PowerShell (especially if you end up with a VM using version 2 or something similarly old).
  • Install Virtualbox Guest Additions (note that this may trip certain malware’s anti-analysis checks).

Create Snapshots

Creating multiple snapshots of your VMs is paramount. All of this can end up being a lot of trial and error. You’d hate to break a few things and spend a ton of time troubleshooting when you can just roll back. Generally, I like to create snapshots around significant system changes or additions. If you set up a Windows server and promote it to a domain controller or web server, take a snapshot once it’s functional. If you install some new tools in Linux and things are functioning as needed, take a snapshot. When things are good, take a snapshot!!! You’ll always want to make improvements and changes, so it’s important to take snapshots when you have your system in a known-good working order. More obviously, if you infect your system with malware you’ll ALWAYS want to restore to a previous clean slate, so that each investigation starts from a clean system rather than an infected one.

The toolkit

You can download all of your own preferred analysis tools individually, or you can use a preconfigured array of tools in a package such as Flare VM.

If you want to set up your own tools for analysis, here are some basic categories to get you started:

  • Process Monitoring
  • Network
  • Memory
  • Disassembler
  • Debugger
  • Hex Editor
  • Initial Analysis
  • Registry
  • Other

Many other tools exist that could be helpful or overlap with these categories. The goal here is to point you in the right direction. Many, if not all, of these are also included in Flare.

Installing FLARE

FLARE VM is a suite of tools released by FireEye in 2017. The tools are consistently updated, making it a great starting point for building out your analysis guest machine.

https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html

You can begin the installation by running the PowerShell script here.

If you have trouble getting the scripts to run, ensure you have an updated PowerShell environment. I updated through the Windows Management Framework 5.1 here.

This script can take a hell of a long time, so sit back, grab a coffee, or feel free to get started with setting up additional VMs.

Once completed you’ll see a folder containing the Flare tools on the desktop. Make sure to change your network interface to your host-only network prior to any analysis.

The second VM, whether it be Windows 10 or something else, can be used however you like. I personally like to use my second VM as a clean-slate system. I’ll have a very limited number of tools on it, in an effort to execute malware that might identify the other VM or refuse to function under those conditions.

Remnux

The next VM for our analysis environment is Remnux. You can download the Remnux virtual appliance here.

Follow the steps listed in the documentation on the official site above. They’ve also got a great list of tools for various use-cases if you didn’t use Flare and want to explore some additional options.

What would this guide be if I didn’t also link the following cheat sheets?

https://zeltser.com/analyzing-malicious-documents/

https://zeltser.com/malware-analysis-cheat-sheet/

PFSense Setup

Now to move forward with PFSense. It’s the crux of our networking configuration, so it’s important to have it in place.

  • Create a new VM and select the presets for BSD.
  • Allocate 1GB RAM.
  • Choose a Virtualbox Disk Image (or another format if you prefer).
  • Dynamic or fixed size — the disk space needed for this is minimal. Assign it the default of 16GB, or even less if you want to conserve space.

The next step is setting up the network adapters for PFSense. Right-click on the virtual machine, go to Settings, then select the Network tab. You should already have a NAT network adapter as your primary adapter, but you’ll need to configure a secondary adapter for your internal network. Name the internal network whatever you’d like, but make sure the name is consistent across your other virtual machines.

Start your VM and once at the installer screen you can continue with all defaults unless you need to change anything.

You can now remove the PFSense ISO from your virtual drive.
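The same VM creation and two-adapter wiring, scripted with VBoxManage so it can be repeated or reviewed. This is an added example, not part of the original article; the VM name pfSense, the internal network name malnet, the disk path under VM_DIR and the installer ISO path are assumptions you should adjust. A DRY_RUN mode prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not part of the original article): the pfSense guest and its
# two network adapters created with VBoxManage instead of the GUI.
# Assumptions: VM name "pfSense", internal network name "malnet", the disk
# path under $VM_DIR, and the installer ISO path in $PFSENSE_ISO (placeholder).
set -eu

VM_NAME="${VM_NAME:-pfSense}"
INTNET="${INTNET:-malnet}"   # LAN segment; every analysis guest must use the same name
VM_DIR="${VM_DIR:-${HOME:-/tmp}/VirtualBox VMs/$VM_NAME}"
PFSENSE_ISO="${PFSENSE_ISO:-${HOME:-/tmp}/iso/pfSense-CE-amd64.iso}"   # placeholder path
DRY_RUN="${DRY_RUN:-}"       # set to 1 to print the commands instead of running them

# Wrapper so the plan can be reviewed before anything is created.
vbox() {
    if [ -n "$DRY_RUN" ]; then
        echo "VBoxManage $*"
    else
        VBoxManage "$@"
    fi
}

# Create the firewall VM: BSD preset, 1 GB RAM, a small dynamic VDI, NIC1 on NAT
# (the WAN side pfSense sees as em0) and NIC2 on the internal network (LAN, em1).
create_pfsense_vm() {
    vbox createvm --name "$VM_NAME" --ostype FreeBSD_64 --register
    vbox modifyvm "$VM_NAME" --memory 1024 --cpus 1 \
        --nic1 nat \
        --nic2 intnet --intnet2 "$INTNET"
    vbox createmedium disk --filename "$VM_DIR/$VM_NAME.vdi" --size 16384 --format VDI
    vbox storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
    vbox storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$VM_DIR/$VM_NAME.vdi"
    vbox storagectl "$VM_NAME" --name IDE --add ide
    vbox storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium "$PFSENSE_ISO"
}

# Move an analysis guest's adapter onto the same internal network, so its only
# way out is through pfSense. Do this after the tools are downloaded over NAT.
attach_guest_to_lan() {
    vbox modifyvm "$1" --nic1 intnet --intnet1 "$INTNET"
}

# After installation: detach the ISO and snapshot the clean firewall.
finish_install() {
    vbox storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium none
    vbox snapshot "$VM_NAME" take "clean-install"
}

case "${1:-}" in
    create) create_pfsense_vm; vbox startvm "$VM_NAME" ;;
    finish) finish_install ;;
    attach) attach_guest_to_lan "$2" ;;
    *) : ;;   # no argument: only define the functions
esac
```

Usage: `DRY_RUN=1 sh pfsense-vm.sh create` to review the commands, then without DRY_RUN to build and boot the VM; after the installer finishes, `sh pfsense-vm.sh finish` ejects the ISO and takes the first snapshot, and `sh pfsense-vm.sh attach win7` moves an analysis guest onto the internal network.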

At first boot, PFSense is going to ask us some questions:

1. Should VLANs be set up now? N

2. Enter the WAN interface name: probably the first interface, em0

3. Enter the LAN interface name: this will be your internal or host-only network interface (em1)

Once the configuration is completed, you’re presented with the main CLI menu which provides options such as reassigning interfaces, resetting to defaults or testing connectivity through pinging a host.

You can use one of your other VMs and browse to the PFSense WebGUI using its LAN interface IP.

Sign in using the default username admin and password pfsense.

Change the default password under System > User Manager.

Set your preferred DNS servers.

Enable DHCP to provide hosts with IP addresses and set your preferred DHCP scope.

When using a host-only network you may want to configure firewall rules to prevent the guest machines from ever reaching the host network. With Virtualbox’s internal network option, the guests should not be able to reach the host anyway.
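A quick guest-side sanity check for that isolation, added here as an example (it is not from the original article): run on a Linux guest such as Remnux, it confirms that the default route points at the PFSense LAN address and that no route touches Virtualbox’s default host-only range, and in live mode also pings the host-only gateway expecting no answer. The PFSense default LAN address 192.168.1.1 and the host-only prefix 192.168.56.0/24 are assumptions about your setup; the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original article): verify from inside a Linux
# guest that its only path out is through pfSense and that it has no route
# toward the host. Assumptions: pfSense LAN at 192.168.1.1 (pfSense's default)
# and VirtualBox's default host-only subnet 192.168.56.0/24.
set -eu

PFSENSE_LAN="${PFSENSE_LAN:-192.168.1.1}"
HOSTONLY_PREFIX="${HOSTONLY_PREFIX:-192.168.56.}"   # first three octets of the /24

# Print the default gateway found in the `ip route` text given as $1.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Succeed only if the default route goes through pfSense.
gateway_is_pfsense() {
    [ "$(default_gateway "$1")" = "$PFSENSE_LAN" ]
}

# Succeed only if no route (default or connected) mentions the host-only range.
no_hostonly_route() {
    ! printf '%s\n' "$1" | grep -q "$HOSTONLY_PREFIX"
}

# Print a verdict per check; return non-zero if any check fails.
check_routes() {
    rc=0
    if gateway_is_pfsense "$1"; then
        echo "OK   default gateway is pfSense ($PFSENSE_LAN)"
    else
        echo "FAIL default gateway is not pfSense: $(default_gateway "$1")"
        rc=1
    fi
    if no_hostonly_route "$1"; then
        echo "OK   no route into host-only range ${HOSTONLY_PREFIX}0/24"
    else
        echo "FAIL guest has a route into the host-only range"
        rc=1
    fi
    return $rc
}

# Live mode: read the kernel routing table and try the host-only gateway itself.
if [ "${1:-}" = "live" ]; then
    check_routes "$(ip route)"
    if ping -c 1 -W 1 "${HOSTONLY_PREFIX}1" >/dev/null 2>&1; then
        echo "FAIL host-only gateway ${HOSTONLY_PREFIX}1 answered ping"
        exit 1
    fi
    echo "OK   host-only gateway ${HOSTONLY_PREFIX}1 unreachable"
fi
```

Run it as `sh check-isolation.sh live` on the guest after switching its adapter to the internal network; a FAIL on either route check means the guest is still wired to a network the host can see.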

For more information on distinctions between network configurations please see the Virtualbox documentation here.

You should now be ready for malware analysis.

Additional Guests

In another article we will demonstrate how to setup CAPEv2 sandbox on an Ubuntu host as an additional guest machine. If you want to include Kali as mentioned above you can head to the following link to download the images of your choosing.

Give me the malware!

Here is a list of some sources for malicious code to analyze.

theZoo is a project created to make malware analysis open and available to the public. It has been around for quite a while.

Malware Traffic Analysis does a great job, particularly when it comes to providing samples with pcaps for malware traffic analysis.

Any.run is a popular public sandbox where you can register and download various samples.

Virustotal is the largest public database of malicious code on the planet. The catch: you need a paid account to download samples.

PMA Labs — Practical Malware Analysis was one of the most groundbreaking books during its time for learning to analyze malicious code. It also came with some great lab samples to practice with that are included with Flare VM.
