Before we analyze any malware species, we have to set up our environment to be safe from the malware we would be detonating as we take on this challenge.

I am taking this from my notes from Matt Kiely's PMAT course which you can find on TCM Academy or find 5 hours of the course on youtube which I'm using as my guide.

Before we jump ahead of ourselves let's talk about your systems requirements

1. At least 8GB of RAM or more

2. 150GB or more HDD

Useful Links and Resources

• Virtual box (Can take snapshots for free )

• Windows 10 64 Bit You can search: Windows Evaluation Center or Download Windows 10 enterprise

To keep our host organized create a document where you can store all your VMs and ISOs.

Setting up our lab

1. Build and configure our virtual lab environment

   Creating a virtual machine on Virtual Box is straightforward but if you need help I recommend watching this youtube video and remembering to take a snapshot.

2. Download and install chrome on your windows VM, search for "flare vm github" or navigate to the repository on github.

Note: You need enough storage for this one! More than 100GB ( It takes at least 40GB )

Open Powershell as administrator

Set-ExecutionPolicy Unrestricted Type A for yes to all

wget "https://github.com/fireeye/flare-vm/raw/master/install.ps1" -UseBasicParsing-outfile C:\Users\quest\Destop\install.ps1 cd C:\Users\quest\Desktop dir ./install.ps1

Note: Change Users\quest to that of your system path

Enter your password, and proceed to download and install

Note: It takes a long time Approx 2-5 hours or more depending on your internet and processor speed

Now take a snapshot and name flarevm-base or any name that sounds appropriate to you.

Sourcing Malware Samples

Before we start detonating malware samples in our lab, we need to first get the malware samples we would be using before we lockdown everything.

Sources for malware samples There is no need to go into the dark web, maybe not yet. The clear web has some amazing resources from places such as;

1. Lenny Zeltser zeltser.com/malware-sample-sources

2. The zoo github.com/ytisf/theZoo

3. VX-underground github.com/vxunderground/MalwareSourceCode

4. PMAT labs https://github.com/HuskyHacks/PMAT-labs

Next, we download procmon from the sysinternals suit which you can download the entire Sysinternals suit.

The next Virtual machine we would be working on is setting up REMnux. REMnux is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. We're going to use it to investigate malware without having to find, install, and configure the tools. This video takes you through how to set up your REMnux box.

Network Settings for our lab environment

We want to detonate malware in an environment that is physically separated from our physical system but logically connected meaning Flare Vm and REMnux are going to be connected on a separate network from our host machine.

First Go to tools on Virtual box and select the Network tab. Make sure it's on the Host-only Adapter.

Click create to create a new host-only network adapter

Configuring the Host-only Adapter

The IP address you choose for your VM should be different from your host IP address. Change the IP range so that it is noticeably different from your network.

Enable DHCP to allow Virtual box to assign IP addresses automatically. Now we go ahead and configure our DHCP Server

Applying our network settings to our virtual machines.

Note: In the following screenshots, the IP addresses used are different from the above examples because I documented this first before going back to take notes on how to create our network adapters.

On each VM, navigate to the settings tab

Locate the network tab and from the "Attached to" drop-down menu, select Host-only adapter and from the "Name" section, select the adapter you just created.

To make sure the 2 machines are connected, go ahead and ping both IP addresses and ping google.com

If your results from pinging google results in this message pop up on your screen, then you're good to move on to the next step.

ping google.com

Ping request could not find host google.com. Please check the name and try again.

Setting a fake internet on REMnux

Rumnux which is a Linux-based operating system is going to run a service that simulates real internet situations called INetsim

INetsim helps us keep our environment safe from speaking to the outside world and help us capture and study network traffic. We also get dummy file downloads with no real effect when we're analyzing a dropper malware ( more on this later )

Run sudo nano /etc/inetsim/inetsim.conf to open up the configuration file for INetsim.

This is the config file inetsim uses

1. Move down and uncomment start_service dns to make it active

1. Uncomment service_bind_address and change the IP address from 10.10.10.1 to 0.0.0.0 ( This binds all interfaces to the host )

1. Run ip a to check the IP address on REMnux

   

2. Change default dns to that of REMnux

Press Ctrl + O to write to the file. Leave the file name as default and Ctrl + X to exit

1. Run inetsim to test our fake internet

   

On our flare VM, let's change the preferred dns to that of inetsim

Move to flarevm and open a chrome instance and type 10.0.0.3 you should get a default inetsim instance.

Say the malware reaches out for a second-stage payload, INetsim gives us a default GUI binary that looks like this.

Conclusion

At this point, we have our lab ready to detonate some life malware without infecting our host machine. As a final note, you should always have a good snapshot to revert to and have a backup of files should anything happen to your host machine.