Reverse engineering can be a challenging task, especially when it comes to creating a virtual machine (VM) and setting up the necessary tools. Fortunately, there are tools that help with this process. One of them is FLARE-VM, which can install most baseline tools in a VM in just a few minutes.
How to Manually Set Up a Malware Analysis Lab at Home
As malware threats continue to evolve and become more sophisticated, it’s becoming increasingly important for security researchers and IT professionals to have the tools and knowledge necessary to analyze and understand malware. Setting up a malware analysis lab environment at home can be a great way to gain hands-on experience and stay up-to-date with the latest threats. In this guide, we’ll walk through the steps required to create your own malware analysis lab environment at home.
Choose Your Hardware
The first step in setting up a malware analysis lab environment is to choose the hardware that you will use to host the lab. At a minimum, you will need a computer with enough CPU cores, RAM, and disk to run several virtual machines at once, as well as a network interface card (NIC) that supports promiscuous mode if you want to capture the lab's traffic from the host. The ability to run multiple virtual machines is essential, as it allows you to set up several environments with different configurations and operating systems. Malware can behave differently on different systems, so you want to be able to test it in a variety of environments.
Choose Your Software
Next, you’ll need to choose the software that you’ll use to create the virtual machines that you’ll be using in your malware analysis lab environment. There are several options available, including VMware, VirtualBox, and Hyper-V. Each of these virtualization platforms has its own strengths and weaknesses, so it’s important to choose the one that best fits your needs and budget.
In addition to the virtualization software, you’ll also need to install an operating system on each virtual machine. For malware analysis, it’s best to use a clean installation of a common operating system, such as Windows 10, Ubuntu, or Kali Linux.
Install Analysis Tools
Once you've set up your hardware and software, it's time to install the tools that you'll be using to analyze malware. There are several different types of analysis tools that you may want to consider, including:
- Static analysis tools: These tools examine the code of a program without running it. Examples of static analysis tools include IDA Pro and Ghidra.
- Dynamic analysis tools: These tools observe the behavior of a program while it runs. They include debuggers such as OllyDbg and x64dbg as well as monitors such as Procmon, Wireshark, and Fiddler.
- Sandboxes: Sandboxes are isolated environments that can be used to safely run malware. Examples include Cuckoo (self-hosted) and Any.run (an online service).
- Memory analysis tools: These tools analyze a memory image (a dump of physical RAM or of a process) to recover injected code, hidden processes, and unpacked payloads. Examples of memory analysis tools include Volatility and Rekall.
FLARE-VM
Welcome to FLARE-VM – a collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a virtual machine (VM). FLARE-VM was designed to solve the problem of reverse engineering tool curation and relies on two main technologies: Chocolatey and Boxstarter. Chocolatey is a Windows-based NuGet package management system, where a "package" is essentially a ZIP file containing PowerShell installation scripts that download and configure a specific tool. Boxstarter leverages Chocolatey packages to automate the installation of software and create repeatable, scripted Windows environments.
Requirements
FLARE-VM should ONLY be installed on a virtual machine. The VM should satisfy the following requirements:
- Windows >= 10
- PowerShell >= 5
- Disk capacity of at least 60 GB and memory of at least 2 GB
- Usernames without spaces or other special characters
- Internet connection
- Tamper Protection and any Anti-Malware solution (e.g., Windows Defender) disabled, preferably via Group Policy
- Windows Updates Disabled
Installation instructions
Pre-installation
- Prepare a Windows 10+ virtual machine
- Install Windows in the virtual machine, for example using the raw Windows 10 ISO from https://www.microsoft.com/en-us/software-download/windows10ISO
- Ensure the requirements above are satisfied, including:
- Disable Windows Updates (at least until installation is finished)
- Disable Tamper Protection and any Anti-Malware solution (e.g., Windows Defender), preferably via Group Policy.
- Take a VM snapshot so you can always revert to a state before the FLARE-VM installation
FLARE-VM installation
- Open a PowerShell prompt as administrator
- Download the installation script install.ps1:
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"install.ps1")
- Unblock the installation script:
Unblock-File .\install.ps1
- Enable script execution:
Set-ExecutionPolicy Unrestricted -Force
- If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope in via:
Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
To view execution policies for all scopes, execute:
Get-ExecutionPolicy -List
- Finally, execute the installer script as follows:
.\install.ps1
- To pass your password as an argument:
.\install.ps1 -password <password>
- To use the CLI-only mode with minimal user interaction:
.\install.ps1 -password <password> -noWait -noGui
- To use the CLI-only mode with minimal user interaction and a custom config file:
.\install.ps1 -customConfig <config.xml> -password <password> -noWait -noGui
- After installation it is recommended to switch to host-only networking mode (so the VM can no longer reach the internet once samples run on it) and take a VM snapshot
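The whole installation sequence above as one script, added here as an example; it is not part of FLARE-VM and does only what the steps say, plus a pre-flight check of the requirements listed earlier. It assumes an elevated PowerShell prompt inside the VM that still has internet access, and the VM-detection heuristic, the reachability probe and the file name preflight.ps1 are assumptions of this example.

```powershell
# preflight.ps1 (added example, not part of FLARE-VM): check the requirements
# from this guide, then perform the download / unblock / execute steps.
# Run from an elevated PowerShell prompt inside the VM while it still has
# internet access. Take a hypervisor snapshot before running this.

$installerUrl = 'https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1'
$problems = @()

# Windows >= 10 and PowerShell >= 5
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([Version]$os.Version -lt [Version]'10.0') {
    $problems += "Windows $($os.Version) is older than Windows 10"
}
if ($PSVersionTable.PSVersion.Major -lt 5) {
    $problems += "PowerShell $($PSVersionTable.PSVersion) is older than 5"
}

# Disk of at least 60 GB on the system drive, at least 2 GB of RAM
$sysDrive = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
$diskGB = [math]::Round(($sysDrive.Used + $sysDrive.Free) / 1GB)
if ($diskGB -lt 60) { $problems += "System drive is $diskGB GB; at least 60 GB required" }
$ramGB = [math]::Round($os.TotalVisibleMemorySize / 1MB)   # property is in KB, so KB/1MB = GB
if ($ramGB -lt 2) { $problems += "RAM is $ramGB GB; at least 2 GB required" }

# Username must not contain spaces or other special characters
if ($env:USERNAME -notmatch '^[A-Za-z0-9_-]+$') {
    $problems += "Username '$env:USERNAME' contains spaces or special characters"
}

# FLARE-VM must only be installed in a VM (heuristic on reported hardware; assumption)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ("$($cs.Manufacturer) $($cs.Model)" -notmatch 'Virtual|VMware|VirtualBox|QEMU|KVM|Xen') {
    $problems += "Hardware '$($cs.Manufacturer) $($cs.Model)' does not look like a VM"
}

# Tamper Protection and Defender real-time protection must be off
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if ($mp.IsTamperProtected)         { $problems += 'Tamper Protection is still enabled' }
    if ($mp.RealTimeProtectionEnabled) { $problems += 'Defender real-time protection is still enabled' }
}

# Windows Update disabled (service start type) until the installation finishes
$wu = Get-Service -Name wuauserv
if ($wu.StartType -ne 'Disabled') {
    $problems += "Windows Update service start type is '$($wu.StartType)'; expected Disabled"
}

# Internet connection to the host that serves install.ps1
if (-not (Test-NetConnection -ComputerName 'raw.githubusercontent.com' -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
    $problems += 'Cannot reach raw.githubusercontent.com on TCP 443'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the problems above before installing FLARE-VM.'
}

# Download, unblock, allow script execution, then hand off to the installer.
# WebClient resolves relative paths against the process directory, not $PWD,
# so give it the full path.
$installer = Join-Path -Path $PWD -ChildPath 'install.ps1'
(New-Object System.Net.WebClient).DownloadFile($installerUrl, $installer)
Unblock-File -Path $installer
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force
Get-ExecutionPolicy -List

# CLI-only mode; the password is read interactively rather than stored in this file.
$password = Read-Host -Prompt 'Password of the VM user account'
& $installer -password $password -noWait -noGui
```

The checks are deliberately conservative: a failing check aborts before anything is downloaded, so the snapshot you took beforehand remains the last known-good state. After the installer finishes, switch the VM to host-only networking and snapshot again before bringing any sample into it.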
Installer GUI
The Installer GUI is displayed after executing the validation checks and installing Boxstarter and Chocolatey (if they are not installed already). Using the installer GUI you may customize:
- Package selection
- Environment variable paths
Configuration
The installer will download config.xml from the FLARE-VM repository. This file contains the default configuration, including the list of packages to install and the environment variable paths. You may use your own configuration by specifying the CLI argument -customConfig and providing either a local file path or a URL to your config.xml file. For example:
.\install.ps1 -customConfig "https://raw.githubusercontent.com/mandiant/flare-vm/main/config.xml"
Post installation steps
You can include any post installation step you like in the configuration inside the tags apps, services, path-items, registry-items, and custom-items.
For example:
- To show known file extensions:
<registry-items>
  <registry-item name="Show known file extensions" path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" value="HideFileExt" type="DWord" data="0"/>
</registry-items>
For more examples, check the default configuration file: config.xml.
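Added example (not code from the FLARE-VM project): read the registry-items section of a config.xml, report whether each item is present in the live registry, and apply any that are missing. The XML is a constructed sample that reuses the registry-item attributes shown above (name, path, value, type, data); the surrounding <config> wrapper and the second item are assumptions of this example.

```powershell
# Added example, not part of FLARE-VM: verify and (optionally) apply the
# <registry-items> of a config.xml. Constructed sample config below.

$sampleXml = @'
<config>
  <registry-items>
    <registry-item name="Show known file extensions"
                   path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
                   value="HideFileExt" type="DWord" data="0"/>
    <registry-item name="Show hidden files and folders"
                   path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
                   value="Hidden" type="DWord" data="1"/>
  </registry-items>
</config>
'@

# One result object per registry-item, with Applied = $true when the live
# registry already holds the expected data.
function Test-RegistryItems {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($item in $Config.SelectNodes('//registry-items/registry-item')) {
        $actual = $null
        if (Test-Path -Path $item.path) {
            $prop = Get-ItemProperty -Path $item.path -Name $item.value -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $actual = $prop.($item.value) }
        }
        [pscustomobject]@{
            Name     = $item.name
            Value    = $item.value
            Expected = $item.data
            Actual   = $actual
            Applied  = ($null -ne $actual) -and ("$actual" -eq $item.data)
        }
    }
}

# Apply every registry-item, creating missing keys. The type attribute uses
# the same names Set-ItemProperty -Type accepts (DWord, QWord, String, ...).
function Set-RegistryItems {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($item in $Config.SelectNodes('//registry-items/registry-item')) {
        if (-not (Test-Path -Path $item.path)) {
            New-Item -Path $item.path -Force | Out-Null
        }
        $data = if ($item.type -match '^(DWord|QWord)$') { [int64]$item.data } else { $item.data }
        Set-ItemProperty -Path $item.path -Name $item.value -Value $data -Type $item.type
    }
}

$config = [xml]$sampleXml
Test-RegistryItems -Config $config | Format-Table -AutoSize

# To apply only what is missing and re-check, uncomment:
# Set-RegistryItems -Config $config
# Test-RegistryItems -Config $config | Where-Object { -not $_.Applied }
```

Running the same check after a fresh install is a quick way to confirm that a custom config actually took effect, and after restoring a snapshot it tells you whether a sample tampered with these Explorer settings.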
Troubleshooting
If your installation fails, please attempt to identify the reason for the installation error by reading through the log files listed below on your system:
%VM_COMMON_DIR%\log.txt
%PROGRAMDATA%\chocolatey\logs\chocolatey.log
%LOCALAPPDATA%\Boxstarter\boxstarter.log
Ensure you are running the latest version of the FLARE-VM installer and that your VM satisfies the requirements.
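Added example (not part of FLARE-VM): triage a failed installation by pulling error lines out of the three logs named above, listing the packages Chocolatey reported as unsuccessful, and checking whether Defender quarantined anything. The match patterns follow Chocolatey's usual wording ("The install of X was NOT successful") and are an assumption; adjust them if your version logs differently. If VM_COMMON_DIR is not set in the session, the first log is skipped.

```powershell
# Added example, not part of FLARE-VM: collect installation errors from the
# FLARE-VM, Chocolatey and Boxstarter logs.

function Get-FlareVmLogPaths {
    $paths = @(
        (Join-Path -Path $env:ProgramData  -ChildPath 'chocolatey\logs\chocolatey.log'),
        (Join-Path -Path $env:LOCALAPPDATA -ChildPath 'Boxstarter\boxstarter.log')
    )
    if ($env:VM_COMMON_DIR) {
        $paths = @(Join-Path -Path $env:VM_COMMON_DIR -ChildPath 'log.txt') + $paths
    }
    $paths
}

# Last $Last matching lines per log, as objects you can sort or filter.
function Get-InstallErrors {
    param([string[]]$LogPath = (Get-FlareVmLogPaths), [int]$Last = 30)
    # Assumed patterns: Chocolatey failure summary lines, generic ERROR lines, dead URLs.
    $pattern = 'was NOT successful|\bERROR\b|Failures:|\b404\b'
    foreach ($path in $LogPath) {
        if (-not (Test-Path -Path $path)) { Write-Warning "Log not found: $path"; continue }
        Select-String -Path $path -Pattern $pattern | Select-Object -Last $Last | ForEach-Object {
            [pscustomobject]@{
                Log  = Split-Path -Path $path -Leaf
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
    }
}

# Distinct package names from "The install of <name> was NOT successful." lines.
function Get-FailedPackages {
    $names = foreach ($e in Get-InstallErrors -Last 1000) {
        if ($e.Text -match 'install of (\S+) was NOT successful') { $Matches[1] }
    }
    $names | Sort-Object -Unique
}

Get-InstallErrors | Format-Table -AutoSize -Wrap
'Packages reported as failed:'
Get-FailedPackages

# Reason 3 in the list below: if Defender was not fully disabled it may have
# removed a downloaded tool; its detection history shows what was taken.
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Select-Object -Property InitialDetectionTime, ProcessName, Resources
```

Once the cause is fixed (a blocked download, a stale URL, a re-enabled AV), a single package can be retried on its own with choco install <package> -y rather than re-running the whole installer.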
Installer Error
If the installation failed due to an issue in the installation script (e.g., install.ps1), report the bug in FLARE-VM. Provide all the information requested to ensure we are able to help you.
Note: Rarely should install.ps1 be the reason for an installation failure. Most likely it is a specific package or set of packages that are failing (see below).
Package Error
Packages fail to install from time to time — this is normal. The most common reasons are outlined below:
1. Failure or timeout from Chocolatey or MyGet to download a .nupkg file
2. Failure or timeout due to remote host when downloading a tool
3. Intrusion Detection System (IDS) or AV product (e.g., Windows Defender) prevents a tool download or removes the tool from the system
4. Host specific issue, for example when using an untested version
5. Tool fails to build due to dependencies
6. Old tool URL (e.g., HTTP STATUS 404)
7. Tool's SHA256 hash has changed from what is hardcoded in the package installation script
Reasons 1-4 are difficult for us to fix since we do not control them. If an issue related to reasons 1-4 is filed, it is unlikely we will be able to assist.
We can help with reasons 5-7 and welcome the community to contribute fixes as well! Please report the bug in VM-Packages providing all the information requested.
Updates
Note that package updates are best effort and that updates are not being tested. If you encounter errors, perform a fresh FLARE-VM install.
Obtain Malware Samples
The final step in setting up your malware analysis lab environment is to obtain malware samples that you can analyze. There are several sources of malware samples, including malware repositories, honeypots, and virus scanners. It’s important to be careful when downloading and handling malware samples, as they can be dangerous and may infect your system if not handled properly.
It's also important to keep in mind that some malware samples may be designed to detect and evade analysis tools. As a result, it may be necessary to use specialized tools and techniques to analyze these samples effectively. Transfer samples into the lab as archives and unpack them only inside the isolated VM, never on the host. Download samples from: https://www.github.com/ytisf/theZoo
Practice Safe Analysis
Now that you’ve set up your malware analysis lab environment, it’s important to practice safe analysis techniques. Malware can be dangerous and may infect your system if not handled properly. To avoid this, make sure that you follow these best practices:
- Use a dedicated system or virtual machine for analysis purposes only. Do not use the same system for personal or business activities.
- Keep the host system and your analysis tools up to date with the latest security patches. Inside a FLARE-VM guest, Windows Updates stay disabled as required above, so protect the guest with isolation and snapshots rather than patching.
- Keep antivirus software enabled and up to date on the host. Inside the analysis VM, antivirus has to be disabled (it would quarantine both the tools and the samples), so treat the VM as permanently untrusted and never reuse it for anything else.
- Only download and analyze malware samples from reputable sources.
- Always analyze malware in a safe and controlled environment, such as a sandbox or virtual machine.
- Take precautions to prevent the spread of malware. For example, isolate your analysis environment from the rest of your network, and use a separate network interface card (NIC) for monitoring network traffic.
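Added example (not from the guide's sources): a check to run inside the guest, after switching to host-only networking, to confirm the VM really is isolated before a sample is executed. The probe targets (example.com and 1.1.1.1) and the private-address pattern are assumptions of this example; the snapshot itself cannot be verified from inside the guest and remains a manual step on the hypervisor.

```powershell
# Added example, not part of FLARE-VM: verify lab isolation before detonation.
# Run inside the analysis VM. Any finding means "do not run the sample yet".

function Test-LabIsolation {
    $findings = @()

    # 1. A host-only adapter normally has no gateway, so there should be no default route.
    $defaultRoutes = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
    if ($defaultRoutes.Count -gt 0) {
        $findings += "Default route(s) present via $($defaultRoutes.NextHop -join ', ')"
    }

    # 2. Every IPv4 address should be loopback, link-local or RFC 1918 private space.
    $private = '^(127\.|169\.254\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
    foreach ($ip in Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue) {
        if ($ip.IPAddress -notmatch $private) {
            $findings += "Public address $($ip.IPAddress) on $($ip.InterfaceAlias)"
        }
    }

    # 3. Neither name resolution nor outbound TCP/443 should reach the outside world.
    if (Resolve-DnsName -Name 'example.com' -ErrorAction SilentlyContinue) {
        $findings += 'DNS still resolves external names (example.com)'
    }
    if (Test-NetConnection -ComputerName '1.1.1.1' -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue) {
        $findings += 'Outbound TCP 443 to 1.1.1.1 succeeded'
    }

    # 4. Mapped network drives give a sample a path off the VM; they should be gone.
    $mappings = @(Get-SmbMapping -ErrorAction SilentlyContinue)
    if ($mappings.Count -gt 0) {
        $findings += "Mapped drives: $($mappings.RemotePath -join ', ')"
    }

    [pscustomobject]@{ Isolated = ($findings.Count -eq 0); Findings = $findings }
}

$result = Test-LabIsolation
if ($result.Isolated) {
    'VM looks isolated; safe to proceed with detonation.'
} else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
    throw 'VM is not isolated. Fix the findings (and re-snapshot) before running a sample.'
}
```

A passing result only covers the guest's own view of the network; shared folders, clipboard sharing and drag-and-drop are configured on the hypervisor side and should be disabled there as well before any sample is introduced.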
Source: Flare-VM Github, ringzerolabs.com