Setting Up Malware Analysis Environments

Sep 6, 2024

Malware Analysis Environment Setup

Introduction

  • Importance of having a ready-to-go environment for malware analysis.
  • Overview of two recommended tools: Remnux and FlareVM.

Remnux

  • Definition: Toolkit for reverse engineering and analyzing malicious software.
  • Features:
    • Curated collection of free tools from the community.
    • Allows analysts to investigate malware without installation hassles.
  • Creator: Lenny Zeltser, SANS instructor for course 4610 (Reverse Engineering Malware).
  • Installation options:
    • Virtual machine download.
    • Install on OS.
    • Install in a container using Docker.

FlareVM

  • Definition: Collection of software installation scripts for Windows.
  • Usage: Prepares Windows VM for malware analysis.
  • Requirements:
    • Must run Windows 10 or above for the most recent version.
  • Installation process:
    1. Pause Windows Updates:
      • Open Start menu, type "updates", and select "pause updates for 7 days".
    2. Disable Windows Security Features:
      • Disable tamper protection and antivirus.
      • Ensure real-time protection is off.
    3. Run PowerShell as Admin:
      • Type "PowerShell", right-click, and select "Run as administrator".
    4. Download and unblock installer:
      • Use a PowerShell command to download the installer script.
      • Navigate to the download directory and unblock the script (Unblock-File).
    5. Enable script execution:
      • Set-ExecutionPolicy Unrestricted, confirm options.
    6. Run Installation Script:
      • Execute the installer and follow prompts (may require password).
      • GUI appears for tool selection.
    7. Post Installation:
      • Restart VM as needed.
      • Important: Disable Windows Defender via Group Policy for stability.
      • Configure networking to host-only or internal network.
      • Take a snapshot for future analysis.
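A pre-flight script for the FlareVM steps above, added here as an example (it is not part of the original notes or of the FlareVM project). It only reads the VM's state and reports what is still blocking the install: elevation, Windows version, Defender real-time/tamper/antivirus state, and execution policy; if everything is clear it downloads and unblocks the installer and prints its hash for review. The `$InstallerUrl` value is a placeholder to be replaced with the install-script URL from the FlareVM README, and the script assumes it is run in an elevated PowerShell on the analysis VM.

```powershell
# Added example: FlareVM pre-flight check (not the project's own installer).
# Assumes an elevated PowerShell session on the analysis VM.
param(
    [string]$InstallerUrl = "https://example.invalid/placeholder/install.ps1",  # placeholder, replace with the FlareVM README URL
    [string]$DownloadDir  = "$env:USERPROFILE\Desktop"
)

$problems = @()

# 1. Elevation: the installer must run from an administrative session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { $problems += "PowerShell is not running as administrator." }

# 2. OS version: Windows 10 and Windows 11 both report major version 10.
$os = [System.Environment]::OSVersion.Version
if ($os.Major -lt 10) { $problems += "Windows 10 or later is required (found $os)." }

# 3. Defender state: real-time protection, tamper protection and AV must be off,
#    otherwise the analysis tools get quarantined while the installer unpacks them.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if ($mp.RealTimeProtectionEnabled) { $problems += "Real-time protection is still enabled." }
    if ($mp.IsTamperProtected)         { $problems += "Tamper protection is still enabled." }
    if ($mp.AntivirusEnabled)          { $problems += "Antivirus is still enabled." }
} catch {
    Write-Host "Defender status not readable (module missing or Defender removed); skipping that check."
}

# 4. Execution policy: the install script is unsigned and is blocked under the default policy.
$policy = Get-ExecutionPolicy
if ($policy -ne "Unrestricted" -and $policy -ne "Bypass") {
    $problems += "Execution policy is '$policy'; run Set-ExecutionPolicy Unrestricted first."
}

if ($problems.Count -gt 0) {
    Write-Host "Not ready for the FlareVM install:" -ForegroundColor Yellow
    $problems | ForEach-Object { Write-Host "  - $_" }
    exit 1
}

# 5. Download the installer and clear the Mark-of-the-Web so PowerShell will run it.
$installer = Join-Path $DownloadDir "install.ps1"
Invoke-WebRequest -Uri $InstallerUrl -OutFile $installer
Unblock-File -Path $installer

# Print the hash so the analyst can compare it with the value published by the project.
Get-FileHash -Path $installer -Algorithm SHA256 | Format-List Algorithm, Hash, Path
Write-Host "Pre-flight passed. Review $installer, then run it from this elevated session."
```

Run it before step 6; it exits non-zero and lists every remaining blocker rather than stopping at the first one, so a single pass shows everything that still has to change on the VM.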

Downloading and Importing Remnux

  1. Navigate to the Remnux site and download the VirtualBox OVA.
  2. Verify the OVA:
    • Generate the file hash and compare it with the published one.
    • Use Get-FileHash in PowerShell.
  3. Import into VirtualBox:
    • Double-click the OVA file after verification.
    • Start Remnux in VirtualBox (no login required).
  4. Static Analysis:
    • Use Remnux for static analysis or other tasks.
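The verification and import steps above, plus the host-only networking and clean snapshot recommended at the end of the FlareVM section, as one added PowerShell example (not part of the original notes or of the Remnux project). It hashes the OVA, refuses to continue unless the SHA-256 matches, imports the appliance with VBoxManage under a known name, moves its first NIC to a host-only adapter and takes a baseline snapshot. `$ExpectedSha256` is a placeholder to be replaced with the hash published on the Remnux download page; `$HostOnlyAdapter` assumes the adapter name VirtualBox creates by default on Windows hosts and may differ on yours; `VBoxManage` is assumed to be on PATH.

```powershell
# Added example: verify, import and isolate the Remnux OVA (not the project's own code).
param(
    [Parameter(Mandatory)][string]$OvaPath,
    [string]$ExpectedSha256  = "REPLACE_WITH_PUBLISHED_SHA256",            # placeholder from the download page
    [string]$VmName          = "remnux",
    [string]$HostOnlyAdapter = "VirtualBox Host-Only Ethernet Adapter"    # assumed default name on Windows hosts
)

if (-not (Test-Path $OvaPath)) { throw "OVA not found: $OvaPath" }

# 1. Hash the download and fail closed on any mismatch (including an unreplaced placeholder).
#    PowerShell's -ne on strings is case-insensitive, so upper/lower-case hex both match.
$actual = (Get-FileHash -Path $OvaPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch for $OvaPath`n  expected: $ExpectedSha256`n  actual:   $actual"
}
Write-Host "Hash verified: $actual"

# 2. Import the appliance under a fixed name (the CLI equivalent of double-clicking the OVA).
& VBoxManage import $OvaPath --vsys 0 --vmname $VmName
if ($LASTEXITCODE -ne 0) { throw "VBoxManage import failed with exit code $LASTEXITCODE" }

# 3. Isolate the VM: host-only networking keeps samples off the internet and the LAN.
& VBoxManage modifyvm $VmName --nic1 hostonly --hostonlyadapter1 $HostOnlyAdapter
if ($LASTEXITCODE -ne 0) { throw "VBoxManage modifyvm failed with exit code $LASTEXITCODE" }

# 4. Snapshot the untouched state so every analysis session starts from the same baseline.
& VBoxManage snapshot $VmName take "clean-baseline" --description "Fresh import, hash verified"
if ($LASTEXITCODE -ne 0) { throw "VBoxManage snapshot failed with exit code $LASTEXITCODE" }

Write-Host "Imported '$VmName' on host-only adapter '$HostOnlyAdapter' with snapshot 'clean-baseline'."
```

Invoke it as `.\import-remnux.ps1 -OvaPath .\remnux.ova -ExpectedSha256 <published hash>`; because the comparison runs before the import, a tampered or truncated download never reaches VirtualBox, and restoring `clean-baseline` after each sample returns the VM to the verified state.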

Conclusion

  • Now equipped with both Remnux and FlareVM for malware analysis.
  • Recommended learning resources:
    • Follow Josh Strachan for further insights on malware analysis.
  • Summary: Stay curious and explore different methods in malware analysis.