Transcript for:
Setting Up Malware Analysis Environments

When it comes to malware analysis, having an environment that is ready to go with pre-built tools will save you a lot of time. In today's video, I want to introduce you to both REMnux and FLARE VM. These two are great to have, and you can install them pretty quickly, so the next time you want to analyze malware, you can do just that.

We'll start with REMnux. From their site, REMnux is a toolkit for reverse engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools, which is a great thing to have. In other words, for those who want to get started without installing tools, REMnux is your go-to. REMnux was created by Lenny Zeltser, who is a fellow SANS instructor for FOR610, which is Reverse-Engineering Malware. There are many different ways that we can install REMnux: we can install it by downloading and importing their virtual machine, download REMnux itself and install it on our OS, or install it in a container using Docker.

Switching over to FLARE: FLARE VM was created by the folks over at Mandiant, and it is a collection of software installation scripts for Windows. When the scripts are finished running, your Windows VM will be prepped and ready for malware analysis. There is one caveat, though: for the most recent FLARE VM version, you will have to be running Windows 10 or above, so you must create a Windows 10 virtual machine to get started. If you don't know how to get started, I created a video here that you can follow to help you do just that.

Both are incredibly useful, and I highly recommend that you have them ready to go in your tool set. The way I typically have it is that I'll have FLARE and REMnux up and running at the same time. I'll use FLARE VM to do the dynamic malware analysis, whereas I'll use REMnux to be my proxy using Burp Suite. By using the Burp Suite proxy, I can intercept traffic and decrypt it to reveal additional information that the malware has generated.

So let's jump right in to how we can get started with FLARE VM on our Windows 10 machine. There are some requirements that you should look out for before you get started with FLARE VM. Avoid using usernames containing a space or special characters. In my case, my username is sally, so I should be good to go. Your disk space should also be at least 80 GB, and you want your memory to be at least 2 GB.

We first want to make sure we pause our Windows updates for the time being until our installer is completed. So let's do that first. We'll open up the Start menu and type in "updates", hit Enter, and then at the bottom you want to make sure you select "Pause updates for 7 days". Once your updates have been paused, we want to move over to Windows Security on the left-hand side. Now we want to disable both our tamper protection and antivirus, so we'll click on Virus & threat protection, scroll down to Manage settings, and disable our real-time protection. Then tamper protection is next. Now our settings are good to go.

To start running our installer, we want to make sure we open up PowerShell with admin privileges, so I'll type in "powershell", click on Run as administrator, and hit OK. Now that we have our PowerShell window open, we want to paste in this command (I'll leave it down below). I'll hit Enter, and this should go out to the internet and start downloading our install PowerShell script, which we see on the desktop.

Next, we want to unblock the installation script, but first you need to make sure you're in the same directory as where your installation script is located. In my case, it's on the desktop, which is why my current directory right now is the desktop. We'll type in Unblock-File, type in "install", and hit Tab to auto-complete. Perfect. The next command is going to enable script execution, so we will type in Set-ExecutionPolicy Unrestricted and hit Enter. It will prompt you with some options; however, since we are in a lab environment, I'll go ahead and hit A for "Yes to All". Awesome.

Now that we have all of that out of the way, we can start running our script. So we can just type in install.ps1 and hit Enter. The script will go out and do its thing, and it will also do some additional checks before running. For example: "Please disable Windows Defender through Group Policy, reboot, and then rerun this installer." But we don't have to do that; instead, I'm just going to hit Y to proceed. The script will continue to notify you of any warnings that it might detect, so in this case it's saying that this Windows version has not yet been tested, but that's okay, I'll still proceed. After we go through all of the warnings, it's asking you for the password, so we will type in our password and hit Enter. Now it will go out and grab everything and start installing FLARE VM on your machine.

Eventually this GUI will show up, and it will ask you where you want your tools to be installed. You can install certain tools by adding them by clicking on the arrows, or you can remove them by clicking on the arrows again. You have the option to remove all or add all. In my case, I'll just add everything and hit OK. Do note that your computer will restart; however, once it's done restarting, the script will automatically run again.

Alrighty, after a couple of reboots, we finally have FLARE installed. It did take a while, but that is because I chose to install everything. If you want to access the tools, you can open them from the desktop over here, or, depending on where you chose to install your tools, you can navigate to that directory. By default, the tools are listed under the C drive under the Tools directory. And there they are.

If you recall earlier, when I ran the install script, it mentioned a warning that you should disable Defender via Group Policy. Now, because it is a lab environment, I chose not to do so. However, I do recommend that you disable Windows Defender via Group Policy, because then Defender won't constantly re-enable itself. For example, if I head over to Defender and go under Manage settings, you'll see that my real-time protection is turned on. If you were to disable this via Group Policy, it should stay off for you. So that is one thing to keep in mind. If you don't disable it via Group Policy, you'll just have to double-check this to make sure that it is disabled before you start doing your malware analysis.

All there is left to do is just make sure you configure the networking mode on your virtual machine to either Host-only or Internal Network. Now that we have FLARE VM up and running, make sure that you take a snapshot, so the next time you play with malware you can always revert back and you'll be good to go again.

Next, we will download REMnux and import it into VirtualBox. Navigating over to the REMnux site, we want to scroll down and download the REMnux virtual machine, so we click on Download. On this page, it'll present you with two options to download the OVA: you've got your general OVA, and you've also got your VirtualBox OVA. Depending on which hypervisor you're using, the general OVA should work. However, because I am using VirtualBox, it is instructing me to make sure I get the VirtualBox version. So I'll click on the VirtualBox tab, then click on Box to download, and hit Download.

Once the REMnux OVA has finished downloading, it's always a good idea to verify the hash. So if we click on the VirtualBox OVA hash, take note of "412" ending in "7b9". We will go and generate a file hash of our OVA just to make sure it is the same. Open up a PowerShell window and make sure that you're in the same directory as where the OVA is located. Then you want to type in Get-FileHash and your REMnux OVA. Depending on your resources, calculating this hash might take a while due to its size, but if you do recall, the first couple of characters were "412" and it ended in "7b9". Once we have verified that the hash matches, we can double-click the OVA file; this will automatically import it into VirtualBox. Once REMnux has finished importing into your VirtualBox, you can go ahead and click on Start to start it up. And that is it, super easy. There are no login credentials; it just drops you right into REMnux, and now you can go ahead and start doing your static analysis or whatever you want to do in REMnux. If you did want to set up a Burp Suite proxy like I did, I'll leave a blog post in the description down below for you to go and check it out.

You now have two machines ready to go the next time you want to perform malware analysis to identify additional IOCs to help you in your next investigation. I by no means am a malware analysis expert, but if you are interested in malware analysis, I highly recommend Josh Strachan. I might have butchered his last name, but I'll leave a link down below. That is it for the video. I hope you found it informative, and if you did, let me know by hitting that like button, and subscribe if you want to. Remember, stay curious and do things differently.
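Added example (editor's note; this is not code from the video, from FLARE VM or from REMnux): a PowerShell pre-flight script that turns the manual checks walked through in the video into something you can run from an elevated PowerShell on the Windows 10 VM before `install.ps1`. It checks the username, free disk and RAM (using the 80 GB and 2 GB figures quoted in the video), reports the Defender real-time and tamper-protection state, reads the registry value written by the "Turn off Microsoft Defender Antivirus" Group Policy that the installer asks for, checks the execution policy, strips the mark of the web from the downloaded installer the way `Unblock-File` does, and compares a downloaded OVA's hash against the published value as the video does with `Get-FileHash`. The `install.ps1` and `remnux.ova` paths, the SHA-256 default and the `<full SHA-256 ...>` placeholder are assumptions to replace with your own values.

```powershell
# Added example: pre-flight checks for a FLARE VM install plus OVA hash verification.
# Not the video's or the projects' own code. Thresholds are the ones quoted in the
# video; file paths and the expected hash below are placeholders.
#Requires -RunAsAdministrator

function Test-FlareVmPrereqs {
    [CmdletBinding()]
    param(
        [int]$MinFreeDiskGB = 80,   # video: disk "at least 80 gigs"
        [int]$MinMemoryGB   = 2     # video: memory "at least 2 gigs"
    )
    $r = [ordered]@{}

    # Username must not contain spaces or special characters.
    $r.UsernameOk = $env:USERNAME -match '^[A-Za-z0-9_-]+$'

    # Free space on the system drive and installed RAM.
    $sys = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
    $r.FreeDiskGB = [math]::Round($sys.Free / 1GB, 1)
    $r.DiskOk     = $r.FreeDiskGB -ge $MinFreeDiskGB
    $r.MemoryGB   = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $r.MemoryOk   = $r.MemoryGB -ge $MinMemoryGB

    # Defender state. Tamper protection cannot be switched off from PowerShell
    # (it is the GUI toggle in the video), so it is only reported here.
    $mp = Get-MpComputerStatus
    $r.RealTimeProtectionOff = -not $mp.RealTimeProtectionEnabled
    $r.TamperProtectionOff   = -not $mp.IsTamperProtected

    # The installer asks for Defender to be disabled through Group Policy; the
    # "Turn off Microsoft Defender Antivirus" policy writes this registry value.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                            -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $r.DefenderPolicyDisabled = ($null -ne $pol) -and ($pol.DisableAntiSpyware -eq 1)

    # Script execution must be allowed for the downloaded installer
    # (the video uses Set-ExecutionPolicy Unrestricted).
    $r.ExecutionPolicy   = (Get-ExecutionPolicy).ToString()
    $r.ExecutionPolicyOk = $r.ExecutionPolicy -in @('Unrestricted', 'Bypass')

    $r.AllOk = @($r.UsernameOk, $r.DiskOk, $r.MemoryOk,
                 $r.RealTimeProtectionOff, $r.TamperProtectionOff,
                 $r.DefenderPolicyDisabled, $r.ExecutionPolicyOk) -notcontains $false
    [pscustomobject]$r
}

function Unblock-InstallerScript {
    param([Parameter(Mandatory)][string]$Path)
    # Files saved from the internet may carry a Zone.Identifier alternate data
    # stream (the "mark of the web"); Unblock-File deletes it so the script is no
    # longer treated as downloaded content. Returns $true once the stream is gone.
    if (Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        Unblock-File -Path $Path
    }
    return -not (Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
}

function Test-OvaHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash,
        # Assumption: the download page publishes SHA-256; match whatever it lists.
        [ValidateSet('SHA256', 'SHA1', 'SHA512', 'MD5')][string]$Algorithm = 'SHA256'
    )
    # Get-FileHash streams the file, so a multi-GB OVA works but takes a while.
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    [pscustomobject]@{
        Path     = $Path
        Expected = $ExpectedHash.Trim().ToUpper()
        Actual   = $actual
        Match    = ($actual -eq $ExpectedHash.Trim())   # string -eq is case-insensitive
    }
}

# --- usage (placeholders: adjust paths; paste the full hash from the REMnux download page) ---
$checks = Test-FlareVmPrereqs
$checks | Format-List
if (-not $checks.AllOk) { Write-Warning 'Fix the failing items above before running install.ps1.' }

Unblock-InstallerScript -Path "$env:USERPROFILE\Desktop\install.ps1"

$ova = Test-OvaHash -Path "$env:USERPROFILE\Downloads\remnux.ova" `
                    -ExpectedHash '<full SHA-256 from the download page>'
if (-not $ova.Match) { Write-Error "Hash mismatch for $($ova.Path): do not import this OVA." }
```

Two caveats the script makes visible: the `DisableAntiSpyware` policy is only honored once tamper protection is off, which is why the video turns that toggle off first, and `Set-ExecutionPolicy Unrestricted` is a persistent machine-wide change, acceptable on a throwaway lab VM that you snapshot afterwards, as the video recommends, but not something to carry over to a host you care about.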