Malware Analysis Lab Setup (FlareVM)
Malware Lab
Hey there, welcome back to my blog
Today, I’ll be going through how I set up my malware analysis lab. Without further ado, let’s get into it.
Requirements
- A virtualization software, could be VirtualBox or VMWare but in this case, we’ll use VirtualBox
- At least 4GB RAM
VirtualBox Installation
The first thing you’ll need to do is download VirtualBox and the extension pack. You can get VirtualBox for any of the supported platforms here: VirtualBox. The extension pack can also be found here: VirtualBox Extension Pack. After downloading and installing VirtualBox, simply run the extension pack and it gets installed too.
The next thing you’ll want to do is download the Windows 10 ISO file. You can download that here: Windows 10. If you’re using Windows, you’ll most likely have to download the Windows Media Creation Tool, which will create the ISO for you.
Open VirtualBox after getting everything and then click on ‘New’ to create a new VM.
Type in a name for your lab, leave the type and version as seen below. Select wherever you’d like to store the VM files.
Next, we need to specify the amount of memory for the VM. This depends on your system’s capabilities, but the minimum amount of RAM needed is 4GB, and that’s what I’m using.
Then, allocate 80GB for the virtual disk image.
Finally, click Finish and you’ve created the virtual machine.
Next up, configuration!!
VM Configuration
Start up your VM. You’ll get a pop-up like this
Click the dropdown menu and select your Windows 10 ISO and then click ‘Mount and Retry Boot’. And the installation starts.
Select your language and time and then install.
When the product key page shows up, input your key if you have a valid one; otherwise just click ‘I don’t have a product key’. Next, select Windows 10 Pro as the OS to be installed.
Accept the T&Cs and select Custom install. Select the drive shown on screen and click Next.
As the installation finishes, detach the Windows ISO file using the Devices tab in the VM and move ahead with the installation. Select your region. Select your keyboard layout.
Set up for personal use, then select Offline account and click Limited experience. Type in your username and set a password as well as the 3 security questions.
Next, you can just turn off all the options there and click ‘Accept’. Skip the next prompt. Allow Windows to do its thing, and after a while the installation should be complete.
Next, we need to add the Guest Additions to the VM. Go to the Devices tab and click Insert Guest Additions CD image. Go to File Explorer, open the Guest Additions disk, run VBoxWindowsAdditions-amd64 and click Yes. Click Next through all the prompts and then allow it to reboot. The Guest Additions help the VM run smoothly.
Next, we disable Windows Update. Right-click the Start menu and select Run, then type in services.msc, scroll down to Windows Update and double-click it. Stop the service and set its startup type to Disabled. This is what it should look like
Next go to Windows Security. In the Virus and Threat Protection Section, click manage settings and turn off everything.
Then press Win+R and type gpedit.msc. Go to Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Real-Time Protection. Select Turn off real-time protection and set it to Enabled. Then go back to Microsoft Defender Antivirus and do the same for Turn off Microsoft Defender Antivirus. Reboot when you’re done.
Next, go to File Explorer, click the View tab in the ribbon and check the File name extensions and Hidden items boxes.
After you’ve done this, create a snapshot. Name it BaseLine with any description you see fit.
FlareVM installation and setup
The next and final thing is the installation of FlareVM, which has the tools we need to make our lab a lab. Go to Mandiant. Save the install.ps1 file on your desktop. Follow the instructions below, after getting the script.
The installation will take a while, at least 2 hours to complete. If any of the packages fail to install, open PowerShell as administrator and run choco install -y <package-name>. If all goes well, your VM desktop should look like this
Finally, we’ll have to change the Network Adapter to Host-only before analyzing any malware samples, so that a running sample has no path to the internet or to other machines on your network and can’t contaminate the host.
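Before taking the BaseLine snapshot and again after switching to Host-only, it is worth re-checking the manual steps above (Windows Update service, the two gpedit settings, Defender real-time protection, Explorer view options, network isolation). The following script is an added example written for this post, not part of the original post or of FlareVM; it assumes a Windows 10 Pro guest and an elevated PowerShell, and the no-default-gateway test is a heuristic for a host-only adapter.

```powershell
# Added lab baseline check (not from the original post). Run as administrator
# inside the VM; every check reads state set by the manual steps in the post.
$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Ok, $Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Ok; Detail = $Detail })
}

# 1. Windows Update service stopped and disabled (services.msc step)
$wu = Get-Service -Name wuauserv
Add-Check 'Windows Update service stopped+disabled' `
    ($wu.Status -eq 'Stopped' -and $wu.StartType -eq 'Disabled') `
    "Status=$($wu.Status) StartType=$($wu.StartType)"

# 2. Registry values written by the two gpedit.msc settings
$defPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpPol = Join-Path $defPol 'Real-Time Protection'
$disableAv  = (Get-ItemProperty -Path $defPol -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
$disableRtp = (Get-ItemProperty -Path $rtpPol -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
Add-Check 'Policy: Turn off Microsoft Defender Antivirus' ($disableAv -eq 1) "DisableAntiSpyware=$disableAv"
Add-Check 'Policy: Turn off real-time protection' ($disableRtp -eq 1) "DisableRealtimeMonitoring=$disableRtp"

# 3. Live Defender state. Once the engine is fully disabled by policy,
#    Get-MpComputerStatus fails, which counts as a pass here.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Check 'Defender real-time protection off' (-not $mp.RealTimeProtectionEnabled) `
        "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
} catch {
    Add-Check 'Defender real-time protection off' $true 'Defender service not running'
}

# 4. Explorer shows extensions (HideFileExt=0) and hidden items (Hidden=1)
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Add-Check 'Explorer shows file extensions' ($adv.HideFileExt -eq 0) "HideFileExt=$($adv.HideFileExt)"
Add-Check 'Explorer shows hidden items' ($adv.Hidden -eq 1) "Hidden=$($adv.Hidden)"

# 5. Host-only heuristic: VirtualBox host-only networking hands the guest no
#    default gateway, so any IPv4 default gateway means a route out still exists.
$gateways = Get-NetIPConfiguration |
    Where-Object { $_.IPv4DefaultGateway } |
    ForEach-Object { $_.IPv4DefaultGateway.NextHop }
Add-Check 'No IPv4 default gateway (host-only networking)' (-not $gateways) "Gateways=$($gateways -join ',')"

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failing checks before taking the BaseLine snapshot or running samples.'
}
```

Re-run it after restoring the BaseLine snapshot too, since a restore brings back whatever state the snapshot captured.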