Setup Malware Analysis Lab

The lab has a Windows 10 machine to detonate malware (FlareVM) and an Ubuntu Linux machine (REMnux) to detect malware activity on the network and redirect it (DNS).

Both VMs sit on an internal network to reduce the possibility of malware spreading to the host or to the rest of the LAN. Because of that, the network settings have to be configured manually on each machine, which takes less time than setting up iptables rules etc.

Remnux

Download it from the official site; the analysis tools are already installed.

Network configuration

There is no DHCP server on an internal network, so give REMnux a static address. Indent the YAML with spaces, not tabs (YAML rejects tabs), and nest the interface under ethernets:

sudo nano /etc/netplan/01-netcfg.yaml

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:                     # the adapter attached to the internal network, check the name with: ip link
      dhcp4: no
      addresses: [10.0.0.3/24]
      gateway4: 10.0.0.1

sudo netplan apply

Once the Windows machine's network settings point to it, the Linux machine will also act as the DNS server of the network, so every request is redirected here and we can intercept malware activity. With INetSim it can also serve files, so that a malware or ransomware attack chain continues instead of stalling.

INetSim setup

sudo nano /etc/inetsim/inetsim.conf

The settings to adjust are service_bind_address and dns_default_ip, both set to the REMnux address (10.0.0.3), so that INetSim listens on the internal network and answers every DNS query with its own IP.

AFTER THE SETUP OF THE VMs AND NETWORK

To check that it works, open Chrome on the FlareVM machine and browse to any site: you should be redirected to the INetSim default page. From a command prompt, any name should resolve to the REMnux address:

nslookup site.com

FlareVM

Download the Windows 10 ISO from the official site and create a clean virtual machine from it.

Pre-Installation

Disable the proxy auto-detect setting

  1. In the Windows search bar, search “proxy settings”,
  2. Switch “Automatically detect settings” button off

Tamper Protection must be disabled first, otherwise Group Policy settings are ignored.

  1. Open Windows Security (type Windows Security in the search box)
  2. Virus & threat protection > Virus & threat protection settings > Manage settings
  3. Switch Tamper Protection to Off

    It is not necessary to change any other setting (Real Time Protection, etc.)

To permanently disable Real Time Protection:

  1. Make sure you disabled Tamper Protection
  2. Open Local Group Policy Editor (type gpedit in the search box)
  3. Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
  4. Enable Turn off real-time protection
  5. Reboot

    Make sure to reboot before making the next change

To permanently disable Microsoft Defender:

  1. Make sure you rebooted your machine
  2. Open Local Group Policy Editor (type gpedit in the search box)
  3. Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
  4. Enable Turn off Microsoft Defender Antivirus
  5. Reboot

FlareVM setup

Open an administrator PowerShell prompt.

Download the install script from the official GitHub repository to the Desktop:

(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

Unblock the file downloaded from the internet:

Unblock-File .\install.ps1

Set the execution policy:

Set-ExecutionPolicy Unrestricted

Run it:

.\install.ps1 -password <password>

After that a GUI lets you choose the tools to install; alternatively, install the tool set from the PMAT course by HuskyHacks directly:

.\install.ps1 -customConfig https://raw.githubusercontent.com/HuskyHacks/PMAT-labs/main/config.xml

It's important to disable the bidirectional clipboard and any other "links" with the host, such as shared folders, if present.

Network setup

Set the DNS server and the default gateway to the IP of the REMnux machine (10.0.0.3 in the netplan configuration above).


General network checks

From both VMs, ping the other VM, an external IP such as Google DNS (8.8.8.8), your host IP and the internal IPs of your network.

No address should be reachable except the other VM on the internal network.
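The same check as a script run from the REMnux VM (added example, not part of the original notes). It assumes the FlareVM address is 10.0.0.2 and uses 192.168.1.10 as a placeholder for the host IP; replace both with your own values.

```shell
#!/usr/bin/env bash
# Isolation check for the lab: each line of CHECKS is "<address> <expect>",
# where expect is "reachable" (only the peer VM on the internal network)
# or "unreachable" (anything outside it). 10.0.0.2 (FlareVM) and
# 192.168.1.10 (host) are assumed placeholders, adjust them to your lab.
CHECKS="
10.0.0.2 reachable
8.8.8.8 unreachable
192.168.1.10 unreachable
"

# probe <ip>: one ICMP echo with a 2 s timeout; exit status 0 = reachable.
probe() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# verdict <expect> <probe_status>: PASS when the observed result matches
# what an isolated lab must show, FAIL otherwise.
verdict() {
    case "$1:$2" in
        reachable:0|unreachable:[1-9]*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# check_isolation: probes every entry, prints one line per address and
# returns 0 only if every result matches its expectation.
check_isolation() {
    local failures=0 addr expect status v
    while read -r addr expect; do
        [ -z "$addr" ] && continue
        if probe "$addr"; then status=0; else status=$?; fi
        v=$(verdict "$expect" "$status")
        printf '%-15s expected %-11s -> %s\n' "$addr" "$expect" "$v"
        [ "$v" = FAIL ] && failures=$((failures + 1))
    done <<EOF
$CHECKS
EOF
    [ "$failures" -eq 0 ]
}

check_isolation || echo "isolation check FAILED: do not detonate anything yet"
```

Any FAIL line means traffic can leave the internal network (or the peer VM is misconfigured); fix the adapter settings before taking the pre-detonation snapshot.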

Important

Take snapshots after important changes to the VMs and before detonating malware.