Malware Analysis Lab Build
Learning the craft of malware analysis requires building a lab in which malicious binaries and files can be safely executed and analyzed. Such a lab usually involves multiple virtual machines that can interact with each other but not with any other computer on the network where the host OS resides, nor with the Internet. This means that an isolated network that only those virtual machines can reach has to be created.
VirtualBox is one of the most commonly used hypervisors since it is free and runs on the most popular operating systems; it also has the features needed to configure the network that the virtual machines use and to take snapshots of the virtual machine state.
In this post, the creation of a lab that uses VirtualBox and an isolated network is detailed. For the network configuration, the Internal Network is used and a DHCP server is configured in VirtualBox to hand out the IP addresses to the hosts; this is where this lab varies from other setups that I've seen.
Windows Host
Most malware is created for the Windows OS, so a virtual machine that runs this OS and has the necessary tools for analyzing the malware is required.
The Windows 10 ISO can be downloaded from the Microsoft Evaluation Center; the Windows 11 ISO is also available on the same site. For the lab setup detailed here, a Windows 10 VM is used, though it is also possible to use Windows 11.
The virtual machine is created with the Name of FlareVM (this can be anything and doesn't affect the rest of the lab build), the Type set to Microsoft Windows and the Version set to Windows 10 (64-bit). The amount of memory to reserve for the virtual machine will vary depending on the memory available on the host system; 4 GB (4096 MB) is generally a good amount to work with. The Hard disk size can be set to a minimum of 60 GB, though I usually set this to 100 GB.
After the virtual machine is created, I make some additional changes to the configuration prior to starting the machine for the first time:
In the System section, EFI is enabled, though this isn't required since the legacy BIOS can also be used.
In the Processor tab, the settings will depend on the available resources of the host system. I set the processor count to 2 and also enable PAE/NX and Nested VT-x/AMD-V.
For the Display section, increase the Video Memory to 128 MB, which is the highest value available when 3D Acceleration is not enabled. I leave 3D Acceleration disabled as I've found that it tends to cause display issues in Windows 10.
All other options can be left in their default configuration. The virtual machine can now be started and Windows 10 installed as normal. During the installation process, disconnect the network cable from the virtual machine by right-clicking on the network icon at the bottom of the virtual machine window and unchecking the Connect network adapter option; this prevents Windows from attempting to install updates and from requiring a Microsoft 365 account to create the user account.
After the Windows 10 OS has been installed, power off the system and create a snapshot of the virtual machine to have a restore point that can be used if necessary. The snapshot can be created with the following steps:
- Click on the Tools menu button that is found on the right side of the virtual machine entry in the VirtualBox main window
- Select the Snapshots option from the menu
- Click on the Take button from the toolbar; a window is displayed where a name and a description can be given to the snapshot
Start the Windows 10 virtual machine again and follow the steps in the Flare-VM repository to install the tools that will be used for malware analysis within the Windows 10 virtual machine. This process requires a connection to the Internet, so be sure to enable the network connectivity.
REMnux
The other virtual machine is REMnux, a GNU/Linux distribution that contains several tools for malware analysis and reverse engineering.
The virtual appliance can be downloaded from the REMnux documentation; a VirtualBox OVA file is provided with the virtual machine already set up.
While the virtual machine can be used as is, I recommend reviewing the settings and increasing the Processor, Memory, and Display resources depending on what the host system has available.
Isolated Network Setup
Once the virtual machines have been installed and are ready to be isolated, the Internal Network can be created in VirtualBox. Setting up the DHCP server that will be used can only be done through the CLI, using the VBoxManage command.
The first command that is executed creates the DHCP server:
VBoxManage dhcpserver add --network malwarelab --ip 10.0.0.1 --netmask 255.255.255.0 --lowerip 10.0.0.10 --upperip 10.0.0.100
Breaking down the command to detail each of the options that are specified:
- --network: specifies the name that the network receives; it is used to reference the network when configuring the virtual machines or the DHCP server
- --ip: specifies the IP address that the DHCP server uses; it can be set to either the first or the last address in the subnet range, and no other virtual machine can use this address
- --netmask: sets the network mask used for the subnet. Even though only two virtual machines are created, other machines can be added to analyze more complex samples or certain behavior, so leaving this as a large netmask is fine
- --lowerip: specifies the start of the range of IP addresses that can be assigned to the hosts that make DHCP requests
- --upperip: specifies the end of the range of IP addresses available for assignment; in this sample command there are 90 IP addresses in the pool, which should be enough
At this point the initial configuration is created; however, there are a couple of DHCP options that need to be set in order to use the REMnux virtual machine to capture any outbound requests made from the Windows 10 virtual machine. The command below sets the DNS and Default Gateway parameters so that the Windows 10 host sends all of its requests to the REMnux host:
VBoxManage dhcpserver modify --netname malwarelab --set-opt=3 '10.0.0.2' --set-opt=5 '10.0.0.2' --set-opt=6 '10.0.0.2'
The --set-opt option is used to specify the DHCP option that is being set. Several options exist; the ones set in the command above are:
- 3: Default Gateway
- 5: Name Server
- 6: Domain Name Servers
Option 6 is the one that sets the DNS server; however, option 5 is also set to make sure that any requests to resolve a host or domain name are sent to the REMnux host.
These options are not dynamic, meaning that the REMnux virtual machine must have the IP address specified in the above command assigned via a static lease. This is configured with the command below:
VBoxManage dhcpserver modify --network malwarelab --mac-address 08002780A107 --fixed-address '10.0.0.2'
The --mac-address option is used to specify the MAC address of the network interface, which is obtained from the Network configuration for the virtual machine in VirtualBox. Make sure to check that the MAC address matches the one on the interface in the output of ip a, since some systems may set a random value that differs from the one set in VirtualBox.
At this point, the DHCP server can be enabled so that the virtual machines can use it; this is done with the command below:
VBoxManage dhcpserver modify --netname malwarelab --enable
The configuration can be verified by running the command below, which lists all of the DHCP servers that are configured in VirtualBox:
VBoxManage list dhcpservers
The final step is to set the Network configuration in each of the virtual machines that are part of the lab. After shutting down the virtual machines, go to the Network section in the Settings, set Attached to to Internal Network and select malwarelab from the Name dropdown.
Once the virtual machines are started, verify that the IP addresses are assigned as expected and that the virtual machines are able to reach each other.
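As an added example that is not part of the original post, the following Python script (function names and the LAB_PLAN values are assumptions; the addresses mirror the commands above) checks a lab plan for the constraints described in this section, namely that the DHCP server address and the REMnux static lease lie inside the subnet but outside the dynamic pool, normalizes the MAC address as shown by VirtualBox and by ip a, and prints the VBoxManage commands in the order they must be run.

```python
# Added example (not from the original post): check an isolated-lab plan against
# the constraints the post relies on, then emit the VBoxManage commands in order.
# Function names and LAB_PLAN are assumptions; the addresses mirror the post.
import ipaddress
import re

def normalize_mac(mac: str) -> str:
    """Bring VirtualBox's 08002780A107 and `ip a`'s 08:00:27:80:a1:07 to one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def validate_plan(plan: dict) -> list:
    """Return a list of violated constraints (empty when the plan is sound)."""
    net = ipaddress.ip_network(f"{plan['server_ip']}/{plan['netmask']}", strict=False)
    ips = {k: ipaddress.ip_address(plan[k])
           for k in ("server_ip", "lower_ip", "upper_ip", "remnux_ip")}
    problems = [f"{k} {v} is outside {net}" for k, v in ips.items() if v not in net]
    low, high = ips["lower_ip"], ips["upper_ip"]
    if low > high:
        problems.append("lower_ip must not exceed upper_ip")
    # Neither the server's own address nor the REMnux static lease may sit inside the
    # dynamic pool: options 3/5/6 point every guest at REMnux, so it must be stable.
    for k in ("server_ip", "remnux_ip"):
        if low <= ips[k] <= high:
            problems.append(f"{k} {ips[k]} lies inside the dynamic pool")
    return problems

def build_lab_commands(plan: dict) -> list:
    """Return the post's VBoxManage commands, in the order they must be run."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    n, gw = plan["network"], plan["remnux_ip"]
    mac = normalize_mac(plan["remnux_mac"]).replace(":", "").upper()
    return [
        f"VBoxManage dhcpserver add --network {n} --ip {plan['server_ip']} "
        f"--netmask {plan['netmask']} --lowerip {plan['lower_ip']} --upperip {plan['upper_ip']}",
        # Option 3 = default gateway, 5 = name server, 6 = domain name servers.
        f"VBoxManage dhcpserver modify --netname {n} --set-opt=3 '{gw}' --set-opt=5 '{gw}' --set-opt=6 '{gw}'",
        f"VBoxManage dhcpserver modify --network {n} --mac-address {mac} --fixed-address '{gw}'",
        f"VBoxManage dhcpserver modify --netname {n} --enable",
    ]

# Constructed plan using the post's addresses and its sample MAC address.
LAB_PLAN = {"network": "malwarelab", "server_ip": "10.0.0.1", "netmask": "255.255.255.0",
            "lower_ip": "10.0.0.10", "upper_ip": "10.0.0.100",
            "remnux_ip": "10.0.0.2", "remnux_mac": "08002780A107"}

if __name__ == "__main__":
    print("\n".join(build_lab_commands(LAB_PLAN)))  # paste the output into the host shell
```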
Keep in mind that the Internal Network that is created has no access to any other network, and only the virtual machines in this malwarelab network can reach each other; this means that the virtual machines are completely isolated.