How to Set Up a Malware Analysis VM? The Complete Guide

So you want to set up a malware analysis environment.

NOTE: all the tools and settings are listed in this article, but I don't go into great detail on any of them. I will hopefully expand everything over time; for now, use this article as an array of pointers to investigate yourself.

There are lots of guides online on how to do this, but here I want to show what I do, mainly (as always) to remind myself.

There are different philosophies on how to build the perfect analysis machine and, more broadly, the whole environment. They range from the minimalist side (like OALabs does, check it here) to a full suite of preselected tools (like Mandiant does with FLARE VM, check it here).

I tried both and they are obviously both fine. I lean towards the minimalist side, but some additional tools can simplify your life a lot. I started with the minimal number of tools and then added one each time I discovered and actually used a new one. In the end, what use is a whole suite of tools if you don't know how to use them?

My Environment Setup

I work with 3 VMs (right now I'm using VirtualBox):

  • Static Analysis Windows 10 machine
  • Dynamic Analysis Windows 10 machine
  • Remnux Linux machine

Select a non-Home edition of Windows (Pro or Enterprise).

Why Remnux? It lets me do some static analysis work from Linux (which is my daily driver and I'm comfortable with it). Also, it is safer: Windows malware does not run natively on Linux, so handling samples there carries less risk.

I have a shared folder between my host and the Remnux machine, mounted read-only on the guest side. All 3 machines are on an internal network with nothing else on it (and no route to the internet).

img1

The way I deliver files to the Windows machines is through INetSim: its fake HTTP service on Remnux serves the sample (an http_static_fakefile entry in inetsim.conf maps a URL path to the file), and I fetch that URL from the Windows guest with the browser or Invoke-WebRequest. No shared folders touch the Windows machines.

Some other settings I use are:

  • Deny deletion in the samples folder: Properties > Security > Advanced > Add > Select a principal > "Everyone" > Type: Deny > Show advanced permissions > tick "Delete" and "Delete subfolders and files". This stops a sample (or a careless click) from wiping the evidence you still need.
  • Remove clickable links from text editors like Notepad++, so a stray click on a URL inside a sample cannot open it. For Notepad++ navigate to Settings > Preferences > Cloud & Link and, under Clickable Link Settings, remove the Enable checkmark.
  • The Windows machines have a folder that is excluded from Defender, so samples are not quarantined the moment they land on disk.
  • PowerShell scripts are allowed with Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass (Process scope, so it only lasts for the current shell and resets when you close it).
  • Also, VERY IMPORTANT: ASLR is disabled, so addresses stay the same between runs and match between the debugger and the disassembler.

Obviously, take a clean snapshot once everything is installed and revert to it after every run.
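The settings above, applied from an elevated PowerShell prompt inside the Windows VM. This is an added example, not a script from the original article: the samples folder C:\Samples is an assumption, and the MoveImages registry value is the legacy system-wide ASLR switch, set here alongside Set-ProcessMitigation so both the old and the new mechanism agree.

```powershell
# Run as Administrator inside the analysis VM, then take the clean snapshot.
$Samples = 'C:\Samples'   # assumed location of the samples folder
New-Item -ItemType Directory -Path $Samples -Force | Out-Null

# 1. Deny deletion for Everyone on the samples folder (same as the GUI steps above).
#    The Deny rule inherits to files and subfolders; remove it with RemoveAccessRule to revert.
$acl  = Get-Acl -Path $Samples
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $Samples -AclObject $acl

# 2. Exclude the folder from Defender so samples are not quarantined on arrival.
#    Only this folder is excluded; the rest of the VM keeps real-time protection.
Add-MpPreference -ExclusionPath $Samples

# 3. Allow scripts for this shell only (Process scope resets when the shell closes).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# 4. Disable system-wide ASLR so load addresses are stable across runs (reboot required).
#    MoveImages = 0 is the legacy switch; Set-ProcessMitigation covers the Windows 10 policy.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Set-ItemProperty -Path $mm -Name MoveImages -Value 0 -Type DWord
Set-ProcessMitigation -System -Disable ForceRelocateImages, BottomUp, HighEntropy

# Verify what was applied before snapshotting.
(Get-Acl -Path $Samples).Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
(Get-MpPreference).ExclusionPath
Get-ItemProperty -Path $mm -Name MoveImages | Select-Object MoveImages
Get-ProcessMitigation -System | Select-Object -ExpandProperty ASLR
```

The Deny rule also blocks Administrators from deleting inside the folder, which is the point; clean up by reverting to the snapshot rather than by editing permissions. Keep step 4 off any machine that is not a throwaway analysis VM.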

Tools Installed

  • 010 Editor: Hex editor
  • 7-Zip: version 15.05 is useful for unpacking installers
  • API Monitor: hooks and logs Windows API calls made by a process
  • Autoruns: for more details, untick "Options > Hide Windows Entries"
  • Binary Ninja: disassembler/decompiler
  • Binary Refinery (binref): command-line transforms for extracting and decoding payloads. Use it in a Python venv
  • Binwalk: binwalk -e <file>, extract embedded data
  • Burpsuite
  • CAPA
  • CAPE
  • CFF Explorer: Manipulation of PE files
  • ctrl2cap: swaps Ctrl with Caps Lock on Windows (only needed because I swap Ctrl and Caps Lock)
  • CyberChef: available online or as a downloadable offline copy. Download it, since the VM has no internet access
  • Defender Remover (Win10)
  • Dependency Walker: lists the DLLs and exports a PE depends on
  • DiE: Detect It Easy, info on compilers, packers and other things for PE files. Press "S" to show the detection rule
  • Diffing tools: Ybindiff, Meld, BinDiff / vBinDiff
  • dnSpy: decompiler for C#
  • Exiftool: image metadata
  • Firefox: browser of choice, with the following add-ons for hardening (uMatrix is no longer maintained, so do not rely on it alone)
    • uMatrix
    • NoScript
    • uBlock
  • FLOSS: an advanced strings.exe. It can extract 4 types of strings: static (classic), stack (built at runtime on the stack), decoded (strings recovered by emulating decoding routines) and tight (a special form of stack string decoded in a tight loop). Use the --only parameter followed by the string type to make it quicker
  • Ghidra: disassembler/decompiler
  • glogg: to read huge log files
  • Hashing: automated sandboxes and the PE tools above report hashes; otherwise md5deep, WinMD5 or the built-in Get-FileHash cmdlet
  • HxD: hex editor. "Extras > Open main memory" lets you inspect a process's RAM live
  • IDA: disassembler/decompiler
  • ILSpy: like dnSpy but sometimes works better
  • INetSim: needed on the Remnux side, where it fakes the usual internet services (DNS, HTTP, SMTP and so on); there is no need for it on Windows
  • lnk-parser: parser for LNK files
  • Notepad++: text editor. It supports multiple highlight styles, so you can mark several search terms at once
  • PEBear: PE file viewer
  • PEiD: old signature-based packer/compiler identifier
  • PEStudio: very useful for initial triage. Flags imported Windows API functions that are commonly abused by malware
  • pe_unmapper: converts a memory dump of a loaded (mapped) PE image back to its raw file layout
  • PortexAnalyzer: PE file viewer
  • Procmon: Process Monitor to monitor processes
  • Python3: for scripting
  • Regshot: snapshot the registry (and file system) before and after a run and diff the two
  • ResourceHacker: easy manipulation of PE resources
  • strings.exe: Sysinternals tool that dumps printable ASCII and Unicode strings
  • TrID: best to get the file types
  • Wireshark: for analyzing PCAPs
  • x64dbg: debugger with everything you need, plus these plugins
    • ScyllaHide: hides the debugger from common anti-debugging checks
    • OllyDumpEx: dumps a running process back to a PE file
    • xAnalyzer: annotates API calls and arguments in the disassembly

There are others I use, but these are the ones I always install in my labs and feel comfortable with. Here is the final product:

img2