Setting Up A Home Lab — Malware Analysis Part 3
Malware Analysis Home Lab (With Screenshots)
Before starting to analyse the malware, it is very important to set up a secure malware analysis lab where you can safely analyse and detonate malware without infecting your host machine or your network. The last thing you want is for a piece of malicious software to break free and start causing havoc on your main computer or corporate network.
An example of how you can set one up
The tutorial that I referred to was this one by Grant Collins. However, a lot has changed with VirtualBox, so for my setup I will highlight what you need to know and what I struggled with the most while setting up my malware analysis home lab.
Here are a few things to note.
1. Host Machine
At the very top level, you’ll have your everyday computer — often what is called the “host.” This is your normal workstation, the system you trust, your laptop.
You need to ensure that it remains clean and free from any direct exposure to the malicious code you’re analysing. The host machine will run virtualization software (like VMware, VirtualBox or Hyper-V) to create and manage virtual machines (VMs).
For my setup, I used VirtualBox because it’s free. However, there are better paid-for options like VMware.
2. The Isolated Network
Inside the host’s virtualization environment, you’ll set up a completely isolated virtual network. This is a case where what happens inside stays inside: whatever other network you attach for downloading tools, switch the VMs back to this isolated network before running any sample.
3. The Analysis Virtual Machine (FlareVM)
One key component within the isolated network is a dedicated virtual machine for analysis.
Many analysts will use pre-configured environments like FlareVM, which comes loaded with reverse engineering tools, debuggers, disassemblers, and other forensics utilities.
This VM is your main workspace for digging into the malware sample. Because it’s virtualized and running inside a quarantined environment, you can safely detonate the malware and observe what it does — without endangering your host machine.
And so you might ask: why not just use a vanilla Windows/Linux machine? Well, you can. However, you will need to preconfigure a lot of things in order to get everything working. A pre-configured environment comes ready with all the core software — debuggers, disassemblers, network sniffers, memory analysis tools, and other utilities — already in place.
Also, with a pre-built solution, you know the environment has been tested and optimized by experts, and also comes with industry support. So if you get stuck, there will be lots of tutorials and forums to help you debug your way out.
4. The C2 Server (REMnux)
Many types of malware rely on a C2 (Command and Control) server, for example to exfiltrate data or to receive instructions. The REMnux server acts as a fake C2: the malware will try to send stolen data to it or fetch new orders, but in reality it is talking to a server you control, so you are able to watch everything it is doing.
A few difficulties I encountered when setting up:
- Creating a connection between my FlareVM and REMnux
- First, I will create a host-only network, which is a special kind of virtual network created by your virtualization software (VirtualBox in this case) that allows your computer (the “host”) and the virtual machines (VMs) running on it to talk to each other — but nothing else.
How to:
Open VirtualBox, Click on Tools, then Create:
On the Host-Only tab, configure as follows. There are default IPs assigned, but I chose to change those as follows:
I then created the NAT network on the NAT tab with the following configuration (make sure to enable DHCP):
Now we will assign this Network to our FlareVM Virtual Machine.
Select your FlareVM virtual machine from the list, then Settings. This will open up a dialog box. Scroll down to Network.
In the dialog box, under Attached to: select the Host-only Network option from the drop-down. Then set Promiscuous Mode to Allow VMs and check Cable Connected. Click OK and close.
Now onto the REMnux server. This will set up my C2 server to capture the network traffic from my FlareVM machine.
- Start your REMnux server VM from the VMs you have listed:
Repeat the same process that you did with FlareVM.
- Settings, then Network, then attach it to the Host-Only Network and check Cable Connected.
Once the REMnux VM starts, open the terminal and type inetsim. Take note of the IP it is listening on.
We also need to set up the configuration file, which is what is highlighted here:
On the terminal, type the following command: sudo nano /etc/inetsim/inetsim.conf
This will open up the configuration file which you can now edit as per this video:
Just a summary of what you need to do:
- Uncomment the start_service dns line.
- Uncomment the service_bind_address 0.0.0.0 line and ensure it matches this.
- Lastly, uncomment the dns_default_ip 10.0.0.3 line. Note that this is the same IP that we saw earlier; make sure it matches yours as well.
You can now see that dns_53_tcp_udp is actually running.
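The three INetSim edits above, applied and then checked by a small script I am adding here (it is not part of the original post nor of INetSim itself). It works on a constructed excerpt of inetsim.conf, uncomments the three directives, and verifies that the DNS service is started, the bind address is 0.0.0.0 and dns_default_ip matches the REMnux IP (10.0.0.3 in this lab); the excerpt is constructed, not the real file.

```python
import re
# Constructed excerpt of /etc/inetsim/inetsim.conf (not the real file) in the
# state the post describes: the three relevant lines are still commented out.
SAMPLE_CONF = """\
# INetSim configuration (constructed excerpt)
#start_service dns
start_service http
#service_bind_address   10.10.10.1
#dns_default_ip         10.10.10.1
"""

def configure_inetsim(conf, remnux_ip):
    """Uncomment/set the three directives; a missing one is appended."""
    wanted = {
        "start_service dns": "start_service dns",
        "service_bind_address": "service_bind_address 0.0.0.0",
        "dns_default_ip": f"dns_default_ip {remnux_ip}",
    }
    out, seen = [], set()
    for line in conf.splitlines():
        bare = line.lstrip("#").strip()  # drop a leading comment marker
        # whole-word match so "start_service dns" never catches "start_service http"
        hit = next((k for k in wanted
                    if re.match(rf"{re.escape(k)}(\s|$)", bare)), None)
        if hit:
            out.append(wanted[hit])
            seen.add(hit)
        else:
            out.append(line)
    out += [v for k, v in wanted.items() if k not in seen]
    return "\n".join(out) + "\n"

def check_inetsim(conf, remnux_ip):
    """Return the problems a FlareVM client would hit with this config."""
    active = {}
    for line in conf.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # blank and commented-out lines are not in effect
        key, _, value = s.partition(" ")
        active.setdefault(key, []).append(value.strip())
    problems = []
    if "dns" not in active.get("start_service", []):
        problems.append("DNS service is not started (start_service dns)")
    if active.get("service_bind_address", [""])[-1] != "0.0.0.0":
        problems.append("service_bind_address is not 0.0.0.0")
    if active.get("dns_default_ip", [""])[-1] != remnux_ip:
        problems.append(f"dns_default_ip does not match REMnux IP {remnux_ip}")
    return problems
```

Running check_inetsim on the real file after editing it gives a quick confirmation before you restart inetsim and look for dns_53_tcp_udp in its output.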
Now back on the FlareVM, configure your network settings as follows: open Network and Internet, select Ethernet, then Change adapter options.
Use the following video to change your settings (from 14:26 to 18:00).
My settings look as follows. Select Properties and edit as follows:
Double-click Internet Protocol Version 4 (TCP/IPv4) and edit as follows:
Note that the default gateway and the preferred DNS server are the same IP address as the REMnux C2 server.
Click ok and close.
To check that a connection has been established, make sure the REMnux VM is running, then ping its IP from the FlareVM as follows and see if you get a response.
If you see this, your system is ready to go!