My Kind of Malware Analysis Lab Set-up

By on





In this write-up I'll go over with my Malware Analysis Lab set-up to kind of run through the basics of safety Malware handling when analysing real world Malware. The aim of this write-up is to document my journey in Malware Analysis to practice safety Malware handling ALWAYS!


In the above diagram, you'll find my current Malware Analysis Lab environment wherein we will use it to detonate and dissect Malwares for analysis. We will use FlareVM a Windows based Malware Analysis Distribution and REMnux OS to isolate our Host machine and run these OS thru virtual machine. The virtual environment is isolated and not in anyway connected to our host machine and wild Internet. This is purposely done to get rid of the risk associated with the tasks while we examine and detonate Malwares which is very HARMFUL and RISKY by its nature. So our goal is to practice SAFETY ALWAYS when handling Malware!


Goal:

Malware analysis provides a very accurate and comprehensive list of IoCs compared to other methods such as log analysis or digital forensics. Some of these IoCs may be very difficult to identify using other digital investigation or forensics methods. And because of this, I’ve always had a strong interest in malware analysis. The process of breaking something down, looking at its individual parts, testing hypotheses as to what its capable of. This is something that has always drawn me to explore more into this field.


Tools:

-FlareVM

-REMnux

-Virtual Machine / Virtualization Software



FlareVM

FLARE VM is a freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensic investigators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and others.

FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.


REMnux

REMnux is an Ubuntu-based Linux distribution with a toolkit for reverse-engineering and analysing malicious software. It provides a curated collection of free tools created by the community. Reverse engineers and Analysts can use it to investigate malware without having to find, install, and configure the tools.


Virtualization Software

We will use virtualization software to create controlled and isolated environments for studying and analyzing malicious software.This tool allows us to create virtual machines (VMs) on our host systems, enabling us to run different operating systems and isolate potentially malicious software from our main system. This will also provide us networking capabilities that allow virtual machines to be isolated to the outside world and enable us to make a private internal network, making it suitable for analyzing malware that relies on network communication. Additionally, the tools offer features such as snapshotting, cloning, and snapshot differencing, which are valuable for capturing and analyzing the behavior of malware in a controlled environment.


Comments

Post a Comment

Popular posts from this blog

GOAD Active Directory LAB Setup on a Windows host

By on
Image
 In this write-up, I am going to explain how I set up the GOAD Active directory lab from my Windows host using VMware, along with a number of errors and steps and procedure I went through how I fixed them. GOAD (Game of Active Directory) lab is created by Orange Cyberdefense to provide pentesters a ready-to-use, vulnerable AD environment in which to practise common attack methods. As described in the Github page, “the lab is intended to be installed from a Linux host”, but it is still possible to successfully install the lab from a Windows host. I did not want to install the lab inside a virtual Ubuntu machine, as nested virtualisation would slow down performance too much. On high level, my setup will look like: Windows host: with Vagrant installed to run the VMs on VMware. VMware Pro: with Ubuntu 22.04 VM installed to run ansible playbooks to make the AD vulnerable. In this environment, there are two different available labs: GOAD : 5 vms, 2 forests, 3 domains (full goad lab) GOAD...
Read more

My Short Analysis - Redline Infostealer

By on
Image
  In this write up, Let's tear up a specific sample of Infostealer malware and deep dive into some of its functions. This is just short analysis of Redline Infostealer malware and it is intended for educational and entertainment purposes only. The reason for picking up this sample is because of its significant and rampant in the cybercrime ecosystem. One of the most common and prolific malware stealers out there in the wild. Distributed in the cybercrime marketplace and the dark web. So, without further ado let's take a look on this malware and unravel some of its functions. Executive Summary: RedLine Stealer is a malicious program that harvest users’ confidential data from browsers, systems, installed software, credit card information and domain information of enterprise environment. It also infects operating systems with other malware. Distributed in underground forums for sale as standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This ma...
Read more

Regular expressions - Notes

By on
Image
  Regular expressions - Notes Introduction What are regular expressions? Regular expressions (or Regex) are patterns of text that you define to search documents and match exactly what you're looking for. Why should I learn how to use them? Even if you won't need them sooner or later, it's a great tool to know how to use. It will make you more capable in CTF's, and potentially a better developer if that's a goal you have. You spend a little time learning it and save yourself lots of time in the long run by using it. I know all that, but I'm lazy. This is a lazy person's tutorial. There's a little reading, and then you  learn by doing . Where's the 'Deploy' button? There's no machine to deploy.  There are two ways to test your expressions. Either: create a text file with some test paragraphs (in a Unix machine) and then use  egrep <pattern> <file>  to see what matches and what doesn't, or use an online editor like  https://r...
Read more