Post

Setting up a Windows Malware Analysis Lab Enviroment Using Flare

Setting up a Windows Malware Analysis Lab Enviroment Using Flare

Setting up Flare VM for Malware Analysis

In this guide we are going to learn how to setup a safe and practical lab enviroment for malware analysis. We will be focusing on a windows lab enviroment using Flare VM. This is an open source project that contains scripts to setup a windows lab enviroment with tools for analyzing and reversing malware.

Here is a link to the project:

https://github.com/mandiant/flare-vm

Choosing a Virtualization Platform:

The most common options for easy virtualization are vmware and virtualbox.

In this guide we will be using virtualbox. You can find information about how to download the software here:

https://www.virtualbox.org/wiki/Downloads

Download a Windows 10 iso:

We will need a windows ISO with a version greater or equal to 10.

At the time of writing you can obtain a copy from here:

https://www.microsoft.com/en-us/software-download/windows10ISO/

Setup the Windows VM:

Before we can use Flare VM we will need to setup our windows 10 virtual machine.

I will not be going over how to setup a Windows VM as the steps varry between virtualization software. I will however put links below that show you how to setup a vm.

Preferably we want to use windows 10 pro as it makes the next steps a bit easier.

You can avoid needing a microsoft account by disconnecting the vm from the internet when running the install. Windows 10 pro also gives an “offline account” option.

Here are the links:

Installing Flare:

Once we have our vm up we can begin the install process for Flare.

img

Step 1 Disabling Windows Updates on Windows 10 pro:

  • Open the Group Policy Editor
    • Search for “group policy” and click “Edit group policy”
  • Follow the path: Computer Configuration > Administrative Templates > Windows Components > Windows Update

img

image

Double-click “Configure Automatic Updates.”

image

Then set to “Disabled”

image

If you do not have windows 10 pro on your VM additional methods can be used.

Step 2 Disabling Tamper Protections and Anti Virus:

Flare prefers us to do this via group policy but it can also be done via windows defender.

We are going to disable real-time protection via group policy like the last step.

  • Open the Group Policy Editor again
  • Follow this path: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
  • Double-click “Turn off real-time protection”

image

Set to “Enabled”

alt text

To disable microsoft defenderfollow the same process as above with a different path.

  • Open the Group Policy Editor
  • Follow the path: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus

image

Enable “Turn off Microsoft Defender Antivirus”

alt text

Now restart the machine.

Finishing the Install:

Next we are going to run the install scripts for the Flare VM setup. These can be found at their github page: https://github.com/mandiant/flare-vm

We are going to follow the instructions as they are listed on gituhub:

They are as follows:

  • Open a PowerShell prompt as administrator
  • Download the installation script installer.ps1 to your Desktop:
    • (New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")
  • Unblock the installation script:
    • Unblock-File .\install.ps1
  • Enable script execution:
    • Set-ExecutionPolicy Unrestricted -Force
      • If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope in via Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force. To view execution policies for all scopes, execute Get-ExecutionPolicy -List
  • Finally, execute the installer script as follow:
    • .\install.ps1
      • To pass your password as an argument: .\install.ps1 -password <password>
      • To use the CLI-only mode with minimal user interaction: .\install.ps1 -password <password> -noWait -noGui
      • To use the CLI-only mode with minimal user interaction and a custom config file: .\install.ps1 -customConfig <config.xml> -password <password> -noWait -noGui
  • After installation it is recommended to switch to host-only networking mode and take a VM snapshot

Running this script will take a long time. I recommended to walk away during the install as it can take over 3 hours.

When you return you should be greated by the flare VM background and all the tools installed. This would be a good time to take another VM snapshot.

flare

Your desktop might look slightly different as I moved some stuff around.

Happy reversing….

This post is licensed under CC BY 4.0 by the author.