Post

Setting up a Windows Malware Analysis Lab Enviroment Using Flare

Setting up a Windows Malware Analysis Lab Enviroment Using Flare

Setting up Flare VM for Malware Analysis

In this guide we are going to learn how to setup a safe and practical lab enviroment for malware analysis. We will be focusing on a windows lab enviroment using Flare VM. This is an open source project that contains scripts to setup a windows lab enviroment with tools for analyzing and reversing malware.

Here is a link to the project:

https://github.com/mandiant/flare-vm

Choosing a Virtualization Platform:

The most common options for easy virtualization are vmware and virtualbox.

In this guide we will be using virtualbox. You can find information about how to download the software here:

https://www.virtualbox.org/wiki/Downloads

Download a Windows 10 iso:

We will need a windows ISO with a version greater or equal to 10.

At the time of writing you can obtain a copy from here:

https://www.microsoft.com/en-us/software-download/windows10ISO/

Setup the Windows VM:

Before we can use Flare VM we will need to setup our windows 10 virtual machine.

I will not be going over how to setup a Windows VM as the steps varry between virtualization software. I will however put links below that show you how to setup a vm.

Preferably we want to use windows 10 pro as it makes the next steps a bit easier.

You can avoid needing a microsoft account by disconnecting the vm from the internet when running the install. Windows 10 pro also gives an “offline account” option.

Here are the links:

Installing Flare:

Once we have our vm up we can begin the install process for Flare.

img

Step 1 Disabling Windows Updates on Windows 10 pro:

  • Open the Group Policy Editor
    • Search for “group policy” and click “Edit group policy”
  • Follow the path: Computer Configuration > Administrative Templates > Windows Components > Windows Update

img

image

Double-click “Configure Automatic Updates.”

image

Then set to “Disabled”

image

If you do not have windows 10 pro on your VM additional methods can be used.

Step 2 Disabling Tamper Protections and Anti Virus:

Flare prefers us to do this via group policy but it can also be done via windows defender.

We are going to disable real-time protection via group policy like the last step.

  • Open the Group Policy Editor again
  • Follow this path: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
  • Double-click “Turn off real-time protection”

image

Set to “Enabled”

alt text

To disable microsoft defenderfollow the same process as above with a different path.

  • Open the Group Policy Editor
  • Follow the path: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus

image

Enable “Turn off Microsoft Defender Antivirus”

alt text

Now restart the machine.

Finishing the Install:

Next we are going to run the install scripts for the Flare VM setup. These can be found at their github page: https://github.com/mandiant/flare-vm

We are going to follow the instructions as they are listed on gituhub:

They are as follows:

  • Open a PowerShell prompt as administrator
  • Download the installation script installer.ps1 to your Desktop:
    • (New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")
  • Unblock the installation script:
    • Unblock-File .\install.ps1
  • Enable script execution:
    • Set-ExecutionPolicy Unrestricted -Force
      • If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope in via Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force. To view execution policies for all scopes, execute Get-ExecutionPolicy -List
  • Finally, execute the installer script as follow:
    • .\install.ps1
      • To pass your password as an argument: .\install.ps1 -password <password>
      • To use the CLI-only mode with minimal user interaction: .\install.ps1 -password <password> -noWait -noGui
      • To use the CLI-only mode with minimal user interaction and a custom config file: .\install.ps1 -customConfig <config.xml> -password <password> -noWait -noGui
  • After installation it is recommended to switch to host-only networking mode and take a VM snapshot

Running this script will take a long time. I recommended to walk away during the install as it can take over 3 hours.

When you return you should be greated by the flare VM background and all the tools installed. This would be a good time to take another VM snapshot.

flare

Your desktop might look slightly different as I moved some stuff around.

Post Install Networking:

Typically you want your VM to have no internet access as it opens an additonal attack vector for malware.

If you wish to use tools like fakenet you will need to setup the following.

Using VirtualBox you will have to set your network adapter to host only.

Before setting that you have to go into Tools > Network Manager > Create this will create a network for VirtualBox that will allow you to used the host only adapter.

alt text

alt text

Happy reversing….

This post is licensed under CC BY 4.0 by the author.