Intermediate

Malware Analysis Lab Setup

Build a safe, isolated environment for analyzing malicious software. Learn to set up sandboxed VMs, network isolation, and analysis tools without risking your host system.

Safety First

Malware analysis carries real risks. Always use isolated VMs, disable network access to your LAN, and never analyze samples on your host machine. When in doubt, use a dedicated physical machine with no network connection.

Lab Architecture

HOST MACHINE
  |
  +-- Isolated virtual network (no Internet; host-only or internal network)
        |
        +-- Analysis VM (REMnux):    Ghidra, Wireshark, YARA
        +-- Victim VM (Windows):     snapshots, Procmon, API Monitor, x64dbg, Autoruns
        +-- INetSim VM (services):   fake DNS, HTTP, SMTP, IRC
        |
        (isolated switch: the three VMs can reach only each other)

Required Virtual Machines

🔬 Analysis VM (REMnux)

  • OS: REMnux (Ubuntu-based)
  • RAM: 4-8GB
  • Disk: 60GB+
  • Purpose: Static analysis, network capture
remnux.org

🎯 Victim VM (Windows)

  • OS: Windows 10/11
  • RAM: 4-8GB
  • Disk: 60GB+
  • Purpose: Execute & monitor malware

Use evaluation ISOs from Microsoft

🌐 INetSim VM

  • OS: Debian/Ubuntu minimal
  • RAM: 1-2GB
  • Disk: 20GB
  • Purpose: Simulate internet services
inetsim.org

Network Isolation Setup

Critical

NEVER connect malware analysis VMs to your real network. Use Host-Only or Internal networking only; malware can spread to other machines on your network. The network adapter is not the only host/guest channel: also disable shared folders, shared clipboard and drag-and-drop on the victim VM, since each of them is a path from the sample to your host.

VirtualBox Configuration

bash
# Option A (strictest): internal network, no host-side adapter at all (VM names are placeholders)
VBoxManage modifyvm "INetSim" --nic1 intnet --intnet1 malnet
VBoxManage modifyvm "REMnux"  --nic1 intnet --intnet1 malnet
VBoxManage modifyvm "Victim"  --nic1 intnet --intnet1 malnet

# Option B: host-only network. The host gets an interface on the lab subnet, so give it an
# address that does not collide with INetSim's 10.0.0.1
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 10.0.0.254 --netmask 255.255.255.0
VBoxManage dhcpserver remove --netname HostInterfaceNetworking-vboxnet0   # static IPs only
VBoxManage modifyvm "Victim" --nic1 hostonly --hostonlyadapter1 vboxnet0

# Either way, confirm no other NIC on the VM is NAT or bridged
VBoxManage showvminfo "Victim" | grep '^NIC'

VMware Configuration

bash
# Edit vmnetcfg or use Virtual Network Editor
# Create custom VMnet (e.g., VMnet2)
# Settings:
#   - Host-only
#   - Subnet: 10.0.0.0/24
#   - DHCP disabled
#   - "Connect a host virtual adapter" UNCHECKED (important!)

# Assign VMs to this custom network in VM settings

Static IP Configuration

VM                    IP address   Gateway    DNS
INetSim VM            10.0.0.1     -          -
Analysis VM (REMnux)  10.0.0.10    10.0.0.1   10.0.0.1
Victim VM (Windows)   10.0.0.100   10.0.0.1   10.0.0.1

The DNS entry is what makes INetSim work: with dns_default_ip set, every name the sample looks up resolves to 10.0.0.1. The gateway entry only matters for connections to hard-coded addresses outside 10.0.0.0/24, and INetSim itself does not route, so those connections time out unless the INetSim VM rewrites them to itself with a DNAT rule in the iptables nat PREROUTING chain. Without that rule, expect hard-coded C2 addresses to show up in the PCAP as unanswered SYNs rather than in INetSim's logs.
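Before each run, confirm the analysis VM really has no path out. The script below is an added example written for this guide (not part of REMnux, VirtualBox or INetSim): it parses `ip route show`, `ip -4 addr show` and /etc/resolv.conf against the addresses in the table above and fails if anything could carry traffic off 10.0.0.0/24. The two sample outputs embedded in it are constructed, one for a VM whose NAT adapter was left attached (VirtualBox's default NAT subnet is 10.0.2.0/24), one for a correctly configured VM; run it with `--live` on the VM itself to check the real state.

```python
#!/usr/bin/env python3
"""Check a Linux lab VM's network isolation before detonating a sample.

Added example for this guide (not REMnux or INetSim tooling). It parses the
output of `ip route show`, `ip -4 addr show` and /etc/resolv.conf and reports
anything that could carry traffic off the 10.0.0.0/24 lab subnet. LAB_NET and
LAB_GATEWAY match the static IP table in the guide.
"""
import ipaddress
import re
import subprocess
import sys

LAB_NET = ipaddress.ip_network("10.0.0.0/24")
LAB_GATEWAY = ipaddress.ip_address("10.0.0.1")   # the INetSim VM
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def check_routes(ip_route_output: str) -> list[str]:
    """Problems in `ip route show` output: any route that leaves the lab subnet."""
    problems = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        if dest == "default":
            if via is None or ipaddress.ip_address(via) != LAB_GATEWAY:
                problems.append(f"default route via {via} is not the INetSim VM")
            continue
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue                     # "unreachable"/"blackhole" entries carry no traffic
        if not (net.subnet_of(LAB_NET) or net.subnet_of(LOOPBACK)):
            problems.append(f"route to {dest} lies outside the lab subnet")
    return problems


def check_addresses(ip_addr_output: str) -> list[str]:
    """Problems in `ip -4 addr show` output: an address on any other network."""
    problems = []
    for m in re.finditer(r"inet (\d+\.\d+\.\d+\.\d+)/\d+", ip_addr_output):
        addr = ipaddress.ip_address(m.group(1))
        if addr not in LAB_NET and addr not in LOOPBACK:
            problems.append(f"interface address {addr} is outside the lab subnet")
    return problems


def check_resolv(resolv_conf: str) -> list[str]:
    """Every nameserver must be the INetSim VM; anything else leaks DNS queries."""
    return [f"nameserver {ns} is not the INetSim VM"
            for ns in re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
            if ipaddress.ip_address(ns) != LAB_GATEWAY]


def run_live_checks() -> list[str]:
    """Collect the real system state on the analysis VM and run every check."""
    route = subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout
    addr = subprocess.run(["ip", "-4", "addr", "show"], capture_output=True, text=True).stdout
    with open("/etc/resolv.conf") as f:
        resolv = f.read()
    return check_routes(route) + check_addresses(addr) + check_resolv(resolv)


# Constructed sample: a VM whose NAT adapter (VirtualBox's 10.0.2.0/24) was left attached.
LEAKY_ROUTES = """\
default via 10.0.2.2 dev eth1 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.10
10.0.2.0/24 dev eth1 proto kernel scope link src 10.0.2.15
"""
LEAKY_RESOLV = "nameserver 10.0.2.3\nnameserver 10.0.0.1\n"

# Constructed sample: the same VM configured as in the static IP table.
CLEAN_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.10
"""
CLEAN_RESOLV = "nameserver 10.0.0.1\n"

if __name__ == "__main__":
    if "--live" in sys.argv:
        problems = run_live_checks()
    else:                                # demo on the constructed samples
        problems = check_routes(LEAKY_ROUTES) + check_resolv(LEAKY_RESOLV)
    for p in problems:
        print("FAIL:", p)
    print("isolation OK" if not problems else "do NOT run the sample until this is fixed")
    sys.exit(1 if problems else 0)
```

A non-zero exit is the point: wire it into whatever script starts INetSim and the packet capture, so a forgotten NAT adapter stops the run instead of leaking the sample's first beacon.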

INetSim Configuration

INetSim simulates common internet services, tricking malware into thinking it has internet access while you capture all its communications.

bash
# Install INetSim (packaged in Debian/Ubuntu; REMnux ships it preinstalled)
sudo apt update && sudo apt install inetsim

# The services bind to 10.0.0.1, so give this VM's lab interface that address first,
# then edit the configuration
sudo nano /etc/inetsim/inetsim.conf

# Key settings in /etc/inetsim/inetsim.conf (config-file syntax, not shell):
service_bind_address    10.0.0.1
dns_default_ip          10.0.0.1
dns_default_hostname    inetsim

# Enable services (uncomment the start_service lines you need)
start_service dns
start_service http
start_service https
start_service smtp
start_service pop3
start_service irc

# Start INetSim in the foreground with the default config. Ctrl-C stops it and writes
# a per-run report; connection logs land in /var/log/inetsim/service.log
sudo inetsim
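After a detonation the most useful artifact INetSim leaves behind is service.log, which records every connection and request the sample made. The parser below is an added example for this guide, not part of INetSim; the log lines embedded in it are constructed and only approximate the service.log layout (timestamp, INetSim PID, service name and PID, client address, message), so check its regular expressions against a real log from your version before trusting the output.

```python
#!/usr/bin/env python3
"""Extract network IOCs from an INetSim service.log after a detonation.

Added example for this guide (not part of INetSim). SAMPLE_LOG below is
constructed and only approximates the service.log layout:
  "<date> <time>  [inetsim pid] [<service> <service pid>] [<client>:<port>] <message>"
Check LINE_RE / DNS_RE / HTTP_RE against your own log before relying on them.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+\[\d+\] \[(?P<service>[^\s\]]+) \d+\] "
    r"\[(?P<client>[\d.]+):(?P<port>\d+)\] (?P<msg>.*)$"
)
DNS_RE = re.compile(r"Query Type (?P<qtype>\w+), Class \w+, Name (?P<name>\S+)")
HTTP_RE = re.compile(r"stat: \d+ method=(?P<method>\w+) url=(?P<url>\S+)")


def parse_service_log(text: str) -> dict:
    """Return DNS names (with query types), HTTP requests, per-service connection counts and clients."""
    iocs = {"dns": defaultdict(set), "http": [], "services": Counter(), "clients": set()}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # startup/banner lines have no client field
        svc, msg = m["service"], m["msg"]
        iocs["clients"].add(m["client"])
        if msg == "connect":
            iocs["services"][svc] += 1    # one "connect" line per TCP/UDP session
        if d := DNS_RE.search(msg):
            iocs["dns"][d["name"].rstrip(".").lower()].add(d["qtype"])
        elif h := HTTP_RE.search(msg):
            iocs["http"].append((h["method"], h["url"]))
    iocs["dns"] = {name: sorted(types) for name, types in sorted(iocs["dns"].items())}
    return iocs


def render_iocs(iocs: dict) -> str:
    """Plain-text block to paste into the analysis report."""
    lines = [f"clients: {', '.join(sorted(iocs['clients']))}"]
    lines += [f"{svc}: {n} connection(s)" for svc, n in sorted(iocs["services"].items())]
    lines += [f"dns  {name} ({'/'.join(types)})" for name, types in iocs["dns"].items()]
    lines += [f"http {method} {url}" for method, url in iocs["http"]]
    return "\n".join(lines)


# Constructed sample log (not real malware traffic; the domains are placeholders).
SAMPLE_LOG = """\
2024-05-01 10:15:02  [1402] [dns_53_tcp_udp 1410] [10.0.0.100:49700] connect
2024-05-01 10:15:02  [1402] [dns_53_tcp_udp 1410] [10.0.0.100:49700] Query Type A, Class IN, Name cdn.update-check.example
2024-05-01 10:15:02  [1402] [dns_53_tcp_udp 1410] [10.0.0.100:49700] disconnect
2024-05-01 10:15:03  [1402] [http_80_tcp 1412] [10.0.0.100:49701] connect
2024-05-01 10:15:03  [1402] [http_80_tcp 1412] [10.0.0.100:49701] recv: GET /gate.php?id=7f3a HTTP/1.1
2024-05-01 10:15:03  [1402] [http_80_tcp 1412] [10.0.0.100:49701] recv: Host: cdn.update-check.example
2024-05-01 10:15:03  [1402] [http_80_tcp 1412] [10.0.0.100:49701] stat: 1 method=GET url=http://cdn.update-check.example/gate.php?id=7f3a sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=
2024-05-01 10:15:03  [1402] [http_80_tcp 1412] [10.0.0.100:49701] disconnect
2024-05-01 10:15:09  [1402] [dns_53_tcp_udp 1410] [10.0.0.100:49702] connect
2024-05-01 10:15:09  [1402] [dns_53_tcp_udp 1410] [10.0.0.100:49702] Query Type A, Class IN, Name mail.example.
2024-05-01 10:15:10  [1402] [smtp_25_tcp 1415] [10.0.0.100:49703] connect
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(render_iocs(parse_service_log(text)))
```

Copy service.log out of the INetSim VM before you revert its snapshot, and run the parser on the analysis VM; the DNS names and URLs it prints are the network IOCs for your report, and the per-service connection counts tell you which fake services the sample actually talked to.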

Essential Analysis Tools

Static Analysis

  • Ghidra: NSA's reverse engineering framework
  • IDA Free: Interactive disassembler
  • PE-bear: PE file analyzer
  • DIE: Detect It Easy - packer detection
  • strings/FLOSS: String extraction
  • YARA: Pattern matching rules

Dynamic Analysis

  • x64dbg: Windows debugger
  • Process Monitor: System activity monitoring
  • Process Hacker (now System Informer): Advanced task manager
  • Wireshark: Network traffic capture
  • Regshot: Registry comparison
  • API Monitor: API call logging

Victim VM Configuration

powershell
# Disable Windows Defender (as admin). On current Windows builds Tamper Protection
# blocks these cmdlets: turn it off first under
# Windows Security > Virus & threat protection > Manage settings
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -MAPSReporting Disabled            # no cloud lookups leaving the VM
Set-MpPreference -SubmitSamplesConsent NeverSend    # never ship samples to Microsoft

# Disable Windows Firewall (you want to see every connection the sample attempts)
netsh advfirewall set allprofiles state off

# Stop Windows Update so the baseline does not drift between snapshots
Stop-Service wuauserv; Set-Service wuauserv -StartupType Disabled

# Install analysis tools via Chocolatey. Do this while the VM still has a NAT
# adapter; move it to the isolated network afterwards
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
choco install -y procexp procmon autoruns wireshark x64dbg.portable

# Switch the VM to the isolated network, confirm it has no Internet access, then
# take a CLEAN SNAPSHOT before any malware execution
# Name it: "Clean-Baseline-YYYYMMDD"

Snapshot Strategy

Always take a clean snapshot before analyzing each sample and revert to it afterwards. Never stack executions of several samples on one running state: persistence from an earlier sample contaminates every later result. Reverting discards everything the VM wrote, so copy the PCAP, INetSim logs and any dumped files out first. Snapshot the INetSim VM as well, so its logs and fake-file state start clean for each sample.

Alternative: FLARE VM

Mandiant's FLARE VM is a pre-configured Windows-based malware analysis distribution with 140+ tools pre-installed.

powershell
# Start with a fresh Windows 10+ VM on a NAT adapter (the installer downloads every tool)
# Disable Tamper Protection, Windows Defender and Windows Update first
# Run PowerShell as Administrator:

# Download and run FLARE VM installer
(New-Object net.webclient).DownloadFile(
  'https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',
  "$env:TEMP\install.ps1"
)
Unblock-File "$env:TEMP\install.ps1"
Set-ExecutionPolicy Unrestricted -Force
& "$env:TEMP\install.ps1"

# Follow the prompts; installation takes 1-2 hours
# When it completes, move the VM to the isolated network and take the clean snapshot

Malware Sample Sources

Handle With Care

These sources contain REAL malware. Only download samples to isolated analysis VMs. Never execute samples outside your sandboxed environment.

Free Sources

Practice Samples

Analysis Workflow

1. Prepare Environment
   Start from the clean snapshot, verify network isolation (no default route or DNS server outside the lab), start INetSim and a packet capture on the analysis VM.

2. Static Analysis
   Hash the sample and search VirusTotal by hash only. Do not upload a sample from a live investigation: uploads are visible to other subscribers, including the attacker, and may contain victim data. Then extract strings, identify packers, review imports/exports.

3. Dynamic Analysis
   Start monitoring tools (Procmon, API Monitor, Wireshark), execute the sample, observe behavior, capture network traffic.

4. Deep Analysis
   Disassemble in Ghidra, debug with x64dbg on the victim VM, unpack if needed, extract IOCs.

5. Document & Clean Up
   Export the PCAP and INetSim logs, save IOCs, document findings, then REVERT TO THE CLEAN SNAPSHOT.
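The static-analysis step in one script, as an added example for this guide (not REMnux tooling and not a substitute for pefile, FLOSS or YARA): hashes to search for, ASCII and UTF-16LE strings, a hand-rolled walk of the PE section table, and packer hints from section names and per-section entropy. The "sample" it runs on is a constructed, header-only PE with UPX-style sections built by build_fake_pe(); it cannot execute and stands in for the real file you would pass to triage(). The packer section-name list and the 7.0-bit entropy threshold are common heuristics, not definitive signatures.

```python
#!/usr/bin/env python3
"""Static triage without third-party modules: hashes, strings, PE sections, packer hints.

Added example for this guide; not REMnux tooling and no replacement for pefile,
FLOSS or YARA. build_fake_pe() produces a constructed header-only stand-in for a
packed sample (not a real program). Packer section names and the 7.0-bit entropy
threshold are common heuristics, not signatures.
"""
import hashlib
import math
import re
import struct
from collections import Counter

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".themida", ".vmp0", ".vmp1", ".petite", ".MPRESS1"}

def hashes(data: bytes) -> dict:
    """The values you search for (by hash, never by upload) on VirusTotal and friends."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def ascii_strings(data: bytes, min_len: int = 6) -> list[bytes]:
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def utf16_strings(data: bytes, min_len: int = 6) -> list[str]:
    """UTF-16LE strings (what `strings -el` prints); Windows paths and registry keys live here."""
    return [m.decode("utf-16le")
            for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 means compressed or encrypted."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def pe_sections(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsect):                        # first 24 of the 40 header bytes are enough here
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "vsize": vsize, "rawsize": rawsize, "entropy": round(entropy(raw), 2)})
    return {"machine": hex(machine), "timestamp": timestamp, "sections": sections}

def packer_hints(pe: dict) -> list[str]:
    hints = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hints.append(f"section {s['name']} is a known packer section name")
        if s["rawsize"] >= 256 and s["entropy"] >= 7.0:
            hints.append(f"section {s['name']} entropy {s['entropy']} (compressed/encrypted)")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hints.append(f"section {s['name']} has no raw data but {s['vsize']:#x} bytes virtual (unpack target)")
    return hints

def triage(data: bytes) -> dict:
    pe = pe_sections(data)
    return {"hashes": hashes(data), "machine": pe["machine"], "sections": pe["sections"],
            "packer_hints": packer_hints(pe),
            "urls": sorted({s.decode() for s in ascii_strings(data) if s.startswith(b"http")}),
            "utf16": utf16_strings(data)}

def build_fake_pe() -> bytes:
    """Constructed stand-in for a UPX-packed sample: valid headers, no code, cannot run."""
    sections = [   # (name, VirtualSize, raw bytes)
        (b"UPX0", 0x8000, b""),                      # unpack target: virtual space only
        (b"UPX1", 0x200, bytes(range(256)) * 2),     # "compressed" body: entropy exactly 8.0
        (b".rsrc", 0x80, b"http://cdn.update-check.example/gate.php\0\0"
                         + "C:\\Users\\Public\\svc.exe".encode("utf-16le") + b"\0\0"),
    ]
    e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5F000000, 0, 0, 0, 0x102)  # i386, arbitrary timestamp
    raw_ptr, vaddr, table, body = e_lfanew + 4 + len(coff) + 40 * len(sections), 0x1000, b"", b""
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0)
        body, raw_ptr, vaddr = body + raw, raw_ptr + len(raw), vaddr + 0x10000
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"PE\0\0" + coff + table + body

if __name__ == "__main__":
    report = triage(build_fake_pe())
    print(report["hashes"]["sha256"], report["machine"])
    for s in report["sections"]:
        print(f"{s['name']:<8} raw={s['rawsize']:#7x} virt={s['vsize']:#7x} entropy={s['entropy']}")
    print(*report["packer_hints"], *report["urls"], *report["utf16"], sep="\n")
```

On a real sample, replace build_fake_pe() with the file's bytes. The combination of a known packer section name, a near-8.0 entropy section and an empty section with large virtual size is the classic UPX shape; a sample that shows only the entropy signal with ordinary section names is more likely a custom packer or an encrypted payload, and is where the unpacking step in Deep Analysis starts.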

Quick Reference Commands

bash
# Hash a file (PowerShell, on the victim VM)
Get-FileHash -Algorithm SHA256 sample.exe

# Hash a file (Linux)
sha256sum sample.exe
md5sum sample.exe

# Extract strings (Linux): -a scans the whole file, -el adds UTF-16LE strings
strings -a sample.exe | less
strings -a -el sample.exe | less
floss sample.exe          # also recovers stack strings and decoded strings

# Check PE headers
pecheck sample.exe
readpe sample.exe         # pev toolkit

# Start a packet capture (tshark for a headless capture)
wireshark -i eth0 -k -w capture.pcap
tshark -i eth0 -w capture.pcap

# YARA scan: the first argument is a rules file, not a directory; -r recurses into a target directory
yara rules/index.yar sample.exe
yara -r rules/index.yar samples/

⚠️ Safety Reminder

Malware analysis is inherently dangerous. Maintain strict isolation, use dedicated hardware when possible, and never underestimate a sample's capabilities. Many samples detect virtual machines and change behavior or refuse to run, which skews your results; genuine guest-to-host escapes depend on hypervisor bugs, which are rare but real, so keep the hypervisor patched and do not do other work on the host while a sample is executing.