🌱 Beginner

Malware Lab Setup

Before analyzing a single byte of malicious code, you must establish a secure environment. A proper malware lab isolates dangerous samples from your physical machine and network while providing the tools needed for dissection.

CRITICAL SAFETY WARNING

  • NEVER analyze malware on your host operating system.
  • NEVER connect your malware lab to your home or production network.
  • ALWAYS use a "Host-Only" network adapter to prevent accidental internet access.
  • ALWAYS take a clean snapshot before infecting the VM.

1. Virtualization Software

You need a Type-2 hypervisor to run your analysis VMs.

  • VMware Workstation Pro / Player: Industry standard, robust networking features. (Recommended)
  • VirtualBox: Free and open-source alternative.

2. The Victim Machine: FlareVM

FlareVM is a Windows-based security distribution maintained by Mandiant. It automates the installation of hundreds of reverse engineering tools.

Installation Steps

  1. Create a Windows 10/11 VM: Install a fresh copy of Windows. Ensure it has at least 60GB disk space and 4GB RAM.
  2. Disable Windows Defender: This is critical. Defender will delete your tools and samples. Use the FlareVM installer script, which handles this, or manually turn off Tamper Protection (in the Windows Security app) and then disable Real-time protection via Group Policy.
  3. Download & Run Installer: from an elevated (Run as administrator) PowerShell prompt inside the VM:
    # Download the installer script to the Desktop
    (New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$HOME\Desktop\install.ps1")
    # The remaining commands use a relative path, so run them from the Desktop
    Set-Location "$HOME\Desktop"
    # Clear the "downloaded from the internet" mark and allow the unsigned script to run
    Unblock-File .\install.ps1
    Set-ExecutionPolicy Unrestricted -Force
    .\install.ps1
  4. Wait: The installation can take 1-3 hours and will reboot multiple times.

3. The Gateway: REMnux

REMnux is a Linux toolkit for reverse engineering and analyzing malicious software. In the lab it is typically used as the gateway that simulates internet services (DNS, HTTP) for the victim machine, so a sample's network traffic is answered and captured inside the lab instead of leaving it.

4. Network Isolation (Host-Only)

To analyze how malware communicates without exposing your network, create a private network between FlareVM and Remnux.

VMware Configuration

  1. Go to Virtual Network Editor.
  2. Select a VMnet (e.g., VMnet2) and set it to Host-only.
  3. Uncheck "Connect a host virtual adapter" (optional, but this gives strict isolation: the host then has no interface on that VMnet, so the victim cannot reach it).
  4. Uncheck "Use local DHCP service" (REMnux will act as DHCP/DNS).
  5. Set both FlareVM and REMnux network adapters to Custom: VMnet2.

VirtualBox Configuration

  1. Go to File > Host Network Manager.
  2. Create a new network. Disable the DHCP Server.
  3. Go to VM Settings > Network.
  4. Set "Attached to" to Host-only Adapter.
  5. Select the network you created.
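Whichever hypervisor you use, confirm the result before the first sample runs. The script below is an added example (not REMnux or FlareVM code) that reads the routing table on the REMnux gateway and fails if any route leads outside the lab; it assumes a constructed lab subnet of 10.0.0.0/24 with REMnux at 10.0.0.1.

```sh
#!/bin/sh
# Added example, not code from REMnux or FlareVM: verify on the REMnux gateway
# that the only reachable network is the host-only lab subnet. Constructed
# assumption: the lab subnet is 10.0.0.0/24 and REMnux holds 10.0.0.1 on it.
LAB_SUBNET="10.0.0.0/24"

# check_isolation reads `ip route` output on stdin.
# Returns 0 when only the lab subnet is routable (loopback and link-local
# entries are ignored), 1 when a default route or a route to any other
# network exists (e.g. a NAT adapter left attached), 2 when the lab subnet
# itself is missing (the VM is not on the host-only network at all).
check_isolation() {
  seen_lab=0
  while read -r dest rest; do
    case "$dest" in
      "$LAB_SUBNET") seen_lab=1 ;;
      default|0.0.0.0/0)
        echo "FAIL: default route leaves the lab: $dest $rest"; return 1 ;;
      169.254.*|127.*|"") ;;   # link-local, loopback, blank lines: harmless
      *) echo "FAIL: route to a non-lab network: $dest $rest"; return 1 ;;
    esac
  done
  if [ "$seen_lab" -eq 0 ]; then
    echo "FAIL: no route to $LAB_SUBNET; is the adapter on the host-only network?"
    return 2
  fi
  echo "OK: only $LAB_SUBNET is reachable from this VM"
}

# Usage on REMnux: save as check_isolation.sh, then
#   . ./check_isolation.sh && ip route | check_isolation
```

Run it again after every change to the VM's adapters; a second NIC left on NAT or Bridged shows up as a default route and is the most common way a "host-only" lab quietly gains internet access.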

5. Snapshotting

The Golden Rule

Once your lab is set up, configured, and tools are installed, take a snapshot named "Clean State". After every analysis session, revert to this snapshot to wipe any infection.