Flare-VM Sandbox Guide: Creating an Isolated Lab Environment for Malware Analysis & Reverse Engineering

Muhammad Haroon
7 min read · Sep 21, 2023


🛡️Your Key to a Secure Sandbox for Malware Research🔍

Welcome to my guide on creating a local sandbox, an isolated lab environment for malware analysis and reverse engineering. This step-by-step tutorial covers VirtualBox setup, creating a Windows 10 VM, FLARE-VM configuration, REMnux installation, and network isolation. With clear instructions and screenshots, you’ll have a secure environment for honing your cybersecurity skills and analyzing malware effectively.

======(Part-1)======

* Creating Windows-10 VM in VirtualBox *

a). Download and install VirtualBox:

b). Download Windows 10 from the official website:

Select 64-bit and download the ISO file.

After downloading the ISO file, open VirtualBox and create a new virtual machine.

Give the virtual machine a name (PMAT-VM, or any name you like) and select the directory where you want to save the VM installation files.
Allocate a disk of at least 80 GB to avoid storage problems, and give the VM at least 2 GB of RAM for better performance.
The initial VM setup is complete; next we will install Windows 10.

Now run the PMAT-VM.

Click Browse and select the Windows Enterprise ISO image file.
The selected ISO file name will appear; now click “Choose”.
Select the custom installation option.
Next, click New, then Apply, then OK; this creates an additional partition. Follow the rest of the simple steps to complete the Windows installation setup.

The Windows installation is complete and the VM is ready; let’s start the VM.

With the Windows VM running, two additional steps (12 and 13) install the required utilities, resolving the screen resolution and copy-paste issues.

Now Reboot the system.

======(Part-2)======

* Downloading and Configuring the Flare VM *

FLARE-VM: FLARE-VM is a purpose-built virtual machine created & maintained by FireEye, a cybersecurity company. It comes pre-configured with a variety of tools, software, and scripts commonly used for malware analysis and reverse engineering tasks. These tools include disassemblers, debuggers, memory analysis tools, and various utilities for analyzing and dissecting malware samples.

It provides a controlled and isolated environment for security analysts to safely analyze potentially malicious software without risk to their own systems. It’s a valuable resource for those working in the field of cybersecurity and malware analysis to better understand and defend against threats.

Flare-VM GitHub Repo: https://github.com/mandiant/flare-vm

Download & Install Chrome browser: https://www.google.com/chrome/

Optional: Take a snapshot of the VM, so that if anything goes wrong during installation you can revert to your clean VM.

Open a PowerShell window as administrator and change the directory to the Desktop.

First we need to download some important packages.

1). Download the VCLibs package. Run: wget https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -UseBasicParsing -o VCLibs.appx

2). Download the Windows Terminal MSIX bundle. Run: wget https://github.com/microsoft/terminal/releases/download/v1.15.3465.0/Microsoft.WindowsTerminal_Win10_1.15.3465.0_8wekyb3d8bbwe.msixbundle -UseBasicParsing -o winterminal.msixbundle

3). In the same PowerShell admin window (still in the Desktop directory where the files were downloaded), add the VCLibs package. Run: Add-AppxPackage .\VCLibs.appx

4). In the same PowerShell admin window, add the Windows Terminal bundle. Run: Add-AppxPackage .\winterminal.msixbundle

Prior to Flare-VM installation, we must adjust Windows VM proxy, firewall, and Defender settings. Here are the steps:

i). Disable proxy auto detect setting

  • In the Windows search bar, search “proxy settings”,
  • Switch "Automatically detect settings" button off

ii). Disable Tamper Protection

  • Search "Defender", open the Defender settings, and turn all Defender settings off, including Tamper Protection

iii). Disable AV/Defender in GPO

  • In Windows search bar, search "group policy"
  • In GPO, navigate to → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Enable “Turn off Microsoft Defender Antivirus”

iv). Disable Windows Firewall

  • GPO → Administrative Templates → Network → Network Connections → Windows Defender Firewall → Domain Profile → Disable “Protect All Network Connections”
  • GPO → Administrative Templates → Network → Network Connections → Windows Defender Firewall → Standard profile → Disable “Protect All Network Connections”

Note: If Windows Defender is not disabled correctly, it may cause issues during the FlareVM installation. To address this, you can also use the following utility to completely disable Windows Defender in your Windows 10 VM.

Download link: https://www.sordum.org/9480/defender-control-v2-1/

→ Run the following commands to download and install FLARE-VM:

Step-1. In PowerShell Admin prompt, run:

(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

The install.ps1 file is downloaded to the Desktop.

Step 2- Change directories to the Desktop and run: Unblock-File .\install.ps1

Step 3- Run: Set-ExecutionPolicy Unrestricted

Accept the prompt to set the execution policy to Unrestricted if one appears.

Step 4- Run: .\install.ps1 -customConfig

If you’ve followed the steps correctly, everything should be disabled as shown above. Continue with the Flare-VM installation.
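Before running install.ps1 it is worth confirming that every prerequisite above actually took effect, since a half-disabled Defender is the most common reason the installation fails. The following pre-flight script is an added example written for this guide; it is not part of the FLARE-VM project or the original post. It assumes Windows 10 with its built-in Defender and NetSecurity PowerShell modules, that the packages from steps 1–4 are registered under the names Microsoft.VCLibs.140.00.UWPDesktop and Microsoft.WindowsTerminal, and that install.ps1 was downloaded to the Desktop as described in Step 1.

```powershell
# Pre-flight check for the FLARE-VM prerequisites described in Part 2.
# Added example for this guide; not part of FLARE-VM or the original post.
# Run from an elevated PowerShell prompt inside the Windows 10 VM, before .\install.ps1.

function Test-FlareVmPrereqs {
    $problems = @()

    # Steps 1-4: the VCLibs and Windows Terminal Appx packages must be registered.
    # Package names are an assumption based on the files downloaded above.
    foreach ($pkg in 'Microsoft.VCLibs.140.00.UWPDesktop', 'Microsoft.WindowsTerminal') {
        if (-not (Get-AppxPackage -Name $pkg)) {
            $problems += "Appx package not installed: $pkg"
        }
    }

    # Steps ii and iii: Defender tamper protection, real-time protection and the
    # antivirus engine itself (the GPO setting) must all be off.
    $mp = Get-MpComputerStatus
    if ($mp.IsTamperProtected)         { $problems += 'Defender tamper protection is still on' }
    if ($mp.RealTimeProtectionEnabled) { $problems += 'Defender real-time protection is still on' }
    if ($mp.AntivirusEnabled)          { $problems += 'Defender antivirus is still enabled (check the GPO setting)' }

    # Step iv: every firewall profile (Domain, Private, Public) must be disabled.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ($fwProfile.Enabled) { $problems += "Firewall profile still enabled: $($fwProfile.Name)" }
    }

    # Step 3: the execution policy must allow the unsigned install.ps1 to run.
    $policy = Get-ExecutionPolicy
    if ($policy -notin 'Unrestricted', 'Bypass') {
        $problems += "Execution policy is $policy; install.ps1 needs Unrestricted"
    }

    # Steps 1-2: install.ps1 must be on the Desktop and unblocked. Unblock-File works by
    # deleting the Zone.Identifier alternate data stream, so its presence means the
    # file is still marked as downloaded from the internet.
    $script = Join-Path ([Environment]::GetFolderPath('Desktop')) 'install.ps1'
    if (-not (Test-Path $script)) {
        $problems += "install.ps1 not found at $script"
    } elseif (Get-Item -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        $problems += 'install.ps1 still carries the Zone.Identifier mark; run Unblock-File .\install.ps1'
    }

    return $problems
}

$issues = Test-FlareVmPrereqs
if ($issues.Count -eq 0) {
    Write-Host 'All prerequisites satisfied; you can run .\install.ps1 -customConfig'
} else {
    Write-Warning 'Fix the following before running install.ps1:'
    $issues | ForEach-Object { Write-Warning "  - $_" }
}
```

Run it once after completing steps i–iv; an empty result means the installer should get through without Defender quarantining the tools it downloads. If the Defender checks keep failing after the GPO change, that is the situation the note above about the Defender Control utility is meant for.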

Note: Ensure a stable internet connection for the Flare VM installation; download times may vary based on your internet speed, so please be patient.

Flare-VM is ready to use.

Flare VM setup completed! 🖥️

Note 🚨📝: Rename your virtual windows operating system (OS)

Some malware performs various checks in order to avoid running in a sandbox environment. One of these checks is the hostname.

Most sandboxes have hostnames such as Sandbox, Malware, Cuckoo, or VM, or keep the default name, and much malware is programmed not to run on systems with these hostnames.

We should make the VM look as much like a normal user’s system as possible so that we can avoid such anti-analysis techniques. Using a random hostname helps get past these checks.

To modify the device name, go to ‘Settings → System → About,’ and then click the ‘Rename this PC’ button.

======(Part-3)======

* Setting up an Isolated🛡️Network for LAB *

REMnux: REMnux is a specialized Linux distribution designed for malware analysts and reverse engineers. Developed by Lenny Zeltser, REMnux is a free and open-source operating system that provides a curated collection of tools and resources for analyzing and dissecting malicious software.

Before setting up the network adapter, a REMnux VM (a Linux-based network simulator) is required to act as the fake DNS server for this lab.

Download REMnux OVA File from the official website:

Link: https://docs.remnux.org/install-distro/get-virtual-appliance

  • Now import the REMnux OVA file into VirtualBox, start the REMnux VM, and make sure it is running properly.

Now, FlareVM and REMnux are both operational. Let’s create a Host-only network adapter to fully isolate our lab from the host and external network.

Step-1. Go to VirtualBox → Tools → Create → Yes

Step-2. Select the newly created adapter → Adapter → Configure Adapter Manually

Assign a custom IPv4 address to the adapter, in a range completely different from your host or main network, and set the network mask.

Step-3. Select the newly created adapter → DHCP Server → Configure Address

Assign the DHCP server an address and a range in the same network as the adapter, then click Apply. Select Yes in the prompt; the adapter is created and enabled.

Step-4. Change FlareVM network adapter from NAT to Host-only Adapter.

Select the newly created adapter, “VirtualBox Host-Only Ethernet Adapter #2”.

Step-5. Change REMnux network adapter from NAT to Host-only Adapter.

Again select the newly created adapter, “VirtualBox Host-Only Ethernet Adapter #2”.

Step-6. Both VMs are now set up on the Host-only adapter for internal communication. Now we will test the network and internet connections with the ‘ping’ command.

Both VMs can ping each other and neither can ping the outside world, which is exactly what our lab requires.

Step-7. Next, we will set up a fake DNS server to resolve the DNS queries that malware makes, for example when it tries to download a second-stage payload from a remote server.

Checking the default services running on the REMnux server, we can see that the DNS service is not running by default.

Step-8. We need to enable the DNS service. For that, we open the inetsim.conf file.

Open the inetsim.conf file.
Scroll down the inetsim.conf file and enable the DNS service.
Set the service bind address to 0.0.0.0
Set the default DNS server IP (the REMnux VM’s IP)

Now press ctrl+o then press enter to save changes and then ctrl+x to exit.

Now the DNS service is running on the REMnux server.

Step-9. Next, we will configure the fake DNS server IP on the FlareVM.

Set the preferred DNS server IP. In this lab our REMnux VM serves as the DNS server.

Step-10. Test that the REMnux server is configured and working as required.

Our REMnux setup is completed and working perfectly, and we have a functional fake DNS server.

Step-11. Server Response from our fake DNS server (REMnux-VM)

INetSim’s default binary file is downloaded, which is harmless. This helps malware analysts uncover a sample’s behaviour when it tries to download a malicious payload from a remote server.
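The ping and browser tests in Steps 6 to 11 can be turned into one repeatable readiness check run from the FLARE-VM side, which is also a convenient place to catch the hostname problem described in Part 2. The script below is an added example for this guide, not code from the original post or from the REMnux/INetSim projects. It assumes (these are placeholders, not values from the page) that the host-only NIC inside the Windows VM is named Ethernet, that the REMnux VM sits at 10.10.10.2 on the host-only network, and that INetSim's DNS service answers every query with its own address and its HTTP service is running, which is INetSim's behaviour once dns is enabled as in Step 8.

```powershell
# Readiness check for the isolated lab, run from an elevated prompt in the FLARE-VM.
# Added example for this guide; not part of the original post, REMnux or INetSim.

$Adapter   = 'Ethernet'            # assumption: name of the host-only NIC inside the VM
$RemnuxIp  = '10.10.10.2'          # assumption: REMnux VM address on the host-only network
$ProbeName = 'stage2.example'      # constructed name; .example is reserved and never resolves publicly

# Step 9: point the VM's DNS client at REMnux instead of whatever DHCP handed out.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $RemnuxIp

function Test-LabIsolation {
    $results = [ordered]@{}

    # Step 6: REMnux must be reachable over the host-only network ...
    $results['remnux_reachable'] = Test-Connection -ComputerName $RemnuxIp -Count 1 -Quiet

    # ... and the outside world must not be. 1.1.1.1 is only a well-known public address
    # that has to be unreachable; a reply here means the adapter is not host-only.
    $results['internet_blocked'] = -not (Test-Connection -ComputerName '1.1.1.1' -Count 1 -Quiet)

    # Step 10: the fake DNS server must answer, and answer with its own address.
    $answer = Resolve-DnsName -Name $ProbeName -Type A -Server $RemnuxIp -ErrorAction SilentlyContinue
    $results['fake_dns_answers'] = [bool]($answer | Where-Object { $_.IPAddress -eq $RemnuxIp })

    # Step 11: a "payload" download must land on INetSim, which serves its default file
    # for any path, rather than on a real server.
    try {
        $resp = Invoke-WebRequest -Uri "http://$ProbeName/payload.exe" -UseBasicParsing -TimeoutSec 5
        $results['http_served_by_inetsim'] = ($resp.StatusCode -eq 200)
    } catch {
        $results['http_served_by_inetsim'] = $false
    }

    # Part 2 note: the hostname must not be one of the names malware checks for.
    $results['hostname_not_suspicious'] = -not ($env:COMPUTERNAME -match 'sandbox|malware|cuckoo|vm')

    return $results
}

$check = Test-LabIsolation
$check.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
if ($check.Values -contains $false) {
    Write-Warning 'Lab is not isolated or the fake DNS is not working; fix this before detonating a sample.'
}
```

All five checks printing True is the state to snapshot before any sample is run; internet_blocked is the one to re-run after every VirtualBox change, since switching an adapter back to NAT is the easiest mistake to make.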

→ Your isolated lab environment is now ready. Enjoy! 🕵️‍♂️

Important Note! Take a good snapshot before detonating💣malware.

Thank you so much ❤️ for reading my blog..!


Muhammad Haroon

MS Information Security | Malware Analyst | HCIA | SOC | EDR | SIEM