Flare-VM Sandbox Guide: Creating an Isolated Lab Environment for Malware Analysis & Reverse Engineering
🛡️Your Key to a Secure Sandbox for Malware Research🔍
Welcome to my guide on creating a local sandbox, an isolated lab environment for malware analysis and reverse engineering. This step-by-step tutorial covers VirtualBox setup, creating a Windows 10 VM, FLARE-VM configuration, REMnux installation, and network isolation. With clear instructions and screenshots, you’ll have a secure environment for honing your cybersecurity skills and analyzing malware effectively.
======(Part-1)======
* Creating Windows-10 VM in VirtualBox *
a). Download and Install Virtual Box:
- VirtualBox Download Link: https://www.virtualbox.org/wiki/Downloads
b). Download Windows 10 from the official website:
- Windows ISO Download Link: https://www.microsoft.com/en-us/evalcenter/download-windows-10-enterprise
After downloading the ISO file, open VirtualBox and create a new virtual machine.
Now run the PMAT-VM.
Once the Windows installation is complete and the VM is ready, start the VM.
Now Reboot the system.
======(Part-2)======
* Downloading and Configuring the Flare VM *
FLARE-VM: FLARE-VM is a purpose-built virtual machine created & maintained by FireEye, a cybersecurity company. It comes pre-configured with a variety of tools, software, and scripts commonly used for malware analysis and reverse engineering tasks. These tools include disassemblers, debuggers, memory analysis tools, and various utilities for analyzing and dissecting malware samples.
It provides a controlled and isolated environment for security analysts to safely analyze potentially malicious software without risk to their own systems. It’s a valuable resource for those working in the field of cybersecurity and malware analysis to better understand and defend against threats.
Flare-VM GitHub Repo: https://github.com/mandiant/flare-vm
Download & Install Chrome browser: https://www.google.com/chrome/
Optional: Take a snapshot of the VM now, so that if anything goes wrong during installation you can revert to your clean VM.
→ Run PowerShell as an administrator and change directory to the Desktop.
First we need to download some important packages.
1). Download the VCLibs package. Run command: “wget https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -UseBasicParsing -OutFile VCLibs.appx”
2). Download the Windows Terminal MSIX bundle. Run command: “wget https://github.com/microsoft/terminal/releases/download/v1.15.3465.0/Microsoft.WindowsTerminal_Win10_1.15.3465.0_8wekyb3d8bbwe.msixbundle -UseBasicParsing -OutFile winterminal.msixbundle”
3). In a PowerShell admin window, add the VCLibs package. Run command: “Add-AppxPackage [C:\path\to\downloaded\VCLibs.appx]”
4). In a PowerShell admin window, add the Windows Terminal bundle. Run command: “Add-AppxPackage [C:\path\to\downloaded\winterminal.msixbundle]”
→ Prior to the FLARE-VM installation, we must adjust the Windows VM’s proxy, firewall, and Defender settings. Here are the steps:
i). Disable proxy auto detect setting
- In the Windows search bar, search “proxy settings”,
- Switch "Automatically detect settings" button off
ii). Disable Tamper Protection
- Search "Defender", open Defender settings and set all Defender Settings to off
iii). Disable AV/Defender in GPO
- In Windows search bar, search "group policy"
- In GPO, navigate to → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Enable “Turn off Microsoft Defender Antivirus”
iv). Disable Windows Firewall
- GPO → Administrative Templates → Network → Network Connections → Windows Defender Firewall → Domain Profile → Disable “Protect All Network Connections”
- GPO → Administrative Templates → Network → Network Connections → Windows Defender Firewall → Standard profile → Disable “Protect All Network Connections”
Note: If Windows Defender is not disabled correctly, it may cause issues during the FLARE-VM installation. To address this, you can also use the following utility to completely disable Windows Defender in your Windows 10 VM.
Download link: https://www.sordum.org/9480/defender-control-v2-1/
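Before running the installer it is worth confirming that every setting from steps i–iv actually took effect, since a half-disabled Defender is the usual reason install.ps1 fails. The script below is an added pre-flight check, not part of FLARE-VM or of this guide’s original steps; the registry paths and cmdlets are standard Windows 10, while the byte-8 / 0x08 test for the proxy auto-detect flag is my own assumption about the WinINet DefaultConnectionSettings blob. It also applies the hostname advice given later in this part.

```powershell
# Added pre-flight check for the settings this guide asks you to change before
# running install.ps1; it is not part of FLARE-VM. Run in an elevated PowerShell.
# The byte-8 / 0x08 test for "Automatically detect settings" in the WinINet
# DefaultConnectionSettings blob is an assumption; the other checks are standard.

function Test-FlareVmPrereqs {
    $problems = @()

    # i) Proxy auto-detect flag (assumed: bit 0x08 of byte 8 in DefaultConnectionSettings)
    $conn = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $dcs  = (Get-ItemProperty -Path $conn -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($dcs -and ($dcs[8] -band 0x08)) { $problems += 'Proxy "Automatically detect settings" is still on' }

    # ii) Tamper Protection and real-time scanning (Defender settings page)
    $mp = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }
    if ($mp) {
        if ($mp.IsTamperProtected)         { $problems += 'Defender Tamper Protection is enabled' }
        if ($mp.RealTimeProtectionEnabled) { $problems += 'Defender real-time protection is enabled' }
    }

    # iii) GPO "Turn off Microsoft Defender Antivirus" is stored as DisableAntiSpyware = 1
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $dis = (Get-ItemProperty -Path $pol -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($dis -ne 1) { $problems += 'GPO "Turn off Microsoft Defender Antivirus" is not applied' }

    # iv) Firewall: the GPO "Domain" and "Standard" profiles map to Domain and Private here
    foreach ($p in Get-NetFirewallProfile -Name Domain, Private) {
        if ($p.Enabled) { $problems += "Windows Firewall is still enabled for the $($p.Name) profile" }
    }

    # install.ps1 needs an execution policy that allows unsigned scripts (guide uses Unrestricted)
    $ep = Get-ExecutionPolicy
    if ($ep -notin 'Unrestricted', 'Bypass') { $problems += "Execution policy is $ep; run Set-ExecutionPolicy Unrestricted" }

    # Hostname check from the note later in this guide: avoid sandbox-looking names
    if ($env:COMPUTERNAME -match 'sandbox|malware|cuckoo|(^|-)vm') {
        $problems += "Hostname '$env:COMPUTERNAME' looks like a sandbox; rename the PC before analysis"
    }

    return $problems
}

$issues = @(Test-FlareVmPrereqs)
if ($issues.Count -eq 0) { 'All prerequisites look good; run .\install.ps1 -customConfig' }
else { $issues | ForEach-Object { "[!] $_" } }
```

If Defender is already fully off, Get-MpComputerStatus may fail outright; the script treats that as a pass for step ii and still checks the GPO value.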
→ Run the following commands to download and install FLARE-VM:
Step-1. In PowerShell Admin prompt, run:
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")
Step 2- Change directories to the Desktop and run: Unblock-File .\install.ps1
Step 3- Run: Set-ExecutionPolicy Unrestricted
Step 4- Run: .\install.ps1 -customConfig
Note: Ensure a stable internet connection for the FLARE-VM installation; download times vary with your internet speed, so please be patient.
Flare VM setup completed! 🖥️
Note 🚨📝: Rename your virtual Windows operating system (OS)
Some malicious software performs various checks in order to avoid running in a sandbox environment. One of these checks is the hostname.
Most sandboxes have hostnames such as Sandbox, Malware, Cuckoo, VM, or a default name, so much malware is programmed not to run on systems with these hostnames.
We should make the VM look like a normal user’s system as much as possible to avoid such anti-analysis techniques. Using a random, realistic hostname helps bypass these checks.
To modify the device name, go to ‘Settings → System → About’, and then click the ‘Rename this PC’ button.
======(Part-3)======
* Setting up an Isolated🛡️Network for LAB *
REMnux: REMnux is a specialized Linux distribution designed for malware analysts and reverse engineers. Developed by Lenny Zeltser, REMnux is a free and open-source operating system that provides a curated collection of tools and resources for analyzing and dissecting malicious software.
Before setting up the network adapter, a REMnux VM (running INetSim, a network-service simulator) is required to act as a fake DNS server for this lab.
→ Download REMnux OVA File from the official website:
Link: https://docs.remnux.org/install-distro/get-virtual-appliance
- Now import the REMnux OVA file into VirtualBox, start the REMnux VM, and make sure the REMnux VM is running properly.
Now FLARE-VM and REMnux are both operational. Let’s create a Host-only network adapter to fully isolate our lab from the host and the external network.
Step-1. Go to VirtualBox → Tools → Create → Yes
Step-2. Select the newly created adapter → Adapter → Configure Address
Step-3. Select the newly created adapter → DHCP Server → Configure Address
Step-4. Change the FLARE-VM network adapter from NAT to Host-only Adapter.
Step-5. Change the REMnux network adapter from NAT to Host-only Adapter.
Step-6. Both VMs are now on the Host-only adapter for internal communication. Now we will test the network and internet connections with the ‘ping’ command: the two VMs should reach each other, and neither should reach the internet.
Step-7. Next, we will set up a fake DNS server to resolve the DNS queries made by malware, for example when it tries to download a second-stage payload from a remote server.
Step-8. We need to enable the DNS service in INetSim. For that, open the inetsim.conf file and enable the DNS service.
Now press Ctrl+O, then Enter, to save the changes, and then Ctrl+X to exit.
Step-9. Next, we will configure the fake DNS server IP on FLARE-VM.
Step-10. Test that our REMnux server is configured and working as required.
Step-11. Check the response from our fake DNS server (REMnux VM).
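Steps 9 to 11 can be checked in one go from the FLARE-VM side. The script below is an added verification, not part of this guide, REMnux or INetSim; it assumes a host-only lab where REMnux/INetSim sits at 10.0.0.2 and that INetSim’s dns_default_ip was set to that same address, so change those values to match your own adapter configuration.

```powershell
# Added verification script for steps 9-11 above; it is not part of the guide
# or of REMnux/INetSim. The REMnux address is an assumed lab value: change it to
# match your host-only network. Run from an elevated PowerShell on FLARE-VM.

$RemnuxIp = '10.0.0.2'                                  # assumed REMnux/INetSim address
$Adapter  = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name

# Step 9: point the host-only adapter at the fake DNS server and drop cached answers
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $RemnuxIp
Clear-DnsClientCache

function Test-LabIsolation {
    param([string]$DnsServer, [string[]]$Names)
    $report = @()

    # Steps 10-11: every name must resolve, and resolve to INetSim's dns_default_ip,
    # which this script assumes you set to the REMnux address
    foreach ($n in $Names) {
        try {
            $answers = (Resolve-DnsName -Name $n -Server $DnsServer -Type A -DnsOnly -ErrorAction Stop |
                        Where-Object Type -eq 'A').IPAddress
            $tag = if ($answers -contains $DnsServer) { 'OK  ' } else { 'FAIL' }
            $report += "$tag DNS $n -> $($answers -join ',')"
        } catch {
            $report += "FAIL DNS $n -> no answer from $DnsServer ($($_.Exception.Message))"
        }
    }

    # The VM must NOT reach the real internet: a public resolver on port 53 should be unreachable
    $leak = Test-NetConnection -ComputerName 8.8.8.8 -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($leak) { $report += 'FAIL internet reachable: 8.8.8.8:53 open; check the adapter is Host-only' }
    else       { $report += 'OK   no path to the internet' }

    # A host-only adapter should carry no default gateway at all
    $gw = Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    if ($gw) { $report += "WARN default gateway $($gw.NextHop) present on $Adapter" }
    else     { $report += 'OK   no default gateway' }

    return $report
}

# Sample names are constructed; any name should come back as the INetSim address
Test-LabIsolation -DnsServer $RemnuxIp -Names 'example.com', 'update.example.net'
```

Every line should read OK before you detonate anything; a FAIL on the internet check means the adapter or DHCP configuration in VirtualBox still leaks traffic out of the lab.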
→ Your isolated lab environment is now ready. Enjoy! 🕵️♂️
Important Note! Take a good snapshot before detonating💣malware.
Thank you so much ❤️ for reading my blog!