Painless Guide to Building the Reverse Engineering and Malware Analysis Lab

Jafar Pathan
15 min read, Jul 1, 2024

Building Malware Lab by Jafar Pathan

Legal Disclaimer:

The information provided in this lab-building guide is intended for educational and informational purposes only. Setting up and using a malware analysis and reverse engineering lab involves handling potentially dangerous software. It is imperative that you follow best practices and take all necessary precautions to ensure the safety and security of your systems and data.

By following this guide, you acknowledge and agree to the following:

  1. Handle Malware with Care: Always handle malware samples with extreme caution. Mistakes in handling malware can lead to unintentional damage to your systems or data. Ensure that your lab environment is properly isolated and that no malware escapes into your network or host systems.
  2. Precautions: Use a dedicated, isolated lab environment for all malware analysis activities. Ensure that there is no network connection between your lab environment and your host machine or the internet while working with malware.
  3. Responsibility: The author of this guide is not responsible for any intentional or unintentional damage caused by the use or misuse of the information provided. This includes, but is not limited to, damage to computer systems, loss of data, or any other consequences that may arise from the improper handling of malware.
  4. Legal Compliance: Ensure that your activities comply with all applicable laws and regulations. Unauthorized analysis or dissemination of malware may be illegal in your jurisdiction.

By using this guide, you agree to take full responsibility for your actions and any consequences that may result. Always exercise caution and prioritize safety when working with malware.

This is just one way of building a malware analysis lab; there may be better alternatives available. Please drop a suggestion if you have any :)

Overview of the Lab:

Below is the structure of the lab we aim to achieve:

Lab Components.

  1. REMnux VM
  2. FLARE VM

The REMnux VM will be dedicated to reverse engineering and analyzing Linux binaries. Additionally, it will create a simulated internet connection for the Windows machine.

The FLARE VM will be dedicated to reverse engineering and analyzing Windows binaries.

Both VMs will have a network connection between them but will be isolated from the host machine and the internet while working with malware. This isolation is crucial for providing a safe environment during malware analysis.

We will also create and configure a fake internet simulation that mimics real internet services, so we can see whether a piece of malware tries to connect to the internet and what it does once it gets a response.

Prerequisites:

Hardware Requirements:

  • RAM -> 8 GB minimum, 16 GB recommended
  • Storage -> at least 150 GB of free storage

Software Requirements:

Alternatively, on Debian-based Linux you can install VirtualBox directly with apt using the command below:

sudo apt install virtualbox virtualbox-ext-pack

Or you can follow the official guide on the Kali Linux site -> https://www.kali.org/docs/virtualization/install-virtualbox-host/

Setting up the VMs

First of all, we need to install the VMs.

I. Creating Windows 10 VM

1. Start VirtualBox and click on the 'Machine' tab as highlighted below.

2. Click on 'New' as shown below.

3. Give the VM any name you want, then select the recently downloaded Windows ISO file as shown below and click on 'Next'.

4. Give any username you want; for this guide, I will leave it as 'vboxuser' and set a strong password. After that click on 'Next'.

5. Allocate RAM and CPU cores as the available resources permit. I recommend at least 4 GB of RAM and at least 2 CPU cores, as shown below. After allocating the resources click on 'Next'.

6. Allocate at least 100 GB of storage and click on 'Next'. A summary will be displayed; click on 'Finish' in the summary window.

7. The VM should start automatically; if not, you can start it manually as shown below.

8. Wait while the VM starts, as shown below.

9. The Windows installation will start automatically.

10. Leave everything to Windows. It will finish the setup and be ready to use in a few minutes.

11. Now that we have successfully created the Windows 10 VM, we will install the VirtualBox Guest Additions. To learn more about what the Guest Additions are, refer to this -> https://www.virtualbox.org/manual/ch04.html.

On your Windows VM window, click on Devices -> Insert Guest Additions CD image. If for any reason it is not found, you have to download it manually from here -> https://www.virtualbox.org/wiki/Downloads

Now navigate to this ISO in File Explorer and run the VirtualBox Guest Additions installer.

When prompted, click on 'Yes' as shown below.

Click on Next -> Next -> Install, and reboot the VM by clicking on the 'Finish' button.

Now we can use the VM in full screen.

Now make sure to set the shared clipboard and drag and drop to bidirectional, so we can move files into the VM with ease.

II. Configuring Windows VM for FLARE VM

1. After creating the Windows VM, it is time to set up FLARE VM. But before we do that, we need to make a few essential changes to our Windows VM. Before moving further, I want you to take a snapshot of the VM, so that if we make any mistake we can revert to a freshly installed Windows.

2. First pause the VM as shown below.

3. Then take a snapshot of it.

4. After taking the snapshot, resume the VM.

5. Disable the proxy auto-detect setting: in the Windows search bar, search 'proxy settings'.

6. Switch 'Automatically detect settings' off.

7. Search 'Defender', open the Defender settings and set all Defender settings to off.

8. Click on 'Manage settings'.

9. Disable all settings as shown below.

10. Disable AV/Defender in GPO. In the Start menu, search 'resmon' and open it as shown below.

11. Find 'MsMpEng.exe' in the list, right-click on it, and suspend the process.

12. Now in the search bar, search 'run' and open it.

13. Type 'gpedit.msc' and click on OK.

14. In GPO, navigate to Administrative Templates → Windows Components → Microsoft Defender Antivirus and open 'Turn off Microsoft Defender Antivirus'.

15. Set it to Enabled, click on Apply, and then click on OK.

16. Disable real-time protection as well, as shown below.

17. Now disable the Windows Firewall. Go to GPO → Administrative Templates → Network → Network Connections → Windows Defender Firewall → Domain Profile → 'Protect All Network Connections'.

18. Set it to Disabled -> Apply -> OK.

19. Repeat the same for the Standard Profile as well.

20. Disabled -> Apply -> OK.

Bonus step: You can also download and run the following PowerShell script to disable Defender; however, I prefer the manual approach for a better learning experience. -> https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1

III. Installing FLARE VM

1. Now we are done with the configuration. Before moving ahead, take a snapshot of the VM. This is a must if you don't want to lose your progress, so take a snapshot now! Do not delete the previous snapshot; if you want to delete it to save space on your host machine, you can do that later. For now, leave it as it is.

2. Run PowerShell as administrator.

3. In PowerShell, run the following command ->

(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

The above command downloads a file named 'install.ps1' to the Desktop.

4. Navigate to the location of this file and unblock it using the commands below ->

cd C:\Users\<username>\Desktop
Unblock-File .\install.ps1

5. Enable script execution using the command below ->

Set-ExecutionPolicy Unrestricted -Force

6. Now run the script using -> .\install.ps1

7. Type 'Y' to continue, and enter your login credentials when asked.

8. When the prompt below appears, just click on OK. This prompt asks which additional tools to install; select as per your need, but for now we will go with the default tools.

9. Now sit back, relax, grab a cup of tea and wait for the installation to finish (spoiler: it will take a lot of time). Your VM will restart, so don't worry when that happens.

When the installation of FLARE VM is finished, you will see the following terminal message. Press Enter to exit.

10. Now we have installed FLARE VM successfully!

11. Don't forget to take a snapshot.

IV. Installing and Setting up the REMnux VM

1. Download the REMnux .ova file from the following -> https://docs.remnux.org/install-distro/get-virtual-appliance

2. Open the REMnux .ova file in VirtualBox.

3. Click on the 'Finish' button.

4. Wait until REMnux is imported, then start the REMnux VM.

5. If the VirtualBox Guest Additions in REMnux are outdated, an option to upgrade will be offered. Click on 'Upgrade' to move to the newer version, as shown below.

6. If you want to upgrade the distro, you can follow the official guide -> https://docs.remnux.org/install-distro/keep-the-distro-up-to-date

7. Now that we are done with the REMnux installation, let's take a snapshot of REMnux.

Now we are done installing our VMs. Next we will create a sandbox environment and interconnect the VMs using VirtualBox's internal network.

Then we will move on to creating a fake internet in REMnux, to provide simulated internet access for our FLARE VM.

Creating Sandbox Environment using Internal Network

Why do we need to create a sandbox network environment for a malware analysis lab?

Creating a sandbox network environment for a malware analysis lab is essential for several reasons:

  1. Containment of Malicious Activity
  2. Safe Analysis
  3. Prevent Data Exfiltration
  4. Network Simulation
  5. Protecting the Host System
  6. Preventing Malware Spread
  7. Ensuring Analysis Integrity

Now, let's move ahead with creating an internal network in VirtualBox.

1. Close all the VMs.

2. Select the REMnux VM and go to the network settings.

3. In the network settings, open the 'Attached to' drop-down menu.

4. Select 'Internal Network' and keep note of the network name. Click on 'Advanced' and, under Promiscuous Mode, select 'Allow VMs'. Lastly, click on the 'OK' button.

5. Do the same for the FLARE VM.

6. Now start the REMnux VM, open the terminal, and run the command below to find the name of the adapter.

sudo ip link set enp0s3 down
sudo ip addr add 10.0.0.3/24 dev enp0s3
sudo ip link set enp0s3 up

Here,

  • sudo ip link set enp0s3 down brings the adapter down.
  • sudo ip addr add 10.0.0.3/24 dev enp0s3 assigns the IP address 10.0.0.3 (in the 10.0.0.0/24 network) to the adapter 'enp0s3'.
  • sudo ip link set enp0s3 up brings the adapter back up.

Note that an address added with ip addr is not persistent: it is gone after REMnux reboots, so re-run these commands (or make the change in the distro's network configuration) after every restart.

Now run the ip a command again to check whether the IP has been assigned.

8. Now start the FLARE VM. We have to configure the adapter of the FLARE VM too, so it can talk to REMnux.

In the Start search, search 'ethernet' and open the Ethernet settings.

9. Click on 'Change adapter options'.

10. Right-click on the adapter and select 'Properties'.

11. Select 'Internet Protocol Version 4' and click on 'Properties'.

12. Fill in the details as shown below and click on 'OK'.

13. Now try to ping REMnux as shown below; you should get a response from REMnux.

14. Try to ping the FLARE VM from REMnux as shown below; you should get a response from the FLARE VM.

15. Now try to ping the Google DNS server and make sure that neither REMnux nor the FLARE VM can reach it, confirming that they are not connected to the internet and are isolated.

16. We have successfully created and isolated our lab's VMs.
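The ping tests above are a manual check; the script below is an added example (mine, not part of the original guide) that does the same check from the routing table: it parses the output of `ip -o -4 addr` and `ip route` on a Linux VM and reports any address outside the 10.0.0.0/24 lab network or any default route. It assumes the FLARE VM was given 10.0.0.2 (the guide does not state its address), and the sample command output embedded in it is constructed.

```python
"""Isolation check for a lab VM from `ip -o -4 addr` and `ip route` output.
Added example, not from the original guide. Assumes the lab network 10.0.0.0/24
with REMnux at 10.0.0.3 (from the guide) and the FLARE VM at 10.0.0.2 (assumed).
The sample command output below is constructed."""
import ipaddress
import subprocess

LAB_NET = ipaddress.ip_network("10.0.0.0/24")
EXPECTED = {"remnux": "10.0.0.3", "flare": "10.0.0.2"}  # FLARE address is assumed

# Constructed sample: a VM still on the VirtualBox NAT adapter, i.e. not isolated.
ADDR_NAT = ("1: lo    inet 127.0.0.1/8 scope host lo\\ valid_lft forever\n"
            "2: enp0s3    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3\\ valid_lft 86203sec\n")
ROUTE_NAT = ("default via 10.0.2.2 dev enp0s3 proto dhcp metric 100\n"
             "10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15\n")

def parse_addrs(ip_addr_output):
    """Map interface name -> IPv4Interface from `ip -o -4 addr` lines, skipping lo."""
    addrs = {}
    for line in ip_addr_output.splitlines():
        parts = line.split()  # "<idx>: <ifname> inet <addr>/<prefix> ..."
        if len(parts) >= 4 and parts[2] == "inet" and parts[1] != "lo":
            addrs[parts[1]] = ipaddress.ip_interface(parts[3])
    return addrs

def check_isolation(ip_addr_output, ip_route_output, role):
    """Return findings (strings); an empty list means the VM looks isolated."""
    findings, addrs = [], parse_addrs(ip_addr_output)
    if not addrs:
        findings.append("no IPv4 address on any adapter: static IP not applied or lost on reboot")
    for ifname, iface in addrs.items():
        if iface.ip not in LAB_NET:
            findings.append(f"{ifname} has {iface.ip}, outside the lab network {LAB_NET}")
        elif str(iface.ip) != EXPECTED[role]:
            findings.append(f"{ifname} has {iface.ip}, expected {EXPECTED[role]} for {role}")
    for line in ip_route_output.splitlines():
        if line.startswith("default"):  # a gateway means packets can leave the lab
            findings.append(f"default route present ({line.strip()})")
    return findings

def live_check(role="remnux"):
    """Run the two ip commands on this Linux VM and return the findings."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return check_isolation(run("ip", "-o", "-4", "addr"), run("ip", "route"), role)

if __name__ == "__main__":
    print("constructed NAT sample:", check_isolation(ADDR_NAT, ROUTE_NAT, "remnux"))
    print("this VM:", live_check() or ["OK: lab address only, no default route"])
```

Run it on REMnux after step 7; an empty result for "this VM" is what you want before any sample is detonated.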

Creating Fake Internet using InetSim

So what is INetSim?

“INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.

INetSim supports simulation of the following services: HTTP, SMTP, POP3, DNS, FTP, NTP, TFTP, IRC, Ident, Finger, Syslog, ‘Small servers’ (Daytime, Time, Echo, Chargen, Discard, Quotd).” From Kali Documentation.

Why do we need INetSim?

  1. Simulating Internet Services
  2. Capturing Malicious Traffic
  3. Preventing Real-world Damage
  4. Generating Detailed Reports
  5. Customizable Responses
  6. Testing Malware Capabilities

Now that we know what INetSim is and why we need it, let's configure it in our lab.

1. In REMnux, run the following command to edit INetSim's configuration file.

sudo nano /etc/inetsim/inetsim.conf

2. Scroll down in this file until you see the DNS settings.

3. Uncomment this line.

4. Scroll down, uncomment the service bind address and add the loopback address to bind to all interfaces.

5. Uncomment the DNS default address and set it to the IP of REMnux's adapter (10.0.0.3 in our setup).

6. Now save this file, start INetSim and check that the service is running properly.

7. Now in the FLARE VM, open the browser and enter any URL, for example:

8. We should get a response from INetSim.

9. Congratulations, we now have a fully working, isolated lab for reverse engineering and analyzing malware.

Make sure to take snapshots of both VMs.
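Steps 3 to 5 edit three directives in inetsim.conf by hand; the script below is an added example (mine, not from the guide or the INetSim project) that applies the same three edits to the file text and then verifies that DNS is enabled, that INetSim listens on the lab adapter, and that every name resolves to REMnux. It assumes INetSim's directive names `start_service`, `service_bind_address` and `dns_default_ip`, uses 0.0.0.0 as the all-interfaces bind address, and the config excerpt embedded in it is constructed.

```python
"""Apply the three inetsim.conf edits from the guide and verify the result.
Added example, not from the original guide or the INetSim project. It assumes
INetSim's directive names (start_service, service_bind_address, dns_default_ip),
0.0.0.0 as the all-interfaces bind address and REMnux at 10.0.0.3 (from the
guide). The config excerpt below is constructed to resemble the shipped file."""
import re

REMNUX_IP = "10.0.0.3"

# Constructed excerpt: defaults are commented out, as in a fresh install.
SAMPLE_CONF = """# start_service dns
#start_service http
# service_bind_address 10.10.10.1
# dns_default_ip 10.10.10.1
dns_default_port 53
"""

def set_line(conf, key, value=""):
    """Uncomment the line for `key` (appending one if absent) and set its value."""
    wanted = f"{key} {value}".rstrip()
    pattern = re.compile(rf"^[ \t]*#?[ \t]*{re.escape(key)}\b.*$", re.MULTILINE)
    if pattern.search(conf):
        return pattern.sub(wanted, conf, count=1)
    return conf.rstrip("\n") + f"\n{wanted}\n"

def configure(conf, remnux_ip=REMNUX_IP, bind_ip="0.0.0.0"):
    """Steps 3-5 of the guide: enable DNS, bind every interface, resolve to REMnux."""
    conf = set_line(conf, "start_service dns")
    conf = set_line(conf, "service_bind_address", bind_ip)
    return set_line(conf, "dns_default_ip", remnux_ip)

def active_lines(conf):
    """Uncommented directives, whitespace-normalised, for verification."""
    return {" ".join(l.split()) for l in conf.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def verify(conf, remnux_ip=REMNUX_IP):
    """Return problems; an empty list means the FLARE VM's lookups will reach INetSim."""
    lines, problems = active_lines(conf), []
    if "start_service dns" not in lines:
        problems.append("DNS service is not enabled")
    bind = next((l.split()[1] for l in lines if l.startswith("service_bind_address ")), None)
    if bind not in ("0.0.0.0", remnux_ip):
        problems.append(f"service_bind_address is {bind}; the lab adapter is not listened on")
    if f"dns_default_ip {remnux_ip}" not in lines:
        problems.append(f"dns_default_ip must be {remnux_ip} so every name resolves to INetSim")
    return problems

if __name__ == "__main__":
    fixed = configure(SAMPLE_CONF)
    print(fixed, "problems:", verify(fixed))
```

On REMnux, read /etc/inetsim/inetsim.conf, pass its text through configure(), write it back (as root) and confirm verify() returns an empty list before starting INetSim.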

FAQs

Question: How do I move files into the VMs?

Answer: We drag and drop them from our host machine.

Question: How do I enable internet connectivity again?

Answer: Simple, just change the adapter from Internal Network to Bridged or NAT in the VirtualBox settings and remove the static IPs.

Question: Do I always have to take snapshots?

Answer: No, only take a snapshot after installing any additional tools. For example, I added the Immunity Debugger tool to my FLARE VM, so I downloaded the binary on my host machine, moved it to the FLARE VM, deleted the previous snapshot and took a new one. This also helps in managing storage, because snapshots take a lot of space.

Question: I don't want to do malware analysis, I only want to do reverse engineering, and I require an internet connection.

Answer: Simple, just skip the isolation part of this guide and you are good to go. I use this setup for both malware analysis and reverse engineering, and whenever I require internet connectivity I revert the network configuration to the default.

Question: Okay, I am done with setting up the lab. But how do I analyze malware? How do I handle malware safely? What tools are available?

Answer: Like, share and support; I will provide more guides on reverse engineering and malware analysis.
