
Creating a malware analysis lab locally 👨‍🔬 🔬

Introduction

While doing a CTF recently that involved detecting Log4j attacks delivering the Khonsari ransomware, I ran into many of the hurdles of setting up forensic tools such as Autopsy, pdfid, .NET-based debuggers and reverse engineering tools to solve the challenges.

TL;DR: I just want the quick VM for my CTF! Go here -> https://github.com/brootware/flarevm-up

This took a lot of time, more than a day perhaps, to troubleshoot and look around for articles on how to set everything up on Windows, as I am currently using a Mac. At first I tried to use Autopsy on the Mac, but the features were severely lacking, as the software is exposed via a web browser on localhost.


There has to be a better way to solve this, and I want to be ready the next time I do such a blue team CTF. Basically, the very manual and time-consuming steps are:

  1. Set up a Windows VM (either locally with VirtualBox or in the cloud with Azure; more on setting up in the cloud in part 2 of this series)
  2. Read the documentation on installing each tool needed for malware analysis
  3. Install each tool
  4. Troubleshoot during the installation. Repeat.

Enter FLARE VM by Mandiant


FLARE VM is a PowerShell install script created by Mandiant. The tool itself is pretty great, but setting up a sandbox VM locally and installing the tool takes a lot of time (4-5 hours; trust me, I timed this). The nature of malware analysis also requires you to dispose of the VM and reinstall it fresh whenever needed. If you have multiple devices, or just want a fresh reinstall after a malware analysis session, going through all of that again would waste a lot of time. So here are the three main requirements to recap:

  • Spin up a fresh VM as and when it is needed.
  • Have a consistent setup across multiple devices.
  • Spend less time setting up the sandbox VM.

The goal here is to make it easy to spin up a machine in an automated manner. To achieve this, I used Vagrant and VirtualBox: I imaged the installed VM with the Vagrant CLI and VirtualBox, then uploaded the resulting box to Vagrant Cloud for easier distribution. This also lets users spin up the lab VM consistently across multiple devices.


Imaging the Flare-VM for consistency and distribution

This is the most tedious part of the project. Before starting, make sure your local device has enough free space (more than 60 GB) for the imaging process, or you will run into errors. Note that I will not go into much detail, as most of these steps can easily be googled. Below are the steps:

  • A fresh Windows 10 VM has to be installed from an ISO image downloaded from the Microsoft website.
  • Disable Microsoft Defender's real-time protection
  • Disable cloud-delivered protection
  • Disable automatic sample submission
  • Add the directory C:\ to the Defender exclusion list (otherwise Defender quarantines many of the tools FLARE VM installs)
  • Once the fresh VM is installed in VirtualBox, run the FLARE VM install script from an elevated PowerShell prompt as below.
wget https://raw.githubusercontent.com/mandiant/flare-vm/master/install.ps1 -outfile install.ps1   # wget is the PowerShell alias for Invoke-WebRequest
Unblock-File .\install.ps1          # clear the Mark-of-the-Web so the downloaded script may run
Set-ExecutionPolicy Unrestricted    # allow local unsigned scripts
.\install.ps1
  • After about 4-5 hours, the VM is ready to be imaged using Vagrant.
  • As this is a Windows VM, some prerequisite configuration is needed first (a vagrant user, WinRM enabled, and so on). The detailed steps are documented on the Vagrant website: https://www.vagrantup.com/docs/boxes/base#base-windows-configuration
  • Once the base Windows configuration is done, VirtualBox Guest Additions must be installed.
  • We are ready to package the box, using the Vagrant CLI command below, where my-vm is the VM name given in VirtualBox. Make sure your device has enough free space for the package (I was stuck here for hours before I came across a blog post that resolved it).
vagrant package --base my-vm --output flareVm.box
  • This will take about an hour and outputs a flareVm.box file that can be uploaded to Vagrant Cloud.
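The guest-side part of that list as one PowerShell file, an added example rather than the post's own or Mandiant's script: it applies the four Defender settings with Set-MpPreference and checks that they actually took effect before committing to the multi-hour install, fetches and runs the installer, and then applies the vagrant user and WinRM settings from the Vagrant base-Windows page. The vagrant/vagrant credentials, the Desktop download path and the assumption that Tamper Protection is already off are mine, not from the post; the host-side vagrant package command is unchanged.

```powershell
# Guest-side preparation of the FLARE VM base box. Added example, not the
# post's or Mandiant's own script. Run inside the fresh Windows 10 VM from an
# elevated Windows PowerShell 5.1 session, one function at a time (the FLARE VM
# installer reboots the VM, so the three steps cannot run as a single script).
#
# Assumptions not taken from the post:
#   - Tamper Protection is already off (Windows Security > Virus & threat
#     protection settings). While it is on, Set-MpPreference silently ignores
#     changes to real-time protection, which is why step 1 verifies the result.
#   - The Vagrant account uses the defaults from the Vagrant base-box docs:
#     user "vagrant", password "vagrant", member of Administrators.

$ErrorActionPreference = 'Stop'

# Step 1: the post's four Microsoft Defender items, then a check that they took effect.
function Disable-LabDefender {
    Set-MpPreference -DisableRealtimeMonitoring $true    # real-time protection off
    Set-MpPreference -MAPSReporting Disabled             # cloud-delivered protection off
    Set-MpPreference -SubmitSamplesConsent NeverSend     # automatic sample submission off
    Add-MpPreference -ExclusionPath 'C:\'                # whole system drive excluded

    $status = Get-MpComputerStatus
    if ($status.RealTimeProtectionEnabled) {
        throw 'Real-time protection is still on (Tamper Protection?). Fix it before installing, or Defender will quarantine tools as FLARE VM unpacks them.'
    }
    $pref = Get-MpPreference
    if ($pref.ExclusionPath -notcontains 'C:\') { throw 'C:\ is not in the Defender exclusion list.' }
    Write-Host 'Defender is disabled for the lab; proceed with Install-FlareVm.'
}

# Step 2: the post's four install lines, with the download checked before execution.
function Install-FlareVm {
    $installer = Join-Path $env:USERPROFILE 'Desktop\install.ps1'   # assumed download location
    Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/mandiant/flare-vm/master/install.ps1' -OutFile $installer
    if ((Get-Item $installer).Length -eq 0) { throw 'install.ps1 download is empty.' }
    Unblock-File $installer                              # clear Mark-of-the-Web
    Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force
    & $installer                                         # 4-5 hours; the VM reboots during install
}

# Step 3: Vagrant's base-Windows prerequisites (vagrant user + WinRM), run after
# the FLARE VM install has completed and before installing Guest Additions.
function Enable-VagrantAccess {
    if (-not (Get-LocalUser -Name 'vagrant' -ErrorAction SilentlyContinue)) {
        $pw = ConvertTo-SecureString 'vagrant' -AsPlainText -Force   # Vagrant's documented default
        New-LocalUser -Name 'vagrant' -Password $pw -PasswordNeverExpires -AccountNeverExpires | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member 'vagrant'
    }

    # winrm quickconfig refuses to open the firewall on a "Public" network profile.
    Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

    # Basic auth over unencrypted WinRM is what Vagrant expects from a base box.
    # It is only acceptable because the guest sits behind VirtualBox NAT; never
    # expose this configuration on a bridged or otherwise routable interface.
    winrm quickconfig -q
    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'
    winrm set winrm/config '@{MaxTimeoutms="1800000"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
    sc.exe config WinRM start= auto

    # Vagrant's docs also turn UAC off so provisioning runs without prompts.
    reg.exe add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v EnableLUA /d 0 /t REG_DWORD /f /reg:64

    if ((Get-Service WinRM).StartType -ne 'Automatic') { throw 'WinRM is not set to start automatically.' }
    Write-Host 'vagrant user and WinRM ready; install Guest Additions, then run vagrant package on the host.'
}
```

Dot-source the file in an elevated PowerShell, then run Disable-LabDefender, Install-FlareVm (wait out the reboots), Enable-VagrantAccess, install Guest Additions, and only then run vagrant package on the host. The plaintext Basic-auth WinRM and UAC-off settings are what make the image manageable by Vagrant; they are also why the resulting box should stay on NAT or a host-only network and never be bridged onto a real LAN.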

Uploading to Vagrant cloud

Uploading to Vagrant Cloud is a fairly simple process. I followed a blog post to upload and publish the flareVm box. You can find the uploaded flareVm box at https://app.vagrantup.com/rootware/boxes/flareVm.

How to spin up flare-vms locally

To make it much easier, I created a GitHub repository with a recommended Vagrantfile configuration to spin up the FLARE VM with one line.


You can find the repository at https://github.com/brootware/flarevm-up.

Make sure you have Vagrant and VirtualBox installed on your device.

Run the commands below and let Vagrant and VirtualBox do their magic!

git clone https://github.com/brootware/flarevm-up.git && cd flarevm-up
vagrant up

Conclusion

This concludes part 1 of creating a malware analysis lab locally on your device without incurring additional cost. In part 2 I will go through the process of imaging it in Azure using Azure's native image builder capability and sharing the image via Azure Compute Gallery. That approach gives you the flexibility of using a sandboxed cloud VM for labs. You can read part 2 here: https://brootware.github.io/posts/creating-a-malware-analysis-lab-in-the-cloud/.

Some great sources I used to build the box.

This post is licensed under CC BY 4.0 by the author.