Any cyber analyst or InfoSec researcher understands the importance of gathering proactive and actionable threat intelligence to protect critical customer assets from attacks. To do this we need to collect and store IOCs and TTPs easily and effectively, giving us the ability to create rules to detect these methodologies being used in an environment.
After all, anti-virus software and malware detection techniques all ultimately stem from threat intelligence: whether it's the hash of a file or looking for winword.exe spawning cmd.exe, we know this is malicious because we have seen threat actors use this activity to perform malicious actions.
This shows how important a malware analysis lab is to a SOC. It's all well and good having MISP (and it is also necessary), but running a SOC without the ability to examine live malware samples for customers is always going to leave you on the back foot.
Especially when it's a customer document that could contain potentially sensitive information, which you should have specific customer consent to share with a third party (e.g. a public sandbox), in which case they might as well go directly to the third party. There are public sandboxes available which offer private scans, https://any.run for example.
This guide covers manual dynamic analysis and doesn't cover automated malware analysis tools such as Cuckoo.
The What
So now it's outlined why you need a malware analysis lab, let's list what it needs to be able to do and then how to do it.
You need to be able to:
- Examine potentially malicious files securely and gather IOCs/TTPs
- Not break your own shit while doing it
- Get malicious files from customers without playing Russian roulette to see if Proofpoint etc. will block it
That's pretty much it, right? Spoiler alert: number 3 is a separate blog post.
The How
First install VMware/VirtualBox and download a Windows 10 ISO from here: https://www.microsoft.com/en-gb/software-download/windows10ISO
If you don't get the ISO download option, change your user agent to Apple iPad (using a user agent spoofer plugin, for example) and you should then get the ability to download the ISO. Alternatively you can build one using this site: https://uup.rg-adguard.net/index.php
The next step is to install Windows 10. I recommend using 80GB of disk space, because some virtualisation detection methodologies rely on HDDs of less than 60GB in size.
Once you've installed Windows 10, now comes the good bit.
1 Navigate to https://github.com/fireeye/flare-vm, download the zip and then extract it
2 Open PowerShell as an admin and navigate to the extracted directory
3 Either set your execution policy to unrestricted by running the following:
Set-ExecutionPolicy Unrestricted
Or run the installer with a per-process bypass instead: powershell -ExecutionPolicy Bypass .\install.ps1
After the installation, which will take a long time and multiple reboots, you should have a new folder on your desktop called FLARE. The contents should look something like this.
If it does, congratulations, it installed correctly and you have enough tools to get started. Skip the next paragraph.
If it doesn't look like that and only has one or two folders in it, you may need to manually do the following.
- Navigate to the tools folder within the flarevm zip
- Run the chocolateyinstall.ps1 PowerShell script
Hopefully this will fix the issue. If not, further troubleshooting will be required.
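Steps 1 to 3 above and the "did it install?" check that follows, as one scripted version. This is an added example and not code from the post or from the FLARE VM project; it assumes the zip was saved to $FlareZip, that the extracted folder holds install.ps1 and tools\chocolateyinstall.ps1 as the post describes, and that the installer drops its tool folders under Desktop\FLARE.

```powershell
# Added example, not from the post or the FLARE VM project.
# Assumed paths: $FlareZip (download location), $ExtractDir, and Desktop\FLARE.
#Requires -RunAsAdministrator

$FlareZip   = "$env:USERPROFILE\Downloads\flare-vm-master.zip"   # assumed download location
$ExtractDir = "$env:USERPROFILE\Downloads\flare-vm"
$FlareDesk  = "$env:USERPROFILE\Desktop\FLARE"

function Get-FlareInstallDir {
    # The zip extracts to a single top-level folder containing install.ps1
    Get-ChildItem -Path $ExtractDir -Directory | Select-Object -First 1
}

function Install-FlareVm {
    # Steps 1-3: extract the zip and run install.ps1 with a per-process bypass,
    # which avoids changing the machine-wide execution policy permanently.
    Expand-Archive -Path $FlareZip -DestinationPath $ExtractDir -Force
    $installDir = Get-FlareInstallDir
    Push-Location $installDir.FullName
    try {
        powershell.exe -ExecutionPolicy Bypass -File .\install.ps1
    } finally {
        Pop-Location
    }
}

function Test-FlareInstall {
    # Run this only after the installer's reboots have finished. A FLARE folder
    # with one or two subfolders means the Chocolatey package run did not
    # complete, so rerun tools\chocolateyinstall.ps1 as the post suggests.
    $folders = @(Get-ChildItem -Path $FlareDesk -Directory -ErrorAction SilentlyContinue)
    if ($folders.Count -le 2) {
        Write-Warning "Only $($folders.Count) folder(s) under $FlareDesk; rerunning chocolateyinstall.ps1"
        $choco = Join-Path (Get-FlareInstallDir).FullName 'tools\chocolateyinstall.ps1'
        powershell.exe -ExecutionPolicy Bypass -File $choco
        return $false
    }
    Write-Host "FLARE folder has $($folders.Count) tool categories; install looks complete"
    return $true
}

# Usage: Install-FlareVm on the fresh VM, then Test-FlareInstall once it has
# come back from its last reboot (the installer restarts the machine, so the
# two cannot run back to back in one session).
```

The bypass form is preferred over Set-ExecutionPolicy Unrestricted because it applies to that one process only and leaves nothing behind in the VM's policy, which matters if you later snapshot and reuse the image.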
So now you've got all the tools, I recommend downloading and running Pafish http
The GitHub page links directly to the binary. When run, it lets you know whether your environment is detected as virtualised and how, so mitigations can be put in place.
For example, you may need to edit your mac address.
Don't be surprised if you cannot remove all signs of virtualisation. However, you should still be able to get most malware samples to run with some tweaking. Don't forget to add some dummy documents to the Desktop and Documents folders.
The tools that you've installed through FLARE VM should be all you need to perform dynamic analysis. I recommend starting off with some simple ones to practice with, such as Process Monitor.
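A quick readiness check for the three tweaks this post mentions (disk size, MAC address, dummy documents), as an added example that is not from the post or from Pafish. It only reports; it changes nothing. It assumes the system volume is C: and uses a short hand-picked list of hypervisor MAC prefixes (VMware 00:0C:29, 00:50:56, 00:05:69; VirtualBox 08:00:27); Pafish covers many more checks than these.

```powershell
# Added example, not from the post or Pafish. Assumes C: is the system volume.
# Reports the three artefacts the post calls out so you can fix them before
# running Pafish for the full set.

$HypervisorOUIs = @('00-0C-29', '00-50-56', '00-05-69', '08-00-27')  # VMware x3, VirtualBox

function Test-LabArtefacts {
    $findings = @()

    # 1. Disk size: the post recommends 80GB because some checks flag disks under 60GB
    $sizeGB = [math]::Round((Get-Volume -DriveLetter C).Size / 1GB)
    if ($sizeGB -lt 60) {
        $findings += "System volume is ${sizeGB}GB (<60GB); resize the virtual disk"
    }

    # 2. MAC address: a hypervisor vendor prefix gives the VM away
    foreach ($nic in Get-NetAdapter -Physical) {
        $oui = ($nic.MacAddress -replace ':', '-').Substring(0, 8).ToUpper()
        if ($HypervisorOUIs -contains $oui) {
            $findings += "Adapter '$($nic.Name)' has hypervisor OUI $oui; set a custom MAC in the VM settings"
        }
    }

    # 3. Dummy documents: an empty Desktop and Documents folder looks like a fresh sandbox
    $docDirs  = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Documents")
    $docCount = (Get-ChildItem -Path $docDirs -Include *.docx,*.xlsx,*.pdf,*.txt -Recurse -File `
                 -ErrorAction SilentlyContinue | Measure-Object).Count
    if ($docCount -lt 5) {
        $findings += "Only $docCount document(s) on Desktop/Documents; add some filler files"
    }

    return $findings
}

$results = Test-LabArtefacts
if ($results.Count -eq 0) {
    Write-Host "None of the post's three artefacts found; run Pafish for the full set"
} else {
    $results | ForEach-Object { Write-Warning $_ }
}
```

Run it inside the guest after the FLARE VM install and again after each tweak; the MAC change in particular is made in the hypervisor's VM settings, not inside Windows, so the adapter needs a reconnect before the check reflects it.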