How to set up a Malware Analysis Virtual Machine

So you want to analyze some malware and you don't fancy doing that on the computer you use day to day? Oh, and you don't want to spend money setting up a lab? And we all know time is money, so we don't want to waste that either. This is a basic guide to setting up a simple (free) malware analysis virtual machine.

Setting up a Hypervisor

First you are going to need a hypervisor to run your virtual machine. There are a lot of choices out there: Hyper-V, VMware, Parallels, etc. I recommend VirtualBox. It's free, supported on Windows, macOS, and Linux, and has snapshot features that come in handy for reverting your virtual machine after infecting it. Like most software these days, installation is an exercise in pressing Next.

Getting a (legitimate) Guest Operating System

So we are going to need a copy of Windows, and Windows licenses cost money. Well, lucky for us, Microsoft offers developer virtual machines for Windows 7, 8, and 10 for free. I know, right?! Microsoft giving Windows away for free? What's the catch? These virtual machines expire after 90 days. But that really isn't an issue, as we will be using the snapshot feature in VirtualBox to take a snapshot that we can revert back to after we infect our machine. I recommend one of the Win7 (x86) images.

Once you have downloaded the virtual machine image (an .ova appliance) from Microsoft you need to import it into VirtualBox via File > Import Appliance.

[Screenshot: Import Appliance]

Accept all the defaults for the image, I do recommend selecting “Reinitialize the MAC address of network card” though.

[Screenshot: Reinitialize the MAC address]

Once the import is finished, take a snapshot before powering the machine on for the first time. Now we're ready to power up and start installing our tools.

Analysis Tools

If you are just getting started with malware analysis, I recommend installing the following tools. These will give you the essentials you need to perform basic static and dynamic analysis. Once you have your tools installed, take another snapshot. Each time you are ready to do a new analysis, revert to this snapshot and you'll have a ready-to-go analysis machine. Also, if you ever need to update or add to your tools, revert to this snapshot, install and update, and take a new snapshot.

Process Monitor (procmon): Sysinternals tool that logs file, registry, process, and network activity in real time; your main source of truth for what a sample does when run.

Process Explorer: Sysinternals replacement for Task Manager; shows the process tree, loaded DLLs, handles, and strings of running processes.

Strings: Sysinternals command-line tool that pulls printable ASCII and Unicode strings out of a binary.

HxD: hex editor for poking at raw bytes.

PEStudio: static triage of PE files (headers, imports, exports, strings, and indicators) without running them.

PPEE: a lightweight PE viewer for inspecting headers, sections, and imports.

DIE (Detect It Easy): identifies the compiler, linker, and packer used to build a sample.

Resource Hacker: browse and extract the resource section of a PE (icons, embedded files, version info).

regshot: takes a snapshot of the registry (and optionally the file system) before and after running a sample and shows the diff.

Process Hacker: process, thread, handle, and memory viewer; handy for dumping memory regions of a running sample.

ssdeep: fuzzy hashing, so you can tell whether a new sample is a near-duplicate of one you have seen before.

Some Notes

You're going to be working with live malware. BE CAREFUL. Take your time and double-check yourself. Accidentally infecting your host machine is no fun. I recommend making sure you are running an up-to-date antivirus on your host machine. Also, to give yourself additional protection, change the network adapter of the virtual machine to 'Internal Network'. This will protect other devices on your network from malware that tries to spread via the network. Note that an internal network also cuts the guest off from the host and the internet, so a sample that wants to call home will not get a response; if you need to watch that traffic, put a second VM on the same internal network running a fake-services tool such as INetSim or FakeNet-NG rather than giving the guest real connectivity. For the same reason, leave shared folders, shared clipboard, and drag-and-drop disabled; those are the other paths from the guest back to your host. And finally, have fun!
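The steps above (import the Microsoft appliance, reinitialize the MAC address, snapshot, install tools, snapshot again, and move the adapter onto an internal network) can also be driven from VirtualBox's command-line tool, which makes rebuilding the lab repeatable. The script below is an added example, not something from the original post or from Microsoft/VirtualBox; it assumes VBoxManage is on your PATH and that the downloaded .ova is in the current directory. The VM name, image filename, internal network name, and snapshot names are made up for the example and can be overridden through environment variables. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): VirtualBox malware-VM setup via VBoxManage.
# Assumptions: VBoxManage is on PATH; the Microsoft .ova was downloaded to $OVA.
# VM_NAME, OVA, INTNET and the snapshot names are made up for this example.
set -eu

VM_NAME="${VM_NAME:-win7-malware}"   # assumed VM name
OVA="${OVA:-IE11-Win7.ova}"          # assumed filename of the downloaded Microsoft image
INTNET="${INTNET:-malnet}"           # assumed VirtualBox internal network name
DRY_RUN="${DRY_RUN:-0}"              # DRY_RUN=1 prints commands instead of running them

# Run VBoxManage, or just print the command line when DRY_RUN=1.
vbox() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# Import the appliance and force a fresh MAC address on the first adapter
# (same effect as ticking "Reinitialize the MAC address of network card").
import_vm() {
    vbox import "$OVA" --vsys 0 --vmname "$VM_NAME"
    vbox modifyvm "$VM_NAME" --macaddress1 auto
}

# Cut the guest off from the real network and from the host: adapter 1 goes on an
# internal network (only other VMs on $INTNET can reach it), and the clipboard and
# drag-and-drop channels back to the host are switched off.
isolate_vm() {
    vbox modifyvm "$VM_NAME" --nic1 intnet --intnet1 "$INTNET"
    vbox modifyvm "$VM_NAME" --clipboard-mode disabled   # older releases spell this --clipboard
    vbox modifyvm "$VM_NAME" --draganddrop disabled
}

# Take a named snapshot of the VM's current state.
take_snapshot() {
    vbox snapshot "$VM_NAME" take "$1" --description "$2"
}

# Snapshots can only be restored while the VM is powered off, so kill it first.
restore_snapshot() {
    vbox controlvm "$VM_NAME" poweroff || true
    vbox snapshot "$VM_NAME" restore "$1"
}

usage() {
    printf 'usage: %s setup | snap <name> | restore <name>\n' "$0" >&2
}

# setup:   import, isolate, and snapshot the untouched machine (step 1 of the post)
# snap:    take a snapshot after you have installed your tools by hand (step 2)
# restore: revert to a snapshot before each new analysis
case "${1:-}" in
    setup)   import_vm; isolate_vm; take_snapshot clean-import "fresh import, no tools" ;;
    snap)    take_snapshot "${2:?snapshot name}" "manual snapshot" ;;
    restore) restore_snapshot "${2:?snapshot name}" ;;
    "")      usage ;;
    *)       usage; exit 1 ;;
esac
```

Typical flow: run `setup` once, boot the VM and install the tools listed above, run `snap tools-installed`, and then `restore tools-installed` before every new sample. Because the adapter is on an internal network from the moment the VM is imported, the guest never gets a chance to talk to your LAN, even during the tool-install session (copy installers in via an ISO or a second VM on the same internal network rather than re-enabling NAT).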