Setting Up a Malware Analysis Environment

Inside our Zero2Automated course, we didn’t really cover how to setup a proper malware analysis environment as it is more of an advanced course rather than a beginner course. However, we had a lot of demand for a post that covers the basics, so this post is all about how I personally setup my VM! If there’s anything missing, feel free to drop me a message via Twitter, or simply comment it below!

Virtual Machines

Virtual Machine setup, like the rest of the sections, is mainly based on a) personal opinion, and b) what resources you have access to. As I want to make this post as accessible and as useful as possible, I will pretty much be talking about free resources (resources that I also use on my personal machines).

To start off with, I’d highly recommend utilizing VirtualBox. It is free, and a great hypervisor in my opinion, which I have been using since I started reverse engineering – in fact, I’ve been using it since I began my journey into Cyber Security. Regarding which OS to use, I’d definitely recommend Windows 7 x64. The reason for this is that at least for the next few years, malware will continue to target Windows 7 and Windows 10. At some point it may begin targeting Windows 10 only, but for now, a huge amount of Windows users still use Windows 7, regardless of it’s EOL status.

A x64 version of Windows 7 is also great, as you can reverse x86 and x64 binaries, compared to x86 Windows 7 which will only support x86 binaries. While a x86 VM on hand is never a bad thing, make sure to prioritize the x64 VM. 

In terms of RAM and Storage Space, that comes down to what your machine can handle, as well as what the machine is for. Dynamic Analysis Machines require a bit more RAM, and maybe more Storage than Static Analysis Machines.

For my Dynamic Analysis Machine, I allocate 4GB of RAM, and 60GB of Storage Space. For my Static Analysis Machine, I typically allocate 4GB of RAM and 60GB of Storage Space if I have the resources, otherwise I will keep the RAM to 2GB, and the storage to about 50GB.

Again, it all depends on your personal setup, plus what you want the VMs for. For a Sandbox/Behavioural Analysis VM, I’d recommend allocating 2-4GB of RAM, to avoid any anti-sandbox checks that involve RAM. I’d also recommend allocating 50GB of Storage Space, as I believe Windows 7 requires 40GB to install everything, so you should have 10GB to install any required tools. Or, you could use a VM that is designed to be a Sandbox, which will require less resources. 

Regarding Processors, I allocate 1 Processor to my Static Analysis VM, and 2 Processors to my Dynamic Analysis VM, again as an attempt to avoid anti-sandbox techniques that check to see if you have more than 1 processor core.

Tools

Static Analysis

In my personal opinion, IDA is one of the best tools for static analysis; however, I have not used many other disassemblers/decompilers out there, so I’d recommend taking this with a grain of salt, and testing out the other tools like Cutter (Radare with GUI), Ghidra, Hopper (for OSX), and Binary Ninja. These tools are all much cheaper than the IDA Pro + HexRays Decompiler + 32/64 bit Architecture license, so if you are a beginner/are reversing as a hobby, I’d recommend checking them out first!

Static Analysis isn’t just disassembly and analyzing, you can also statically analyze an executable using tools such as PEStudio and CFF Explorer, that give you all the information you could ever need about the sample from a more higher level point of view; PEStudio also checks VT to see if it can find the sample, and checks for blacklisted strings, API, symbols, etc. By using this, you can figure out if something is packed, whether it is a keylogger, whether it communicates anywhere, and a whole lot more!

While not crucial to analysis, having a text editor is also very helpful, as the regular notepad.exe isn’t the greatest. My personal favourite is Sublime Text, but again, this one’s up to you!

Dynamic Analysis

Now onto the section with a lot more tools! What tools you use typically depends on the approach you like to have, so I’ll be listing what tools I personally use, and you can fine tune those to your approach! I usually use these tools for debugging related tasks (I rarely ever perform behavioral analysis thanks to some of the tools we’ll be looking at later on), so if you normally perform behavioral analysis, you might need some additional tools.

To begin with, I use x64dbg, which is by far my favourite debugger. There are additional options, such as ImmunityDebugger or OllyDbg for the old school reverse engineers, but I prefer x64dbg.

Paired up with that, I always have ProcessHacker installed, as it is amazingly useful for tracking running processes, process memory, loaded modules, and so on. It won’t (as far as I’m aware) point out maliciously loaded DLLs or anything, so for beginners it might take a bit of searching, but for those more well-versed in malware analysis, finding malicious regions of code with it is a piece of cake.

Finally (in the list of must-have tools), PEBear is a necessity, as it allows you to manipulate executables and DLLs with ease, whether you’re unmapping them, fixing the sections, or even adding additional data to the binary! A hex editor is also a great tool to have alongside this, for when you dump an executable or DLL from memory and it hasn’t got a header or you need to manually fix some offsets – I’d recommend HXD for this.

Now for some additional tools that are great to have. First up DNSpy – this is a must have if you’re looking into .NET Malware, as it allows you to decompile the .NET binary into comprehensive .NET code. Alongside this, De4Dot is another must have. De4Dot attempts to deobfuscate a .NET binary, and even if it is obfuscated with a de4dot non-supported obfuscator, de4dot will still go ahead and rename functions to legible strings, making it so much easier to read.

Wireshark is another amazing tool to have in your arsenal, when it comes to analyzing network traffic. As long as your VM is setup correctly, you can have Wireshark intercept all communications in and out of the machine, logging all malware traffic. 

Next up, Fiddler is another great network related tool, this time a web debugging proxy that allows you to intercept and decrypt HTTPS requests by installing a self-generated certificate that will be used when performing HTTPS requests. In a lot of cases, malware can be caught out by this, however, a few strains of malware utilize their own certificates, and so Fiddler might not be able to decrypt the HTTPS traffic from the implant.

In most malware analysis cases, I’ll use the mentioned x64dbg, ProcessHacker, and PEBear, alongside IDA (unless it’s .NET), and for the more in depth analyses, I’ll have the additional tools setup for monitoring network communications, as well as some miscellaneous tools I may simply install just for a certain feature, specific to that malware variant.

Services

So, while I do have two perfectly good VMs for analysis, sometimes I want to speed up the process, so automated unpacking, automated behavioural analysis, and a list of downloaded files automatically provided to me makes everything a lot smoother. When dealing with a malicious word document, most of the time I will simply check for it in AnyRun, and download the downloaded payload, as the malicious document is only interesting if it is using a novelty technique (which they rarely do). Rather than unpack that sample, I will upload it to UnpacMe, and have the sample unpacked in a few minutes! Then I can simply focus on static analysis, writing config extractors and emulators to retrieve the next stage. The following list of services are services I use on a daily basis, so I’d highly recommend checking them out!

UnpacMe

Used for automated unpacking of different malware samples, with some exceptions – does not unpack commercial packers, but most malware isn’t packed with commercial packers, so I’d highly recommend it; I use this in most cases when looking at a malware sample, and have only had a few bugs when it was initially announced, but it is in Public Beta, so that makes sense.

AnyRun 

By far one of my favorite services in the malware analysis space. Essentially an online interactive sandbox that lets you detonate samples, and view a huge amount of information such as downloaded files, network connections, loaded modules, and more! I use this service mainly for downloading samples that have been downloaded by other malware (assuming the C2 is down), or for performing some behavioral analysis.

Hybrid Analysis

I don’t use Hybrid Analysis as much anymore, however they also offer sandbox output; while not interactive, all uploaded samples are executed in a sandbox, and you get access to the gathered information. Additional samples can also be downloaded, assuming they are not made private by the uploader.

VirusBay, Malware Bazaar, MalShare

These are great sources of malware! If you haven’t got VirusTotal access, I’d highly recommend checking out these 3 platforms, as they allow you to get access to a huge repository of malware that you can download and begin analyzing! I’ve been using VirusBay since it was made public a couple years back, and there’s a huge amount of great samples on there, from APT to APK malware!

And that pretty much wraps up this post! Hopefully you learnt a few things on how to setup your own virtual machines for analysis, as well as what services are out there for malware analysis, automated or not, so now all that’s left for you to do is go out there and start reversing!

2 thoughts on “Setting Up a Malware Analysis Environment

Leave a Reply to SublimeSol Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s