FlareVM Malware Analysis Guide

Guide to setup FlareVM in Windows Virtual Machine and how to use it for malware analysis.

Uploaded by sahilborse114
Setting Up and Using FlareVM for Malware Analysis

This guide provides detailed steps and commands to set up FlareVM on a Windows virtual machine (VM) and perform malware analysis, including static and dynamic analysis techniques. It also includes instructions for maintaining a secure environment and documenting findings.

Prerequisites
Before installing FlareVM, ensure the following:

Virtualization Software: Install VirtualBox (https://www.virtualbox.org/) or VMware Workstation (https://www.vmware.com/products/workstation-player.html).
Windows ISO: Download a Windows 10 or 11 ISO from Microsoft's official site (https://www.microsoft.com/en-us/software-download/windows10ISO). An evaluation copy is sufficient (https://www.microsoft.com/en-us/evalcenter/download-windows-10-enterprise).
System Requirements:
At least 4GB RAM (8GB recommended).
Minimum 2 CPU cores (4 preferred).
At least 60GB disk space (dynamic allocation preferred).
Internet connection for initial setup.
User Account: Create a user account without spaces or special characters (e.g., "analyst").
Malware Samples: Obtain samples from trusted sources like theZoo (https://github.com/ytisf/theZoo); password-protected ZIP files are recommended.

Step 1: Set Up a Windows Virtual Machine

1. Install Virtualization Software:

Download and install VirtualBox or VMware Workstation.
For VirtualBox, navigate to the official site, download the latest version, and follow the installation prompts.
For VMware, select the Windows host option and install.

2. Create a Windows VM:

Open VirtualBox/VMware and click "New" to create a VM.
Name: "FlareVM".
Select the Windows 10/11 ISO file.
Allocate resources:
RAM: 8GB (minimum 4GB).
Disk: 60GB (dynamic).
CPU: 2–4 cores.
Set network to NAT for installation (change to Host-Only later).
Start the VM and follow the Windows installation prompts. Choose "Domain join instead" to create a local account, and set up a user account (e.g., username: "analyst", password: "Passw0rd!").

3. Take a Snapshot:

After Windows installation, power off the VM.
In VirtualBox, go to "Machine" > "Take Snapshot", name it "Clean Windows", and save.
In VMware, use "Snapshot" > "Take Snapshot".

Step 2: Configure Windows for FlareVM

To prevent interference with malware analysis, disable Windows Defender, Tamper Protection, and automatic updates.

1. Disable Windows Defender and Tamper Protection:

Open the Start menu, search for "Windows Security", and open it.
Go to "Virus & threat protection" > "Virus & threat protection settings" > "Manage settings".
Turn off "Real-time protection" and "Tamper Protection".
For permanent disabling via Group Policy:
Press Win + R, type gpedit.msc, and press Enter.
Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection.
Double-click "Turn off real-time protection", select "Enabled", and click "Apply".
Navigate to Microsoft Defender Antivirus, double-click "Turn off Microsoft Defender Antivirus", select "Enabled", and click "Apply".

2. Disable Windows Updates:

In Group Policy Editor (gpedit.msc), navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
Double-click "Configure Automatic Updates", select "Disabled", and click "Apply".
Alternatively, go to Settings > "Update & Security" > "Windows Update" > "Advanced options" and pause updates.

3. Disable Proxy Auto-Detect:

Go to Settings > "Network & Internet" > "Proxy".
Under "Automatic proxy setup", turn off "Automatically detect settings".

4. Take a Snapshot:

Power off the VM and take another snapshot named "Pre-FlareVM Config".

Step 3: Install FlareVM

1. Download FlareVM Installer:

Open PowerShell as Administrator (right-click Start menu > "Windows PowerShell (Admin)").

Run the following command to download the installer script:

(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environ

This saves install.ps1 to the Desktop.

2. Unblock the Script:

Navigate to the Desktop directory in PowerShell:

cd $env:USERPROFILE\Desktop

Unblock the script:

Unblock-File .\install.ps1

3. Enable Script Execution:

Allow PowerShell scripts to run:

Set-ExecutionPolicy Unrestricted

Confirm with Y if prompted.

4. Run the Installer:

Execute the installer:

.\install.ps1

The installation may take 2–3 hours, involve multiple reboots, and prompt for your Windows password. Follow on-screen prompts and select default tool options unless customization is needed.

5. Post-Installation:

After installation, a terminal message will display: "Installation has finished. Press enter to close".
Change the VM network to Host-Only to isolate it:
In VirtualBox, go to VM Settings > "Network" > "Adapter 1" > set to "Host-Only Adapter".
In VMware, set the network to "Host-Only".
Take a snapshot named "FlareVM Installed".

Step 4: Set Up REMnux (Optional for Network Analysis)

For advanced analysis, pair FlareVM with REMnux, a Linux-based VM for network simulation and fake DNS services.

1. Download and Install REMnux:

Download the REMnux OVA file from https://docs.remnux.org/install-distro/get-virtual-appliance.
In VirtualBox, go to "File" > "Import Appliance", select the OVA, and import.
Start the REMnux VM to ensure it runs.

2. Configure Host-Only Network:

Set both FlareVM and REMnux VMs to use a Host-Only Adapter in VirtualBox/VMware.
Verify isolation:

In FlareVM, open Command Prompt and run:

ping 8.8.8.8

This should fail (request timed out or destination unreachable), confirming the VM has no internet access.

Ping the REMnux VM’s IP (e.g., 10.52.116.128) to confirm connectivity:

ping 10.52.116.128

3. Set Up Fake DNS on REMnux:

In REMnux, open a terminal and edit the INetSim configuration:

sudo nano /etc/inetsim/inetsim.conf

Uncomment start_service dns and set:

service_bind_address 0.0.0.0
dns_default_ip 10.52.116.128

Save and exit (Ctrl+X, Y, Enter).

Start INetSim:

sudo inetsim

In FlareVM, set the REMnux VM’s IP as the DNS server:

Go to "Network Connections" > "Ethernet" > "Properties" > "Internet Protocol Version 4 (TCP/IPv4)" > "Properties".
Set "Preferred DNS server" to 10.52.116.128.

Verify by opening Chrome in FlareVM and navigating to http://10.52.116.128.
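The isolation and fake-DNS checks from items 2 and 3 can be run together from PowerShell inside FlareVM. This is an added example, not part of the original guide; it assumes the REMnux address 10.52.116.128 used above and that INetSim's DNS and HTTP services are running.

```powershell
# Added example (not from the original guide): verify the FlareVM lab network
# from inside the Windows VM before any sample is executed.
$RemnuxIp = '10.52.116.128'   # assumed: the REMnux address used in this guide
$Results  = [ordered]@{}

# 1. The internet must be unreachable on a Host-Only adapter (ICMP to a public IP).
$Results['InternetBlocked'] = -not (Test-Connection -ComputerName '8.8.8.8' -Count 1 -Quiet)

# 2. The REMnux VM must answer on the Host-Only network.
$Results['RemnuxReachable'] = Test-Connection -ComputerName $RemnuxIp -Count 1 -Quiet

# 3. Any name must resolve to REMnux (INetSim's dns_default_ip), never to a real address.
#    example.invalid is a reserved name that no real resolver would answer.
try {
    $answer = Resolve-DnsName -Name 'example.invalid' -Server $RemnuxIp -Type A -ErrorAction Stop
    $aRecords = @($answer | Where-Object { $_.Type -eq 'A' })
    $Results['FakeDnsActive'] = $aRecords.IPAddress -contains $RemnuxIp
} catch {
    $Results['FakeDnsActive'] = $false
}

# 4. INetSim's HTTP service must accept connections on port 80.
$Results['FakeHttpActive'] = (Test-NetConnection -ComputerName $RemnuxIp -Port 80 `
    -WarningAction SilentlyContinue).TcpTestSucceeded

$Results.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
if ($Results.Values -contains $false) {
    Write-Warning 'Lab is NOT correctly isolated; do not execute the sample yet.'
}
```

Run it again after every network or snapshot change, since a VM that was reverted to an earlier snapshot may come back with the NAT adapter from Step 1.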

Step 5: Perform Malware Analysis

FlareVM includes tools like PEStudio, Procmon, Wireshark, and FLOSS for static and dynamic analysis. Below are steps for basic analysis workflows.

Static Analysis
Static analysis examines malware without executing it.

1. Generate Hashes:

Transfer a malware sample (e.g., sample.exe) to the VM (use a password-protected ZIP).

Open Cmder (pre-installed in FlareVM) and run:

md5sum.exe sample.exe
sha256sum.exe sample.exe

Check hashes on VirusTotal (https://www.virustotal.com/ (https://www.virustotal.com/)) to identify known malware.

2. Analyze with PEStudio:

Open PEStudio (Winitor) from the Start menu.
Load sample.exe and review:
Imports: Suspicious APIs (e.g., CreateToolhelp32Snapshot, VirtualAlloc).
Strings: URLs, file names, or registry keys.
Entropy: High entropy (>7.2) may indicate packing.
Note findings for documentation.

3. Extract Strings with FLOSS:

Open a command prompt and run:

floss.exe sample.exe > strings.txt

Review strings.txt for URLs, IPs, or function names. Use MalAPI.io to interpret suspicious APIs.

4. Examine PE Headers:

Open CFF Explorer and load sample.exe.
Check the DOS Header (e_magic), File Header, and Section Headers for anomalies (e.g., unusual section sizes, such as a raw size far smaller than the virtual size, or unexpected section permissions).
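The hash, entropy and string checks above can be scripted as a first triage pass that produces the values the documentation step later asks for. This is an added example, not code from the guide or from FLARE; it assumes the sample is sample.exe on the Desktop, uses the guide's 7.2 entropy threshold, and its URL scan is only a crude stand-in for a full FLOSS run.

```powershell
# Added example (not part of the original guide): hashes, whole-file entropy
# and URL-looking strings for one sample. Path is an assumption; adjust it.
param([string]$SamplePath = "$env:USERPROFILE\Desktop\sample.exe")

function Get-FileEntropy {
    # Shannon entropy in bits per byte: near 0 for repetitive data, near 8 for
    # compressed or encrypted data, which is why packed samples score high.
    param([byte[]]$Bytes)
    $counts = New-Object long[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($entropy, 3)
}

$bytes   = [System.IO.File]::ReadAllBytes($SamplePath)
$entropy = Get-FileEntropy -Bytes $bytes

# Decode bytes 1:1 (Latin-1) so the regex sees the raw file, then pull out
# plain http/https URLs. FLOSS also recovers stack and decoded strings; this does not.
$raw  = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes)
$urls = [regex]::Matches($raw, 'https?://[\x21-\x7e]{4,}') |
        ForEach-Object { $_.Value } | Sort-Object -Unique

[pscustomobject]@{
    Sample  = Split-Path $SamplePath -Leaf
    MD5     = (Get-FileHash -Path $SamplePath -Algorithm MD5).Hash
    SHA256  = (Get-FileHash -Path $SamplePath -Algorithm SHA256).Hash
    Entropy = $entropy
    Packed  = $entropy -gt 7.2     # the guide's PEStudio threshold for "may be packed"
    URLs    = ($urls -join ', ')
} | Format-List
```

Whole-file entropy is coarser than PEStudio's per-section reading: a large packed .text section can be masked by a low-entropy resource section, so treat a value under 7.2 as inconclusive rather than as proof the sample is unpacked.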

Dynamic Analysis
Dynamic analysis involves executing malware in a controlled environment.

1. Monitor Network Traffic:

Start Wireshark (pre-installed) and select the Host-Only adapter.
Begin capturing traffic.
On REMnux, ensure INetSim is running for fake DNS/HTTP services.
Execute sample.exe (ensure a snapshot exists to revert).

2. Monitor System Activity:

Open Procmon (Sysinternals Suite) and set a filter:
Go to "Filter" > "Filter" > "Process Name" > "contains" > enter sample.exe > "Add" > "OK".
Run sample.exe and observe file, registry, and API activity.
Save findings as a CSV for documentation.

3. Use FakeNet-NG:

Launch FakeNet-NG from the taskbar to simulate network services (DNS, HTTP, etc.).
Run sample.exe and monitor FakeNet-NG logs for network requests (e.g., connections to evil.mandiant.com).

4. Debugging:

Use x64dbg or WinDbg for code-level analysis.
Load sample.exe and step through execution to identify key functions or payloads.

5. Revert to Snapshot:

After analysis, revert to the "FlareVM Installed" snapshot to reset the environment.

Step 6: Document Findings

Document all steps, tools used, and findings (e.g., hashes, strings, network activity).
Save notes in a text file or use a tool like TheHive Project for structured documentation.
Example structure:
Sample: sample.exe
Hashes: MD5, SHA256
Static Analysis: PEStudio findings, FLOSS strings
Dynamic Analysis: Procmon logs, Wireshark captures
IOCs: URLs, IPs, registry keys
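The Procmon CSV saved in the dynamic analysis step can be reduced to the IOC fields of the template above instead of being read line by line. This is an added example, not from the guide: the CSV rows are constructed to mimic Procmon's default export columns, and the persistence path and Run key in them are invented for illustration.

```powershell
# Added example (not part of the original guide): summarise a Procmon CSV export
# into files written, registry values set and network peers for the report.
# Constructed sample rows in Procmon's default column layout; not a real capture.
$ProcmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","4120","WriteFile","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 45,056"
"10:01:02.3","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\analyst\AppData\Roaming\svchost.exe"
"10:01:02.4","sample.exe","4120","TCP Connect","FLAREVM:49712 -> 10.52.116.128:80","SUCCESS","Length: 0"
"10:01:02.5","explorer.exe","1234","RegQueryValue","HKCU\Software\Classes\Local Settings","SUCCESS","Type: REG_SZ"
"10:01:02.6","sample.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read"
"10:01:02.7","sample.exe","4120","RegSetValue","HKCU\Software\Updater\Last","NAME NOT FOUND","Type: REG_SZ"
'@

function Get-ProcmonIocs {
    param([string]$CsvText, [string]$ProcessName = 'sample.exe')
    # Keep only the sample's own operations that actually succeeded; failed
    # writes and other processes' noise are not indicators.
    $rows = $CsvText | ConvertFrom-Csv |
            Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'SUCCESS' }
    $regWrites = @($rows | Where-Object { $_.Operation -eq 'RegSetValue' })
    [pscustomobject]@{
        FilesWritten   = @($rows | Where-Object { $_.Operation -eq 'WriteFile' } |
                           Select-Object -ExpandProperty Path -Unique)
        RegistryWrites = @($regWrites | Select-Object -ExpandProperty Path -Unique)
        # Procmon writes the peer as "host:port -> host:port"; keep the remote side.
        NetworkPeers   = @($rows | Where-Object { $_.Operation -in 'TCP Connect', 'UDP Send' } |
                           ForEach-Object { ($_.Path -split '->')[1].Trim() } | Sort-Object -Unique)
        RunKeyPersist  = @($regWrites | Where-Object { $_.Path -like '*\CurrentVersion\Run\*' }).Count -gt 0
    }
}

Get-ProcmonIocs -CsvText $ProcmonCsv | Format-List
# For a real export: Get-ProcmonIocs -CsvText (Get-Content .\Logfile.CSV -Raw)
```

With the constructed rows this reports one file written, one registry value set, the peer 10.52.116.128:80 and RunKeyPersist = True; the NAME NOT FOUND row and the explorer.exe row are filtered out.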

Step 7: Safety and Best Practices

Isolation: Always use Host-Only networking during analysis.
Snapshots: Take snapshots before and after major changes or malware execution.
Secure Storage: Store malware in password-protected ZIPs.
No Physical Host Execution: Never run malware on your physical machine.
Regular Updates: Update FlareVM tools via GitHub (https://github.com/mandiant/flare-vm).

Additional Resources
FlareVM GitHub: https://github.com/mandiant/flare-vm
REMnux Documentation: https://docs.remnux.org/
Video Tutorial: https://www.youtube.com/watch?v=BiSdnusy2AQ
Malware Samples: https://github.com/ytisf/theZoo
SANS Poster (Hunt Evil): https://www.sans.org/posters/hunt-evil/
