
What is Malware Analysis?
An average desktop computer relies on antivirus software to stop malware and protect the user. However, some of the most damaging malware in history has used what are called “0-day” exploits: vulnerabilities that have not yet been discovered, so the software or OS vendor has no knowledge that the flaw exists and no fix for it. Malware analysis is the practice that answers the question: “What happens if my antivirus does not detect new malware?”
Malware analysis involves using tools and methods to study suspicious files and understand their behavior, purpose, and potential risks. This process helps detect and address threats effectively. Security teams often analyze malware in a controlled environment, like a sandbox, to determine if a file is harmful and assess its impact.
Key reasons for malware analysis include:
- Identifying the source of an attack
- Ranking incidents by severity
- Improving incident response efficiency
- Evaluating potential damage
- Enhancing threat detection efforts
Malware analysis is crucial for cybersecurity as it helps reduce false positives, understand the scope of an attack, and gather actionable insights during and after an incident. It provides valuable information to classify malware, prevent future attacks, and learn from past incidents by identifying attack patterns and behaviors. This knowledge helps improve defenses against similar threats.
What is a Malware Analysis Environment?
A Malware Analysis Environment is a system that allows cybersecurity experts to safely contain malware and study its actions without risk of infecting other devices or compromising sensitive data. There are many different types of environments one can create, but for this project we will be working with virtual machines. Other types of analysis environments include cloud servers, or privately controlled servers specifically engineered to report network activity and contain malware.
This paper was a great read for understanding the benefits and drawbacks of the different types of environments and what is next for the future of malware analysis environments: https://www.giac.org/paper/gcih/1202/malware-analysis-environment-design-artitecture/109281
We should also mention that there are two types of malware analysis, static and dynamic. Static analysis refers to investigating malware while it is not running; this often means simply opening up the code that makes up the malware to observe what actions take place. Dynamic analysis allows us to observe malware while it is actively running, which gives us a better idea of what actions take place and in what order. Our environment should allow both static and dynamic analysis.
Setup Process
Our goal today is to set up an environment hosted primarily on Linux that uses virtual machines to contain malware. I began by completely wiping my HP laptop and doing a fresh install of Ubuntu. This gave me a device that is still safe to use for regular applications, but that will also be the host for malware analysis.
- Dual Boot Ubuntu and Windows
- Create a bootable USB with Ubuntu using Etcher.
- Fresh install Ubuntu as the only OS on the device, OR install Ubuntu alongside Windows by disabling Secure Boot in the BIOS. Dual booting lets you switch between operating systems for flexibility.
Note that other Linux distributions can be used in its place; any recent Linux version should be able to handle the VM process we are using. I simply chose Ubuntu for ease of use and its familiar desktop applications.
- Install VirtualBox on Ubuntu
- Use the terminal to update packages (sudo apt update) and install VirtualBox (sudo apt install virtualbox).
- VirtualBox will host the VMs for malware analysis.
VirtualBox is used to create and manage virtual machines (VMs), which are essential for malware analysis. By running malware in a VM, you isolate it from your host system, preventing it from causing harm. VirtualBox also allows you to take snapshots, enabling you to revert to a clean state after analyzing malicious software.
- Set Up a Windows 10 VM (Flare VM)

- Download a Windows 10 Enterprise ISO from Microsoft’s evaluation center.
- Create a new VM in VirtualBox with at least 4GB RAM (8GB recommended) and 80GB storage.
- Install Windows 10, skipping Microsoft account login by selecting “Domain Join.”
- Disable Windows Defender permanently using a script (only for this Windows VM). I had to use two separate tools to achieve this, as the script below initially gave me errors. I first ran Sordum's Defender Control to disable Defender temporarily, and then Jeremy Beaume's tool to disable it permanently; Sordum may not be necessary for some users.
- https://www.sordum.org/9480/defender-control-v2-1/
- https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1
- Install Flare VM, a pre-configured reverse engineering environment, using its PowerShell installation scripts. The installation process of Flare VM is pictured above.
- After Flare VM finishes, we should see the text log pictured below. My installation took around 2 hours.
- Take a snapshot of the Windows 10 VM after Flare VM is installed for easy rollback.
Flare VM is a pre-configured Windows environment packed with tools for reverse engineering and malware analysis. It provides everything needed to analyze malware behavior, such as debuggers, disassemblers, and network analysis tools. Disabling Windows Defender is critical because it could interfere with malware execution or even remove the malware before you can analyze it. By using a VM, the malware is confined to this isolated environment, preventing it from escaping to your host system.

- Set Up a Linux VM (REMnux)

- Download the REMnux OVA file (a pre-configured Linux distro for malware analysis).
- Import REMnux into VirtualBox and verify it runs correctly.
- Take a snapshot of REMnux for future use.
REMnux is a Linux distribution designed for analyzing malware. It includes tools for network traffic analysis, file inspection, and reverse engineering. By running REMnux in a separate VM, you create an additional layer of isolation. REMnux acts as a controlled environment where you can safely monitor and analyze network traffic generated by the malware without risking exposure to your host system or external networks.
- Configure Networking Between VMs

- Set up a host-only network in VirtualBox to isolate the VMs from your main system.
- Assign static IP addresses:
- REMnux: 192.168.56.21 (acts as the gateway and DNS server).
- Flare VM / Windows: 192.168.56.20.
- Ensure all network traffic from Windows / Flare VM routes through REMnux for interception and analysis.
- We can test the connection by running a Python HTTP server on REMnux and accessing it from Flare VM.
Configuring a host-only network ensures that all traffic from the Windows VM (Flare VM) routes through REMnux. This setup allows you to intercept and analyze network requests made by the malware, such as command-and-control communications or data exfiltration attempts. By isolating the VMs from your main network, you prevent the malware from reaching the internet or other devices, keeping your analysis environment secure and contained.
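The host-side part of this network setup can be scripted from the Ubuntu terminal. The script below is an added example, not part of the original write-up: it assumes the VMs are named "REMnux" and "FlareVM", that the host-only adapter is vboxnet0 with the host at 192.168.56.1, and that VBoxManage is on the PATH; DRY_RUN=1 prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not from the original write-up): builds the host-only lab
# network from the host's terminal with VBoxManage. Assumed names: VMs "REMnux"
# and "FlareVM", adapter vboxnet0, host address 192.168.56.1 (all constructed).
set -eu

LAB_NET="${LAB_NET:-vboxnet0}"
HOST_IP="192.168.56.1"
REMNUX_VM="${REMNUX_VM:-REMnux}"
FLARE_VM="${FLARE_VM:-FlareVM}"

# DRY_RUN=1 prints the command line instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeeds only for a usable host address inside 192.168.56.0/24, so a typo
# such as 192.168.65.20 is caught before it silently places a VM off the lab net.
in_lab_subnet() {
  case "$1" in 192.168.56.*) ;; *) return 1 ;; esac
  last="${1##*.}"
  [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

setup_host_only() {
  run VBoxManage hostonlyif ipconfig "$LAB_NET" --ip "$HOST_IP" --netmask 255.255.255.0
  # Static addressing only: VirtualBox's own DHCP server must not hand the guests
  # a different gateway/DNS than REMnux. Flag spelling follows VirtualBox 6.x.
  run VBoxManage dhcpserver remove --interface "$LAB_NET" || true
}

# Attach a VM to the lab network only: NIC 1 becomes host-only and the remaining
# NICs are switched off, so no default NAT adapter is left that could reach the Internet.
attach_vm() {
  run VBoxManage modifyvm "$1" --nic1 hostonly --hostonlyadapter1 "$LAB_NET"
  run VBoxManage modifyvm "$1" --nic2 none --nic3 none --nic4 none
}

# Clean baseline to roll back to after each analysis run (VM must be powered off).
snapshot_clean() {
  run VBoxManage snapshot "$1" take "clean-baseline" --description "fresh lab build"
}

build_lab() {
  in_lab_subnet 192.168.56.21   # REMnux, gateway and DNS
  in_lab_subnet 192.168.56.20   # Flare VM
  setup_host_only
  for vm in "$REMNUX_VM" "$FLARE_VM"; do attach_vm "$vm"; snapshot_clean "$vm"; done
}

case "${1:-}" in
  apply)   build_lab ;;
  dry-run) DRY_RUN=1 build_lab ;;
esac
```

Run it as `sh lab-net.sh dry-run` first to review the commands, then `sh lab-net.sh apply` with both VMs powered off; the guest-side static addresses and the REMnux gateway/DNS settings are still configured inside each VM as described above.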

Summary: Building the Environment and Professional Value
Setting up a secure malware analysis environment has been a great learning experience. This setup creates a safe space to study malware without risking the host system or network. By isolating malware in virtual machines (VMs) and routing all traffic through REMnux, we ensure the malware can’t escape or cause harm. Taking VM snapshots keeps the environment secure and makes it easy to reset after analysis.
Through this project, I’ve gained practical skills that are useful in IT and cybersecurity jobs. For example:
- Virtualization: Managing VMs in VirtualBox and isolating environments is a key skill for handling dangerous software safely.
- Networking: Setting up host-only networks and routing traffic through REMnux taught me how to control and analyze network traffic, which is important for securing systems.
- Malware Analysis Tools: Using Flare VM and REMnux introduced me to tools for reverse engineering, debugging, and network forensics, which are used in real-world threat analysis.
- Problem-Solving: Troubleshooting issues like network configuration and VM settings improved my ability to solve technical problems, a skill that’s valuable in any IT role.
This project shows my ability to build secure systems and work with advanced tools. Although this is a simpler project, these skills are directly applicable to jobs like malware analyst, incident responder, or security engineer, where safely analyzing threats is critical. It also highlights my ability to document and explain technical processes, which is important for teamwork and sharing findings with others.
Overall, this setup demonstrates my growing IT and cybersecurity skills, proving I can create secure environments and handle complex challenges in a professional setting.