Malware Analysis Lab

Malware Analysis Lab setup

Contents:

• Setting up the environment.
• Isolating the lab from production environment.
• Checking VM sandbox against VM detection.

Setting up the environment

Let’s setup Virtual machine to emulate a real device for setting up the malware analysis lab.

Installing windows 7 in VMWare Workstation

Create a new virtual machine as shown below and choose how you want to install windows 7, either from installation media or ISO Image.

And customize your virtual machine hardware prior to beginning the Windows 7 virtual machine Operating System (OS). For instance,  you can add disks size or remove unnecessary hardware such as floppy drives and sound cards.

Isolating the lab from production environment

Network Setting

Put an extra effort to configure the malware analysis lab in a way that minimizes the risk of the malicious program escaping from your lab to the host/production.  And a malware escape happens not only because of the potential vulnerability that could allow an escape from the virtualized system which can be fixed most of the time by using latest VMs, but also due to  possible miss configuration and user errors. To this end , use the host-only networking mode for interconnecting the guest OS.

This configuration works well however, it has the weakness of allowing the physical host and Guest systems to interact with each other through a virtual network adapter that VMware installs onto the physical host. Therefore, for safety reasons we need to define a dedicated virtual network.

• Make sure a host only networking mode is selected.
• Go to the virtual machine edit menu and select Virtual Network Editor.

• Repeatedly click the change settings button until it allow us to modify the host-only setting.
• When the Virtual Network editor re-open, It will have all the three modes namely Bridged, Host-only, and NAT.
• In the  VMnet Information section select the host only option.
• Uncheck the “connect a Host virtual adapter to this network”.
• Check “Use local DHCP Service to distribute IP address to VMs”.
• And Finally click ok.

After this setting change the guest OS ,not to talk to the host OS over the network.

Disable Shared Folder Option:

1. Make sure to shutdown your VM.
2. Select the virtual machine and select VM > Settings.
3. On the Options tab, select Shared Folders.
4. Select Disabled to disable folder sharing.
5. And Click OK to save your changes.

Checking VM sandbox against VM detection

Malwares nowadays check if it is being analyzed or not. And the checks are made in a number of generic and specific tests to reveal the presence of VM. This is because some malware refuses to execute/operate correctly when being executed inside a VM. For this purpose , we use a tool called “Paranoid Fish” (pafish) , a tool for detecting malware analysis environments, imitating what malware will do to detect if it is being analyzed.

Let’s run the pafish test as an administrator and a result should display as it shown below.  And the detection of VM presence are indicated a red font word “Traced”. Thus, we have to reconfigure the VMware to hide the presence of VM know by the malware.

In order to reduce the detectability of our VMware by malware , we should add/modify the following configuration to Windows 7 x64.vmx to the end of the configuration file.

cpuid.disable_apicExtRegs = "TRUE"  
monitor_control.enable_fullcpuid="TRUE"  
cpuid.1.eax = "0---:----:----:----:----:----:----:----"  
cpuid.1.ecx = "0---:----:----:----:----:----:----:----"  
cpuid.1.edx = "0---:----:----:----:----:----:----:----"  
monitor_control.restrict_backdoor = "true"   
monitor_control.disable_directexec = "true"  
monitor_control.disable_chksimd = "true"  
monitor_control.disable_ntreloc = "true"  
monitor_control.disable_selfmod = "true"  
monitor_control.disable_reloc = "true"  
monitor_control.disable_btinout = "true"  
monitor_control.disable_btmemspace = "true"  
monitor_control.disable_btpriv = "true"  
monitor_control.disable_btseg = "true"  
monitor_control.enable_extended_core = "true"  
monitor_control.enable_paravirt = "true"  
monitor_control.virtual_rdtsc = "false"  
isolation.tools.getPtrLocation.disable = "true"  
isolation.tools.getVersion.disable = "true"  
SMBIOS.reflecthost = "TRUE"  
SMBIOS.assettag = "IBM Corporation"  
SMBIOS.useShortSerialNumber = "TRUE"  

Now, we have a secured and controlled Malware analysis lab and we can proceed with analyzing a Malware.

And remember to use the latest VMware software, updated and patched. Besides , make sure that your VMware version is free of Virtual Machine Escape vulnerability. Virtual Machine Escape is the process of a malware breaking out of a virtual machine and interacting with the host operating system, which can lead to infections and malware execution in the host machine. And If your analysis requires an internet network connection remember to use an isolated network connection from the production network.

SHOWPIN 122 in 1 Precision Computer Screwdriver Kit, Laptop Screwdriver Sets with 101 Magnetic Drill Bits, Electronics Tool Kit Compatible for Tablet, PC, iPhone, PS4 Repair

(5120)

30% Off $26.99 $18.99 (as of 25/06/2024 15:32 GMT -04:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

Powerful Functions: 122 in 1 precision screwdriver set contains 98 screwdriver bits, 3 Torx TR screwdriver bits and 21 auxiliary tools, such as screwdriver handle, flexible shaft, extension rod, magnetizer, magnetic pad, cleaning brush etc. Own this ... read more

Compressed Air Duster, 3 Gear to 51000RPM Cordless Electric Air Duster, 6000mAh Rechargeable Air Blower with LED Light for Laptop Computer Keyboard Cleaning Pet Hair Crumb Replaces Compressed Air Can

$29.98 (as of 25/06/2024 15:32 GMT -04:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

TRUE 51000RPM: Our air duster adopters the most advanced motor, the maximum speed can reach TRUE 51000RPM, low energy consumption and longer lifespan. Great to help you deep cleaning, computers, Camera, electronic products, or for inflation. The cool... read more

Baseus USB C to HDMI Adapter, 4K@60Hz USB C Docking Station, 7 in 1 USB C Hub with 3 USB-A, PD 100W, TF/SD Card Reader, USB C Dock Compatible for iPhone 15/Mac/Dell/Acer/HP/ASUS/Steam Deck/Rog Ally

50% Off $39.95 $19.99 (as of 25/06/2024 15:32 GMT -04:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

【7-in-1 Design】USB hub for laptop with 1 HDMI port, 3 USB3.0 ports, 1 SD/TF card slot, and 1 USB-C PD port, excellent connectivity to satisfy all your expansion needs at once, much higher efficiency at work. 【4K@60Hz Ultra Clarity】USB c to hdmi adapt... read more

ASUS Vivobook 15.6” FHD Laptop, AMD Ryzen 3 3250U, 8GB RAM, 128GB SSD, Windows 11 Home in S Mode, Transparent Silver, M515DA-WS33

$319.33 (as of 25/06/2024 15:28 GMT -04:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

【Day-to-day Productivity】: This Windows laptop equipped with Windows 11 Home in S Mode, an AMD Ryzen 3 Processor, and AMD Radeon graphics, is designed to deliver a fast and smooth experience. 【Enhanced Protection】: Crafted with exceptional durability... read more