🐞 𝐒𝐓𝐄𝐏 𝐁𝐘 𝐒𝐓𝐄𝐏 𝐌𝐀𝐋𝐖𝐀𝐑𝐄 𝐀𝐍𝐀𝐋𝐘𝐒𝐈𝐒 𝐋𝐀𝐁 𝐒𝐄𝐓 𝐔𝐏
This step-by-step guide explains how to set up a malware analysis lab. It covers the installation and configuration of the tools and virtual environments needed to analyze malware in a controlled, isolated environment.
💡 𝐏𝐀𝐑𝐓 1 💡
💥 The key components include:
- 𝐇𝐲𝐩𝐞𝐫𝐯𝐢𝐬𝐨𝐫 𝐈𝐧𝐬𝐭𝐚𝐥𝐥𝐚𝐭𝐢𝐨𝐧: Instructions for installing VirtualBox, a hypervisor used to create and manage virtual machines (VMs).
- 𝐖𝐢𝐧𝐝𝐨𝐰𝐬 10 𝐎𝐒 𝐈𝐧𝐬𝐭𝐚𝐥𝐥𝐚𝐭𝐢𝐨𝐧: Steps to download, install, and configure Windows 10 on a virtual machine, which serves as the base environment for malware analysis.
- 𝐑𝐄𝐌𝐧𝐮𝐱 𝐈𝐧𝐬𝐭𝐚𝐥𝐥𝐚𝐭𝐢𝐨𝐧: Guide to setting up REMnux, a Linux distribution designed specifically for reverse-engineering and analyzing malicious software.
- 𝐅𝐋𝐀𝐑𝐄 𝐕𝐌 𝐈𝐧𝐬𝐭𝐚𝐥𝐥𝐚𝐭𝐢𝐨𝐧: Instructions for installing FLARE VM, a Windows-based security distribution designed for malware analysis.
- 𝐒𝐩𝐞𝐜𝐢𝐚𝐥 𝐍𝐞𝐭𝐰𝐨𝐫𝐤 𝐂𝐨𝐧𝐟𝐢𝐠𝐮𝐫𝐚𝐭𝐢𝐨𝐧: Detailed steps to create a secure network in which the VMs can communicate with each other while remaining isolated from the host machine, so that any malware executed cannot spread to other systems.
- 𝐈𝐍𝐞𝐭𝐒𝐢𝐦 𝐒𝐞𝐭𝐮𝐩: Instructions for setting up INetSim, an Internet simulator that provides fake services for analyzing a sample's network behavior.
- Prerequisites
- Part 1: Hypervisor Installation (VirtualBox)
- Part 2: Windows 10 OS Installation
- Part 3: REMnux Installation
- Part 4: FLARE VM Installation
- Part 5: Special Network Configuration
- Part 6: INetSim Setup
Prerequisites
Before starting, ensure your host machine meets the following requirements:
- OS: Windows, macOS, or Linux
- RAM: At least 16 GB (32 GB recommended)
- Storage: At least 100 GB of free disk space
- CPU: Intel VT-x or AMD-V virtualization support enabled in BIOS/UEFI
- Internet: Required for downloading tools and ISOs
⚠️ Important: Always perform malware analysis in an isolated environment. Never run malware on your host machine.
Part 1: Hypervisor Installation (VirtualBox)
VirtualBox is a free, open-source hypervisor used to create and manage virtual machines.
1. Download VirtualBox
   - Visit the VirtualBox official website
   - Download the installer for your host operating system
2. Install VirtualBox
   - Run the downloaded installer
   - Follow the installation wizard (accept the default options)
   - Install the VirtualBox Extension Pack for additional features (USB 2.0/3.0, RDP, etc.)
     - Download it from the same page under VirtualBox Extension Pack
     - Open VirtualBox → File → Preferences → Extensions → Add the pack
3. Verify Installation
   - Launch VirtualBox
   - Confirm the main window opens without errors
Part 2: Windows 10 OS Installation
A Windows 10 VM serves as the primary analysis environment for executing and examining malware.
1. Download the Windows 10 ISO
   - Visit Microsoft's official page and use the Media Creation Tool to download the ISO, or download it directly as an ISO file
2. Create a New VM in VirtualBox
   - Open VirtualBox → Click New
   - Name: `Windows10-Analysis`
   - Type: Microsoft Windows
   - Version: Windows 10 (64-bit)
   - Memory: Allocate at least 4096 MB (4 GB)
   - Hard Disk: Create a virtual hard disk (minimum 60 GB, dynamically allocated)
3. Configure VM Settings
   - Select the VM → Click Settings
   - Under Storage: Attach the Windows 10 ISO to the optical drive
   - Under System → Processor: Assign at least 2 CPUs
   - Under Display: Set video memory to 128 MB
4. Install Windows 10
   - Start the VM
   - Follow the Windows installation wizard
   - Choose Custom Installation and install to the virtual disk
   - Complete the initial setup (skip the product key if doing a trial)
5. Install VirtualBox Guest Additions
   - After Windows boots, click Devices → Insert Guest Additions CD Image in the VirtualBox menu
   - Run the installer inside the VM for better performance and a shared clipboard
6. Take a Snapshot
   - Before installing any tools, take a VM snapshot: Machine → Take Snapshot
   - Name it `Clean Windows 10 Install`
   - This lets you revert to a clean state after each malware analysis session
Part 3: REMnux Installation
REMnux is a Linux distribution tailored for reverse-engineering and analyzing malicious software.
1. Download the REMnux Virtual Appliance
   - Visit the REMnux official website
   - Download the OVA (Open Virtual Appliance) file
2. Import into VirtualBox
   - Open VirtualBox → File → Import Appliance
   - Browse to the downloaded `.ova` file and click Next
   - Review the settings and click Import
3. Configure VM Settings
   - Select the REMnux VM → Click Settings
   - Under System → Motherboard: Set memory to at least 2048 MB
   - Under Network: Set Adapter 1 to Host-only Adapter (see Part 5 for network configuration)
4. Start REMnux
   - Start the VM
   - Default credentials: `remnux/malware`
   - Update the REMnux tools: `remnux upgrade` (this downloads packages, so run it while the VM still has internet access, before it is isolated on the host-only network)
5. Take a Snapshot
   - Take a snapshot named `Clean REMnux Install`
Part 4: FLARE VM Installation
FLARE VM is a Windows-based security distribution with a comprehensive set of malware analysis tools pre-installed.
1. Prepare a Windows 10 VM
   - Use the Windows 10 VM created in Part 2, or create a fresh one
   - Ensure Windows is fully updated before proceeding
2. Disable Windows Defender and Antivirus
   - Go to Settings → Update & Security → Windows Security → Virus & threat protection
   - Turn off Real-time protection
   - Disable Tamper Protection as well
3. Download and Run the FLARE VM Installer
   - Open PowerShell as Administrator inside the Windows 10 VM
   - Run the following commands (the installer downloads its tools, so the VM still needs internet access at this stage; it is isolated in Part 5):
```powershell
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1', "$env:temp\install.ps1")
Unblock-File -Path "$env:temp\install.ps1"
Set-ExecutionPolicy Unrestricted -Force
& "$env:temp\install.ps1"
```
   - Follow the on-screen prompts
4. Wait for the Installation to Complete
   - The installation process downloads and installs numerous tools and may take 1–2 hours
   - The VM will reboot several times during the process
5. Verify Installation
   - After installation, verify that tools such as x64dbg, Ghidra, pestudio, and others are accessible from the desktop or Start menu
6. Take a Snapshot
   - Take a snapshot named `Clean FLARE VM Install`
Part 5: Special Network Configuration
This configuration creates a private network that allows the VMs to communicate with each other while remaining isolated from the host and the internet.
1. Create a Host-Only Network in VirtualBox
   - Open VirtualBox → File → Host Network Manager (or Tools → Network)
   - Click Create to add a new Host-Only Network (e.g., `vboxnet0`)
   - Configure:
     - IPv4 Address: `192.168.56.1`
     - Subnet Mask: `255.255.255.0`
     - Disable the DHCP server (static IPs are assigned manually)
2. Assign the Host-Only Network to Each VM
   - For each VM (Windows 10 / FLARE VM and REMnux):
     - Go to Settings → Network
     - Set Adapter 1 to Host-only Adapter and select `vboxnet0`
     - Disable or remove any NAT adapter to prevent internet access
3. Assign Static IP Addresses
   - REMnux VM: Set the static IP `192.168.56.101`
```bash
sudo nano /etc/network/interfaces
# Add the following lines to the file:
#   auto eth0
#   iface eth0 inet static
#   address 192.168.56.101
#   netmask 255.255.255.0
#   gateway 192.168.56.1
sudo systemctl restart networking
```
   - Note: newer REMnux releases are built on Ubuntu 20.04, where networking is usually managed by netplan and the adapter is typically named `enp0s3` rather than `eth0`; check `ip link` and `/etc/netplan/` before editing `/etc/network/interfaces`
   - Windows 10 / FLARE VM: Set the static IP `192.168.56.102`
     - Go to Network Settings → Change adapter options
     - Right-click the adapter → Properties → IPv4 → Set manually
4. Verify Connectivity Between VMs
   - From the Windows VM, ping REMnux: `ping 192.168.56.101`
   - From REMnux, ping the Windows VM: `ping 192.168.56.102`
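A check for step 2 above, added here as an example that is not part of the original guide: it parses the `nic<N>` and `hostonlyadapter<N>` keys printed by `VBoxManage showvminfo <vm> --machinereadable` and flags any adapter that is not disabled or host-only on `vboxnet0`, so a forgotten NAT adapter is caught before a sample is run. The VM names and the sample output are constructed for this example.

```python
"""Audit VirtualBox lab VMs for network isolation (added example, not from the guide).
Parses the key="value" lines printed by `VBoxManage showvminfo <vm> --machinereadable`
and flags every adapter that is not disabled or host-only on the Part 5 network."""
import re
import subprocess

LAB_HOSTONLY = "vboxnet0"  # host-only network created in Part 5

# Constructed sample output (assumed, not captured from a real host): the Windows
# VM is isolated correctly, the REMnux VM still has a NAT adapter enabled.
SAMPLE_WINDOWS = 'name="Windows10-Analysis"\nnic1="hostonly"\nhostonlyadapter1="vboxnet0"\nnic2="none"\n'
SAMPLE_REMNUX_BAD = 'name="REMnux"\nnic1="hostonly"\nhostonlyadapter1="vboxnet0"\nnic2="nat"\n'

def parse_vminfo(text):
    """Turn key="value" lines into a dict, dropping the surrounding quotes."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z0-9_]+)="?(.*?)"?$', line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info

def isolation_problems(info):
    """Return human-readable problems; an empty list means the VM is isolated."""
    problems = []
    for key, value in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or value == "none":
            continue  # a disabled adapter cannot leak traffic
        n = m.group(1)
        if value != "hostonly":
            problems.append(f"nic{n} is '{value}' (expected hostonly or none)")
        else:
            net = info.get(f"hostonlyadapter{n}")
            if net != LAB_HOSTONLY:
                problems.append(f"nic{n} is on '{net}', expected {LAB_HOSTONLY}")
    return problems

def audit_live_vm(name):
    """Audit a real VM on the host (needs VirtualBox's VBoxManage on PATH)."""
    out = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return isolation_problems(parse_vminfo(out))

if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_REMNUX_BAD):
        info = parse_vminfo(sample)
        print(info["name"], isolation_problems(info) or "isolated")
```

Run `audit_live_vm("Windows10-Analysis")` on the host before every session; an empty list is the expected result.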
Part 6: INetSim Setup
INetSim (Internet Simulator) simulates common internet services (HTTP, DNS, SMTP, etc.) so that malware behaves as if it has internet access, without actually connecting to the internet.
1. Install INetSim on REMnux
   - INetSim is pre-installed on REMnux. Verify with: `inetsim --version`
   - If it is not installed, add it manually:
```bash
sudo apt-get update
sudo apt-get install inetsim
```
2. Configure INetSim
   - Open the configuration file: `sudo nano /etc/inetsim/inetsim.conf`
   - Set the listening address to the REMnux IP:
```
service_bind_address 192.168.56.101
dns_default_ip 192.168.56.101
```
   - Save and close the file
3. Start INetSim
   - Run: `sudo inetsim`
   - INetSim will start and list all simulated services (DNS, HTTP, HTTPS, SMTP, etc.)
4. Configure DNS on the Windows / FLARE VM
   - Set the DNS server to the REMnux IP (`192.168.56.101`) so that the sample's DNS queries are captured:
     - Go to Network Settings → IPv4 → DNS Server: `192.168.56.101`
5. Verify INetSim is Working
   - From the Windows VM, open a browser and navigate to any URL
   - INetSim should serve a fake response and log the request on REMnux
6. Monitor INetSim Logs
   - View real-time logs: `sudo tail -f /var/log/inetsim/main.log`
   - The logs include all connections made by the sample, including DNS lookups, HTTP requests, and more
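An added example (not from the guide) for reviewing the logs from step 6 after a session: it summarises which names the analysis VM resolved, which URLs it fetched and how many connections each simulated service saw. The bracketed line layout and the sample lines are assumptions constructed for this example; it also assumes the `requested name:` and `stat:` details are written to `service.log` next to `main.log`.

```python
"""Summarise what the analysis VM did according to INetSim's logs.
Added example, not from the guide. Assumes INetSim's bracketed log layout
  [timestamp] [pid] [service pid] [client:port] message
(the "requested name:" / "stat:" details are written to service.log beside main.log)."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+)\] \[(?P<service>\S+) (?P<spid>\d+)\] "
    r"\[(?P<client>[\d.]+):(?P<port>\d+)\] (?P<msg>.*)$")

# Constructed sample lines (not a real capture) in the assumed layout above.
SAMPLE_LOG = """\
[2024-05-01 10:00:01] [1200] [dns_53_tcp_udp 1210] [192.168.56.102:51000] requested name: updates.example-c2.test
[2024-05-01 10:00:01] [1200] [http_80_tcp 1211] [192.168.56.102:51001] connect
[2024-05-01 10:00:02] [1200] [http_80_tcp 1211] [192.168.56.102:51001] stat: 1 method=GET url=http://updates.example-c2.test/payload.bin sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=
[2024-05-01 10:00:02] [1200] [http_80_tcp 1211] [192.168.56.102:51001] disconnect
[2024-05-01 10:00:05] [1200] [dns_53_tcp_udp 1210] [192.168.56.102:51002] requested name: mail.example-c2.test
[2024-05-01 10:00:06] [1200] [smtp_25_tcp 1212] [192.168.56.102:51003] connect
garbage line that is not in INetSim format and must be skipped
"""

def parse_lines(text):
    """Yield a dict per well-formed INetSim line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarise(text):
    """Return (resolved names, fetched URLs, connections per service)."""
    names, urls, per_service = set(), [], Counter()
    for rec in parse_lines(text):
        msg = rec["msg"]
        if msg.startswith("requested name: "):
            names.add(msg[len("requested name: "):])
        elif msg.startswith("stat: "):  # HTTP request summary line
            m = re.search(r"url=(\S+)", msg)
            if m:
                urls.append(m.group(1))
        elif msg == "connect":
            per_service[rec["service"]] += 1
    return sorted(names), urls, dict(per_service)

if __name__ == "__main__":
    # Real use: summarise(open("/var/log/inetsim/service.log").read())
    names, urls, conns = summarise(SAMPLE_LOG)
    print("DNS names:", names, "\nURLs:", urls, "\nconnections:", conns)
```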
- Never connect the analysis VMs to your actual network or the internet.
- Always revert to a clean snapshot after each analysis session.
- Use shared folders cautiously — malware can potentially access host files through shared folders.
- Consider using a dedicated physical machine for sensitive malware analysis.
- Keep VirtualBox Guest Additions updated to minimize VM escape risks.
📄 For a detailed visual walkthrough, refer to the Malware Analysis Lab Set Up PDF included in this repository.