https://github.com/thequietlife/malware-analysis
🦠 Notes on setting up a malware analysis lab
- Host: GitHub
- URL: https://github.com/thequietlife/malware-analysis
- Owner: thequietlife
- Created: 2025-02-14T04:15:23.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-02-21T11:16:42.000Z (3 months ago)
- Last Synced: 2025-02-21T12:21:55.951Z (3 months ago)
- Topics: homelab, malware-analysis, threatintel
- Size: 7.28 MB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
### 🚧 Setting up my anti-evasion analysis lab
1. 🧰 Resources:
- [Kyle Cucci's Evasive Malware: Understanding Deceptive and Self-Defending Threats](https://nostarch.com/evasive-malware). This book was released in 2024, so I figured its lab setup would be really helpful
- [Michael Sikorski and Andrew Honig's Practical Malware Analysis](https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901). It was released 10 years ago, so I didn't want to rely on it for the lab setup; I am using it for the other sections
- 📺 YouTube! e.g. how to create a virtual hard drive, info on MAC addresses, how to install REMnux
- Google: searching for error messages, reading solutions and trying them.
2. 💻 Host Machine: I have set up Ubuntu on my old Apple iMac. Kyle Cucci suggested that when analysing malware it is best not to use the same OS as the malware: for Windows malware, use Linux or macOS. This involved using balenaEtcher to flash an OS image to a USB drive (create a bootable USB drive). It's pretty cool to bring a 2017 iMac back to life with a fresh OS.
3. 🖥️ Hypervisor: I have set up Oracle VirtualBox
4. 🪛 Added a virtual machine - Microsoft Windows 10
5. 🎻 Tweaking VM settings
Today I learnt more about MAC addresses. The "generate a random MAC address" button in VirtualBox uses a range that is associated with VMs. The aim is to avoid being detected as a VM, so instead, starting from a MAC address prefix, I generated a new MAC address. 💅
Paused Windows updates for 7 days and changed other virus protection settings (need to keep this date in mind)
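The MAC-address point above, as an added example that is not part of the original notes: a Python helper that flags MAC addresses whose OUI (first three octets) belongs to a hypervisor vendor, and generates a random MAC under a prefix of your own choosing while refusing hypervisor prefixes and prefixes with the multicast or locally-administered bit set. The OUI table is a constructed subset of well-known entries, and the prefix passed to `generate_mac` in the usage line is a placeholder to be replaced with one the analyst picks.

```python
import os
import re
from typing import Optional

# Well-known OUIs registered to hypervisor vendors (constructed subset).
# Malware VM checks compare the guest's MAC against lists like this, so a
# lab VM that keeps one of these prefixes is easy to fingerprint.
HYPERVISOR_OUIS = {
    "08:00:27": "VirtualBox",
    "00:05:69": "VMware",
    "00:0C:29": "VMware",
    "00:1C:14": "VMware",
    "00:50:56": "VMware",
    "00:15:5D": "Hyper-V",
    "00:16:3E": "Xen",
    "00:1C:42": "Parallels",
}

# Six hex octets, all joined by the same separator (':' or '-').
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize(mac: str) -> str:
    """Return the MAC as upper-case, colon-separated; raise on bad input."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.upper().replace("-", ":")


def hypervisor_vendor(mac: str) -> Optional[str]:
    """Name of the hypervisor whose OUI this MAC carries, else None."""
    return HYPERVISOR_OUIS.get(normalize(mac)[:8])


def generate_mac(oui: str) -> str:
    """Random unicast MAC under the given OUI, refusing hypervisor OUIs and
    OUIs whose first octet has the multicast (0x01) or locally-administered
    (0x02) bit set, since both are tells in their own right."""
    oui = normalize(oui.replace("-", ":") + ":00:00:00")[:8]
    if oui in HYPERVISOR_OUIS:
        raise ValueError(f"{oui} belongs to {HYPERVISOR_OUIS[oui]}")
    if int(oui[:2], 16) & 0x03:
        raise ValueError("first octet has multicast or local bit set")
    return oui + ":" + ":".join(f"{b:02X}" for b in os.urandom(3))


if __name__ == "__main__":
    print(hypervisor_vendor("08:00:27:12:34:56"))  # VirtualBox
    print(generate_mac("3C:22:FB"))  # placeholder prefix; pick your own
```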
6. 🐧 Installed REMnux, a Linux VM
A command-line-driven VM that I will use along with the Windows 10 VM.
7. Created snapshots of both VMs - "clean" versions of the VMs
- ✨ The lab is pretty much set up
- Next: more setting changes to further conceal the Windows VM.
8. More tweaks to help conceal the Windows VM
- rename computer