My malware laboratory

This is not going to be a tutorial on how to build your own malware laboratory, but an overview of mine and of the issues I stumbled upon while researching and configuring it.

It was not an easy journey: I failed, swore a lot and, overall, it took me nearly two weeks of work and procrastination to finish it and make it functional, sort of...

Goal

My goal was simple: spend as little as possible while having something quite good to work with that provides reliable results and is accessible even when I am not physically at home.

Oh, and let's not forget my main goal (and the most important one): automating most of the malware analysis process with something self-hosted and private, so I do not have to worry about what gets shared publicly.

Infrastructure

No shenanigans or complex stuff here: just a simple, isolated and heavily filtered network to mess around with.

Map of my laboratory

The main players here are VMware Workstation 16 Pro and a pfSense firewall/router that handles all the heavy lifting, making sure no malicious packet travels from the contaminated network to mine.

pfSense

The core of my infrastructure (and the most annoying part) is pfSense, which handles all the routing and filters everything that goes through it.

No idea how many nights I lost messing around with its firewall rules, since every time there was a virtual machine that could communicate with another inside the network even though, theoretically, the rules were correctly set to not allow that.

After many attempts, I was finally able to set some dumb rules that block any traffic from my personal network to the laboratory, any traffic between virtual machines inside the laboratory, and any traffic from any virtual machine to my personal network.

The only thing allowed is for the virtual machines to reach the internet, and that is it.
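The rule order that policy needs, as an added model in Python (my own code, not a pfSense export; the interface names and address ranges are assumptions). pfSense evaluates the rules on an interface top to bottom and the first match wins, so the block for private destinations has to sit above the pass rule; swap them and the pass rule matches first, and a VM quietly reaches the home network. The model also encodes something no router rule can fix: two VMs on the same virtual network talk directly over the virtual switch and never cross pfSense, so isolating VMs from each other needs separate VMware networks (or the guests' own firewalls), not more pfSense rules.

```python
"""Model of the lab's pfSense rule order (added example, not a pfSense export).

Interface names and address ranges are assumptions. The model keeps the two
things that matter: on each interface, rules are tried top to bottom and the
first match decides; traffic no rule matches is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import Sequence

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

HOME_NET = Net("192.168.1.0/24")  # assumed: personal network, on pfSense's WAN side
LAB_NET = Net("10.66.0.0/24")     # assumed: contaminated network, on pfSense's LAB interface
PRIVATE = (Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16"))  # RFC 1918
ANY = (Net("0.0.0.0/0"),)


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    iface: str           # interface the packet enters pfSense on
    src: Sequence[Net]
    dst: Sequence[Net]
    note: str


def in_any(nets: Sequence[Net], ip: IP) -> bool:
    return any(ip in n for n in nets)


def decide(rules: Sequence[Rule], iface: str, src: str, dst: str):
    """Verdict for one flow: first matching rule on the ingress interface, else drop."""
    s, d = IP(src), IP(dst)
    if s in LAB_NET and d in LAB_NET:
        # Same virtual switch: the frame never reaches pfSense, so no rule applies.
        return "bypass", "same segment, pfSense never sees this traffic"
    for r in rules:
        if r.iface == iface and in_any(r.src, s) and in_any(r.dst, d):
            return r.action, r.note
    return "block", "implicit default deny"


# Intended order on the LAB interface: block every private destination first,
# then pass whatever is left, which is the internet.
LAB_RULES = [
    Rule("block", "LAB", (LAB_NET,), PRIVATE, "VM -> home or other internal ranges"),
    Rule("pass", "LAB", (LAB_NET,), ANY, "VM -> internet"),
]
# Traffic from home enters on WAN, where pfSense has no pass rules by default,
# so the implicit deny already stops it; the explicit block just shows up in logs.
WAN_RULES = [Rule("block", "WAN", (HOME_NET,), (LAB_NET,), "home -> lab")]
POLICY = LAB_RULES + WAN_RULES

# Same two LAB rules, swapped: the pass-any rule now matches first.
LEAKY_POLICY = list(reversed(LAB_RULES)) + WAN_RULES

# Constructed flows covering each requirement of the lab policy.
FLOWS = {
    "vm->internet": ("LAB", "10.66.0.10", "93.184.216.34"),
    "vm->home": ("LAB", "10.66.0.10", "192.168.1.20"),
    "vm->vm": ("LAB", "10.66.0.10", "10.66.0.11"),
    "home->vm": ("WAN", "192.168.1.20", "10.66.0.10"),
}


def check_policy(rules: Sequence[Rule]) -> dict:
    """Map each flow name to the action the ruleset takes on it."""
    return {name: decide(rules, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("intended", POLICY), ("swapped", LEAKY_POLICY)):
        print(f"{label:9} {check_policy(rules)}")
```

Running it shows the intended order giving pass/block/bypass/block for the four flows and the swapped order letting `vm->home` through; the `bypass` verdict is the reminder that the VM-to-VM requirement is a VMware network design question, not a firewall one.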

REMnux & IntelOwl

REMnux is a Linux distribution built around a large collection of tools for malware analysts; I use it to statically analyse malicious content further and extract any additional information I was not able to gather during my initial assessment.

It is great for extracting obfuscated or encrypted data from Excel, Word and PDF documents without ever opening them.
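A stdlib-only sketch of the kind of static triage that REMnux tools such as pdfid and peepdf automate, added here as an example (my own code, not a REMnux tool or the author's): it scans a constructed PDF for risky names without rendering it. Two details are worth seeing. PDF names may encode characters as `#xx`, so `/J#61vaScript` is `/JavaScript` to a reader but invisible to a plain grep until decoded; and content in FlateDecode streams has to be inflated and rescanned, using `decompressobj` so that a truncated stream still yields whatever it can.

```python
"""Static triage of a PDF without rendering it (added example, not a REMnux tool).

Stdlib only, in the spirit of pdfid/peepdf: decode '#xx' escapes in PDF names
(a common way to hide /JavaScript from a naive grep), inflate FlateDecode
streams and rescan them, and report which risky names appear and where.
"""
import re
import zlib
from collections import Counter

RISKY = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/URI"}
NAME_RE = re.compile(rb"/(?:[^\s/<>\[\]()%]|#[0-9A-Fa-f]{2})+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalise_name(raw: bytes) -> str:
    """Decode PDF name escapes: b'/J#61vaScript' -> '/JavaScript'."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes.fromhex(m.group(1).decode()), raw)
    return unescaped.decode("latin-1")


def inflate(blob: bytes) -> bytes:
    """Inflate a FlateDecode stream; decompressobj tolerates a truncated tail."""
    return zlib.decompressobj().decompress(blob)


def scan(data: bytes) -> dict:
    """Return {(name, location): count} for risky names in the body and in inflated streams."""
    hits = Counter()

    def rescan(blob: bytes, where: str) -> None:
        for m in NAME_RE.finditer(blob):
            name = normalise_name(m.group())
            if name in RISKY:
                hits[(name, where)] += 1

    rescan(data, "body")
    for i, m in enumerate(STREAM_RE.finditer(data)):
        try:
            rescan(inflate(m.group(1)), f"stream{i}")
        except zlib.error:
            pass  # not FlateDecode (or garbage): nothing to rescan
    return dict(hits)


def build_sample() -> bytes:
    """Constructed suspicious PDF: hex-escaped /JavaScript plus a /Launch hidden in a compressed stream."""
    payload = zlib.compress(b"app.launchURL('http://example.invalid'); /Launch")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
            b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
            b"5 0 obj << /Length " + str(len(payload)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + payload + b"\nendstream\nendobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    for (name, where), n in sorted(scan(build_sample()).items()):
        print(f"{name:14} x{n}  in {where}")
```

The constructed sample is never opened by a viewer; the scanner only reads bytes, which is the whole point of doing this step on REMnux before the sample ever touches a Windows machine. Real documents add object streams and other filters on top of this, which is why the full tools exist.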

Lastly, I use IntelOwl to speed up intel gathering about a specific file, IP, domain or hash at the push of a button: it queries services like VirusTotal, AbuseIPDB and many others using my API keys.

Windows 7 & 10

A Windows 10 virtual machine with the FLARE tools and other software such as Office 365 and Adobe Reader.

I have the same setup on my Windows 7 machine, minus the FLARE tools, since I use this machine for simple testing, for samples that have compatibility issues, and to gather more data with the EDR I am using.

CAPEv2 Sandbox

This is the beauty that kept me awake for days due to my poor understanding of its documentation.

CAPEv2 GUI, source: @CapeSandbox

Once configured correctly, it spins up a pre-configured Windows 7 virtual machine (a virtual machine inside a virtual machine; I know I should not do it, but I had no choice), launches the sample you submitted through the GUI and analyses any calls it makes, logging everything and presenting it as a PDF report or in the web application.

LimaCharlie EDR

This was purely for experimentation, but I realised it is useful extra support: something automated that gathers more intel that might have been missed during the other analyses.

The most interesting thing about this EDR is that you get two FREE agents to install inside your network and can control everything that is going on, including incidents, from their cloud platform.

LimaCharlie Net

I only pay 6 euro per year for the storage, and it lets me use an incredible variety of tools and scanners, and check any activities and processes currently running on my Windows 7 machine.
