Today I have been working on updating my malware analysis home lab. I have setup two new virtual machines within Virtual Box, I have installed Flare VM and another fresh install of Remnux.
Flare VM is customised install of Windows 10 with a bunch of malware analysis tools and Remnux is a Linux distro designed for malware analysis. This setup will allow me to detonate live malware within the Windows environment and capture changes made to the OS using snapshots. I can use various tools within Flare VM to monitor the malware's behaviour and I can use Remnux to perform code analysis and reverse engineer any malware.
In terms of networking I have isolated both the VM's from my host system, which is my iMac and assigned a the DNS address to InetSim in Remux so that any detonated malware will be tricked in to thinking it has access to the internet when in fact it doesn't. InetSim will reply to both http and https requests made by any malware to trick it in to thinking it is talking to the outside internet and even better if asked to download a second stage payload, inetsim will even carry out that action by allowing the download of a dummy exe file named the same as the file download request!
In other words, if a real malware sample requests a second stage payload called 'payme.exe', from let's say a malicious IP address such as 10.0.18.10, inetsim will reply with a static html page so the malware thinks it has reached its command and control server and then will serve a dummy harmless exe file named payme.exe. The malware will 'think' it has done its job, when in fact all it's done is allow us to analyse the network traffic and report on what it's done.
