FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!



As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine (VM) to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately, trying to maintain a custom VM like this is very laborious: tools often go out of date and it is hard to change or add new things. There is also a constant fear that if the VM gets corrupted it would be super painful to replicate all of the settings and tools that I’ve built up over the years. To address this and many related challenges, I have developed a standardized (but easily customizable) Windows-based security distribution called FLARE VM.
FLARE VM is a freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and others, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.
The distribution also includes the FLARE team’s public malware analysis tools such as FLOSS and FakeNet-NG.

How To Get It

You are expected to have an existing installation of Windows 7 or above. This allows you to choose the exact Windows version, patch level, architecture and virtualization environment yourself.
Once you have that available, you can quickly deploy the FLARE VM environment by visiting the following URL in Internet Explorer (other browsers are not going to work):
http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1
After you navigate to the above URL in Internet Explorer, you will be presented with a Boxstarter WebLauncher dialog. Select Run to continue the installation as illustrated in Figure 1.

Figure 1: FLARE VM Installation
Following successful installation of Boxstarter WebLauncher, you will be presented with a console window and one more prompt to enter your Windows password as shown in Figure 2. Your Windows password is necessary to restart the machine several times during the installation without prompting you to log in every time.

Figure 2: Boxstarter Password Prompt
The rest of the process is fully automated, so get yourself a cup of coffee or tea. Depending on your connection speed, the initial installation takes about 30-40 minutes. Your machine will also reboot several times due to the requirements of the numerous software installations. During the deployment process, you will see installation logs of a number of packages.
Once the installation is complete, it is highly recommended to switch the Virtual Machine networking settings to Host-Only mode so that malware samples do not accidentally connect to the Internet or the local network. Also, take a fresh virtual machine snapshot so this clean state is saved! The final FLARE VM installation should look like Figure 3.

Figure 3: FLARE VM installation
NOTE: If you encounter a large number of error messages, try to simply restart the installation. All of the existing packages will be preserved and new packages will be installed.

Getting Started

The VM configuration and the included tools were either developed or carefully selected by the members of the FLARE team, who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade. All of the tools are organized in the directory structure shown in Figure 4.
Figure 4: FLARE VM Tools
While we strive to make the tools available as shortcuts in the FLARE folder, several are available from the command line only. Please see the online documentation at http://flarevm.info for the most up to date list.

Sample Analysis

In order to best illustrate how FLARE VM can aid in malware analysis tasks, let’s perform a basic analysis on one of the samples we use in our Malware Analysis Crash Course.
First, let’s obtain some basic indicators by looking at the strings in the binary. For this exercise, we are going to run FLARE’s own FLOSS tool, which is a strings utility on steroids. Visit http://flosseveryday.info for additional information about the tool. You can launch it by clicking on the FLOSS icon in the taskbar and running it against the sample as illustrated in Figure 5.

Figure 5: Running FLOSS
Unfortunately, looking over the resulting strings in Figure 6, only one string really stands out, and it is not clear how it is used.

Figure 6: Strings Analysis
Let’s dig a bit more into the binary by opening up CFF Explorer in order to analyze the sample’s imports, resources, and PE header structure. CFF Explorer and a number of other utilities are available in the FLARE folder, which can be accessed from the Desktop or the Start menu as illustrated in Figure 7.

Figure 7: Opening Utilities
While analyzing the PE header, there were several indicators that the binary contains a resource object with an additional payload. For example, the Import Address Table contained relevant Windows API calls such as LoadResource, FindResource and finally WinExec. Unfortunately, as you can see in Figure 8, the embedded payload “BIN” contains junk, so it is likely encrypted.

Figure 8: PE Resource
At this point, we could continue the static analysis or we could “cheat” a bit by switching over to basic dynamic analysis techniques. Let’s try to quickly gather basic indicators by using another FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network emulation tool which tricks malware into revealing its network functionality by presenting it with fake services such as DNS, HTTP, FTP, IRC and many others. Please visit http://fakenet.info for additional information about the tool.
Also, let’s launch Procmon from the Sysinternals Suite in order to monitor all of the File, Registry and Windows API activity as well. You can find both of these frequently used tools in the taskbar illustrated in Figure 9.

Figure 9: Dynamic Analysis
After executing the sample with Administrator privileges, we quickly find excellent network- and host-based indicators. Figure 10 shows FakeNet-NG responding to the malware’s attempt to communicate with evil.mandiant.com using the HTTP protocol. Here we capture useful indicators such as a complete HTTP header, URL and a potentially unique User-Agent string. Also, notice that FakeNet-NG is capable of identifying the exact process communicating, which is level1_payload.exe. This process name corresponds to the unique string that we identified in the static analysis but couldn’t understand how it was used.
Figure 10: FakeNet-NG
Comparing our findings with the output of Procmon in Figure 11, we can confirm that the malware is indeed responsible for creating the level1_payload.exe executable in the system32 folder.

Figure 11: Procmon
As part of the malware analysis process, we could continue digging deeper by loading the sample in a disassembler and performing further analysis inside a debugger. However, I would not want to spoil this fun for our Malware Analysis Crash Course students by sharing all the answers here. That said, all of the relevant tools to perform such analysis are already included in the distribution, such as the IDA Pro and Binary Ninja disassemblers, a nice collection of debuggers and several plugins, and many others to make your reverse engineering tasks as convenient as possible.

Have It Your Way

FLARE VM is a constantly growing and changing project. While we try to cover as many use-case scenarios as possible, it is simply impossible due to the nature of the project. Luckily, FLARE VM is extremely easy to customize because it was built on top of the Chocolatey project. Chocolatey is a Windows-based package management system with thousands of packages. You can find the list here: https://chocolatey.org/packages. In addition to the public Chocolatey repository, FLARE VM uses our own FLARE repository, which is constantly growing and currently contains about 40 packages.
What all this means is that if you want to quickly add some package, let’s say Firefox, you no longer have to navigate to the software developer’s website. Simply open up a console and type in the command in Figure 12 to automatically download and install any package:

Figure 12: Installing packages
In a few short moments, the Firefox icon is going to appear on your Desktop with no user interaction necessary.

Staying up to date

As I’ve mentioned in the beginning, one of the hardest challenges of an unmanaged Virtual Machine is trying to keep all the tools up to date. FLARE VM solves this problem. You can completely update the entire system by simply running the command in Figure 13.

Figure 13: Staying up to date
If any of the installed packages have newer versions, they will be automatically downloaded and installed.
NOTE: Don’t forget to take another clean snapshot of the updated system and set networking back to Host-Only.
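As an added example (not from the original post or the FLARE VM project), the following PowerShell script wraps the Chocolatey install and upgrade steps behind Figures 12 and 13 and records which packages changed, so the snapshot you take afterwards is documented. It assumes Chocolatey 1.x command syntax (choco install, choco upgrade all, choco list --local-only -r); the script name Update-FlareVm.ps1 and the log file location are hypothetical.

```powershell
# Added example, not part of the original post or the FLARE VM project.
# Wraps the Chocolatey install/upgrade steps and records what changed so the
# post-update VM snapshot is documented. Hypothetical name: Update-FlareVm.ps1
# Usage: .\Update-FlareVm.ps1            (upgrade everything, Figure 13 style)
#        .\Update-FlareVm.ps1 firefox    (install one package, Figure 12 style)
# Assumes Chocolatey 1.x; on 2.x 'choco list' is local-only by default and
# the --local-only flag must be dropped.
param([string]$Package)

function Get-ChocoInventory {
    # With -r (limit-output) each line is "name|version".
    $inventory = @{}
    choco list --local-only -r | ForEach-Object {
        $name, $version = $_ -split '\|', 2
        if ($name) { $inventory[$name] = $version }
    }
    return $inventory
}

function Compare-ChocoInventory {
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($name in $After.Keys) {
        if (-not $Before.ContainsKey($name)) {
            $changes += "[added]    $name $($After[$name])"
        } elseif ($Before[$name] -ne $After[$name]) {
            $changes += "[upgraded] $name $($Before[$name]) -> $($After[$name])"
        }
    }
    foreach ($name in $Before.Keys) {
        if (-not $After.ContainsKey($name)) {
            $changes += "[removed]  $name $($Before[$name])"
        }
    }
    return $changes
}

$before = Get-ChocoInventory
if ($Package) {
    choco install $Package -y       # add a single package
} else {
    choco upgrade all -y            # update every installed package
}
$after = Get-ChocoInventory

$changes = @(Compare-ChocoInventory -Before $before -After $after)
$log = Join-Path $env:USERPROFILE ("flarevm-update-{0:yyyyMMdd-HHmm}.log" -f (Get-Date))
$changes | Set-Content -Path $log
Write-Host ("{0} package change(s) written to {1}" -f $changes.Count, $log)
Write-Host "Switch the VM back to Host-Only networking and take a fresh snapshot."
```

Both Chocolatey commands need Internet access, so run the script before switching the VM back to Host-Only, and keep the log alongside the snapshot name so you can tell later which tool versions a given snapshot contains.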

Conclusion

I hope you enjoy this new free tool and will adopt it as another trusted resource to perform reverse engineering and malware analysis tasks. Next time you need to set up a new malware analysis environment, try out FLARE VM!
In these few pages, we could only scratch the surface of everything that FLARE VM is capable of; however, feel free to leave your comments, tool requests, and bugs on our GitHub issues page here: https://github.com/fireeye/flare-vm or http://flarevm.info/.