AOML - Setting Up FlareVM & REMnux


The Art of Malware Analysis Series

In this series, we are going to work through the "Art of Malware Analysis" course, in which you can enrol at the following URL.

https://courses.ask-academy.live/courses/take/the-art-of-malware-analysis

This is going to be a series in which I cover the gist of the course, following which you can get started with malware analysis and set up your own lab environment.

Downloading & Installing Windows 10/11 Evaluation

The first thing to do is to download and install Windows 10 or 11, as per your choice, inside a virtual machine. I am going to install Windows 10 for the sake of this course and for my daily use. The Enterprise evaluation from the link below is a 90-day trial, which is plenty for an analysis VM that you rebuild from a snapshot anyway.

https://www.microsoft.com/evalcenter/download-windows-10-enterprise

Once you have the ISO downloaded, follow the on-screen prompts and have it installed in the VM.

Installing Windows Terminal

I am personally not fond of the default Windows CMD, so I am going to hop onto the Microsoft Store and install Windows Terminal.

https://apps.microsoft.com/detail/9n0dx20hk701?rtc=1&hl=en-qa&gl=QA

Just have it installed and it should be done in less than a minute.

Installing Chocolatey

Finally, we will install Chocolatey so that we can install software from the command line, the way a package manager does on Linux. (The FlareVM installer sets up Chocolatey itself if it is missing, but having it in place first lets us use choco for Git and other tools right away.)

https://chocolatey.org/install

Paste the PowerShell one-liner below into an Administrator PowerShell terminal. Note what it does: it relaxes the execution policy for the current process only, forces TLS 1.2 and then downloads and executes install.ps1 straight from community.chocolatey.org with iex. That is acceptable in a throwaway analysis VM, but it is exactly the "download and run a remote script" pattern you would flag anywhere else, so do it on the VM, never on the host.

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

Turning Off Microsoft Defender

Having all the previous tools installed, we will now disable Microsoft Defender, since it would quarantine the samples and a good number of the FlareVM tools. Go to Windows Security > Virus & threat protection > Manage settings and turn off Tamper Protection first, then every other toggle (real-time protection, cloud-delivered protection, automatic sample submission) one by one. Tamper Protection has to go first, otherwise the Group Policy changes below are ignored and Defender switches itself back on after a reboot.

Once done, we need to make the change permanent through Group Policy, because the Windows Security toggles alone come back after a reboot. Open the Local Group Policy Editor (gpedit.msc), go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus and set the following.

1. Turn off Microsoft Defender Antivirus: Enabled

2. Client Interface > Suppress all notifications: Enabled

3. Real-time Protection > Turn off real-time protection: Enabled

4. Real-time Protection > Scan all downloaded files and attachments: Disabled

5. Real-time Protection > Monitor file and program activity on your computer: Disabled

Finally, restart your machine.
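The FlareVM installer runs its own pre-flight checks and aborts if Defender is still active, so it pays to verify the state after the reboot rather than discover it half-way through a long install. The script below is an added example (it is not part of the course or of the FlareVM project): it reads back the registry values that the five Group Policy settings above write under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, then asks the Defender cmdlets for the live status. The value names and their mapping to the policy settings are an assumption on my part; compare them with what your own gpedit.msc produces.

```powershell
# Added example, not from the course or FlareVM: confirm Defender is really off
# before running install.ps1. Run from an elevated PowerShell prompt.
# Assumption: the five Group Policy settings write the registry values below.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Group Policy setting -> registry value it writes, and the value we expect
$checks = @(
    @{ Setting = 'Turn off Microsoft Defender Antivirus (Enabled)'
       Key = $policy;                        Name = 'DisableAntiSpyware';        Want = 1 }
    @{ Setting = 'Suppress all notifications (Enabled)'
       Key = "$policy\UX Configuration";     Name = 'Notification_Suppress';     Want = 1 }
    @{ Setting = 'Turn off real-time protection (Enabled)'
       Key = "$policy\Real-Time Protection"; Name = 'DisableRealtimeMonitoring'; Want = 1 }
    @{ Setting = 'Scan all downloaded files and attachments (Disabled)'
       Key = "$policy\Real-Time Protection"; Name = 'DisableIOAVProtection';     Want = 1 }
    @{ Setting = 'Monitor file and program activity on your computer (Disabled)'
       Key = "$policy\Real-Time Protection"; Name = 'DisableOnAccessProtection'; Want = 1 }
)

$problems = @()
foreach ($c in $checks) {
    # A missing key means the policy was never applied (or Tamper Protection removed it)
    $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { '<missing>' }
    if ($actual -ne $c.Want) {
        $problems += '{0}: expected {1}={2}, found {3}' -f $c.Setting, $c.Name, $c.Want, $actual
    }
}

# Live status from the Defender module. Tamper Protection must be off, otherwise
# the policy above is reverted. Once the Defender service is fully stopped this
# cmdlet fails, which is itself the state we want, so a $null result is not an error.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    if ($status.IsTamperProtected)         { $problems += 'Tamper Protection is still on: turn it off in Windows Security first' }
    if ($status.RealTimeProtectionEnabled) { $problems += 'Real-time protection still reports enabled' }
    if ($status.AntivirusEnabled)          { $problems += 'Antivirus engine still reports enabled' }
}

if ($problems.Count -eq 0) {
    Write-Host 'Defender is off: safe to run the FlareVM installer.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host 'Fix the items above, reboot, and re-run this check before .\install.ps1'
}
```

If the script reports every registry value as missing even though you set the policies, the usual cause is that Tamper Protection was still on when you did; turn it off, re-apply the policies, reboot and check again.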

Installing Other Tools

Once restarted, open an Administrator terminal and do the following.

  1. Install Git

choco install git

  2. Download FlareVM

git clone https://github.com/mandiant/flare-vm.git

  3. Set the execution policy (Administrator terminal)

Set-ExecutionPolicy Unrestricted

This is machine-wide and stays in effect until you change it back, which is fine for a disposable analysis VM but not something to do on your host. The FlareVM README additionally runs Unblock-File on install.ps1 before executing it, in case the file carries a Mark-of-the-Web.

  4. Install FlareVM

Change into the cloned flare-vm directory first; the installer is run from there.

.\install.ps1

The installer shows a window where you can pick the packages to install, then reboots the VM several times and resumes on its own, so leave the VM logged in and alone until it reports that it is done.

  5. Practice patience

Because, depending on what you select, it is going to install the following (package|version, as listed when this post was written; expect newer versions on a fresh install).

010editor.vm|14.0.1
7zip.vm|0.0.0.20240425
7zip-15-05.vm|15.5.0.20240507
7zip-nsis.vm|23.1.0.20240507
7z-nsis.vm|23.1.0
adconnectdump.vm|0.0.0.20240412
aleapp.vm|3.2.2
amcacheparser.vm|1.5.1.20240411
apimonitor.vm|2.13.0.20220224
apktool.vm|2.9.3
appcompatcacheparser.vm|1.5.0.20240411
arsenalimagemounter.vm|3.11.282
asreproast.vm|0.0.0.20240412
autopsy.vm|4.21.0
azurehound.vm|2.1.9
badassmacros.vm|1.0.0
bindiff.vm|8.0.0.20240402
blobrunner.vm|0.0.5.20240411
blobrunner64.vm|0.0.5.20240411
bloodhound.vm|4.3.1.20240411
bloodhound-custom-queries.vm|0.0.0.20240412
bstrings.vm|1.5.2.20240411
burp-free.vm|0.0.0.20240217
bytecodeviewer.vm|2.12.0
c3.vm|0.0.0.20240412
capa.vm|7.0.1.20240411
certify.vm|1.1.0.20240412
chainsaw.vm|2.9.0
cmder.vm|1.3.24.20240217
codetrack.vm|1.0.3.20230526
common.vm|0.0.0.20240514
confuserex.vm|1.6.0.20230713
covenant.vm|0.0.0.20240412
credninja.vm|2.3.0.20240412
cryptotester.vm|1.7.1.20240411
cutter.vm|2.3.4.20240411
cyberchef.vm|10.18.3
cygwin.vm|3.5.3
dcode.vm|5.6.24123.20240507
de4dot-cex.vm|4.0.0.20240411
debloat.vm|0.0.0.20240327
dependencywalker.vm|2.2.6000
dex2jar.vm|2.3.0.20240411
didier-stevens-beta.vm|0.0.0.20240226
didier-stevens-suite.vm|0.0.0.20240226
die.vm|3.7.20240217
dll-to-exe.vm|1.1.0
dnlib.vm|4.0.0
dnspyex.vm|6.5.0.20240411
dokan.vm|2.1.0
dotdumper.vm|1.1.0.20240411
dotnet-6.vm|0.0.0.20240507
dotnettojscript.vm|0.0.0.20240412
dumpert.vm|0.0.0.20240412
egress-assess.vm|0.0.0.20240412
event-log-explorer.vm|5.5.0.20240321
evilclippy.vm|1.3.0.20240412
evtxecmd.vm|1.5.0.20240411
exeinfope.vm|0.0.7.20240411
exiftool.vm|12.84.0
explorersuite.vm|0.0.0.20230925
extreme_dumper.vm|4.0.0.20240411
ezviewer.vm|2.0.0.20240411
fakenet-ng.vm|3.2.0.20240425
fiddler.vm|5.0.20242
fiddlerclassic.vm|5.0.20211.20240417
file.vm|0.0.0.20240411
flarevm.installer.vm|0.0.0.20230626
floss.vm|3.1.0
ftk-imager.vm|4.7.1.20231207
fuzzdb.vm|0.0.0.20240412
gadgettojscript.vm|2.0.0.20240412
garbageman.vm|0.2.4.20240411
getlapspasswords.vm|0.0.0.20240125
ghidra.vm|11.0.3
gobuster.vm|3.5.0.20240411
googlechrome.vm|0.0.0.20240425
goresym.vm|2.7.4
gowitness.vm|2.5.1.20240112
group3r.vm|1.0.59
hashcat.vm|6.2.6.20240410
hasher.vm|2.0.0.20240411
hashmyfiles.vm|0.0.0.20240411
hayabusa.vm|2.11.0.20240411
hollowshunter.vm|0.3.9.20240411
hxd.vm|2.5.0.20230925
ida.diaphora.vm|3.2.0
ida.plugin.capa.vm|7.0.1.20240425
ida.plugin.comida.vm|0.0.0.20240507
ida.plugin.dereferencing.vm|0.0.0.20240430
ida.plugin.flare.vm|0.0.0.20240513
ida.plugin.hashdb.vm|1.9.0
ida.plugin.ifl.vm|1.4.4
ida.plugin.lighthouse.vm|0.0.0.20240507
ida.plugin.sigmaker.vm|1.0.2
idafree.vm|8.3.0.20240325
idr.vm|0.0.0.20230627
ifpstools.vm|2.0.2.20240411
ilspy.vm|8.2.0
imhex.vm|1.33.2
innoextract.vm|1.9.0.20240411
innounp.vm|0.50.0.20230710
installer.vm|0.0.0.20240402
internal-monologue.vm|0.0.0.20240412
inveigh.vm|2.0.10.20240411
invokedosfuscation.vm|1.0.0.20240412
invokeobfuscation.vm|1.8.2.20240412
isd.vm|1.5.0.20240217
jlecmd.vm|1.5.0.20240411
js-deobfuscator.vm|0.0.0.20240516
juicypotato.vm|0.1.0
jumplist_explorer.vm|2.0.0.20240411
keethief.vm|0.0.0.20240412
kerbrute.vm|1.0.3
kernel-ost-viewer.vm|21.1.0
kernel-outlook-pst-viewer.vm|20.3.0
ldapnomnom.vm|1.2.0
lecmd.vm|1.5.0.20240411
libraries.python3.vm|0.0.0.20240425
logfileparser.vm|2.0.0.20240411
magika.vm|0.5.1
mailsniper.vm|0.0.0.20230712
malware-jail.vm|0.0.0.20240419
map.vm|0.0.0.20240416
memprocfs.vm|5.9.4.20240411
merlin.vm|2.1.3
metasploit.vm|6.3.30.20230811
mfasweep.vm|0.0.0.20230710
mft_explorer.vm|2.0.0.20240411
mftecmd.vm|1.2.2.20240411
microburst.vm|0.0.0.20240412
microsoft-windows-terminal.vm|1.19.10302.20240217
mimikatz.vm|2.2.0
minidump.vm|0.0.0.20230711
nanodump.vm|0.0.0.20240412
nasm.vm|2.16.3
netcat.vm|1.12.0
netgpppassword.vm|1.0.0
net-reactor-slayer.vm|6.4.0.20230621
networkminer.vm|2.8.1.20240411
nmap.vm|7.93.20230418.20240102
nodejs.vm|0.0.0.20240516
notepadplusplus.vm|8.6.5
notepadpp.plugin.compare.vm|2.0.2
notepadpp.plugin.jstool.vm|1.2312.0
notepadpp.plugin.xmltools.vm|3.1.1.20231219
npcap.vm|1.73.0
obfuscator-io-deobfuscator.vm|0.0.0.20240514
offvis.vm|1.0.0.20240411
ollydbg.ollydumpex.vm|1.80.0
ollydbg.plugin.ollydumpex.vm|1.80.0
ollydbg.plugin.scyllahide.vm|0.0.0.20230210
ollydbg.scyllahide.vm|0.0.0.20230210
ollydbg.vm|1.10.0.20230418
ollydbg2.ollydumpex.vm|1.80.0
ollydbg2.plugin.ollydumpex.vm|1.80.0
ollydbg2.plugin.scyllahide.vm|0.0.0.20230210
ollydbg2.scyllahide.vm|0.0.0.20230210
ollydbg2.vm|2.1.0.20230418
onenoteanalyzer.vm|0.0.0.20240226
openjdk.vm|0.0.0.20240202
openvpn.vm|2.6.10
outflank-c2-tool-collection.vm|0.0.0.20240412
payloadsallthethings.vm|0.0.0.20240412
pdbresym.vm|1.3.4
pdbs.pdbresym.vm|0.0.0.20240417
pdfstreamdumper.vm|0.9.634.20240226
peanatomist.vm|0.2.11931.20240411
pebear.vm|0.6.7.20240208
pecmd.vm|1.5.0.20240411
peid.vm|0.95.0.20240411
pesieve.vm|0.3.9.20240305
pestudio.vm|9.58.0.20240411
petitpotam.vm|0.0.0.20240412
pkg-unpacker.vm|1.0.0.20240419
pma-labs.vm|0.0.0.20240411
powercat.vm|0.0.0.20240217
powermad.vm|0.0.0.20240412
powersploit.vm|0.0.0.20240412
powerupsql.vm|0.0.0.20240412
powerzure.vm|0.0.0.20240412
procdot.vm|1.22.57
processdump.vm|2.1.1.20240217
psnotify.vm|0.2.4.20231020
putty.vm|0.81.0
python3.vm|0.0.0.20231019
rbcmd.vm|1.5.0.20240411
recentfilecacheparser.vm|1.5.0.20240411
recmd.vm|2.0.0.20240507
reg_export.vm|1.3.0.20240217
regcool.vm|2.0.0.20240408
registry_explorer.vm|2.0.0.20240411
regshot.vm|1.9.1.20240411
resourcehacker.vm|0.0.0.20240423
rla.vm|2.0.0.20240507
routesixtysink.vm|0.0.0.20240412
rpcview.vm|0.3.1.20240411
rubeus.vm|2.3.1.20240412
rundotnetdll.vm|2.2.0.20240411
safetykatz.vm|0.0.0.20240412
sbecmd.vm|2.0.0.20240411
scdbg.vm|0.0.0.20240411
sclauncher.vm|0.0.5
sclauncher64.vm|0.0.5
sdb_explorer.vm|2.0.0.20240411
seatbelt.vm|1.2.0.20240412
seclists.vm|2024.1.0.20240412
setdllcharacteristics.vm|0.0.1.20240411
sfextract.vm|2.1.0
sharpcliphistory.vm|1.0.0
sharpdpapi.vm|1.11.3.20240412
sharpdump.vm|0.0.0.20240412
sharpexec.vm|0.0.0.20240412
sharphound.vm|2.4.1
sharplaps.vm|1.1.0
sharpsecdump.vm|0.0.0.20240412
sharpup.vm|0.0.0.20240412
sharpview.vm|0.0.0.20240412
sharpwmi.vm|0.0.0.20240412
shellbags_explorer.vm|2.0.0.20240411
shellcode_launcher.vm|0.0.0.20240217
situational-awareness-bof.vm|0.0.0.20240412
sliver.vm|1.5.42
snaffler.vm|1.0.150
spoolsample.vm|0.0.0.20240412
sqlecmd.vm|1.0.0.20240411
sqlitebrowser.vm|3.12.2
sqlrecon.vm|3.3.0
srumecmd.vm|0.5.1.20240411
statistically-likely-usernames.vm|0.0.0.20240412
stracciatella.vm|0.7.0.20240412
streamdivert.vm|1.1.0.20240411
sumecmd.vm|0.5.2.20240411
sysinternals.vm|0.0.0.20240306
systeminformer.vm|3.0.7353.20240411
syswhispers2.vm|0.0.0.20240412
syswhispers3.vm|0.0.0.20240412
teamfiltration.vm|3.5.0.20240411
telnet.vm|0.0.0.20230317
testdisk.vm|7.2.0
timeline_explorer.vm|2.0.0.20240507
tor-browser.vm|13.0.14
total-registry.vm|0.9.7.20240228
truestedsec-remote-ops-bof.vm|0.0.0.20240412
unhook-bof.vm|0.0.0.20240412
uniextract2.vm|2.0.0.20240411
upx.vm|4.2.3.20240411
vbdec.vm|1.0.917.20240217
vcbuildtools.vm|0.0.0.20240217
vcredist140.vm|0.0.0.20231019
visualstudio.vm|17.6.1.20240217
vnc-viewer.vm|7.7.0
vscmount.vm|1.5.0.20240411
vscode.vm|1.85.2.20240507
whisker.vm|0.0.0.20240412
windbg.vm|0.0.0
windows-terminal.vm|1.19.10573.20240402
windump.vm|0.3.0
winscp.vm|6.1.1
wireshark.vm|4.2.4
wmimplant.vm|0.0.0.20240125
wxtcmd.vm|1.0.0.20240411
x64dbg.dbgchild.vm|10.0.0
x64dbg.ollydumpex.vm|1.80.0
x64dbg.plugin.dbgchild.vm|10.0.0
x64dbg.plugin.ollydumpex.vm|1.80.0
x64dbg.plugin.scyllahide.vm|1.4.0
x64dbg.plugin.x64dbgpy.vm|1.0.59.20240124
x64dbg.scyllahide.vm|1.4.0
x64dbg.vm|2024.1.6.20240123
x64dbgpy.vm|1.0.59.20240124
yara.vm|4.5.0

Installing Microsoft Office 2019 Using Chocolatey

Office is needed to open and step through malicious documents (VBA macros, embedded objects), so install it now, before taking the baseline snapshot.

choco install microsoft-office-deployment

Installing WinMerge

I also came across WinMerge, a great tool for diffing two files or directories, which is handy for comparing a sample before and after unpacking, or a registry export taken before and after running it.

https://winmerge.org/?lang=en

Being Happy

Once everything is downloaded and installed, you should be happy, but to add more happiness, take a fresh snapshot of the VM and keep it as your clean baseline, because you will roll back to it every time you finish an analysis. Take it only after the reboots have finished and with no sample on the machine yet; anything that is in the snapshot is in every future analysis session.

Downloading REMnux

Similarly, download the REMnux virtual appliance (OVA) from the link below, import it into your hypervisor and bring it up to date with the two commands that follow: remnux upgrade moves the distro to the latest REMnux release, and remnux update refreshes the installed tools.

https://remnux.org/

remnux upgrade

remnux update

If either command fails part-way (typically a half-installed package), run the following and then retry.

sudo apt update
sudo apt autoremove
sudo apt --fix-broken install

Configuring Both Machines

Once we have both OSes installed and updated, we put both VMs on the same HOST-ONLY network and only then take the fresh snapshot, so that the baseline we roll back to is already isolated. On a host-only network the two guests can talk to each other but have no route to the internet, which is what we want: a sample must not be able to phone home or spread, and we do not want to compromise the host. Bear in mind that host-only is not host-less: the host keeps an interface on that segment, so keep the host firewall on and do not expose services on that adapter.

Then, take the current IP address of REMnux (ip addr on REMnux) and set it as the DNS server on the Windows VM's adapter. The point is that every DNS query a sample makes now lands on REMnux, where fakedns or INetSim can answer it with REMnux's own address and capture whatever the sample tries to send next.

Finally, verify the setup: the DNS server on the Windows adapter should be the REMnux IP, REMnux should be reachable, there should be no default route out of the VM, and a test name should resolve to REMnux while fakedns or INetSim is running there.
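The following script, an added example rather than something from the course, does the DNS change and the four verification steps from the Windows VM in one go. The REMnux address 192.168.56.101 and the test name example.com are assumptions; substitute the address your REMnux actually got on the host-only network.

```powershell
# Added example, not from the course: point the Windows VM's DNS at REMnux and
# verify the two-VM lab is isolated. Save as Set-LabDns.ps1 and run it from an
# elevated prompt. $RemnuxIp is an assumed value; read the real one from
# `ip addr` on REMnux. $TestName is any hostname; it only proves that DNS
# queries now land on REMnux (where fakedns or INetSim answers them).
param(
    [string]$RemnuxIp = '192.168.56.101',
    [string]$TestName = 'example.com'
)

# The lab VM should have exactly one live NIC, the host-only one
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
if (-not $adapter) { throw 'No active network adapter: attach the host-only adapter first' }

# 1. Point DNS at REMnux (the manual equivalent is the adapter's IPv4 properties)
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $RemnuxIp
$dns = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
"DNS on '$($adapter.Name)': $($dns -join ', ')"

# 2. REMnux must be reachable over the host-only segment
if (Test-Connection -ComputerName $RemnuxIp -Count 1 -Quiet) {
    "REMnux $RemnuxIp is reachable"
} else {
    Write-Warning "Cannot reach $RemnuxIp: put both VMs on the same host-only network"
}

# 3. A default route means the VM can still reach the internet, i.e. it is NOT isolated
$default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($default) {
    Write-Warning "Default route via $($default.NextHop -join ', ') exists; sample traffic may leave the lab"
} else {
    'No default route: nothing from this VM can reach the internet directly'
}

# 4. Resolve a name through REMnux; with fakedns/INetSim running the answer is REMnux's own IP
try {
    $answer = Resolve-DnsName -Name $TestName -Server $RemnuxIp -Type A -DnsOnly -ErrorAction Stop
    "$TestName -> $($answer.IPAddress -join ', ') (answered by $RemnuxIp)"
} catch {
    Write-Warning "No answer from $RemnuxIp for $TestName: start fakedns or INetSim on REMnux and retry"
}
```

Step 4 is the one that proves the redirection works: if the name resolves to the REMnux address, any sample you detonate afterwards will be talking to REMnux instead of its real C2, and you can watch the conversation in Wireshark or the INetSim logs. Run the script again after every rollback if you ever change the REMnux address.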

That’s all and now we are good to rock and roll.