How I build the malware analysis and reverse engineering Flare VM
Though everything is well documented in their GitHub repo (https://github.com/mandiant/flare-vm), but still I want to make it as the step by step guide so that if anyone has trouble while reading the GitHub instruction, they can read this writeup to fire up the vm with a sure shot.
Flare vm is designed for reverse engineer’s who are looking for a curated malware analysis and reverse engineering tools.
So let’s get started.
- First of all, you need to prepare a windows 10 or greater vm. As per their docs flare vm should only work on vm. Not physical machine. There are plenty of tutorial available in YouTube how to make windows 10 vm. Please watch any of those.
https://www.microsoft.com/en-us/software-download/windows10
From the above link you can create windows 10 iso file. - When your windows 10 setup is done, then at the time of providing username, make sure username does not contain any space or any special character. For example, correct usernames: mahim or avi or flare. wrong username: flare vm. Username requires administrative privileges; don’t worry your created user will be automatically put into the Administrators group.
- Powershell version required 5 or above. Latest windows already have version 5 or above. You can still check it using $psversiontable command in powershell session.
- We have assigned disk space as 300 GB because you may need to take snapshots often. Also we have assigned ram as 8 GB and cpu core 4 for smooth performance.
- You must have internet connection on that vm. Once the vm is installed you should set the network settings as host only. This is recommended.
- Temper protection, anti-malware, real time protection should be turned off. Windows update should be disabled. We will discuss more on this soon.
Now let’s first see how we can disable windows update via group policy which is the effective way to do this:
- Click on the start buttion and type gpedit.msc this will launch local group policy editor.
- Navigate to the following path: Computer Configuration > Administrative Templates > Windows Components > Windows Update
- Double-click the Configure Automatic Updates policy on the right side and Disable the configuration.
This is the only thing that you need to do for disabling windows update.
Now you need to disable windows defender permanently.
- Open resource monitor (resmon.exe) and look for MsMpEng.exe
Right click and suspend the process. Please note, when I do this then my VM got stuck for infinity and did not come back. I had to power off my vm forcibly. After that I found that this process not running.
2. Now click on start menu and type windows security.
Turn off real time protection and tamper protection.
3. Now we need to permanently disable defender and real time protection as told earlier.
Now you are all set to go.
Main part:
Now open poweshell with administrator privilege and run the below commands one by one.
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")In your Desktop the install.ps1 script will be downloaded.- Unblock the script:
Unblock-File .\install.ps1 - Enable script execution:
Set-ExecutionPolicy Unrestricted -Force - Finally, execute the installer script as follow:
.\install.ps1
After a while this script will ask you to provide the user password. Provide the password and get a cup of coffee. It will also pop up with a list of tools that you want to customize or not. I kept the default by hitting ok. It will take some time may be 2 hours +.
During this time your system will reboot multiple times and resume to complete its pending script installation tasks.
Once the install has finished just enter to exit out from the session. You should see something like the above image. Now edit the network setting and make it host only.
Thanks. I hope you like this write up. Next we will see how we can utilize this vm in our malware analysis and reverse engineering tasks. Please subscribe below and share it with your network.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/
YouTube:
