As a reverse engineer on the FLARE Team I rely on a customized
Virtual Machine (VM) to perform malware analysis. The Virtual Machine
is a Windows installation with numerous tweaks and tools to aid my
analysis. Unfortunately trying to maintain a custom VM like this is
very laborious: tools frequently get out of date and it is hard to
change or add new things. There is also a constant fear that if the VM
gets corrupted it would be super tedious to replicate all of the
settings and tools that I’ve built up over the years. To address this
and many related challenges, I have developed a standardized (but
easily customizable) Windows-based security distribution called FLARE VM.
FLARE VM is a freely available and open sourced Windows-based
security distribution designed for reverse engineers, malware
analysts, incident responders, forensicators, and penetration testers.
Inspired by open-source Linux-based security distributions like Kali
Linux, REMnux and others, FLARE VM delivers a fully configured
platform with a comprehensive collection of Windows security tools
such as debuggers, disassemblers, decompilers, static and dynamic
analysis utilities, network analysis and manipulation, web assessment,
exploitation, vulnerability assessment applications, and many others.
The distribution also includes the FLARE team’s public malware
analysis tools such as FLOSS and FakeNet-NG.
You are expected to have an existing installation of Windows 7 or
above. This allows you to choose the exact Windows version, patch
level, architecture and virtualization environment yourself.
Once you have that available, you can quickly deploy the FLARE VM
environment by visiting the following URL in Internet Explorer
(other browsers are not going to work):
href="http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1" target="_blank">
http://boxstarter.org/package/url?
https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1
After you navigate to the above URL in the Internet Explorer, you
will be presented with a Boxstarter WebLauncher dialog. Select
Run to continue the installation as illustrated in Figure 1.
Figure 1: FLARE VM Installation
Following successful installation of Boxstarter WebLauncher, you
will be presented with a console window and one more prompt to enter
your Windows password as shown in Figure 2. Your Windows password is
necessary to restart the machine several times during the installation
without prompting you to login every time.
Figure 2: Boxstarter Password Prompt
The rest of the process is fully automated, so prepare yourself a
cup of coffee or tea. Depending on your connection speed, the initial
installation takes about 30-40 minutes. Your machine will also reboot
several times due to the numerous software installation’s
requirements. During the deployment process, you will see installation
logs of a number of packages.
Once the installation is complete, it is highly recommended to
switch the Virtual Machine networking settings to Host-Only mode so
that malware samples would not accidentally connect to the Internet or
local network. Also, take a fresh virtual machine snapshot so this
clean state is saved! The final FLARE VM installation should look like
Figure 3.
Figure 3: FLARE VM installation
NOTE: If you encounter a large number of error messages, try to
simply restart the installation. All of the existing packages will be
preserved and new packages will be installed.
The VM configuration and the included tools were either developed or
carefully selected by the members of the FLARE team who have been
reverse engineering malware, analyzing exploits and vulnerabilities,
and teaching malware analysis classes for over a decade. All of the
tools are organized in the directory structure shown in Figure 4.
Figure 4: FLARE VM Tools
While we attempt to make the tools available as a shortcut in the
FLARE folder, there are several available from command-line only.
Please see the online documentation at href="http://flarevm.info/">http://flarevm.info for the most up to
date list.
In order to best illustrate how FLARE VM can assist in malware
analysis tasks let’s perform a basic analysis on one of the samples we
use in our Malware Analysis Crash Course.
First, let’s obtain some basic indicators by looking at the strings
in the binary. For this exercise, we are going to run FLARE’s own
FLOSS tool, which is a strings utility on steroids. Visit href="http://flosseveryday.info/">http://flosseveryday.info for
additional information about the tool. You can launch it by clicking
on the FLOSS icon in the taskbar and running it against the sample as
illustrated in Figure 5.
Figure 5: Running FLOSS
Unfortunately, looking over the resulting strings in Figure 6 only
one string really stands out and it is not clear how it is used.
Figure 6: Strings Analysis
Let’s dig a bit more into the binary by opening up CFF Explorer in
order to analyze sample’s imports, resources, and PE header structure.
CFF Explorer and a number of other utilities are available in the
FLARE folder that can be accessed from the Desktop or the Start menu
as illustrated in Figure 7.
Figure 7: Opening Utilities
While analyzing the PE header, there were several indicators that
the binary contains a resource object with an additional payload. For
example, the Import Address Table contained relevant Windows API calls
such as LoadResource, FindResource and finally WinExec. Unfortunately,
as you can see in Figure 8 the embedded payload “BIN” contains junk so
it is likely encrypted.
Figure 8: PE Resource
At this point, we could continue the static analysis or we could
“cheat” a bit by switching over to basic dynamic analysis techniques.
Let’s attempt to quickly gather basic indicators by using another
FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network
emulation tool which tricks malware into revealing its network
functionality by presenting it with fake services such as DNS, HTTP,
FTP, IRC and many others. Please visit href="http://fakenet.info/">http://fakenet.info for additional
information about the tool.
Also, let’s launch Procmon from Sysinternals Suite in order to
monitor all of the File, Registry and Windows API activity as well.
You can find both of these frequently used tools in the taskbar
illustrated in Figure 9.
Figure 9: Dynamic Analysis
After executing the sample with Administrator privileges, we quickly
find excellent network- and host–based indicators. Figure 10 shows
FakeNet-NG responding to malware’s attempt to communicate with
evil.mandiant.com using HTTP protocol. Here we capture useful
indicators such as a complete HTTP header, URL and a potentially
unique User-Agent string. Also, notice that FakeNet-NG is capable of
identifying the exact process communicating which is
level1_payload.exe. This process name corresponds to the unique
string that we have identified in the static analysis, but couldn’t
understand how it was used.
Figure 10: FakeNet-NG
Comparing our findings with the output of Procmon in Figure 11, we
can confirm that the malware is indeed responsible for creating
level1_payload.exe executable in the system32 folder.
Figure 11: Procmon
As part of the malware analysis process, we could continue digging
deeper by loading the sample in a disassembler and performing further
analysis inside a debugger. However, I would not want to spoil this
fun for our Malware Analysis Crash Course students by sharing all the
answers here. That said all of the relevant tools to perform such
analysis are already included in the distribution such as IDA Pro and
Binary Ninja disassemblers, a nice collection of debuggers and several
plugins, and many others to make your reverse engineering tasks as
convenient as possible.
FLARE VM is a constantly growing and changing project. While we try
to cover as many use-case scenarios as possible it is simply
impossible due to the nature of the project. Luckily, FLARE VM is
extremely easy to customize because it was built on top of the
Chocolatey project. Chocolatey is a Windows-based package management
system with thousands of packages. You can find the list here: href="https://chocolatey.org/packages">https://chocolatey.org/packages.
In addition to the public Chocolatey repository, FLARE VM uses our own
FLARE repository which constantly growing and currently contains about
40 packages.
What all this means is that if you want to quickly add some package,
let’s say Firefox, you no longer have to navigate to the software
developer’s website. Simply open up a console and type in the command
in Figure 12 to automatically download and install any package:
Figure 12: Installing packages
In a few short moments, Firefox icon is going to appear on your
Desktop with no user interaction necessary.
As I’ve mentioned in the beginning, one of the hardest challenges of
unmanaged Virtual Machine is trying to keep all the tools up to date.
FLARE VM solves this problem. You can completely update the entire
system by simply running the command in Figure 13.
Figure 13: Staying up to date
If any of the installed packages have newer versions, they will be
automatically downloaded and installed.
NOTE: Don’t forget to take another clean snapshot of an updated
system and set networking back to Host-Only.
I hope you enjoy this new free tool and will adopt it as another
trusted resource to perform reverse engineering and malware analysis
tasks. Next time you need to set up a new malware analysis
environment, try out FLARE VM!
In these few pages, we could only scratch the surface of everything
that FLARE VM is capable of; however, feel free to leave your
comments, tool requests, and bugs on our Github issues page here: href="https://github.com/fireeye/flare-vm">https://github.com/fireeye/flare-vm
or http://flarevm.info/.