mwieburg/Malware-Analysis-Lab
Malware-Analysis-Lab

This project was completed to establish an isolated environment for analyzing malware from various sources used during the exploitation phase of the cyber kill chain. The lab consists of 2 virtual machines running on isolated virtual interfaces in Proxmox. Segmentation of the malware analysis VMs is managed by a pfSense firewall, which controls communication between the lab VMs and other machines when malware is detonated.

Flare-VM: Windows Malware Analysis VM

The Windows VM for malware analysis was created using Proxmox virtualization software. To set up the Flare-VM environment in my Proxmox Windows 10 VM, the main GitHub page was followed to install the tools for malware analysis and reverse engineering (https://github.com/mandiant/flare-vm).

Following Proxmox's Windows 10 guest best-practices recommendations, the Win10 VM was tuned for performance (https://pve.proxmox.com/wiki/Windows_10_guest_best_practices).

Windows 10 VM virtual specs on the Proxmox server:

[screenshot]

Clean snapshot of the VM to revert to after malware detonation:

[screenshot]

Flare-VM setup with available tools for malware analysis:

[four screenshots]

REMnux: Linux Malware Analysis VM

REMnux is a Linux distribution for malware analysis that can be used for reverse engineering and studying malware designed to exploit Linux OS environments. To install the OVA image as a new VM on my Proxmox server, I followed the steps provided on the REMnux.org setup page (https://docs.remnux.org/install-distro/get-virtual-appliance).

REMnux VM specs on the Proxmox server, with a clean-state snapshot for reverting after malware analysis:

[two screenshots]

REMnux image running on the Proxmox server with malware analysis tools:

[two screenshots]

pfSense

Communication into and out of the malware analysis VMs is managed by pfSense, which restricts the VMs to communicating only with devices within their virtual interface's IP range. This prevents the malware analysis VMs from reaching other VMs once malware is detonated and analysis begins.

pfSense VM setup on the Proxmox server. The malware analysis labs are segmented onto a separate network via the virtual Linux bridge VMBR1:

[screenshot: pfSense VM configuration]

[screenshot: pfSense dashboard]

Firewall rules restricting the malware analysis labs from communicating with machines outside of their subnet:

[screenshot]
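As an added illustration (not code from this repository), the following Python models how pfSense evaluates the rules on the lab interface: top-down, first match wins, with a hidden default-deny for anything unmatched. It encodes a rule set equivalent to the one described above (allow the lab subnet to talk to itself, block everything else) and contrasts it with the common mistake of leaving the stock "allow to any" rule above it. The subnet and host addresses are constructed placeholders, since the README does not show the real ones.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addressing; the README does not show the lab's real subnets.
LAB_NET = ipaddress.ip_network("10.66.0.0/24")      # subnet behind vmbr1 (Flare-VM, REMnux)
ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_HOSTS = ["192.168.1.10", "192.168.1.1", "8.8.8.8"]  # other VM, router, internet


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    note: str = ""


# Rules on the lab interface, listed in the order pfSense displays them.
LAB_RULES = [
    Rule("pass", LAB_NET, LAB_NET, "lab VMs may talk to each other"),
    Rule("block", LAB_NET, ANY, "anything else leaving the lab is dropped"),
]

# The same rules with the stock "allow to any" rule left above them: a common mistake.
MISORDERED_RULES = [Rule("pass", LAB_NET, ANY, "default allow left in place")] + LAB_RULES


def evaluate(rules, src_ip, dst_ip):
    """Apply pfSense interface-rule semantics: top-down, first match wins,
    and traffic matching no rule hits the hidden default-deny rule.
    Returns (action, note)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action, rule.note
    return "block", "implicit default deny"


def lab_is_isolated(rules, lab_ip="10.66.0.20"):
    """True when lab-to-lab traffic passes but no representative
    destination outside LAB_NET is passed."""
    leaks = [h for h in OUTSIDE_HOSTS if evaluate(rules, lab_ip, h)[0] == "pass"]
    intra = evaluate(rules, lab_ip, "10.66.0.30")[0] == "pass"
    return intra and not leaks


if __name__ == "__main__":
    for name, rules in (("LAB_RULES", LAB_RULES), ("MISORDERED_RULES", MISORDERED_RULES)):
        print(name, "isolated:", lab_is_isolated(rules))
        for h in OUTSIDE_HOSTS:
            print("  10.66.0.20 ->", h, evaluate(rules, "10.66.0.20", h))
```

The ordering check matters because pfSense is first-match, unlike raw pf's last-match default, so a permissive rule above the block rule silently undoes the segmentation.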
