Malware Analysis Lab



⚠️ Disclaimer — Read This First

This repository is for educational and student purposes only. It documents my own self-directed study of malware analysis.

The labs here involve handling live, harmful malware samples. This work must be carried out responsibly, inside a fully isolated environment, by someone who understands what they are doing. If you do not already have a working knowledge of malware analysis and safe sample handling, do not follow this lab; please skip it. This is non-negotiable.

I accept no responsibility for any misuse of the information, techniques, or scripts in this repository, or for any damage, data loss, or infection resulting from following it.

I am based in and operate solely under the laws of New Zealand. I make no claim as to the legality of these activities anywhere else. You alone are responsible for ensuring your own compliance with the laws of your jurisdiction.

For more information, please visit:

  1. https://www.giac.org/paper/gsec/4001/zealand-information-technology-security-legislation/106400
  2. https://www.police.govt.nz/advice-services/cybercrime-and-internet/cybercrime

Self-directed malware analysis study based on Practical Malware Analysis (Sikorski & Honig) and Evasive Malware (Cucci, 2024). All labs are conducted in an isolated VirtualBox environment following safe handling practices.


Author: Emilio Mardones (@Ofendor) — Network Engineering graduate & cybersecurity practitioner, Auckland NZ.

My goal across this lab series is to build practical competency in threat intelligence, incident response, and reverse engineering by documenting every step of a real, repeatable malware analysis workflow — from building a contained environment to acquiring, fingerprinting, and analysing live samples.


Lab Index

| # | Lab | Category | Tools | Status |
|---|-----|----------|-------|--------|
| 01a | Lab Setup & Safe Analysis Environment | Setup | VirtualBox, Windows LTSC, REMnux | |
| 01b | FLARE-VM Troubleshooting Log | Troubleshooting | Chocolatey, Python, DISM | |
| 02a | Sample Acquisition | Acquisition | 7-Zip, unrar, Linux | |
| 02b | Hash Verification & Threat Intelligence | Static | PEview, strings, VirusTotal | |
| 02c | SIEM Integration & NAT Simulation | Infrastructure | Wazuh SIEM, INetSim, DNSChef | |
| 03 | Static Analysis — String Extraction | Static | strings, FLOSS | 🔄 |
| 04 | Behaviour Analysis | Dynamic | Process Monitor, Wireshark, x64dbg | 🔄 |

Environment

The lab runs across four isolated virtual machines on a single Windows host. Static and dynamic analysis are deliberately separated to prevent cross-contamination between clean inspection work and live malware execution.

| VM | OS | Role |
|----|----|------|
| Static-Wind10-FLARE | Windows 10 Enterprise LTSC 2021 | Static analysis workstation |
| Dynamic-Wind10-FLARE | Windows 10 Enterprise LTSC 2021 | Malware detonation target |
| Analyst-REMnux | REMnux Linux | Network gateway + Linux tooling |
| Support-Kali | Kali Linux | Optional supplementary tools |

The Windows VMs reach REMnux through an internal-only network (malware-lab), with no route to the host or the internet. REMnux runs INetSim and DNSChef to simulate internet services, so samples believe they are online while remaining fully contained. A Wazuh SIEM provides centralised detection and telemetry across the analysis hosts.
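A pre-flight containment check for the gateway described above, as an added example (not the repository's own start-lab.sh): it refuses to start INetSim and DNSChef unless the REMnux routing table has no default route, every route is bound to the lab interface, and IP forwarding is off. The interface name eth1, the address 10.0.0.1 and the INetSim config path are assumptions; adjust them to your lab.

```shell
#!/bin/sh
# Pre-flight containment check for the REMnux gateway, run before INetSim
# and DNSChef are started. Added example; not the repository's start-lab.sh.
# Assumed values: the internal-only "malware-lab" network sits on eth1 and
# REMnux holds 10.0.0.1 on it.
LAB_IF="${LAB_IF:-eth1}"
LAB_IP="${LAB_IP:-10.0.0.1}"
INETSIM_CONF="${INETSIM_CONF:-/etc/inetsim/inetsim.conf}"

# Reads `ip route` output on stdin. Succeeds only if there is no default
# route and every route is bound to the lab interface, i.e. the gateway
# has no path to the host or to the internet.
routes_are_contained() {
    awk -v lab_if="$LAB_IF" '
        NF == 0 { next }
        /^default/ { bad = 1 }
        {
            on_lab = 0
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == lab_if) on_lab = 1
            if (!on_lab) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# $1 is the contents of /proc/sys/net/ipv4/ip_forward. REMnux must not
# forward packets between interfaces; it only answers as the fake internet.
forwarding_disabled() {
    [ "${1:-1}" = "0" ]
}

main() {
    ip route | routes_are_contained \
        || { echo "abort: default route or non-lab route present" >&2; exit 1; }
    forwarding_disabled "$(cat /proc/sys/net/ipv4/ip_forward)" \
        || { echo "abort: IP forwarding is enabled" >&2; exit 1; }
    # Checks passed: bind the fake services to the lab address only.
    # INetSim's own DNS module is assumed disabled in its config so that
    # DNSChef answers every lookup with the REMnux address.
    inetsim --bind-address "$LAB_IP" --conf "$INETSIM_CONF" &
    exec dnschef --fakeip "$LAB_IP" --interface "$LAB_IP" -q
}

# Run the checks and start the services only when explicitly requested.
if [ "${LAB_START:-0}" = "1" ]; then main; fi
```

Invoke with `LAB_START=1 sh containment-check.sh` on REMnux; the functions can also be sourced and run against saved `ip route` output when reviewing a snapshot.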


Repository Structure

malware-analysis-lab/
├── README.md
├── lab-01-setup/
│   ├── images/                              # screenshots referenced by the notes
│   ├── lab-01-setup-notes.md                # 01a — environment design & hardening
│   └── lab-02-troubleshooting-log.md        # 01b — FLARE-VM install troubleshooting
└── lab-02-basic-static-analysis/
    ├── images/
    ├── linux/                               # Wazuh agent install (Linux)
    │   └── 1-install-agent.sh
    ├── windows-scripts/                     # Wazuh agent install/config (Windows)
    │   ├── 1-install-agent.ps1
    │   ├── 2-configure-agent.ps1
    │   ├── 3-verify-agent.ps1
    │   ├── 4-install-ssh-temporary.ps1
    │   └── 5-remove-ssh-temporary.ps1
    ├── start-lab.sh                          # REMnux INetSim + DNSChef startup helper
    ├── 01-lab-02-sample-acquisition.md       # 02a
    ├── 02-lab-02-hash-verification.md        # 02b
    └── 03-lab-02-siem-integration-and-NAT-simulation.md   # 02c

Safe Handling & Scope

These labs are educational and conducted under strict containment. Core operating rules:

  • No malware ever touches the host machine, under any circumstances.
  • Samples are sourced only from recognised research repositories (Sikorski PMA lab files, MalwareBazaar, VirusShare).
  • The dynamic VM is reverted to a clean snapshot after every detonation session.
  • The analysis network is internal-only — no NAT, no host bridge, no external route during analysis.
  • Work follows guidance aligned with NIST and ISO security practices and New Zealand legal/compliance frameworks.

References


⚠️ This repository documents defensive analysis of malware in an isolated lab. No malicious binaries are hosted here. All samples are referenced by hash, not distributed.
