This repository is for educational and student purposes only. It documents my own self-directed study of malware analysis.
The labs here involve handling live, harmful malware samples. This work must be carried out responsibly, inside a fully isolated environment, by someone who understands what they are doing. If you do not already have a working knowledge of malware analysis and safe sample handling, do not follow this lab; skip it. This is non-negotiable.
I accept no responsibility for any misuse of the information, techniques, or scripts in this repository, or for any damage, data loss, or infection resulting from following it.
I am based in and operate solely under the laws of New Zealand. I make no claim as to the legality of these activities anywhere else. You alone are responsible for ensuring your own compliance with the laws of your jurisdiction.
For more information, please visit:
Self-directed malware analysis study based on Practical Malware Analysis (Sikorski & Honig) and Evasive Malware (Cucci, 2024). All labs are conducted in an isolated VirtualBox environment following safe handling practices.
Author: Emilio Mardones (@Ofendor) — Network Engineering graduate & cybersecurity practitioner, Auckland NZ.
My goal across this lab series is to build practical competency in threat intelligence, incident response, and reverse engineering by documenting every step of a real, repeatable malware analysis workflow — from building a contained environment to acquiring, fingerprinting, and analysing live samples.
| # | Lab | Category | Tools | Status |
|---|---|---|---|---|
| 01a | Lab Setup & Safe Analysis Environment | Setup | VirtualBox, Windows LTSC, REMnux | ✅ |
| 01b | FLARE-VM Troubleshooting Log | Troubleshooting | Chocolatey, Python, DISM | ✅ |
| 02a | Sample Acquisition | Acquisition | 7-Zip, unrar, Linux | ✅ |
| 02b | Hash Verification & Threat Intelligence | Static | PEview, strings, VirusTotal | ✅ |
| 02c | SIEM Integration & NAT Simulation | Infrastructure | Wazuh SIEM, INetSim, DNSChef | ✅ |
| 03 | Static Analysis — String Extraction | Static | strings, FLOSS | 🔄 |
| 04 | Behaviour Analysis | Dynamic | Process Monitor, Wireshark, x64dbg | 🔄 |
The lab runs across four isolated virtual machines on a single Windows host. Static and dynamic analysis are deliberately separated to prevent cross-contamination between clean inspection work and live malware execution.
| VM | OS | Role |
|---|---|---|
| Static-Wind10-FLARE | Windows 10 Enterprise LTSC 2021 | Static analysis workstation |
| Dynamic-Wind10-FLARE | Windows 10 Enterprise LTSC 2021 | Malware detonation target |
| Analyst-REMnux | REMnux Linux | Network gateway + Linux tooling |
| Support-Kali | Kali Linux | Optional supplementary tools |
The Windows VMs reach REMnux only through a VirtualBox internal network (malware-lab) that has no route to the host or the internet. REMnux runs INetSim and DNSChef on that network to answer DNS, HTTP and other service requests, so samples behave as if they are online while every connection terminates inside the lab. A Wazuh SIEM provides centralised detection and telemetry across the analysis hosts.
```text
malware-analysis-lab/
├── README.md
├── lab-01-setup/
│   ├── images/                                        # screenshots referenced by the notes
│   ├── lab-01-setup-notes.md                          # 01a — environment design & hardening
│   └── lab-02-troubleshooting-log.md                  # 01b — FLARE-VM install troubleshooting
└── lab-02-basic-static-analysis/
    ├── images/
    ├── linux/                                         # Wazuh agent install (Linux)
    │   └── 1-install-agent.sh
    ├── windows-scripts/                               # Wazuh agent install/config (Windows)
    │   ├── 1-install-agent.ps1
    │   ├── 2-configure-agent.ps1
    │   ├── 3-verify-agent.ps1
    │   ├── 4-install-ssh-temporary.ps1
    │   └── 5-remove-ssh-temporary.ps1
    ├── start-lab.sh                                   # REMnux INetSim + DNSChef startup helper
    ├── 01-lab-02-sample-acquisition.md                # 02a
    ├── 02-lab-02-hash-verification.md                 # 02b
    └── 03-lab-02-siem-integration-and-NAT-simulation.md  # 02c
```
These labs are educational and conducted under strict containment. Core operating rules:
- No malware ever touches the host machine, under any circumstances.
- Samples are sourced only from recognised research repositories (Sikorski PMA lab files, MalwareBazaar, VirusShare).
- The dynamic VM is reverted to a clean snapshot after every detonation session.
- The analysis network is internal-only — no NAT, no host bridge, no external route during analysis.
- Work follows guidance aligned with NIST and ISO security practices and New Zealand legal/compliance frameworks.
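The "internal-only, no NAT, no host bridge" rule above and the malware-lab network described in the environment section are easy to break silently (a NAT adapter left enabled on the detonation VM after a troubleshooting session, for example). The script below is an added example, not a script from this repository: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` and refuses to pass unless every enabled adapter of each lab VM is an `intnet` adapter on `malware-lab`. It assumes the VM names and network name used in this README; the sample `showvminfo` output embedded in it is constructed so the check can be exercised offline, and `--live` queries VirtualBox for real (VBoxManage must be on PATH).

```shell
#!/usr/bin/env bash
# Pre-detonation containment check (added example, not a script from this
# repository). Parses `VBoxManage showvminfo <vm> --machinereadable` output and
# fails if any enabled adapter is not on the internal network below.
# Assumptions: the VM names and the internal network name "malware-lab" from
# this README; VBoxManage on PATH for --live mode.
set -eu

LAB_NET="malware-lab"
VMS="Static-Wind10-FLARE Dynamic-Wind10-FLARE"

# check_nics <vm-name> <showvminfo-output>
# Returns 0 when every enabled NIC (nicN != "none") is an intnet adapter on
# $LAB_NET; returns 1 and prints a FAIL line for nat, bridged, hostonly or
# natnetwork adapters, or for an intnet adapter on the wrong network.
check_nics() {
  local vm="$1" info="$2" rc=0 n mode net
  for n in 1 2 3 4 5 6 7 8; do
    mode=$(printf '%s\n' "$info" | sed -n "s/^nic$n=\"\(.*\)\"$/\1/p")
    if [ -z "$mode" ] || [ "$mode" = "none" ]; then
      continue                      # adapter absent or disabled
    fi
    case "$mode" in
      intnet)
        net=$(printf '%s\n' "$info" | sed -n "s/^intnet$n=\"\(.*\)\"$/\1/p")
        if [ "$net" != "$LAB_NET" ]; then
          echo "FAIL $vm nic$n: internal network '$net' is not '$LAB_NET'"; rc=1
        fi ;;
      *)
        echo "FAIL $vm nic$n: attached to '$mode' (must be intnet)"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Live mode: query every lab VM before a detonation session.
live_check() {
  local vm info rc=0
  for vm in $VMS; do
    if info=$(VBoxManage showvminfo "$vm" --machinereadable 2>/dev/null); then
      check_nics "$vm" "$info" || rc=1
    else
      echo "FAIL $vm: VBoxManage could not query the VM"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample output (only the adapter keys matter) so the check can be
# exercised offline: a correctly confined VM, and one with a leaked NAT adapter.
GOOD_INFO='name="Dynamic-Wind10-FLARE"
nic1="intnet"
intnet1="malware-lab"
nic2="none"'
BAD_INFO='name="Dynamic-Wind10-FLARE"
nic1="intnet"
intnet1="malware-lab"
nic2="nat"'

if [ "${1:-}" = "--live" ]; then
  live_check && echo "OK: all lab VMs are confined to $LAB_NET"
else
  check_nics "Dynamic-Wind10-FLARE" "$GOOD_INFO" && echo "OK: sample good config passes"
  check_nics "Dynamic-Wind10-FLARE" "$BAD_INFO" || echo "(expected) sample bad config is rejected"
fi
```

Run it as `./check-containment.sh --live` before reverting to the clean snapshot and detonating; a non-zero exit means an adapter would give the sample a path out of the lab. Keep the check on the host, not inside a VM, since the host is the only place that can see the adapter configuration.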
- Sikorski, M. & Honig, A. — Practical Malware Analysis, No Starch Press
- Cucci, K. — Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats, 2024
- Kleymenov, A. & Thabet, A. — Mastering Malware Analysis, Packt Publishing
- Mandiant FLARE-VM — https://github.com/mandiant/flare-vm
- REMnux — https://docs.remnux.org
- abuse.ch MalwareBazaar — https://bazaar.abuse.ch
- VirusTotal — https://www.virustotal.com