Setting Up a Malware Analysis Lab
Security and Pentest Home Lab Environment
In this module, we’ll set up the Malware Analysis Lab. The lab will consist of two virtual machines—one for Windows-based malware analysis (Flare VM) and one for Linux-based malware analysis (REMnux).
🔧 Creating Additional Network Interfaces (VBox CLI)
By default, the VirtualBox GUI supports only four network interfaces. However, we can configure up to 8 interfaces per VM using the VBoxManage CLI.
✅ Add VBoxManage to Environment Variables
The VirtualBox CLI binary is called VBoxManage.exe. It is typically located at:
```
C:\Program Files\Oracle\VirtualBox
```
- Open the Start menu and search for "Environment Variables".
- Click Edit environment variables for your account.
- In the top pane, select the Path variable and click Edit.
- Click New and paste the path to VirtualBox.
- Click OK to save and exit.
To test that it worked, open a new PowerShell window (sessions that were already open do not pick up the changed Path) and run:
```
VBoxManage list vms
```
🛠️ Adding a New Interface to pfSense
Before adding, make sure the pfSense VM is powered off. Replace "pfSense" with your actual VM name if needed. The commands below configure adapter 5 (--nic5) as a VirtIO NIC on a new internal network named "LAN 3":
```
VBoxManage modifyvm "pfSense" --nic5 intnet
VBoxManage modifyvm "pfSense" --nictype5 virtio
VBoxManage modifyvm "pfSense" --intnet5 "LAN 3"
VBoxManage modifyvm "pfSense" --cableconnected5 on
```
Adapters 5 to 8 created this way do not appear in the VM's Network settings in the GUI; you must use the CLI to view and manage them.
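The same four modifyvm calls wrapped with the checks a practitioner wants around them: this is an added example, not code from the original post, that refuses to touch a VM unless it is powered off and then reads the configuration back with `VBoxManage showvminfo --machinereadable` to confirm all four adapter settings actually took. It assumes VBoxManage.exe is on your Path; the function name Add-VBoxInternalNic is my own.

```powershell
# Added example (not from the original post). Assumes VBoxManage.exe is on PATH.
function Add-VBoxInternalNic {
    param(
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [ValidateRange(1, 8)] [int] $Index,   # adapter slot 1-8
        [Parameter(Mandatory)] [string] $IntNet,                      # internal network name
        [string] $NicType = 'virtio'
    )

    # Read the VM's current configuration as key="value" lines.
    $info = & VBoxManage showvminfo $VmName --machinereadable
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage could not find VM '$VmName'" }

    # modifyvm silently fails or is rejected on a running/saved VM, so check VMState first.
    $state = ($info | Select-String '^VMState="(.*)"$').Matches[0].Groups[1].Value
    if ($state -ne 'poweroff') {
        throw "VM '$VmName' is in state '$state'; power it off before changing NICs"
    }

    # The four settings from the post, parameterised on the adapter index.
    & VBoxManage modifyvm $VmName "--nic$Index" intnet
    & VBoxManage modifyvm $VmName "--nictype$Index" $NicType
    & VBoxManage modifyvm $VmName "--intnet$Index" $IntNet
    & VBoxManage modifyvm $VmName "--cableconnected$Index" on

    # Re-read the configuration and verify each key, since the GUI cannot show slots 5-8.
    $info = & VBoxManage showvminfo $VmName --machinereadable
    $expected = @{
        "nic$Index"            = 'intnet'
        "nictype$Index"        = $NicType
        "intnet$Index"         = $IntNet
        "cableconnected$Index" = 'on'
    }
    foreach ($key in $expected.Keys) {
        $want = '{0}="{1}"' -f $key, $expected[$key]
        $line = $info | Where-Object { $_ -like "$key=*" }
        if ($line -ne $want) {
            throw "Verification failed for $key (wanted $want, got: $line)"
        }
    }
    "$VmName nic$Index attached to internal network '$IntNet' ($NicType)"
}

# Usage: exactly what the post does by hand for pfSense, plus the state check and read-back.
Add-VBoxInternalNic -VmName 'pfSense' -Index 5 -IntNet 'LAN 3'
```

Run it from the same PowerShell session you verified with `VBoxManage list vms`. The read-back matters because a typo in the internal network name (for example "LAN3" versus "LAN 3") creates a second, empty internal network and the guest VMs you attach later will never see pfSense.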
🧩 Enabling Interface in pfSense
Start the pfSense VM. From the console menu, press 1 to Assign Interfaces and answer the prompts:
```
Should VLANs be set up now? n
Enter the WAN interface name: vtnet0
Enter the LAN interface name: vtnet1
Enter the Optional 1 interface name: vtnet2
Enter the Optional 2 interface name: vtnet3
Enter the Optional 3 interface name: vtnet4
Proceed? y
```
The new adapter (nic5 in VirtualBox) shows up as vtnet4 because VirtIO interface numbering starts at 0.
Now assign an IP to OPT3:
- Press 2 to Set interface(s) IP address.
- Select OPT3 (option 5).
- Answer the prompts:
```
IPv4 via DHCP? n
IPv4 address: 10.99.99.1
Subnet bit count: 24
IPv6 via DHCP6? n
IPv6 address: [Press Enter]
Enable DHCP server? y
DHCP range start: 10.99.99.11
DHCP range end: 10.99.99.243
Revert to HTTP? n
```
✏️ Rename the Interface in GUI
- Launch Kali Linux and open the pfSense web UI.
- Go to Interfaces -> OPT3.
- Change the Description to ISOLATED, then click Save and Apply Changes.
🔐 Interface Firewall Rules
- Navigate to Firewall -> Rules.
- Open the ISOLATED tab, then click Add.
- Set:
```
Action: Block
Address Family: IPv4+IPv6
Protocol: Any
Source: ISOLATED net
Description: Block access to everything
```
Save and Apply Changes.
This blocks every connection that originates in the ISOLATED subnet, whether it is headed for the internet, the other lab segments, or pfSense itself, so malware detonated there cannot spread to other systems. Two things to keep in mind: traffic between hosts on the same internal network (Flare VM and REMnux will both sit on LAN 3) never reaches pfSense, so this rule does not filter it, which is what you want when REMnux is used to talk to the Windows VM directly; and because pfSense is stateful, a connection started from another interface toward the ISOLATED subnet (if that interface's rules permit it) still gets its reply packets back.
🔁 Reboot pfSense
Go to Diagnostics -> Reboot and click Submit.
🧪 Flare VM Setup (Windows)
We’ll use Windows 10 Enterprise ISO to install Flare VM.
📥 Download ISO
Visit Microsoft Evaluation Center and download the 64-bit Enterprise ISO (~5GB).
🖥️ Create the VM
- In VirtualBox, click Tools -> New.
- Set a name, attach the ISO, and skip unattended installation.
- Configure:
  - Memory: 4096MB
  - Disk: 100GB
📂 Add to Group
- Right-click the VM -> Move to Group -> New, then rename the group to Malware Analysis.
- Move this group into Home Lab.
⚙️ VM Settings
- Go to System -> Motherboard:
  - Boot Order: Hard Disk, then Optical
  - Uncheck Floppy
- Leave the Network Adapter as NAT for now; the VM needs internet access for the Windows install and for the Flare VM installer, and it is moved to the isolated network only after that is done.
💽 Install Windows
Install Windows 10, selecting:
- "Domain join instead" (this creates a local account rather than a Microsoft account)
- A user name without spaces or special characters
Allow Internet access when prompted.
📦 Install Guest Additions
Install and eject Guest Additions ISO (see Part 7 for steps).
📸 Snapshot #1
- Shut down VM.
- Hamburger menu → Snapshots → Take.
- Name the snapshot appropriately.
🔧 Flare VM Pre-Install Config
Flare VM requires:
- Windows Updates disabled
- Windows Defender disabled
🔕 Disable Windows Updates
- Open Settings -> Update & Security.
- Click Pause updates for 7 days.
The pause expires after seven days (Windows lets you extend it to a maximum of 35 days), so if the Flare VM install is delayed, re-check this setting before running the installer.
🛡️ Disable Windows Defender
- Download the script (it is a third-party tool; read it before you run it):
```
Invoke-WebRequest "https://raw.githubusercontent.com/jeremybeaume/tools/master/disable-defender.ps1" -OutFile $HOME\Downloads\disable-defender.ps1
```
- Boot into Safe Mode via msconfig: on the Boot tab, enable Safe boot and restart. Safe Mode is needed because Defender and its tamper protection are not running there, so the script can change settings that are otherwise protected.
- Run the script in PowerShell (Admin):
```
cd .\Downloads\
Unblock-File .\disable-defender.ps1
Set-ExecutionPolicy Unrestricted -Force
.\disable-defender.ps1
```
- Disable Safe boot in msconfig and reboot.
Defender will now show as disabled in Windows Security.
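Rather than trusting the Windows Security screen, check the two Flare VM prerequisites from PowerShell before running the installer. This is an added example, not from the original post or the Flare VM project: it uses the built-in Get-MpComputerStatus cmdlet for Defender state and Get-Service for the Windows Update service (wuauserv), and it assumes an elevated PowerShell session. The function name Test-FlareVmPrereqs is my own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
function Test-FlareVmPrereqs {
    # If the Defender module or service has been removed outright, this returns nothing;
    # treat "no status object" as Defender disabled.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'Defender real-time protection off' = ($null -eq $mp) -or (-not $mp.RealTimeProtectionEnabled)
        'Defender antivirus engine off'     = ($null -eq $mp) -or (-not $mp.AntivirusEnabled)
        'Defender tamper protection off'    = ($null -eq $mp) -or (-not $mp.IsTamperProtected)
    }

    foreach ($c in $checks.GetEnumerator()) {
        '{0,-4} {1}' -f $(if ($c.Value) { 'OK' } else { 'FAIL' }), $c.Key
    }

    # "Pause updates" leaves the service in place and expires on its own, so only warn here.
    if ($wu -and $wu.Status -eq 'Running') {
        Write-Warning "Windows Update service (wuauserv) is running; confirm updates are still paused"
    }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    if ($failed.Count -gt 0) {
        throw "Not ready for Flare VM: $($failed -join '; ')"
    }
    return $true
}

Test-FlareVmPrereqs
```

If any Defender check fails, the disable script did not fully take effect (typically because it was run outside Safe Mode while tamper protection was still on); repeat the Safe Mode step before continuing, since the Flare VM installer will otherwise have its tools quarantined as they are downloaded.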
🏷️ Rename VM
Open This PC -> Properties -> Rename this PC. Set a new name and restart.
📸 Snapshot #2
Take a new snapshot after renaming and rebooting the VM.
🧰 Flare VM Installation
Open PowerShell (Admin) and run:
```
Invoke-WebRequest "https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1" -OutFile $HOME/Downloads/install.ps1
cd $HOME/Downloads
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted -Force
.\install.ps1
```
- Select debloat.vm for installation.
- The VM will reboot multiple times.
- Click Finish when the install completes.
- Reboot once more.
🔒 Post-Install: OpenSSH
- Open Add or remove programs.
- Go to Optional Features -> Add a feature.
- Install OpenSSH Server.
Verify that both OpenSSH Client and OpenSSH Server appear in the installed list. Installing the feature does not start the sshd service, so start it and set it to start automatically before you take the snapshot; otherwise the VM will not accept SSH connections once it sits on the isolated segment.
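The feature install, service start, and firewall rule done in one idempotent step, with a final status object you can eyeball before snapshotting. This is an added example, not from the original post: it uses only the Windows-supplied cmdlets (Get-/Add-WindowsCapability, Set-/Start-Service, Get-/New-NetFirewallRule, Get-NetTCPConnection) and assumes an elevated PowerShell session on the Flare VM. The function name Enable-FlareSsh and the rule name OpenSSH-Server-In-TCP (the name Windows itself uses for the sshd inbound rule) are the only assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
function Enable-FlareSsh {
    # The optional feature may already be installed from the GUI; install only if missing.
    $cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
    if ($cap.State -ne 'Installed') {
        Add-WindowsCapability -Online -Name $cap.Name | Out-Null
    }

    # Adding the capability registers sshd but leaves it stopped and on manual start.
    Set-Service -Name sshd -StartupType Automatic
    Start-Service -Name sshd

    # Windows normally creates this inbound rule with the feature; recreate it if it is
    # missing, otherwise the Windows firewall keeps port 22 closed.
    if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
            -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
    }

    # Report what a remote ssh/scp will actually hit.
    [pscustomobject]@{
        Capability = $cap.Name
        State      = (Get-WindowsCapability -Online -Name $cap.Name).State
        Service    = (Get-Service -Name sshd).Status
        Listening  = [bool](Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue)
    }
}

Enable-FlareSsh
```

Expect State "Installed", Service "Running" and Listening True. Once the VM is on LAN 3, the pfSense block rule on ISOLATED stops the Flare VM from initiating anything, but a session you open from another segment toward it (for example copying a sample in with scp) still works as long as that segment's rules allow it.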
🌐 Move Flare VM to ISOLATED Subnet
- Shut down VM.
- Go to Settings -> Network.
- Set:
  - Attached to: Internal Network
  - Name: LAN 3 (this must match the internal network name given to pfSense's nic5 exactly, or the VM ends up on a separate, empty network)
📸 Snapshot #3
Take a new snapshot before moving on.
You can now delete the ISO if not needed.
🧪 REMnux Setup (Linux)
📥 Download REMnux OVA
Go to the REMnux OVA Download page and download the .ova file (~5GB).
📦 Import OVA
- Click Tools -> Import.
- Select the OVA file.
- Ensure:
  - Memory: 4096MB
  - MAC Address Policy: Generate new MAC addresses for all network adapters
📂 Add to Group
Move the VM to: Home Lab -> Malware Analysis
⚙️ VM Settings
- Boot Order: Hard Disk, then Optical
- Uncheck Floppy
🚀 Post-Install Configuration
- Start the REMnux VM.
- Upgrade Guest Additions via Devices -> Upgrade Guest Additions.
- In a Terminal, run:
```
remnux upgrade
```
- Reboot after the upgrade finishes.
🌐 Move REMnux VM to ISOLATED Subnet
- Shut down VM.
- Go to Settings -> Network.
- Set:
  - Attached to: Internal Network
  - Name: LAN 3
📸 Snapshot
Take a final snapshot of the REMnux VM.
✅ Summary
We now have a functional Malware Analysis Lab with:
- ✅ Isolated network (pfSense controlled)
- ✅ Flare VM (Windows)
- ✅ REMnux (Linux)