Malware Analysis Network Setup Guide

2022-07-11
3 min read
Featured Image

Introduction

While I was first setting up my malware analysis lab I had to do some tedious troubleshooting and searching for information yielded too little (sometimes too much) information about how to properly set up an internal network so in an attempt to help those who just want to set up the lab (and to keep the notes of the process to myself) I wrote this post.

We will be setting up an Internal Network with virtualbox running on a Windows host (the process for a Linux host machine is virtually the same) that will allow network interactions between a Remnux VM and a Windows VM.

The end result will be something like this:

internal

Host Machine Setup

Create Internal Network in VirtualBox App

This step should be done in both the remnux and the windows virtual machines.

  • Open the Virtual Machine settings
  • Select the Network Tab
  • Select Internal Network in the drop down menu
  • Rename the default intnet name to whatever you want to (malware in our case)

app_setup

Create a DHCP server with vboxmanage.exe

First we must find vboxmanage.exe, it should be located in this location C:\Program Files\Oracle\VirtualBox if you chose the default installation path Note: It must be run with cmd.exe as powershell has some issues parsing the flags

Now run the following command:

vboxmanage.exe dhcpserver add —netname malware —ip 10.10.10.1 —netmask 255.255.255.0 —lowerip 10.10.10.2 —upperip 10.10.10.5 —enable

You can run the following command to verify that the new DHCP server has been correctly created.

vboxmanage.exe list dhcpserver

Analysis VM (Remnux v7) Configuration.

Install ifupdown

This step is pretty straight forward, just run:

sudo apt install ifupdown

Configure the /etc/network/interfaces file

First we need to get the interface’s name:

ifconfig

The Name of the interface should be something like “enp0s3”, knowing the name now we can edit the “/etc/network/interfaces” file by adding the following (if the file does not exist, reboot the VM after installing ifupdown) :

auto enp0s3
iface enp0s3 inet static
	address 10.10.10.2
	netmask 255.255.255.0

Windows VM Configuration.

Now we must assign an IP to our Windows VM and set our Analysis VM as the Default Gateway.

Go to Control Panel > Network and Sharing Center > Change Adapter Settings then:

  • Right Click the interface and select properties.
  • Select Internet Protocol Version 4 and click Properties.
  • Manually configure the IP address, subnet mask, DHCP server and the Preferred DNS Server.

win_setup

Conclusion

And that’s all, after all this setup network interactions coming from the infected Virtual Machine will go through the Analysis Machine while being completely isolated from your host’s network, you can now analyze the traffic or even simulate responses to the malware requests using tools like FakeDNS and inetsim :)

Happy Hunting!

Avatar

Alpharivs

Eternal Cybersecurity student with love for Malware and CTFs