A comprehensive home lab setup designed to analyze malware, including the infamous WannaCry ransomware, and practice incident response techniques. This lab utilizes tools like FlareVM, REMnux, and Proxmox, along with pfSense, to create an isolated environment for safe malware analysis and experimentation.
- WannaCry Analysis: Perform a detailed analysis of the WannaCry ransomware, understanding its propagation, encryption mechanisms, and kill switch.
- Static and Dynamic Analysis: Utilize tools for both static and dynamic analysis of various malware samples.
- Isolated Network: A pfSense firewall is configured to ensure that malware cannot interact with external networks.
- Proxmox: Virtualization platform used to run virtual machines.
- VMware ESXi: Alternate virtualization platform, also used with pfSense as a local network interface.
- pfSense: Firewall and router software used to isolate the malware analysis environment.
- Windows 10 Enterprise VM: Installed with FlareVM for a Windows-based analysis environment.
- REMnux VM: A Linux distribution with pre-installed malware analysis tools.
- Install Proxmox:
  - Download and install Proxmox from the official website.
  - Alternatively, VMware ESXi can be used for virtualization.
- Set Up pfSense:
  - Download pfSense from the official website.
  - Install pfSense on a dedicated VM within Proxmox or VMware ESXi.
  - Configure pfSense to act as a firewall and router for your isolated network.
- Set Up Windows 10 Enterprise VM:
  - Download the Windows 10 Enterprise ISO.
  - Install Windows 10 Enterprise on a new VM in Proxmox or VMware ESXi.
  - Install FlareVM by following the installation guide.
- Set Up REMnux VM:
  - Download REMnux from the official website.
  - Install REMnux on a new VM in Proxmox or VMware ESXi.
- Configure the Network:
  - In Proxmox or VMware ESXi, ensure that the Windows and REMnux VMs are connected through pfSense to isolate the malware analysis environment.
- FlareVM: A collection of reverse engineering, malware analysis, and debugging tools for Windows.
- REMnux: A Linux distribution with tools for analyzing malicious software.
- pfSense: An open-source firewall and router platform used to secure the network.
- Wireshark: A network protocol analyzer used for network traffic capture and analysis.
- Cutter: Reverse engineering platform used for static analysis.
- FLOSS: Used as an alternative to the strings utility, on REMnux and on the FLARE VM.
- x64dbg: Real-time debugger used for reverse engineering the applications.
- Process Monitor: Sysinternals tool from Microsoft for real-time monitoring of the applications.
- Static Analysis:
  - Disassemble WannaCry samples using IDA Pro or Ghidra.
  - Analyze the ransomware’s code to understand its encryption mechanism.
- Dynamic Analysis:
  - Execute WannaCry in a controlled environment using FlareVM.
  - Monitor the ransomware's behavior, including file encryption and network activity.
- Network Analysis:
  - Use Wireshark to capture WannaCry’s network traffic.
  - Identify communication attempts with its command-and-control servers.
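The network analysis step above ends with "identify communication attempts", which in an isolated lab means reading the capture for outbound connection attempts that pfSense never let through. The following is an added example, not part of this repository: it assumes the Wireshark capture was exported with `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e dns.qry.name` (tab-separated, one packet per line), that the FlareVM guest sits at the assumed address `10.10.10.20`, and it uses constructed records with placeholder hostnames and TEST-NET addresses. It groups outbound SYNs by destination port, counts how many distinct hosts were probed on tcp/445 (the lateral-movement pattern the README asks you to observe), and lists DNS names the sample queried without ever receiving a reply.

```python
from collections import defaultdict
from typing import Dict, List

ANALYSIS_VM = "10.10.10.20"  # assumed address of the FlareVM guest behind pfSense

# Constructed tshark field export (assumed command shown in the lead-in); every
# address and name below is a placeholder, not an observed indicator.
def _rec(t, src, dst, dport="", flags="", qname=""):
    return "\t".join([t, src, dst, dport, flags, qname])

TSHARK_TSV = "\n".join([
    _rec("0.000", ANALYSIS_VM, "10.10.10.1", qname="placeholder-killswitch.invalid"),  # DNS query
    _rec("1.003", ANALYSIS_VM, "10.10.10.5", "445", "0x002"),  # SYN to tcp/445
    _rec("1.004", ANALYSIS_VM, "10.10.10.6", "445", "0x002"),
    _rec("1.005", ANALYSIS_VM, "10.10.10.7", "445", "0x002"),
    _rec("1.006", ANALYSIS_VM, "10.10.10.8", "445", "0x002"),
    _rec("1.007", ANALYSIS_VM, "10.10.10.9", "445", "0x002"),
    _rec("1.008", "10.10.10.9", ANALYSIS_VM, "51234", "0x012"),  # SYN/ACK back from one host
    _rec("2.100", ANALYSIS_VM, "203.0.113.10", "443", "0x002"),  # egress attempt (TEST-NET-3)
    _rec("2.200", ANALYSIS_VM, "203.0.113.10", "443", "0x002"),  # SYN retransmit, nothing came back
    _rec("3.000", ANALYSIS_VM, "10.10.10.1", qname="placeholder-killswitch.invalid"),  # DNS retry
])

TCP_SYN = 0x002
TCP_ACK = 0x010


def summarize(tsv_text: str, analysis_ip: str, sweep_min_hosts: int = 5) -> Dict:
    """Summarise what the sandboxed host tried to reach, from a tshark field export."""
    dns: Dict[str, Dict] = {}                   # queried name -> {"queries": n, "answered": bool}
    syn_targets = defaultdict(set)              # destination port -> distinct destination IPs
    for line in tsv_text.splitlines():
        if not line.strip():
            continue
        _t, src, dst, dport, flags, qname = line.split("\t")
        if qname:
            rec = dns.setdefault(qname, {"queries": 0, "answered": False})
            if src == analysis_ip:
                rec["queries"] += 1             # query leaving the analysis VM
            else:
                rec["answered"] = True          # a reply carrying the same name
            continue
        if src != analysis_ip or not dport:
            continue                            # only outbound TCP from the sandbox
        f = int(flags, 16)
        if f & TCP_SYN and not f & TCP_ACK:     # bare SYN = new outbound connection attempt
            syn_targets[int(dport)].add(dst)

    findings: List[str] = []
    for port, hosts in syn_targets.items():
        if port == 445 and len(hosts) >= sweep_min_hosts:
            findings.append(f"SMB sweep: SYN to {len(hosts)} distinct hosts on tcp/445")
    for name, rec in dns.items():
        if not rec["answered"]:
            findings.append(f"unanswered DNS query: {name} ({rec['queries']}x)")
    return {
        "dns": dns,
        "syn_targets": {p: sorted(h) for p, h in syn_targets.items()},
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarize(TSHARK_TSV, ANALYSIS_VM)
    for port, hosts in sorted(report["syn_targets"].items()):
        print(f"tcp/{port}: {len(hosts)} host(s): {', '.join(hosts)}")
    for finding in report["findings"]:
        print("!", finding)
```

The unanswered DNS and repeated SYNs to the same external address are what a correctly isolated pfSense configuration should produce; if a query is marked answered or a SYN/ACK arrives from an outside address, the lab network is leaking and that should be fixed before the next detonation.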
- Exercise 1: WannaCry Static Analysis:
  - Disassemble the WannaCry binary to understand its structure and functions.
  - Identify the ransomware’s propagation and encryption techniques.
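Before opening the binary in Cutter, Ghidra or IDA, the usual first pass for the static analysis section and for Exercise 1 is the strings/FLOSS step: pull every printable run out of the file and sort it into the categories that hint at propagation and encryption (crypto API imports, URLs, UNC share paths, file extensions). The block below is an added example written for this README, not code from the project or from FLOSS; it runs over a constructed byte buffer rather than a real sample, the category patterns are illustrative, and the host name and extension in the buffer are placeholders. It extracts both ASCII and UTF-16LE (wide) strings, which is where Windows malware keeps most of its paths.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

MIN_LEN = 6  # shortest printable run reported (the common default for strings and FLOSS)

# Constructed byte buffer standing in for a section of an unpacked PE; it is not a
# real malware sample. It mixes ASCII strings, UTF-16LE strings and filler bytes so
# both extraction paths are exercised.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"                                  # DOS-header-like filler
    + b"CryptEncrypt\x00\x00"                              # ASCII import name
    + b"http://example.invalid/checkin\x00\x00"            # ASCII URL, placeholder host
    + b"\x8b\xec\x55"                                      # opcode-like filler
    + "\\\\%s\\IPC$".encode("utf-16-le") + b"\x00\x00"     # wide UNC share format string
    + b"\x90\x90"
    + ".locked".encode("utf-16-le") + b"\x00\x00"          # wide file extension (constructed)
    + b"ab\x00"                                            # too short to be reported
)

# Indicator categories a triage pass pulls out first; illustrative, not exhaustive.
CATEGORIES = {
    "crypto_api": re.compile(r"^Crypt(Acquire|Gen|Encrypt|Decrypt|Import|Export|Create)\w*$"),
    "url": re.compile(r"^https?://", re.IGNORECASE),
    "unc_path": re.compile(r"^\\\\"),
    "extension": re.compile(r"^\.[A-Za-z0-9]{2,6}$"),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len chars.

    ASCII runs are bytes 0x20-0x7e; wide runs are the same characters each followed
    by a 0x00 byte (UTF-16LE), which a plain ASCII strings pass skips over.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()  # by file offset, like strings output
    return found


def classify(text: str) -> str:
    """Map one extracted string to a category name, or 'other'."""
    for name, pattern in CATEGORIES.items():
        if pattern.search(text):
            return name
    return "other"


def triage(data: bytes) -> Dict[str, List[str]]:
    """Group every extracted string by category: the report a first pass would print."""
    report: Dict[str, List[str]] = defaultdict(list)
    for _offset, _enc, text in extract_strings(data):
        report[classify(text)].append(text)
    return dict(report)


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print(f"{offset:08x}  {enc:<8}  {classify(text):<10}  {text}")
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `triage`; the offsets it prints are the places to jump to in Cutter when cross-referencing which function uses each string.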
- Exercise 2: WannaCry Dynamic Analysis:
  - Execute WannaCry in the FlareVM environment.
  - Monitor file system changes and network traffic to observe the ransomware’s behavior.
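For the dynamic analysis section and Exercise 2, Process Monitor is the tool the README names for watching the file system, and a Procmon session quickly grows to millions of events, so it helps to have a script that turns its CSV export into the one observation that matters for ransomware: a burst of files being written and then renamed to a new extension. The following is an added example written for this README, not part of the project or of Sysinternals; it assumes the capture was saved with File > Save as CSV with Procmon's default columns, and it runs over a constructed export whose process names, paths and `.locked` extension are invented.

```python
import csv
import io
import ntpath
from collections import defaultdict
from typing import Dict, List

# Constructed Process Monitor CSV export (default columns); the rows are invented to
# mimic a sample writing to documents and renaming them, next to normal Explorer noise.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:15:01.0000000 AM","explorer.exe","1234","WriteFile","C:\Users\lab\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 120"
"9:15:01.5000000 AM","explorer.exe","1234","SetRenameInformationFile","C:\Users\lab\Desktop\new.txt","SUCCESS","ReplaceIfExists: False, FileName: C:\Users\lab\Desktop\todo.txt"
"9:15:02.1000000 AM","sample.exe","4321","RegOpenKey","HKLM\SOFTWARE\Placeholder","NAME NOT FOUND","Desired Access: Read"
"9:15:02.2000000 AM","sample.exe","4321","WriteFile","C:\Users\lab\Documents\report.docx","SUCCESS","Offset: 0, Length: 4096"
"9:15:02.3000000 AM","sample.exe","4321","SetRenameInformationFile","C:\Users\lab\Documents\report.docx","SUCCESS","ReplaceIfExists: True, FileName: C:\Users\lab\Documents\report.docx.locked"
"9:15:03.2000000 AM","sample.exe","4321","WriteFile","C:\Users\lab\Documents\budget.xlsx","SUCCESS","Offset: 0, Length: 8192"
"9:15:03.3000000 AM","sample.exe","4321","SetRenameInformationFile","C:\Users\lab\Documents\budget.xlsx","SUCCESS","ReplaceIfExists: True, FileName: C:\Users\lab\Documents\budget.xlsx.locked"
"9:15:04.2000000 AM","sample.exe","4321","WriteFile","C:\Users\lab\Pictures\photo.jpg","SUCCESS","Offset: 0, Length: 65536"
"9:15:04.3000000 AM","sample.exe","4321","SetRenameInformationFile","C:\Users\lab\Pictures\photo.jpg","SUCCESS","ReplaceIfExists: True, FileName: C:\Users\lab\Pictures\photo.jpg.locked"
'''


def parse_time(value: str) -> float:
    """Convert Procmon's 'h:mm:ss.fffffff AM' clock to seconds since midnight."""
    clock, meridiem = value.split()
    hours, minutes, seconds = clock.split(":")
    hour = int(hours) % 12 + (12 if meridiem.upper() == "PM" else 0)
    return hour * 3600 + int(minutes) * 60 + float(seconds)


def detect_mass_rename(csv_text: str, min_files: int = 3, window_s: float = 10.0) -> List[Dict]:
    """Flag processes that rename >= min_files files to one new extension within window_s seconds.

    In Procmon the encrypt-in-place pattern is WriteFile followed by
    SetRenameInformationFile whose Detail carries the new name; renames that keep
    the extension (ordinary editing) are ignored.
    """
    renames = defaultdict(list)  # (process, pid) -> [(seconds, new_ext)]
    writes = defaultdict(set)    # (process, pid) -> distinct paths written
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Process Name"], int(row["PID"]))
        op = row["Operation"]
        if op == "WriteFile":
            writes[key].add(row["Path"].lower())
        elif op == "SetRenameInformationFile" and "FileName: " in row["Detail"]:
            new_name = row["Detail"].split("FileName: ", 1)[1]
            old_ext = ntpath.splitext(row["Path"])[1].lower()
            new_ext = ntpath.splitext(new_name)[1].lower()
            if new_ext and new_ext != old_ext:
                renames[key].append((parse_time(row["Time of Day"]), new_ext))

    findings = []
    for (process, pid), items in renames.items():
        by_ext = defaultdict(list)
        for t, ext in sorted(items):
            by_ext[ext].append(t)
        for ext, times in by_ext.items():
            # sliding window over sorted timestamps: longest run starting at each index
            end = 0
            for start in range(len(times)):
                while end + 1 < len(times) and times[end + 1] - times[start] <= window_s:
                    end += 1
                if end - start + 1 >= min_files:
                    findings.append({"process": process, "pid": pid, "new_ext": ext,
                                     "renames": end - start + 1,
                                     "files_written": len(writes[(process, pid)])})
                    break
    return findings


if __name__ == "__main__":
    for finding in detect_mass_rename(PROCMON_CSV):
        print(finding)
```

Run it against a real export with `detect_mass_rename(open("Logfile.CSV", encoding="utf-8-sig").read())`; Procmon writes a UTF-8 BOM, which that encoding strips. The thresholds are deliberately low for a lab VM with a handful of seed documents; on a real host raise `min_files` well above what a backup or archiving tool would touch in the same window.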
Screenshot of Proxmox/VMware ESXi with Windows 10 and REMnux VMs running.
Using the Cutter reverse engineering application for static analysis.
Using Process Monitor to observe WannaCry’s file encryption process.
Network traffic capture in Wireshark showing WannaCry’s communication attempts.
Debugging the malware in real time on the Windows 10 FLARE VM.
Contributions are welcome! If you have suggestions for improvements or new exercises, feel free to open an issue or submit a pull request.
This project is licensed under the MIT License. See the LICENSE file for more details.
For any questions or feedback, feel free to reach out via LinkedIn.