As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine (VM) to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately trying to maintain a custom VM like this is very laborious: tools frequently get out of date and it is hard to change or add new things. There is also a constant fear that if the VM gets corrupted it would be super tedious to replicate all of the settings and tools that I’ve built up over the years. To address this and many related challenges, I have developed a standardized (but easily customizable) Windows-based security distribution called FLARE VM.
FLARE VM is a freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and others, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.
The distribution also includes the FLARE team’s public malware analysis tools such as FLOSS and FakeNet-NG.
How To Get It
You are expected to have an existing installation of Windows 7 or above. This allows you to choose the exact Windows version, patch level, architecture and virtualization environment yourself.
Once you have that available, you can quickly deploy the FLARE VM environment by visiting the following URL in Internet Explorer (other browsers are not going to work):
After you navigate to the above URL in the Internet Explorer, you will be presented with a Boxstarter WebLauncher dialog. Select Run to continue the installation as illustrated in Figure 1.
Figure 1: FLARE VM Installation
Following successful installation of Boxstarter WebLauncher, you will be presented with a console window and one more prompt to enter your Windows password as shown in Figure 2. Your Windows password is necessary to restart the machine several times during the installation without prompting you to login every time.
Figure 2: Boxstarter Password Prompt
The rest of the process is fully automated, so prepare yourself a cup of coffee or tea. Depending on your connection speed, the initial installation takes about 30-40 minutes. Your machine will also reboot several times due to the numerous software installation’s requirements. During the deployment process, you will see installation logs of a number of packages.
Once the installation is complete, it is highly recommended to switch the Virtual Machine networking settings to Host-Only mode so that malware samples would not accidentally connect to the Internet or local network. Also, take a fresh virtual machine snapshot so this clean state is saved! The final FLARE VM installation should look like Figure 3.
Figure 3: FLARE VM installation
NOTE: If you encounter a large number of error messages, try to simply restart the installation. All of the existing packages will be preserved and new packages will be installed.
Getting Started
The VM configuration and the included tools were either developed or carefully selected by the members of the FLARE team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade. All of the tools are organized in the directory structure shown in Figure 4.
While we attempt to make the tools available as a shortcut in the FLARE folder, there are several available from command-line only. Please see the online documentation at http://flarevm.info for the most up to date list.
Sample Analysis
In order to best illustrate how FLARE VM can assist in malware analysis tasks let’s perform a basic analysis on one of the samples we use in our Malware Analysis Crash Course.
First, let’s obtain some basic indicators by looking at the strings in the binary. For this exercise, we are going to run FLARE’s own FLOSS tool, which is a strings utility on steroids. Visit http://flosseveryday.info for additional information about the tool. You can launch it by clicking on the FLOSS icon in the taskbar and running it against the sample as illustrated in Figure 5.
Unfortunately, looking over the resulting strings in Figure 6 only one string really stands out and it is not clear how it is used.
Let’s dig a bit more into the binary by opening up CFF Explorer in order to analyze sample’s imports, resources, and PE header structure. CFF Explorer and a number of other utilities are available in the FLARE folder that can be accessed from the Desktop or the Start menu as illustrated in Figure 7.
While analyzing the PE header, there were several indicators that the binary contains a resource object with an additional payload. For example, the Import Address Table contained relevant Windows API calls such as LoadResource, FindResource and finally WinExec. Unfortunately, as you can see in Figure 8 the embedded payload “BIN” contains junk so it is likely encrypted.
At this point, we could continue the static analysis or we could “cheat” a bit by switching over to basic dynamic analysis techniques. Let’s attempt to quickly gather basic indicators by using another FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network emulation tool which tricks malware into revealing its network functionality by presenting it with fake services such as DNS, HTTP, FTP, IRC and many others. Please visit http://fakenet.info for additional information about the tool.
Also, let’s launch Procmon from Sysinternals Suite in order to monitor all of the File, Registry and Windows API activity as well. You can find both of these frequently used tools in the taskbar illustrated in Figure 9.
After executing the sample with Administrator privileges, we quickly find excellent network- and host–based indicators. Figure 10 shows FakeNet-NG responding to malware’s attempt to communicate with evil.mandiant.com using HTTP protocol. Here we capture useful indicators such as a complete HTTP header, URL and a potentially unique User-Agent string. Also, notice that FakeNet-NG is capable of identifying the exact process communicating which is level1_payload.exe. This process name corresponds to the unique string that we have identified in the static analysis, but couldn’t understand how it was used.
Comparing our findings with the output of Procmon in Figure 11, we can confirm that the malware is indeed responsible for creating level1_payload.exe executable in the system32 folder.
As part of the malware analysis process, we could continue digging deeper by loading the sample in a disassembler and performing further analysis inside a debugger. However, I would not want to spoil this fun for our Malware Analysis Crash Course students by sharing all the answers here. That said all of the relevant tools to perform such analysis are already included in the distribution such as IDA Pro and Binary Ninja disassemblers, a nice collection of debuggers and several plugins, and many others to make your reverse engineering tasks as convenient as possible.
Have It Your Way
FLARE VM is a constantly growing and changing project. While we try to cover as many use-case scenarios as possible it is simply impossible due to the nature of the project. Luckily, FLARE VM is extremely easy to customize because it was built on top of the Chocolatey project. Chocolatey is a Windows-based package management system with thousands of packages. You can find the list here: https://chocolatey.org/packages. In addition to the public Chocolatey repository, FLARE VM uses our own FLARE repository which constantly growing and currently contains about 40 packages.
What all this means is that if you want to quickly add some package, let’s say Firefox, you no longer have to navigate to the software developer’s website. Simply open up a console and type in the command in Figure 12 to automatically download and install any package:
Figure 12: Installing packages
In a few short moments, Firefox icon is going to appear on your Desktop with no user interaction necessary.
Staying up to date
As I’ve mentioned in the beginning, one of the hardest challenges of unmanaged Virtual Machine is trying to keep all the tools up to date. FLARE VM solves this problem. You can completely update the entire system by simply running the command in Figure 13.
If any of the installed packages have newer versions, they will be automatically downloaded and installed.
NOTE: Don’t forget to take another clean snapshot of an updated system and set networking back to Host-Only.
Conclusion
I hope you enjoy this new free tool and will adopt it as another trusted resource to perform reverse engineering and malware analysis tasks. Next time you need to set up a new malware analysis environment, try out FLARE VM!
In these few pages, we could only scratch the surface of everything that FLARE VM is capable of; however, feel free to leave your comments, tool requests, and bugs on our Github issues page here: https://github.com/fireeye/flare-vm or http://flarevm.info/.
Keywords: malware, threat research, open source, vm, open source tools, fakenet, floss, peter Kacherginsky, distribution
Article Link: http://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html