HOME
Icon

FLARE VM + REMnux Malware Analysis Lab

A fully isolated malware analysis environment used for static and dynamic reverse engineering. This lab is built on an internal-only VirtualBox network with no NAT or bridge access, allowing malware to execute safely while still exposing behavior, persistence, and network intent.

  • FLARE VM (Windows) — primary reverse engineering & debugging workstation
  • REMnux (Linux) — network simulation, traffic capture, and analysis tooling
  • Kali (Linux) — primary capture the flag workstation
  • Internal VirtualBox Network — host-isolated, no internet access

❭❭ Tooling Used ❬❬

Static Analysis

  • Ghidra — disassembly, decompilation, cross-references
  • Cutter (radare2) — graph view, quick inspection
  • PE-bear — PE headers, imports, sections
  • PE-Studio — indicators, suspicious API usage
  • Detect It Easy (DIE) — compiler, packer, entropy detection
  • strings — quick triage of embedded indicators
  • YARA — rule creation and pattern validation

Dynamic Analysis (Windows)

  • System Informer — process, thread, module, and handle inspection
  • Procmon — file system, registry, and process activity tracing
  • x64dbg — breakpoints, stepping, API behavior analysis
  • service.msc — service-based persistence inspection
  • Autoruns — startup & persistence artifact review

Networking & Traffic Analysis

  • Wireshark — packet capture & protocol inspection
  • INetSim (REMnux) — fake internet services for beaconing analysis
  • Fake DNS / HTTP services — observe callbacks without real connectivity

Behavior & OS-Level Monitoring

  • Sysmon — persistent logging of process, network, and registry events
  • Process & injection tracking — CreateProcess, CreateRemoteThread, etc.
  • Filesystem & registry diffing — pre/post execution comparison

❭❭ What This Lab Enables ❬❬

  • Safely execute real malware samples without host risk
  • Trace Windows API behavior during runtime
  • Observe persistence mechanisms (services, registry, startup)
  • Analyze attempted DNS, HTTP, and TCP callbacks
  • Debug binaries at the instruction & API level
  • Document malware behavior for reports and research

❭❭ Purpose ❬❬

This lab is the foundation of my reverse engineering workflow. It supports malware triage, Windows internals research, behavioral analysis, and detection-focused experimentation. All findings are documented through structured analysis reports and write-ups.

ezloomdev 2025