\n\nThis page has been machine-translated from the original page.
\n
This article documents the setup process for FLARE VM, a Windows distribution designed for malware analysis.
\nFLARE VM is an open-source, Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensics investigators, and penetration testers.
\nStarting from Version 3.0, it also supports Windows 10.
\nReference: mandiant/flare-vm
\nReference: FLARE VM Update | Mandiant
\n\nBonus: Tools Installed with FlareVM
\nFlareVM will be installed on a virtual machine with the following specifications:
\nWindows 10 Pro 1903 English
\nWhile I haven’t tested it personally, I’ve seen articles mentioning that FlareVM installation fails on Windows 10 versions newer than 1903, so I used 1903 for this setup.
\nAccording to mandiant/flare-vm, the system requirements are as follows:
\nNote that the 60GB requirement refers to available storage space after OS installation, not the total VM storage capacity.
\nRequirements\n60 GB Hard Drive\n Additional space needed after VM is downloaded/installed\n2 GB RAMBasically, you can follow the steps in the article below:
\nReference: How To Uninstall, Disable, and Remove Windows Defender
\nIn my environment (1903), to disable Defender, I also needed to disable the Tamper Protection feature.
\nThe following article is helpful:
\nReference: Windows 10 Windows Defenderを完全に無効化する-パソブル
\nAlthough not a requirement, I also disabled Windows Firewall while I was at it.
\nBefore proceeding with FlareVM installation, take a snapshot of the VM.
\nDownload FlareVM 3.1 from the Release page below:
\nReference: Releases · mandiant/flare-vm
\nExtract the downloaded FlareVM file on the VM.
\nNavigate to the extracted folder in PowerShell running with administrator privileges and execute the following commands in order:
\nInternet connection is required.
\nUnblock-File .\\install.ps1\nSet-ExecutionPolicy Unrestricted\n.\\install.ps1 -password <password>If successful, installations and setups will proceed sequentially like this:
\nFinally, install additional packages and change the network settings to a host-only adapter.
\nWhen deploying FlareVM for malware analysis, make sure to verify that the environment is completely isolated from the network.
\nFirst, install the tools listed as additional packages in the article below:
\nchoco install exiftool, trid, grep, stirling-jp, sakuraeditor, irfanview, irfanviewplugins, hashtab, audacity, winmerge, teraterm, fiddler, sqlitebrowser, ultravnc, gnuwin32-coreutils.installReference: FLARE VM を使って Windows10 に解析環境を構築する - setodaNote
\nI installed exiftool and fiddler, among others, as I use them frequently.
\nI also installed Windows Terminal, Noriben, and PowerToys additionally.
\nNoriben doesn’t work properly with FlareVM’s default settings, so the configuration described here is required.
\nThe tools deployed with FlareVM are listed in the Readme.
\nReference: mandiant/flare-vm
\nHere are some interesting tools I picked out and summarized:
\nI’ve used these two tools when Android app challenges appeared in CTFs.
\nThey can extract APK files and decompile them into a readable Java-like format.
\nI hadn’t used RetDec before, but it appears to be an OSS decompiler developed by Avast.
\nIt can decompile ELF and PE files, and can also output decompilation results in Python-like language as well as C. Amazing.
\nReference: avast/retdec: RetDec is a retargetable machine-code decompiler based on LLVM.
\nReference: avastのretdecをインストールする - Qiita
\nVarious disassemblers are included.
\nI hadn’t used Cutter before, but it disassembles quite cleanly.
\nThe dark mode is also nice.
\nReference: rizinorg/cutter: Free and Open Source Reverse Engineering Platform powered by rizin
\nILSpy and dnSpy are standard tools, but there are quite a few others too.
\nde4dot appears to be a deobfuscation tool. Should be useful for malware analysis.
\nReference: de4dot/de4dot: .NET deobfuscator and unpacker.
\nThis is my first time learning about AutoIt. Is it similar to VBScript?
\nReference: AutoIt - Wikipedia
\nThere’s even a decompiler for Flash.
\nI’ll repeat this 100 times: Volatility is a memory forensics tool.
\nI wondered what the difference from ChatEngine was, but it can be used from the CLI. Convenient.
\nReference: volatilityfoundation/volatility: An advanced memory forensics framework
\nMy favorite Tweak isn’t included…
\nThere’s even a Java deobfuscation tool.
\nI haven’t encountered it in CTFs yet, but I wonder if it’s commonly used in malware analysis.
\nThere’s a tool specifically for scanning Office file malware.
\nReference: OfficeMalScanner - Microsoft Office Files Malware Scanner
\nI often use PEiD and PeStudio, but there are quite a few others.
\nI’ll try them out sometime.
\nSeems like a collection of Kali tools like netcat that can be used on Windows.
\nReference: windows-binaries | Kali Linux Tools
\nI want to add VSCode manually…
\nHTTrack can recursively download websites and build a pseudo mirror site locally.
\nReference: 【画像付き】httrackでホームページを丸ごとダウンロードする使い方
\nOmitted.
\nThere are several hash tools included, but Hashcat isn’t there.
\nI set up FlareVM, which I’ve been curious about for a while.
\nIt was very instructive to learn that custom distributions like this can be created on Windows as well.
","fields":{"slug":"/malware-flarevm-setup-en","tagSlugs":["/tag/malware-en/","/tag/flare-vm-en/","/tag/備忘録/","/tag/english/"]},"frontmatter":{"date":"2021-12-01","description":"This article documents the setup process for FLARE VM, a Windows distribution designed for malware analysis.","tags":["Malware (en)","FlareVM (en)","備忘録","English"],"title":"Installing FlareVM 3.1 Malware Analysis Distribution on Windows 10","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/malware-flarevm-setup-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}