{"id":20,"date":"2022-04-15T04:56:48","date_gmt":"2022-04-15T04:56:48","guid":{"rendered":"https:\/\/blogs.oregonstate.edu\/glennf\/?p=20"},"modified":"2022-04-15T04:56:48","modified_gmt":"2022-04-15T04:56:48","slug":"setting-up-a-malware-analysis-lab","status":"publish","type":"post","link":"https:\/\/blogs.oregonstate.edu\/glennf\/2022\/04\/15\/setting-up-a-malware-analysis-lab\/","title":{"rendered":"Setting up a Malware Analysis Lab"},"content":{"rendered":"\n

Building a lab has been a bit more challenging than I anticipated. Before taking any safety precautions and adding malware I thought I could just create two virtual machines, put them on the same network, and get them to start talking to each other! Of course anything worth doing should be done well. I don\u2019t want to infect my machine and network with the malware I’m studying. In this tutorial I\u2019ll share a first step to setting up the malware analysis lab:  setting up a basic network of two Windows virtual machines and getting them to communicate.<\/p>\n\n\n\n

The first thing I did was download VMWare Workstation 16. The Oregon State University College of Engineering has a program with VMWare where we can download a copy of VMWare Workstation with a 1 year license. It can be downloaded here: https:\/\/it.engineering.oregonstate.edu\/download-software<\/a>. The next step is to find an iso for the operating system where you want to activate the malware. Based on the client requirements for our project I downloaded a copy of Windows XP from this link: https:\/\/archive.org\/details\/WinXPProSP3x86<\/a>.<\/p>\n\n\n\n

Once VMWare Workstation is installed we can begin creating virtual machines using the iso image. <\/p>\n\n\n\n

  1. Click on File > New Virtual Machine at the top left. For our purposes we just went with a typical installation.<\/li>
  2. Choose the iso image we downloaded from the link above.<\/li>
  3. When asked for a product key enter the Serial number from the page we downloaded the iso from. Enter a Full Name and Password for the admin user on the virtual machine.<\/li><\/ol>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    1. .Provide the virtual machine a name and a location.<\/li>
    2. Afterwards allocate disk size for your virtual machine and whether you want to split the virtual disk into multiple files. I went for the default options here.<\/li>
    3. I didn\u2019t customize the virtual machine any further for this tutorial so after that you can create your machine!<\/li><\/ol>\n\n\n\n

      It takes a while for the machine to boot up so give it a moment.<\/p>\n\n\n\n

      After you logon the VMWare tools will install as well and reboot your machine.<\/p>\n\n\n\n

      Now that your machine is created you can either create another virtual machine using a different windows xp iso or create a clone of this one. I will proceed by creating a clone. <\/p>\n\n\n\n

      1. First suspend your machine. You can find this by clicking on the drop down menu for the play button. <\/li>
      2. Next begin the process by clicking on the VM tab at the top > Manage > Clone. This brings up the Clone Virtual Machine Wizard. <\/li>
      3. We have not setup a snapshot so we will clone the current state of the machine.<\/li>
      4. I wanted the clone to not share any memory with the original so we will create a full clone.<\/li>
      5. Provide it a name and location. Then click finish. VMWare Workstation is great for making this  process much easier than installing the original!<\/li><\/ol>\n\n\n\n

        At this point we finally have two virtual machines on our network. Next we will have them communicate with each other.<\/p>\n\n\n\n

        1. On one of the virtual machines find the command prompt just like shown below Start menu > All programs > Accessories > Command Prompt.<\/li><\/ol>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          1. Once the command prompt has booted up enter \u201cipconfig\u201d into the terminal to see the IP address for that machine.<\/li><\/ol>\n\n\n\n
            \"\"<\/figure>\n\n\n\n
            1. From my clone machine I attempted to communicate with the original VM by using the ping command towards the host IP 192.168.116.131.  As you can see this was not successful.<\/li><\/ol>\n\n\n\n
              \"\"<\/figure>\n\n\n\n
              1. To remedy this I added an exception to the Windows Firewall of the original VM. To get to the Windows Firewall go through Start > Control Panel > Network and Internet Connections > Windows Firewall. A separate window will appear for the settings. Go to the Exceptions tab and enable FIle and Printer Sharing. <\/li><\/ol>\n\n\n\n
                \"\"<\/figure>\n\n\n\n
                1. With this exception we can now ping the original VM from the clone. When we try again we can see a response this time.<\/li><\/ol>\n\n\n\n
                  \"\"<\/figure>\n\n\n\n

                  If we repeat the previous steps to have the original communicate the clone we should get the same result.<\/p>\n\n\n\n

                  \"\"<\/figure>\n\n\n\n

                  So there you have it. The next steps after this would be to isolate this network from the host computer. This is to prevent malware from infecting the host. That will be the topic for a future tutorial. Keep an eye out for the next one!<\/p>\n","protected":false},"excerpt":{"rendered":"

                  Building a lab has been a bit more challenging than I anticipated. Before taking any safety precautions and adding malware I thought I could just create two virtual machines, put them on the same network, and get them to start talking to each other! Of course anything worth doing should be done well. I don\u2019t […]<\/p>\n","protected":false},"author":12309,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-20","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts\/20","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/users\/12309"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/comments?post=20"}],"version-history":[{"count":1,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts\/20\/revisions"}],"predecessor-version":[{"id":21,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts\/20\/revisions\/21"}],"wp:attachment":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/media?parent=20"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/categories?post=20"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/tags?post=20"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}