Malware Lab Setup

Malware analysis should always be done with caution. At the same time, to trick the most sophisticated malware into executing, the lab has to look like a real host to the sample.

The host machine doesn’t really matter. However, I would recommend either Linux or macOS for Windows malware analysis, and Windows for Linux/macOS malware, in case the VM solution in use has a sandbox-escape vulnerability. This way the malware won’t be able to run on the host even if it manages to escape (unless this is some cross-platform solution 😩).

  • VBox: REMnux + Windows VM. See here for more detail.
  • Parallels: Kali + Windows VM + macOS VM. This is my config since I do macOS reversing as well.
  • Separate physical forensics machine with no network access. An option, since this way you don’t need to worry about tricking smart malware equipped with anti-virtualisation techniques into running. As a drawback, you’d have to reinstall the system pretty often 😊.


REMnux is a Linux distribution that was specifically designed for malware analysis. It has a lot of useful tools installed. However, all (or most) of them will run on other Linux distributions. So, for me, for example, it’s easier to use a Kali or Ubuntu VM and install the required tools when needed. Besides, there is no ARM version of REMnux anyway, so I don’t really have a choice.


No matter what setup you are going to use, there are several settings that are required for any of them.

  • Configure network
    • Create a separate host-only interface that is isolated from the host
    • Add this interface to the VMs that will be used for analysis (usually 2)
  • Create VMs.
    • Victim: Windows, Linux or macOS
    • Fake server (Kali or REMnux)
      • Enable DNS server (it could be iNetSim or some real DNS server running)
    • Separate the host from the VMs
      • Disable clipboard sharing
      • Disable drag-n-drop between the host and the guest
      • Disable shared folders (this one can be configured to share malware files and disabled once the analysis has begun)
  • Take a snapshot of all the VMs before use.


Network Config

Create a separate host-only interface that is isolated from the host. Note the IPs that are used. For example:

  • DHCP
  • for range
  • netmask


Using the above configs for the network interface:

  • service_bind_address
  • dns_default_ip
  • run with inetsim

If the malware tries to download something, iNetSim can serve a fake response for that request: it ships with a precompiled binary that is returned as the download.
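An added example (not from the original notes) that checks the host-only addressing and emits the two iNetSim settings named above; it also checks that the victim’s DNS server points at the iNetSim machine. Every address in it is a constructed placeholder, to be replaced with the ones noted for your own host-only interface.

```python
"""Sanity-check the host-only lab addressing before starting iNetSim.

Added example, not from the original notes: the subnet, DHCP range and
addresses are constructed placeholders; substitute the ones you noted for
your own host-only interface.
"""
import ipaddress

# Constructed lab layout (placeholders, not values from the notes).
LAB = {
    "subnet": "192.168.56.0/24",          # host-only interface network
    "host_ip": "192.168.56.1",            # address the hypervisor gives the host
    "fake_server_ip": "192.168.56.10",    # Kali/REMnux VM running iNetSim
    "dhcp_range": ("192.168.56.100", "192.168.56.200"),
    "victim_dns": "192.168.56.10",        # DNS server configured on the victim VM
}


def check_lab(lab):
    """Return a list of problems; an empty list means the layout is consistent."""
    net = ipaddress.ip_network(lab["subnet"], strict=True)
    host = ipaddress.ip_address(lab["host_ip"])
    fake = ipaddress.ip_address(lab["fake_server_ip"])
    lo, hi = (ipaddress.ip_address(a) for a in lab["dhcp_range"])
    problems = []
    if not net.is_private:
        problems.append("host-only subnet is not a private range")
    for name, addr in (("host", host), ("fake server", fake),
                       ("DHCP start", lo), ("DHCP end", hi)):
        if addr not in net:
            problems.append(f"{name} address {addr} is outside {net}")
    if fake == host:
        problems.append("fake server address collides with the host address")
    if lo <= fake <= hi:
        problems.append("fake server sits inside the DHCP pool; a victim could get the same IP")
    if ipaddress.ip_address(lab["victim_dns"]) != fake:
        problems.append("victim DNS server does not point at the iNetSim machine")
    return problems


def inetsim_conf_lines(lab):
    """inetsim.conf settings that bind the fake services and DNS answers to the fake server."""
    ip = lab["fake_server_ip"]
    return [f"service_bind_address   {ip}", f"dns_default_ip         {ip}"]
```

Run `check_lab(LAB)` before `inetsim` is started; any string it returns is a misconfiguration that would either break the fake network or leave the victim resolving names elsewhere.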


Similar to iNetSim but for Windows.

Victim machine

  • Set the DNS server address to that of the machine running iNetSim (the address from the example above).
  • macOS
  • Windows
    • ProcMon (Sysinternals) to analyse API calls (file, registry and network activity)
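An added example (not from the original notes) of what to do with the ProcMon output once the victim has run the sample: it reads a ProcMon CSV export and groups the file, registry, network and child-process activity of one process, flagging Run-key writes. The column names are ProcMon’s default CSV headers; the rows, paths and process names are constructed.

```python
"""Summarise a Process Monitor (ProcMon) CSV export for one process.

Added example, not from the original notes. The column names match ProcMon's
default CSV export; the rows, paths and process names below are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (every value is invented).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.000","sample.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\x.dll","SUCCESS","Desired Access: Generic Write"
"10:00:01.100","sample.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\x.dll","SUCCESS","Offset: 0, Length: 4,096"
"10:00:01.200","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x","SUCCESS","Type: REG_SZ"
"10:00:01.300","sample.exe","1234","TCP Connect","lab-pc:49152 -> 192.168.56.10:80","SUCCESS","Length: 0"
"10:00:01.400","sample.exe","1234","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 1300"
"10:00:01.500","sample.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:02.000","explorer.exe","900","RegQueryValue","HKCU\\Software\\Classes\\x","NAME NOT FOUND","Length: 16"
"""

# The activity classes the notes use ProcMon for: file, registry, network (+ child processes).
WATCH = {
    "file": {"CreateFile", "WriteFile", "SetDispositionInformationFile"},
    "registry": {"RegSetValue", "RegCreateKey", "RegDeleteValue"},
    "network": {"TCP Connect", "TCP Send", "UDP Send"},
    "process": {"Process Create"},
}
AUTORUN_MARKER = "\\CurrentVersion\\Run"


def triage(csv_text, process_name):
    """Return {category: [unique paths]} of successful, watched operations by process_name."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] != process_name or row["Result"] != "SUCCESS":
            continue
        # A CreateFile is only interesting if the handle was opened for writing.
        if row["Operation"] == "CreateFile" and "Write" not in row["Detail"]:
            continue
        category = next((c for c, ops in WATCH.items() if row["Operation"] in ops), None)
        if category and row["Path"] not in hits[category]:
            hits[category].append(row["Path"])
    return dict(hits)


def persistence_keys(hits):
    """Registry paths under a Run key: the classic autostart persistence location."""
    return [p for p in hits.get("registry", []) if AUTORUN_MARKER in p]
```

Export the ProcMon capture as CSV with the sample’s process name filtered in, read the file instead of `SAMPLE_CSV`, and the four lists give a first map of what the sample touched.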

Safety Tips

  • Keep the VMs separated from the host
  • Store samples with a rogue extension, so they cannot be launched by accident
  • Keep samples in password-protected archives

Info Gathering


There are several options for reversing malware:

  1. IDA Pro (free for x86 only)
  2. radare2 + plugins (all architectures and free, but CLI)
  3. Cutter (radare2 + GUI)

Useful - scdbg. Windows ❗

Python, Powershell for decrypting stuff.

📚 Educational


  • 🔥 - Windows API functions and their usage in malicious payloads.




Jupyter - Cool stuff, but nothing macOS or Cloud relevant. It would be very useful to create my own notebook for CloudTrail, access.log etc. analysis, and for macOS triage in the future as well: combining Michael Leclair’s script with this technique (adjusted for macOS).



Any.Run - Windows only (free tier: Windows 7, 32-bit). No macOS or 64-bit Windows. Cuckoo


