The Power of the Mandiant FLARE VM for Effective Malware Analysis

In cybersecurity, effectively analyzing and mitigating threats is crucial. FLARE VM, a Windows-based security distribution, has shown to be a powerful tool for those involved in malware analysis, including reverse engineers, malware analysts, incident responders, and penetration testers. Inspired by prominent Linux-based security distributions like Kali Linux and REMnux, FLARE VM is equipped with an extensive suite of Windows security tools. This includes debuggers, disassemblers, decompilers, and utilities for static and dynamic analysis, enhancing capabilities in network analysis, web assessment, exploitation, and vulnerability assessment. Notably, it incorporates the FLARE team’s public malware analysis tools such as FLOSS and FakeNet-NG, making it a comprehensive solution for tackling malware.

I am writing this article to show you the potential of FLARE VM for practical malware analysis. From preparing your system for its installation to conducting your first malware analysis, I will walk you through the steps to leverage this fantastic tool. Emphasizing its significance in sandbox environments, I’ll discuss how it helps with incident response, threat detection, and obtaining IOCs (Indicators of Compromise) within a malware analysis lab setting. This walkthrough will highlight FLARE VM’s role in reinforcing malware analysis and its adaptability and ease of maintenance, ensuring you’re ready to handle the sometimes challenging and overwhelming landscape of cyber threats.

A Brief History of the FLARE VM

The development of FLARE VM by Mandiant dates back to 2017, when it was initially created to simplify the setup and configuration of a Windows malware analysis environment. It transformed into a set of reverse engineering tools carefully curated to address everyday analysis tasks as time passed.

FLARE VM has garnered around 100,000 installations from 2018 to 2023, showcasing its adoption and reliance on the part of numerous individuals. Despite facing resource constraints, the project struggled to address 400 issues raised by the GitHub community. To enhance user experience, the FLARE VM team endeavored to streamline the installation and customization process by introducing a graphical user interface (GUI) for package selection and environment variable setup.

In response to challenges arising from maintaining the project, which led to issues with outdated and malfunctioning packages, the FLARE team embraced an open-source approach. By sharing their packages on GitHub, they invited community input to suggest tools, report bugs, and assist in implementing necessary fixes.

This open approach empowers individuals to contribute to FLARE VM with the project utilizing automated testing, updates, and releases to ensure packages are readily installable.

Why Choose FLARE VM for Malware Analysis

There are a few things to be said in favor of Mandiant FLARE VM for malware analysis, making it a preferred choice for professionals in the field. Here’s my take on why:

• Comprehensive Toolset: FLARE VM offers an impressive collection of Windows security tools tailored explicitly for malware analysis. This includes powerful debuggers, disassemblers, decompilers, and utilities for both static and dynamic analysis. Additionally, it includes tools for network analysis, web assessment, exploitation, and vulnerability assessment applications. The inclusion of the FLARE team’s public malware analysis tools, such as FLOSS and FakeNet-NG, further enhances its capabilities, providing users with a robust environment for tackling malware.
• Ease of Customization and Maintenance: One key feature that sets FLARE VM apart is its design, which is focused on customization and maintenance. Built on top of the Chocolatey project, a Windows-based package management system, FLARE VM allows for easy addition and updating of tools. This open and maintainable approach ensures that the community can quickly make tools available and keep the environment up-to-date with the latest developments in malware analysis technology. The project’s use of automatic testing, updating, and releasing processes makes packages immediately installable, streamlining the setup process for users.
• Community and Support: FLARE VM is more than just a tool; it’s a platform supported by a vibrant community of thousands of reverse engineers, malware analysts, and security researchers. This community actively uses FLARE VM to configure Windows and install an expert collection of security tools, contributing to its continuous growth and evolution 3. The platform’s reliance on technologies like Chocolatey and Boxstarter for package management and the ability to automate software installation and create repeatable, scripted Windows environments underscores its utility and flexibility 5. With roughly 70,000 installations between 2018–2022, FLARE VM has proven its reliability and effectiveness in malware analysis.

This blend of an extensive toolset, ease of customization and maintenance, and strong community support positions Mandiant FLARE VM as an indispensable asset for professionals engaged in malware analysis, incident response, and cybersecurity research.

Preparing Your System for Mandiant FLARE VM Installation

Before diving into the installation of Mandiant FLARE VM, ensuring your system meets the requirements and is appropriately configured is crucial. This preparation step is critical to a smooth installation process and optimal performance during malware analysis.

System Requirements and Pre-installation Checklist

Operating System: Ensure you have an existing Windows 10 or higher installation for the best compatibility and performance.

PowerShell Version: Verify that PowerShell 5 or higher is installed on your system. This is essential for running the installation scripts and subsequent tools included with the FLARE VM.

Hardware Specifications:

• Disk Capacity: A minimum of 60 GB, though 70–80 GB is recommended to accommodate the full suite of tools and any additional data.
• Memory: At least 2 GB of RAM is required. For optimal performance, especially when running multiple tools or analyzing complex malware, 4 GB or more is recommended.
• Processor: A minimum of two processors is suggested to ensure the smooth operation of the analysis tools.

User Account: Usernames should not contain spaces or special characters, which may cause issues with some tools or scripts.

Internet Connection: An active internet connection is necessary to download the FLARE VM and its components.

Windows Configuration:

• Disable Windows Defender and Tamper Protection, preferably via Group Policy, to prevent interference with malware analysis activities. Check this article for details: https://stackoverflow.com/questions/62174426/how-to-permanently-disable-windows-defender-real-time-protection-with-gpo
• Turn off Windows Updates to maintain a stable analysis environment.

Virtual Machine Configuration (for VMware Workstation Professional users)

• Network Settings: Configure the network to host-only mode. This isolates the malware analysis environment from external networks, preventing accidental malware transmission and ensuring a contained analysis space. Remember that you will need internet access for the initial installation, though.
• 3D Acceleration: Enable this setting for smoother operation of the virtual machine and any graphical tools included in FLARE VM 7.
• Storage and RAM: Allocate at least 60 GB of hard drive space and 2 GB of RAM to the virtual machine. Adjust these settings based on the available system resources and the anticipated workload. Based on experience, 8GB of RAM or more will significantly improve your experience.

By carefully preparing your system according to these guidelines, you’re setting a solid foundation for the successful installation and operation of Mandiant FLARE VM. This preparation ensures the environment is optimized for thorough and efficient malware analysis.

Downloading and Installing Mandiant FLARE VM

To get started, follow these straightforward steps. This process will guide you through setting up a robust malware analysis environment on your system.

Downloading and Installing Mandiant FLARE VM:

Starting the Installation Process:

You can get the installation script and other details at the GitHub Repository: https://github.com/mandiant/flare-vm — Download it to your Desktop.

Running the Installation Script:

Make sure that you follow the exact steps provided in the GitHub repository to download and run the installer

• First, Open a PowerShell prompt with Administrator Privileges and run the following command, which will download the install script to your desktop

(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

• You now have to unblock the installation script for it to be able to run

Unblock-File .\install.ps1

• Enable the script execution

Set-ExecutionPolicy Unrestricted -Force

Now, run the installation script. If prompted, enter your Windows account password to allow the installation to proceed.

The process takes a while to complete, and a series of reboots will occur during installation. Grab a coffee.

During the installation, you will notice folders appearing on the desktop; this is all part of the installation.

Post-Installation Configuration:

• The installation process may take anywhere between 45 minutes to a few hours, during which the machine will reboot several times.
• Once the installation is complete, ensure tools such as ‘fakenet.exe’, ‘hashcalc.exe’, ‘regshot.exe’, and ‘ghidra.bat’ are present among the installed tools. If any tools are missing, download and install them manually.
• For VMware Workstation Professional users, switching the Virtual Machine networking settings to Host-Only mode is recommended to isolate the malware analysis environment from external networks after installation. Additionally, take a fresh virtual machine snapshot to save the current state, naming it ‘flare vm snapshot’.

Remember, the FLARE VM environment is developed and carefully selected by the members of the FLARE team, ensuring you have a robust set of tools for practical and effective malware analysis. This includes a wide range of Windows security tools for debugging, disassembling, decompiling, static and dynamic analysis, and more, organized in a directory structure for easy access. Following these steps meticulously will set you up with a powerful platform for analyzing malware, enhancing your incident response and threat detection capabilities.

A few Screenshots from once the Installation was completed:

Exploring the Tools Included in Mandiant FLARE VM

In exploring the tools coming with the Mandiant FLARE VM, let’s try to understand the breadth and depth of utilities at your disposal. These tools are developed or carefully selected by the FLARE team, who bring over a decade of experience in reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes. The tools are neatly organized in the directory structure and are easily accessible from the Tools folder on the Desktop or the Start menu, ensuring a streamlined workflow for analysts.

Essential Tools and Their Functions:

• Debugging and Disassembly: Tools such as WinDbg, x64dbg, and Immunity Debugger are essential for stepping through malware code to understand its execution flow and identify critical functionalities. FLARE VM includes industry-standard tools like Binary Ninja, IDA Pro, and JD-GUI for disassembly and further analysis, which help break down the compiled binary into assembly code for examination.
• Dynamic and Static Analysis: For dynamic analysis, utilities like Procmon from Sysinternals Suite monitor File, Registry, and Windows API activity, providing insights into malware behavior during execution. The static analysis benefits from tools like PE Studio and CFF Explorer, which analyze a sample’s imports, resources, and PE header structure without executing the malware. The inclusion of FLOSS assists in extracting obfuscated strings from binaries, aiding in identifying fundamental indicators of compromise.
• Network Analysis and Emulation: Understanding a malware’s network behavior is crucial. Tools like FakeNet-NG dynamically emulate network services to trick malware into revealing its network functionality. At the same time, Wireshark and NetworkMiner allow for deep packet analysis to understand the malware’s communication patterns.

FLARE VM relies on Chocolatey and Boxstarter to automate software installation and create a repeatable, scripted Windows environment that is easy to customize. This setup ensures that all necessary tools for malware analysis are just a few clicks away under the “Tools” directory, making the environment highly adaptable for the needs of malware analysts. The comprehensive collection of tools, ranging from network manipulation, web assessment, and exploitation to vulnerability assessment applications, reinforces the VM’s capability to tackle various aspects of malware analysis. The VM’s configuration and the included tools, developed or carefully selected by the FLARE team, underscore the platform’s reliability and effectiveness in malware analysis.

Conducting Your First Malware Analysis with the Mandiant FLARE VM

To kick off your journey into malware analysis with Mandiant FLARE VM, follow these foundational steps to ensure a secure and efficient setup:

Isolate Your Environment:

• VM Communication: Make sure the virtual machines, including FLARE and any others like REMnux, are configured to only communicate with each other. This isolation is crucial to prevent any unintended spread of malware to your physical host or beyond.
• Internet Access: Restrict internet access for your malware analysis virtual machines unless absolutely essential for the analysis. This precaution further secures your analysis environment from potential threats.

Prepare Your Workspace:

• Before diving into any malware analysis, always revert to a clean snapshot of your virtual machine. This step ensures that your environment is in a known, good state and free from any alterations or infections that might have occurred during previous sessions. Name this baseline snapshot ‘flare vm snapshot’ for easy reference.

Conducting Static and Dynamic Analysis:

• Static Analysis with PE Studio: Begin with static analysis to examine the malware without executing it. Use PE Studio (Winitor) to analyze the binary’s components, such as strings, imports, exports, and more. This initial analysis can provide valuable insights without the risks that naturally come with running the malware.
• Generate Hashes: Utilize md5sum.exe and sha256sum.exe commands in Cmder on FLARE VM to create MD5 and SHA256 hashes of the malware sample. These hashes are helpful for documenting your findings and searching for any existing analysis on the same sample.
• Dynamic Analysis and Network Traffic Capture: For dynamic analysis, where you observe the malware’s behavior during execution, use tools like Wireshark on the REMnux VM to capture and analyze network traffic. This step is critical for understanding the malware’s communication patterns and potential command and control servers.

Following these simple yet essential guidelines, you lay a solid foundation for conducting thorough and safe malware analysis using Mandiant FLARE VM and REMnux. Remember, the key to practical malware analysis is a combination of preparation, isolation, and meticulous examination.

Keeping Mandiant FLARE VM Updated

Keeping Mandiant FLARE VM updated is crucial to ensure you’re equipped with the latest tools and security measures for effective and practical malware analysis. Here’s how to maintain your FLARE VM environment efficiently:

Updating FLARE VM:

Download the Latest Repository:

• Navigate to either <https://github.com/mandiant/flare-vm> or <https://flarevm.info> to access the most recent version of the FLARE VM.
• This step is essential as the FLARE team continuously supports and enhances the FLARE VM, making it the go-to distribution for security research, incident response, and malware analysis on the Windows platform.

Run the Update Command:

• Open a console window and execute the command to initiate the update process. This single command ensures that your entire system is updated, including all the tools and the FLARE VM environment.
• The update process leverages Chocolatey and Boxstarter, automating the installation and configuration of the updated security tools, thus minimizing manual effort.

Contributing to FLARE VM:

• Open-Sourced Packages: The FLARE team has made the packages for each tool open-sourced, inviting the community to contribute by adding new tools, suggesting improvements, or reporting bugs 3.
• GitHub Contributions:
• To add a new tool, you can create an issue on GitHub with the necessary information for your proposed tool. Be as specific as possible.
• Utilize GitHub Actions for testing and automation, simplifying the contribution process by automatically testing tool additions and updates. Once approved, a new package is automatically pushed to the repository, making it immediately available for installation.

Following these steps and engaging with the FLARE VM community can keep your malware analysis environment up-to-date and contribute to its growth and effectiveness. The project’s reliance on GitHub for collaboration and Chocolatey for package management makes updating and contributing a straightforward process, ensuring that FLARE VM continues to be a powerful tool for cybersecurity professionals.

FAQs

Q: How much time is required to install FLARE VM? A: Installing FLARE VM involves downloading and setting up numerous packages, which can result in multiple automatic restarts. The entire process is quite extensive and, based on personal experience, may take multiple hours to complete.

Q: What is the rationale behind using virtual machines for malware analysis? A: Virtual machines provide a secure and isolated environment crucial for malware analysis. This isolation helps prevent any potential harm the malware could bring to a live system. VMware virtual machines are favored for their flexibility and robust isolation features, making them ideal for safely analyzing malicious software.

Q: What components are included in the FLARE VM? A: FLARE VM is a specialized virtual machine developed and maintained by Mandiant, a cybersecurity company acquired by Google some time back. It is equipped with an array of tools, software, and scripts designed explicitly for malware analysis and reverse engineering tasks, providing a comprehensive environment for security professionals.

Some References

[1] — https://www.mandiant.com/resources/blog/flare-vm-the-windows-malware [2] — https://github.com/mandiant/flare-vm [3] — https://www.mandiant.com/resources/blog/flarevm-open-to-public [4] — https://www.mandiant.com/resources/blog/flare-vm-update [5] — https://medium.com/@wenray/flare-vm-windows-malware-analysis-28b120b058e0 [6] — https://medium.com/@ayorbamii/a-beginners-journey-into-dfir-using-flare-vm-openedr-access-data-ftk-and-autopsy-db118f544093 [7] — https://www.youtube.com/watch?v=BiSdnusy2AQ [8] — https://www.youtube.com/watch?v=DUzG1UDCjq4 [9] — https://subscription.packtpub.com/book/security/9781839212277/2/ch02lvl1sec05/installing-the-flare-vm-package [10] — https://hal3.medium.com/novice-guide-to-malware-analysis-ce3a2ac399e4 [11] — https://iphelix.medium.com/tool-release-flare-vm-the-windows-malware-analysis-distribution-8a4d33cfe9e [12] — https://www.mandiant.com/resources/blog/flare-tools-google-summer-of-code-2023 [13] — https://www.youtube.com/watch?v=2jPqqZFOyO0 [14] — https://github.com/mandiant/flare-vm/blob/main/install.ps1

If you like my articles. buy me a coffee to keep me going

Sigmund Brandstaetter

As usual, please contact me if you have any questions. I hope this brief look at Mandiant Flare VM was helpful to you.

OSINT|PH - Digital Forensics and Cybersecurity Consulting

LinkedIn: https://www.linkedin.com/in/sigmundbrandstaetter/