Malware Analysis for Beginners, Part 1: Get started quickly & for free with VirtualBox


Extracting secrets from malicious code in a Windows VM works (almost) without prior knowledge. In the first of two parts, we help set up the analysis environment.


At first glance, anyone who wants to analyze malware seems to have only two options: either they make do with the information returned by locally installed virus scanners or online analysis services such as VirusTotal, or they spend an inordinate amount of time learning assembler, absorbing poorly documented operating system internals, and grappling with complex, often expensive, reverse engineering frameworks.


You don’t want to go down the latter route, but you don’t want to be fobbed off by Windows Defender with messages like “Trojan:Win32/Vigorf.A” either? Would you like to take the analysis of Windows malware into your own hands instead of just poring over ready-made reports? Then just do it! Basic knowledge of Windows, networking and ideally also VirtualBox, a rough idea of how malicious code works and a healthy respect for the associated dangers are enough to get started as a beginner.

In this first of two parts, we walk you through the step-by-step setup of a free analysis environment in Oracle’s VirtualBox. For this we use a freely available Windows 10 VM with a 90-day trial license. We explain how to effectively seal off the virtual machine so that malware which tries to break out of it cannot reach the host system. We also shut down Windows Defender and give tips on disguising the test VM as a “normal system” so that sandbox detection mechanisms do not trip.
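The sealing-off step above comes down to closing the channels between guest and host that malware could use: the shared clipboard, drag and drop, shared folders, and any network adapter that reaches the LAN or the Internet. The following POSIX shell script is an added example and not part of the article: it audits a VM by reading the output of `VBoxManage showvminfo <vm> --machinereadable` and flags those channels, and it prints the `VBoxManage modifyvm` commands that close them. It assumes the key names VirtualBox 6.x/7.x print (`clipboard`, `draganddrop`, `nic1`, `SharedFolderNameMachineMapping1`) and a host-only adapter named `vboxnet0`, which is the Linux/macOS default; check both against your installation.

```shell
#!/bin/sh
# Added example (not from the article): audit and harden the isolation of a
# VirtualBox analysis VM. Assumes the machinereadable key names of VirtualBox
# 6.x/7.x and a host-only adapter called vboxnet0 (assumption, adjust as needed).

# audit_vminfo: reads `VBoxManage showvminfo <vm> --machinereadable` from stdin,
# prints one line per risky setting, returns 0 if clean and 1 otherwise.
audit_vminfo() {
    findings=0
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}          # strip the surrounding quotes
        case "$key" in
            clipboard)
                [ "$val" = "disabled" ] || { echo "RISK clipboard=$val (host<->guest clipboard open)"; findings=1; } ;;
            draganddrop)
                [ "$val" = "disabled" ] || { echo "RISK draganddrop=$val (files can cross the VM boundary)"; findings=1; } ;;
            nic[0-9]*)                        # nic1, nic2, ... but not nictype1
                case "$val" in
                    none|hostonly) ;;         # no LAN/Internet path from the guest
                    *) echo "RISK $key=$val (guest can reach LAN/Internet)"; findings=1 ;;
                esac ;;
            SharedFolderNameMachineMapping*)
                echo "RISK shared folder '$val' is mapped into the guest"; findings=1 ;;
        esac
    done
    return $findings
}

# harden_cmds: prints the VBoxManage commands that close those channels for the
# named VM. Printing instead of executing lets you review them first; run the
# VM must be powered off, then pipe the output into sh to apply.
harden_cmds() {
    vm=$1
    printf '%s\n' \
        "VBoxManage modifyvm \"$vm\" --clipboard-mode disabled" \
        "VBoxManage modifyvm \"$vm\" --draganddrop disabled" \
        "VBoxManage modifyvm \"$vm\" --nic1 hostonly --hostonlyadapter1 vboxnet0" \
        "VBoxManage modifyvm \"$vm\" --nic2 none"
}

# Usage against a real VM (only runs if VBoxManage is installed):
#   VBoxManage showvminfo "AnalysisVM" --machinereadable | audit_vminfo
#   harden_cmds "AnalysisVM" | sh
if command -v VBoxManage >/dev/null 2>&1 && [ -n "$1" ]; then
    VBoxManage showvminfo "$1" --machinereadable | audit_vminfo || harden_cmds "$1"
fi
```

Shared folders are listed by name only, so the audit reports them but the hardening step does not remove them; use `VBoxManage sharedfolder remove <vm> --name <name>` for each one the audit lists. Whatever the audit says, re-run it after installing Guest Additions, which is when clipboard and drag-and-drop integration typically gets switched on.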


Brian Adam
Professional blogger, vlogger, traveler and explorer of new horizons.