Proxmox Malware Lab

November 3, 2024

So I’ve wanted to dive into malware analysis for a while, so if you are looking to do something similar, follow along as I create a lab environment to start the learning process.

Required:

  1. Proxmox knowledge
  2. Windows 10 ISO
  3. REMnux (built from scratch)
  4. Flare-VM
  5. Networking (Unifi ecosystem)

So this project counts as my first real home lab deployment. I have deployed Nextcloud on a Pi before (past blog), but since then my home lab has had some upgrades, namely a Dell XPS with the battery disconnected so it doesn’t turn into a spicy pillow, an old HP workstation and an HP ProDesk 400 G5, all running Proxmox.

For this blog we will be using the XPS 15 with 16 GB RAM and 6 cores / 12 threads, with Proxmox installed.

Networking (Unifi ecosystem) - 1

This was the part that stumped me for A WHILE. I knew I wanted to set it up on a separate VLAN, as I had never done VLANs before. This was by far the part that took me the longest, as I had a Unifi Express acting as an edge router and a Netgear switch; this quickly got replaced with a Unifi Flex Mini switch for simplicity.

Setting up the VLAN was quite simple:

  1. Go to the web interface
  2. Network > Settings > Networks
  3. Create a new virtual network and set the:
    1. Name: malware-labs
    2. Host address: 192.168.X.1/28 (I disabled auto-scale network, as 13 addresses is more than enough)
    3. VLAN ID: 69 (haha funny number)
  4. I didn’t isolate the network and allowed internet access for setup
  5. I gave it a DHCP server for ease of use while setting up

Next I went to the Flex Mini’s port manager; in this case port 4 was the XPS, so I changed that port to the new network (malware-labs).

This now allowed me to set up Proxmox on my XPS. I won’t be covering that here as there are already millions of guides on this, but I would just recommend getting it from: https://www.proxmox.com/en/proxmox-virtual-environment/get-started or https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm

Other useful resources: https://community-scripts.github.io/Proxmox/

https://github.com/tteck/Proxmox

Note:

Now that we have Proxmox set up on a separate VLAN, we want to ensure we have a Linux bridge that is VLAN aware; this can be done by ticking the VLAN aware box in the bridge’s config.
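As an added example (my own script, not from this post or from Proxmox), a small check to run on the Proxmox host that confirms the bridge really has VLAN filtering enabled before a lab VM is tagged onto VLAN 69 with qm; the bridge name vmbr0 and the VM id 100 are assumed placeholders.

```shell
#!/bin/sh
# Added example: make sure the bridge is VLAN aware before attaching lab VMs to it.
# Ticking "VLAN aware" in the Proxmox GUI writes "bridge-vlan-aware yes" to
# /etc/network/interfaces, which turns on the kernel's bridge VLAN filtering flag.
# SYSFS can be overridden so the check can be exercised against a fake tree.
SYSFS=${SYSFS:-/sys}

# bridge_vlan_aware BRIDGE -> 0 if VLAN filtering is on for that bridge, 1 otherwise
bridge_vlan_aware() {
  flag="$SYSFS/class/net/$1/bridge/vlan_filtering"
  [ -r "$flag" ] || { echo "$1: not a bridge or not found" >&2; return 1; }
  [ "$(cat "$flag")" = "1" ]
}

# nic_spec BRIDGE VLAN -> the --net0 value that puts a VM's NIC on that VLAN
nic_spec() {
  echo "virtio,bridge=$1,tag=$2"
}

# attach_lab_vm VMID BRIDGE VLAN: refuse to tag the NIC unless the bridge passes
# the check (a tag on a non-VLAN-aware bridge silently leaves the VM untagged).
attach_lab_vm() {
  bridge_vlan_aware "$2" || { echo "enable 'VLAN aware' on $2 first" >&2; return 1; }
  qm set "$1" --net0 "$(nic_spec "$2" "$3")"
}

# Example (placeholders): attach_lab_vm 100 vmbr0 69
```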

Flare-VM

https://github.com/mandiant/flare-vm

https://pve.proxmox.com/wiki/Windows_10_guest_best_practices

“FLARE VM (FireEye Labs Advanced Reverse Engineering Virtual Machine) is a specialized Windows-based virtual machine setup designed for malware analysis and reverse engineering”. - ChatGPT

Here is the setup for the Windows VM: [screenshot of the VM hardware settings]

Follow this to set it up: https://pve.proxmox.com/wiki/Windows_10_guest_best_practices

Once installed, do a full update via Windows Update, then temporarily disable it: https://www.windowscentral.com/how-stop-updates-installing-automatically-windows-10

Next we need to remove and disable Windows Defender. I followed this one after toggling off Tamper Protection: https://github.com/AveYo/LeanAndMean/blob/main/ToggleDefender.ps1

Now the VM is ready to install Flare (this can take a while depending on your speeds and what apps you install; I just went with the default):

  • Open a PowerShell prompt as administrator
  • Download the installation script installer.ps1 to your Desktop:
    • (New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")
  • Unblock the installation script:
    • Unblock-File .\install.ps1
  • Enable script execution:
    • Set-ExecutionPolicy Unrestricted -Force
      • If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope in via Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force. To view execution policies for all scopes, execute Get-ExecutionPolicy -List
  • Finally, execute the installer script as follows:
    • .\install.ps1
      • To pass your password as an argument: .\install.ps1 -password <password>
      • To use the CLI-only mode with minimal user interaction: .\install.ps1 -password <password> -noWait -noGui
      • To use the CLI-only mode with minimal user interaction and a custom config file: .\install.ps1 -customConfig <config.xml> -password <password> -noWait -noGui
  • Once installed, take a snapshot on Proxmox:
    • Click on the VM > Backup > Backup now
    • Click on the VM > Snapshots > Take snapshot

REMnux:

I found the best way to install REMnux on Proxmox was to build it from scratch; this will take a while to install. https://docs.remnux.org/install-distro/install-from-scratch

Step 1

Download the minimal Ubuntu 20.04 to Proxmox: http://archive.ubuntu.com/ubuntu/dists/focal/main/installer-amd64/current/legacy-images/netboot/mini.iso

SHA-256 hash: 0e79e00bf844929d40825b1f0e8634415cda195ba23bae0b041911fde4dfe018

Here is the setup for the Linux VM: [screenshot of the VM hardware settings]

When the Ubuntu installer prompts you for details about the user it will create, select the following to stay consistent with the default configuration of REMnux:

  • Full name: REMnux User
  • Username: remnux
  • Password: malware

When installing at the “Software selection” screen don’t select any software and simply press “Continue.” The REMnux installer will install the necessary packages in a later step.

Boot into your new Ubuntu system. You should find yourself at the command prompt. Login using the credentials you specified during the Ubuntu installation.

Step 2

Download the REMnux installer from the REMnux website by running this command on your new Ubuntu system:

wget https://REMnux.org/remnux-cli

Validate the SHA-256 hash of the downloaded file to make sure it matches this expected value:

c8c6d6830cfeb48c9ada2b49c76523c8637d95dc41d00aac345282fb47021f8e

To generate the hash of your file, run:

sha256sum remnux-cli

Set up the REMnux installer by running these commands:

mv remnux-cli remnux
chmod +x remnux
sudo mv remnux /usr/local/bin
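As an added example (my own script, not part of the REMnux docs or this post), the download and hash check above as one function that refuses to install remnux-cli unless its SHA-256 matches the value published above:

```shell
#!/bin/sh
# Added example: gate the REMnux installer on its published SHA-256 before it is run.
# The expected value is the one quoted in this post for remnux-cli.
EXPECTED_REMNUX_CLI_SHA256=c8c6d6830cfeb48c9ada2b49c76523c8637d95dc41d00aac345282fb47021f8e

# verify_sha256 FILE EXPECTED -> 0 if the file's SHA-256 matches EXPECTED, 1 otherwise
verify_sha256() {
  file=$1
  expected=$2
  [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 1; }
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# fetch_remnux_cli: download, verify, and only then move the CLI into /usr/local/bin.
# A mismatching download is deleted rather than left lying around to be run later.
fetch_remnux_cli() {
  wget -q -O remnux-cli https://REMnux.org/remnux-cli || return 1
  verify_sha256 remnux-cli "$EXPECTED_REMNUX_CLI_SHA256" || { rm -f remnux-cli; return 1; }
  mv remnux-cli remnux && chmod +x remnux && sudo mv remnux /usr/local/bin
}

# Usage on the new Ubuntu VM: fetch_remnux_cli
```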

Step 2, continued: Install Dependencies

The minimal version of Ubuntu includes very few components. Install GnuPG, so that the REMnux installer can automatically validate the signatures of the REMnux configuration files it will download during the installation process. You might also need to install the curl package. To do this, run:

sudo apt install -y gnupg curl

Step 3: Run the REMnux Installer

You’re now ready to install the REMnux distro.

If you’re planning to run REMnux in a local lab, kick off the installation by running this command:

sudo remnux install

Step 4: Reboot the REMnux System

Once the REMnux installation finishes, reboot your new REMnux system by typing:

sudo reboot

After the reboot, REMnux will automatically log you in. There is no logon screen for accessing the REMnux environment, because analysts generally use REMnux on a system to which physical access is already restricted.

Step 5: Proxmox tweaks

  1. VM > Hardware > Display > Set to SPICE (qxl)

  2. VM > Hardware > Options > SPICE Enhancements > Video Streaming: all

After this:

  1. Switch CPU type to ‘qemu32’.

  2. Boot the VM and let it fail startup. It’ll be obvious it’s not booting properly because the display will not work properly, and you’ll never see the desktop.

  3. Hard power off the VM.

  4. Switch CPU type to ‘qemu64’.

  5. Boot the VM. It should properly initialize the display and boot to the desktop.

Step 6: Upgrade the REMnux Virtual Machine

After installing the REMnux virtual machine, run the following command inside the VM as a regular, non-root user to upgrade it to the latest version of the distro:

remnux upgrade

Step 7: Take a Snapshot/Backup of the Virtual Machine

Click on the VM > Backup > Backup now

Click on the VM > Snapshots > Take snapshot

Networking (Unifi ecosystem) - 2

In Unifi you can now either isolate the network or do what I did and make a one-way firewall rule so that the lab network can’t reach other networks:

Setting up the firewall rule was quite simple:

  1. Go to the web interface
  2. Network > Settings > Security > Traffic & Firewall Rules > Create Entry
    1. Name: Malware block
    2. Action: Block
    3. Source: malware-labs
    4. Destination: All other networks
    5. Traffic direction: Source to destination
    6. Schedule: Always

This now allows you to access Proxmox and the VMs without them being able to access your other networks.
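As an added example (my own script, not from this post), a probe to run from REMnux once the rule is in place to check that the lab VLAN really can’t reach anything on your other networks; the target addresses are constructed placeholders, and the PROBE hook is there so the logic can be exercised without a network.

```shell
#!/bin/sh
# Added example: verify the one-way block from inside the malware-labs VLAN.
# Exit status of check_isolation: 0 = nothing reachable (isolated), 1 = at least one
# leak, 2 = could not probe at all (so "everything blocked" would be a false negative).

# tcp_probe HOST PORT -> 0 if the port accepts a TCP connection within 2 seconds
tcp_probe() {
  nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# check_isolation HOST:PORT ... -> verdict per target, leak count on stderr
check_isolation() {
  probe=${PROBE:-tcp_probe}
  if [ "$probe" = tcp_probe ] && ! command -v nc >/dev/null 2>&1; then
    echo "nc is not installed; refusing to report targets as blocked" >&2
    return 2
  fi
  leaks=0
  for target in "$@"; do
    host=${target%:*}
    port=${target#*:}
    if "$probe" "$host" "$port"; then
      echo "LEAK: $host:$port is reachable from the lab VLAN"
      leaks=$((leaks + 1))
    else
      echo "ok:   $host:$port blocked"
    fi
  done
  echo "$leaks reachable target(s)" >&2
  [ "$leaks" -eq 0 ]
}

# Constructed placeholders: a NAS share, a printer and the Proxmox web UI on the home LAN.
LAB_TARGETS="192.168.1.10:445 192.168.1.20:9100 192.168.1.2:8006"

if [ "${1:-}" = "--check" ]; then
  check_isolation $LAB_TARGETS
  exit $?
fi
```

Run it as `sh isolation.sh --check` from the lab VM; any LEAK line means the UniFi rule is not doing what you think.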

Other QOL

I set up RDP on Flare and REMnux:

https://www.howtogeek.com/231/turn-on-remote-desktop-in-windows/

https://www.howtogeek.com/429190/how-to-set-up-remote-desktop-on-ubuntu/