indomaio.blogg.se

Autoruns malware analysis
If you want to evaluate Windows malware effectively you will need a system that is properly configured to do so.

This article discusses building a system to detonate Windows malware in order to evaluate the behavior and the artifacts that are created. It will not cover the more advanced analysis or reverse engineering. If you want to take a deeper dive into advanced malware analysis, you can build a system first to learn malware discovery, then build on this configuration by adding additional tools for advanced analysis and reverse engineering.

Bare metal / bare bones or virtual machine?

In classes I teach on 'Malware Discovery and Basic Malware Analysis' I use a particular malware sample in the labs that detects virtual machines and does not detonate on them. Symantec reported in their 2015 Internet Security Threat Report (ISTR) that 28% of malware in 2014 was VM aware; the 2016 ISTR put the figure at 22% for Q4 of 2015. Knowing that, and having experienced this in my own analysis, detonating malware on a bare metal system configured just like a production system in your environment is by far the best way to go for basic malware analysis. Whether you agree or not, the same configuration covered in this article could, and should, be used for a VM that you want to evaluate malware on as well. If you want to tweak your VM so that the malware's anti-VM checks do not detect it, that takes more configuration and is not covered by this article.

Step One – The hardware and operating system

The first order of business is to build a system. Most hardware you have will work: an older PC with 16GB RAM or more and, most importantly, a Solid State Drive (SSD). Since evaluating malware includes hashing the full filesystem, the faster the drive the better. A spindle drive can take up to an hour to hash 150,000 files (a normal count for Windows 10) whereas an SSD can do it in 15 minutes or less. Use a small SSD (256GB) and create two partitions so you have a C: and a D: drive. Install the operating system on the C: drive and place all your scripts and tools on the D: drive.
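The full-filesystem hashing referred to above is the part of the workflow that makes the drive speed matter: you hash every file on C: to get a baseline, detonate the sample, hash again, and diff the two runs to see what the malware created, changed or deleted. The script below is an added example of that baseline-and-diff step, written for this page; it is not code from the original article. It assumes the layout the article recommends (OS on C:, scripts and output on D:); the output directory D:\Baselines, the file names and the parameter names are this example's own choices.

```powershell
# Hash-Filesystem.ps1  (added example; not from the original article)
# Hashes every file under $Root, writes a CSV baseline, and optionally diffs it
# against an earlier baseline to show what a detonation created, changed or deleted.
# Assumed layout follows the article: OS on C:, scripts/tools and output on D:.
# The output directory and file names below are this example's own choices.
param(
    [string]$Root     = 'C:\',
    [string]$OutDir   = 'D:\Baselines',
    [string]$Baseline = ''      # earlier CSV from this script; empty = just create a new baseline
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $OutDir "filehashes-$stamp.csv"
$sw    = [System.Diagnostics.Stopwatch]::StartNew()

# -Force includes hidden and system files. Files that are locked or unreadable
# (pagefile.sys, live registry hives, some protected system files) are skipped
# rather than aborting the run; run from an elevated prompt to minimise the skips.
Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h) {
            [pscustomobject]@{
                Path   = $_.FullName
                SHA256 = $h.Hash
                Size   = $_.Length
                MTime  = $_.LastWriteTimeUtc.ToString('o')
            }
        }
    } |
    Export-Csv -LiteralPath $out -NoTypeInformation -Encoding UTF8

$sw.Stop()
# This is the timing the article is talking about: minutes on an SSD, up to an hour on a spindle drive.
Write-Host ("Baseline written to {0} in {1:N1} minutes" -f $out, $sw.Elapsed.TotalMinutes)

if ($Baseline) {
    # Index both runs by path so the comparison is linear in file count, not quadratic.
    $beforeMap = @{}
    foreach ($r in (Import-Csv -LiteralPath $Baseline)) { $beforeMap[$r.Path] = $r.SHA256 }
    $afterMap = @{}
    foreach ($r in (Import-Csv -LiteralPath $out))      { $afterMap[$r.Path]  = $r.SHA256 }

    $created  = @($afterMap.Keys  | Where-Object { -not $beforeMap.ContainsKey($_) })
    $deleted  = @($beforeMap.Keys | Where-Object { -not $afterMap.ContainsKey($_) })
    $modified = @($afterMap.Keys  | Where-Object { $beforeMap.ContainsKey($_) -and $beforeMap[$_] -ne $afterMap[$_] })

    $report = Join-Path $OutDir "diff-$stamp.txt"
    @(
        "Created  ($($created.Count)):";  $created  | Sort-Object | ForEach-Object { "  + $_" }
        "Modified ($($modified.Count)):"; $modified | Sort-Object | ForEach-Object { "  * $_  $($afterMap[$_])" }
        "Deleted  ($($deleted.Count)):";  $deleted  | Sort-Object | ForEach-Object { "  - $_" }
    ) | Set-Content -LiteralPath $report -Encoding UTF8
    Write-Host "Diff against $Baseline written to $report"
}
```

Run it once from an elevated prompt on the clean system (`.\Hash-Filesystem.ps1`), then after detonation with `-Baseline D:\Baselines\filehashes-<stamp>.csv` to get the diff. Take two baselines across a reboot before you ever run a sample: Windows rewrites event logs, prefetch files and per-user hives on its own, and that second diff tells you the noise floor so you can separate it from what the malware dropped. The script covers files only; registry and autorun changes need their own baseline.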