Setting up an UNDETECTABLE VM for Malware Analysis

Captions
Hello buddy, my name is Eric and today I'm going to teach you how to create the perfect modern malware analysis virtual machine on VMware Workstation. So I'm setting this up again because I kind of broke my other one and I didn't have a good backup, so I thought I would make a video out of it. So first of all, we want to use this because we do not want to install VMware Tools. You can, and I mean sometimes I'll do it when I'm making a YouTube video and the malware isn't VM-aware, but there's no benefit for actual malware analysis. So of course we're going to use Windows 10; I'm going to use the LTSC version. "malware stealth", I'm going to call this VM. Give it more than 200 GB, because it's very rare for a real computer to have less. Similarly, give it 8 GB. And one thing that's quite important is that you do not use an NVMe disk, because for whatever reason in VMware you can only spoof the vendor ID if you use a SCSI disk. I don't know why, but it works that way, and you cannot change that without reinstalling Windows. So we have to go to Finish, evidently, because VMware thinks it knows better than we do. So what we do is we copy this, we remove the NVMe and then we add a SCSI. Now we just have to install Windows, if you didn't forget to mount the ISO, which I did. So mount the ISO.

The other thing you need to do is change the MAC address so that that fingerprint doesn't exist, because VMware always uses a default. I didn't do this and I noticed when I ran pafish, so you'll see that later in the video. But we just do this: we can just click Generate and then change this to something else, and there you go, the MAC address is no longer fingerprinted. Okay, now if you want to create a Windows account without creating a Microsoft account, at least on Windows 10, you can go do "Domain join instead" and that will avoid the mess.

So now the telemetry you actually do want to get rid of, not because of like conspiracy theories, but because if we are doing network-level analysis we do not want Microsoft's telemetry, whatever they're doing, to be spamming our network feed. So we are going to kill as much of that as possible, because it serves absolutely no useful purpose. Microsoft is not going to be getting any useful data from these VMs, so nobody is losing. So this is O&O ShutUp10. This will just reduce the telemetry. This is a totally optional step, but if you're going to do network analysis this is going to make your life easier. I'm not going to bother with a restore point because this is a VM, and I'm going to set it to Recommended and Somewhat recommended, and I'm going to even go a bit further on some of these because this is a VM; we do not care about security features. This also, if you're using a version where it would be supported, this would be like the one case where I actually think using something like AtlasOS is perfectly fine. Do it if that's something you want to use, just for the sake of hygiene. I'm just going to use this.

Then we want to go to Group Policy. You can also do this using the registry if you have a version of Windows that does not support Group Policy. You want to go to Windows Components, you want to go to Microsoft Defender Antivirus (just going to make this a bit bigger so that we can actually read it): Turn off Microsoft Defender Antivirus. Now we are antivirus-free.

And now the next thing we've got to do is VMware Hardened Loader. This is a kernel driver which functions basically like a rootkit, except rather than hiding a virus it hides your VM. It's really cool stuff. It's a bit out of date, but it still works quite well. So what you do is download the zip. This will get you past most detectors, pretty much every commercial protector. Only thing, like, you're obviously not going to run Riot Vanguard on this, but why do you want to? I mean, unless you're like a cheat developer, that's not really that big of an interest. Pretty much everything that is not Riot Vanguard you can run perfectly fine.

So now we've got the rootkit enabled. So now the GitHub for that will include some instructions on how you can modify your VM settings, which I'm going to do. So we're going to shut down the VM and then we're going to use a text editor. You can use Vim, you can use Nano, if you're on Windows you can use Notepad, it doesn't matter. On Linux you don't need administrator privileges, and this is where the folder is going to be: it's going to be in your user directory, and then VMware, and then the name of your VM, and you can just do the name of your VM .vmx. It doesn't matter where you do it. In Vim I always just enter a big number and press j, and that's how you go to the bottom of the file. Probably a smaller way; I'm not a Vim expert. Now we copy this, and we also want to go and find our scsi0, and for whatever reason SCSI customization options work. I've tried this with other things, it doesn't, so that's why we needed SCSI. Product ID: this is what the SSD is going to be called. We can call this whatever we want. Malware is only going to be searching for bad things, so we can put bogus things in here, so we could for example put "Parker Systems SSD". The only trouble in doing that is it's going to create a fingerprint, so you're probably better off putting the name of a real company, but it genuinely doesn't matter. I just, unless they're going to bother... I think that's where I could declare I'd made it, is if they were to blacklist that, and then I could just change a letter and then it'd be fine. And here we go, I love it. Okay, so it duplicates that when you're looking at it, but there you go, this is completely unique. This is not a VM, according to this.

Now we can also try out Paranoid Fish, but before we do anything else with this system we should probably take a snapshot. That way we don't lose this system if we do anything dumb. Snapshot, Take Snapshot, there we go. Now we can do anything we want; you can install malware, we can run pafish. Now we're good. Here is pafish. Oh, wrong file, we have to go to the Releases page if we actually want the EXE, my bad. Oh, and even with Defender gone, SmartScreen still doesn't like it, but that's okay, we can just run it anyways. "This may be a malicious file." I don't know why; I guess because malware might use it. So now we can run the checks and see how many we're passing. Okay, now this one seems to be the trickiest. I saw someone who went really deep into Linux kernel hacking and edited some stuff to get KVM not to trigger it, but that one, I've seen pretty much no one. These ones, depending on how we do it, we will pass on, but we wouldn't pass on an automated. Oh, and I forgot to do the MAC address, so that's the final piece that we missed. But there we go, pretty much everything else is okay, so I'll just change the MAC address. That's going to be all for this video. Now if you're wanting something to watch next, because of course it's something that goes with this: if you want to see how I do the network dynamic analysis and capture every single packet and decrypt HTTPS, I'm going to have the video where I show that up on the end screen so you can watch that next. I hope you enjoyed it. Please subscribe. Bye.
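The two artefacts the video edits by hand, the NIC's MAC address and the SCSI disk's product ID, are exactly what a pafish-style detector looks at, so an analyst can verify the configuration before ever booting the VM. The following is an added example, not code from the video, from pafish or from VMware Hardened Loader: it re-implements those two checks and runs them over the text of a `.vmx` file. It assumes the standard VMware Workstation key names (`ethernetN.addressType`, `ethernetN.address`, `ethernetN.generatedAddress`, `scsiN:N.fileName`, `scsiN:N.productID`), uses the well-known VMware OUI list, and audits two constructed `.vmx` fragments (one default, one hardened), which are not taken from any real machine.

```python
import re

# Well-known VMware OUIs (first three octets of a MAC address). A freshly
# created VMware NIC gets one of these, which is the "MAC address fingerprint"
# the video removes by regenerating the address.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Substrings found in the disk product strings hypervisors hand out by default.
VM_DISK_MARKERS = ("vmware", "virtual", "vbox", "qemu")


def normalize_mac(mac):
    """Accept 00-0C-29-.. / 00:0c:29:.. / 000c29.. and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_looks_like_vmware(mac):
    """The check a pafish-style tool performs on the adapter's MAC address."""
    return normalize_mac(mac)[:8] in VMWARE_OUIS


def disk_looks_virtual(product_id):
    """The check a pafish-style tool performs on the disk's product string."""
    lowered = product_id.lower()
    return any(marker in lowered for marker in VM_DISK_MARKERS)


def parse_vmx(vmx_text):
    """Turn the key = "value" lines of a .vmx file into a dict."""
    settings = {}
    for line in vmx_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_vmx(vmx_text):
    """Return a list of fingerprint findings for the given .vmx text.

    Only the two artefacts from the video are audited: the NIC's MAC address
    and the SCSI disk's product ID. An empty list means both look clean.
    """
    settings = parse_vmx(vmx_text)
    findings = []

    for key, value in settings.items():
        match = re.fullmatch(r"(ethernet\d+)\.(address|generatedAddress)", key)
        if not match:
            continue
        nic, kind = match.groups()
        # VMware uses ethernetN.address only when addressType is "static";
        # otherwise the effective address is ethernetN.generatedAddress.
        static = settings.get(nic + ".addressType", "generated").lower() == "static"
        if (kind == "address") != static:
            continue
        if mac_looks_like_vmware(value):
            findings.append("%s = %s uses a VMware OUI" % (key, value))

    for key, value in settings.items():
        disk = re.fullmatch(r"(scsi\d+:\d+)\.fileName", key)
        if not disk:
            continue
        product_key = disk.group(1) + ".productID"
        product = settings.get(product_key)
        if product is None:
            findings.append("%s has no productID override (default VMware string)" % disk.group(1))
        elif disk_looks_virtual(product):
            findings.append("%s = %s still looks virtual" % (product_key, product))

    return findings


# Constructed sample .vmx fragments (not taken from a real machine).
SAMPLE_VMX_DEFAULT = '''\
displayName = "malware stealth"
ethernet0.present = "TRUE"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0C:29:AB:CD:EF"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "malware stealth.vmdk"
'''

SAMPLE_VMX_HARDENED = '''\
displayName = "malware stealth"
ethernet0.present = "TRUE"
ethernet0.addressType = "static"
ethernet0.address = "54:2A:1B:00:11:22"
ethernet0.generatedAddress = "00:0C:29:AB:CD:EF"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "malware stealth.vmdk"
scsi0:0.productID = "Example Systems SSD"
scsi0:0.vendorID = "Example"
'''

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_VMX_DEFAULT), ("hardened", SAMPLE_VMX_HARDENED)):
        print(name, audit_vmx(text) or "no fingerprints found")
```

Running it against your own `.vmx` (for example `audit_vmx(open(path).read())`) gives a quick pre-boot check; pafish inside the guest remains the authoritative test, because it also probes things this script does not read, such as CPUID and timing behaviour.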
Info
Channel: Eric Parker
Views: 51,088
Keywords: vm, virtual, virtual machine, reverse engineering, malware analysis
Id: koWipFDgD6c
Length: 8min 3sec (483 seconds)
Published: Wed Jun 12 2024