Sandbox Setup Guide

Building Your Malware Lab

A proper sandbox environment is essential for safe malware analysis. This guide covers setting up isolated virtual machines with the right tools.

SECTION 01

Why Use a Sandbox?

A sandbox is an isolated environment where you can execute and analyze malware without risking your real systems or network. Think of it as a controlled blast zone.

Never analyze malware on your host machine. Even "looking at" a sample can trigger execution through previews, thumbnail generation, or AV scanning. Always use isolation.
Isolation: malware can't escape to infect real systems.
Snapshots: instantly restore to a clean state.
Monitoring: capture all system changes.
Network Control: intercept C2 traffic safely.
SECTION 02

Choose Your Analysis VMs

For malware analysis, you'll typically want both a Windows victim VM (where malware runs) and a Linux analysis VM (for tools and network simulation).

REMnux

Linux Analysis Distribution

REMnux is a Linux distribution purpose-built for reverse engineering and malware analysis. It comes pre-loaded with 600+ tools for static analysis, network analysis, and memory forensics.

INCLUDED TOOLS: Ghidra, Radare2, Volatility, YARA, Wireshark, oletools, pefile, INetSim

FlareVM

Windows Analysis Environment

FlareVM transforms a Windows VM into a malware analysis powerhouse. It's a collection of scripts that installs 140+ security tools automatically via Chocolatey and Boxstarter.

INCLUDED TOOLS: x64dbg, IDA Free, Process Hacker, PEStudio, Procmon, Autoruns, CFF Explorer, HxD
SECTION 03

Network Isolation

Network isolation is critical. Malware often tries to contact C2 servers, spread laterally, or exfiltrate data. You must contain this traffic.

RECOMMENDED NETWORK ARCHITECTURE: Host Machine <-> Host-Only Network <-> Malware VM

1. Create Host-Only Network

In VirtualBox/VMware, create an isolated virtual network that cannot reach the internet or your LAN. Note that a host-only network still connects the guest to the host's virtual adapter (10.0.0.1 in the commands below), so make sure the host firewall exposes no services on that interface.

2. Disable Shared Folders

Turn off any folder sharing between host and guest VMs. Malware could escape via shared directories.

3. Use INetSim for Fake Services

Run INetSim on your REMnux VM to simulate internet services (HTTP, DNS, SMTP) and capture malware traffic.

# VirtualBox: Create host-only network
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 10.0.0.1 --netmask 255.255.255.0

# Configure VM to use host-only adapter
VBoxManage modifyvm "MalwareVM" --nic1 hostonly --hostonlyadapter1 vboxnet0
For Behavioral Analysis Only: If you need real internet (to see actual C2 traffic), use a VPN endpoint that can be burned, on a physically isolated network. Never route malware traffic through your regular network.
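A pre-detonation check for the isolation settings described in this section (host-only NIC, no shared folders, clipboard and drag-and-drop off), added here as an example and not part of the original guide. It reads the output of `VBoxManage showvminfo "<VM>" --machinereadable`; the sample dump at the bottom is constructed, not captured from a real VM.

```shell
#!/bin/sh
# Audit a VirtualBox VM definition before running a sample (added example, not the
# guide's own tooling). Returns 0 when isolation looks right, else the finding count.

cfg_get() {  # $1 = config dump, $2 = key; prints the unquoted value or nothing
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tr -d '"'
}

audit_vm_config() {
    cfg=$(cat)
    findings=0
    # 1. Every adapter must be host-only or disabled; nat/bridged/natnetwork can
    #    reach the LAN or the Internet.
    for n in 1 2 3 4 5 6 7 8; do
        mode=$(cfg_get "$cfg" "nic$n")
        case "$mode" in
            ""|none|hostonly) ;;
            *) echo "FAIL nic$n is '$mode' (expected hostonly or none)"
               findings=$((findings + 1)) ;;
        esac
    done
    # 2. A shared folder is a host path mounted inside the guest: an escape route.
    shares=$(printf '%s\n' "$cfg" | grep -E '^SharedFolderPathMachineMapping[0-9]+=' || true)
    if [ -n "$shares" ]; then
        printf '%s\n' "$shares" | sed 's/^/FAIL shared folder: /'
        findings=$((findings + $(printf '%s\n' "$shares" | wc -l)))
    fi
    # 3. Clipboard and drag-and-drop also cross the VM boundary.
    for key in clipboard draganddrop; do
        val=$(cfg_get "$cfg" "$key")
        if [ -n "$val" ] && [ "$val" != "disabled" ]; then
            echo "FAIL $key is '$val' (expected disabled)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample dump (abbreviated; not captured from a real VM).
UNSAFE_CFG='name="MalwareVM"
nic1="bridged"
nic2="none"
SharedFolderPathMachineMapping1="/home/analyst/samples"
clipboard="bidirectional"
draganddrop="disabled"'

# Live use: VBoxManage showvminfo "MalwareVM" --machinereadable | audit_vm_config
printf '%s\n' "$UNSAFE_CFG" | audit_vm_config || echo "unsafe: $? finding(s)"
```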
SECTION 04

VM Configuration & Anti-Detection

Many malware samples detect VMs and sandbox environments, then refuse to run. Here's how to make your analysis VM less detectable while staying safe.

Remove VM guest additions/tools (or rename VMware/VBox processes)
Allocate realistic resources (4GB+ RAM, 2+ CPU cores)
Create "normal" user files (documents, browser history)
Set realistic hostname and username (not "Malware-Analysis")
Install common software (Office, browsers, Adobe Reader)
Disable Windows Defender / AV (to allow malware to run)
Take a CLEAN SNAPSHOT before any analysis
# Registry changes to hide VM artifacts (run as admin)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation" /v SystemProductName /t REG_SZ /d "Dell OptiPlex 7090" /f
# HKLM\HARDWARE is a volatile hive rebuilt from SMBIOS at every boot, so the next edit does not survive a reboot: reapply it in the running VM before taking the clean snapshot
reg add "HKLM\HARDWARE\Description\System\BIOS" /v SystemManufacturer /t REG_SZ /d "Dell Inc." /f
SECTION 05

Essential Analysis Tools

Beyond REMnux and FlareVM, here are the must-have tools you'll use daily:

Static Analysis

PEStudio: initial PE triage
Ghidra: disassembly & decompilation
strings / FLOSS: string extraction
Detect It Easy: packer detection

Dynamic Analysis

x64dbg: debugging
Process Monitor: system activity
Wireshark: network capture
Process Hacker: process inspection

Document Analysis

oletools: Office macros
pdf-parser: PDF analysis
ViperMonkey: VBA emulation
zipdump: archive inspection
SECTION 06

Best Practices

DO: Take snapshots before every analysis session. Label them clearly with dates.
DON'T: Never copy malware samples to shared folders or removable media.
DO: Use password-protected ZIPs (password: "infected") when storing samples.
DON'T: Don't bridge your analysis VM to your production network - ever.
DO: Document everything - screenshots, hashes, timestamps, observations.
DON'T: Don't rush. Malware can have time-delayed payloads or VM detection.
Pro Tip: Create a "base" snapshot after initial setup, then analysis-specific snapshots. This makes it easy to restore to clean + configured state.

Training Complete!

Congratulations! You've completed the Dark Arts introductory training. You now have the foundation to safely analyze malware. Remember: with great knowledge comes great responsibility.
