
FlareVM


FLARE VM (Fully Flexible Automated Reverse Engineering Environment) is a freely available, open-source Windows-based security distribution developed by Mandiant. It is specifically designed for malware analysts, incident responders, and reverse engineers, automating the setup and maintenance of a comprehensive suite of security and analysis tools.

Tools

FlareVM has many specialized forensics, incident response, and malware investigation tools:

Reverse Engineering & Debugging

Reverse engineering is like solving a puzzle backward: you take a finished product apart to understand how it works. Debugging is identifying errors, understanding why they happen, and correcting the code to prevent them.

  • Ghidra - NSA-developed open-source reverse engineering suite.
  • x64dbg - Open-source debugger for binaries in x64 and x32 formats.
  • OllyDbg - Debugger for reverse engineering at the assembly level.
  • Radare2 - A sophisticated open-source platform for reverse engineering.
  • Binary Ninja - A tool for disassembling and decompiling binaries.
  • PEiD - Packer, cryptor, and compiler detection tool.

Disassemblers & Decompilers

Disassemblers and decompilers are crucial tools in malware analysis. They help analysts understand a malicious program’s behaviour, logic, and control flow by translating its machine code into a more readable form (assembly or pseudo-source). The tools mentioned below are commonly used in this category.

  • CFF Explorer - A PE editor designed to analyze and edit Portable Executable (PE) files.
    • With the help of CFF Explorer’s comprehensive file information, investigators can generate file hashes for integrity verification, authenticate the source of system files, and check them for tampering (e.g., by looking for unusual alterations).
  • Hopper Disassembler - A debugger, disassembler, and decompiler.
  • RetDec - Open-source decompiler for machine code.

Static & Dynamic Analysis

Static and dynamic analysis are two crucial methods in cyber security for examining malware. Static analysis involves inspecting the code without executing it, while dynamic analysis involves observing its behaviour as it runs. The tools mentioned below are commonly used in this category.

  • Process Hacker - Sophisticated memory editor and process watcher.
  • PEview - A portable executable (PE) file viewer for analysis.
  • Dependency Walker - A tool for displaying an executable’s DLL dependencies.
  • DIE (Detect It Easy) - A packer, compiler, and cryptor detection tool.
  • PeStudio - Used for static analysis or studying executable file properties without running the files.
  • FLOSS - Extracts and de-obfuscates all strings from malware programs using advanced static analysis techniques.
    • The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) automatically extracts and de-obfuscates all strings from malware programs. Like strings.exe, it can enhance the basic static analysis of unknown binaries.
    • FLOSS also ships additional Python scripts in its scripts directory, which can load FLOSS’s output into other programs like IDA Pro or Binary Ninja.
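The basic static-analysis pass described above (what strings.exe, PEview or FLOSS’s plain string extraction do before any de-obfuscation) is small enough to show in full. The following Python is an added example written for this page, not code from FLOSS, PEview or any other FlareVM tool: it sanity-checks the DOS/PE headers of a buffer and pulls out ASCII and UTF-16LE string runs with their file offsets. The input is a constructed PE-like blob, not a real executable, and the function names are the example’s own.

```python
"""Added example (not FLOSS/PEview code): minimal static-analysis pass.

Checks the DOS header and PE signature, reads the COFF header fields,
and extracts printable ASCII and UTF-16LE strings the way strings.exe does.
"""
import re
import struct
from typing import List, Optional, Tuple


def pe_header_info(data: bytes) -> Optional[dict]:
    """Return machine/section count/timestamp from the COFF header, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # DOS header magic
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # COFF header: Machine (u16), NumberOfSections (u16), TimeDateStamp (u32), ...
    machine, num_sections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": machine, "sections": num_sections, "timestamp": timestamp}


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for each ASCII / UTF-16LE run of >= min_len chars.

    min_len=4 mirrors the strings.exe default; shorter runs are mostly noise.
    """
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: each printable ASCII char is followed by a NUL byte.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)  # ordered by file offset


def build_sample() -> bytes:
    """Constructed PE-like blob for demonstration only (not a runnable executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE sig at 0x40
    # Machine=0x8664 (x64), 3 sections, timestamp, symtab ptr/count, opt hdr size, flags
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5F000000, 0, 0, 0xF0, 0x22)
    body = (
        b"\x00" * 8
        + b"kernel32.dll\x00"                          # ASCII run
        + b"CreateFileA\x00"                           # ASCII run
        + b"ab\x00\x00"                                # too short: dropped
        + "C:\\Windows\\Temp\\sample.log".encode("utf-16le") + b"\x00\x00"  # wide run
        + b"\xff\xfe\x00\x01"                          # binary noise
        + b"Hello from the sample"                     # ASCII run
    )
    return bytes(dos) + b"PE\x00\x00" + coff + body


if __name__ == "__main__":
    blob = build_sample()
    print("PE header:", pe_header_info(blob))
    for offset, enc, text in extract_strings(blob):
        print(f"0x{offset:06x} {enc:9} {text}")
```

Run it as-is to see the header fields and the four recovered strings; pass any real file’s bytes to `extract_strings` to get the same triage view that a strings tool gives (note that a legitimate string sitting next to a stray printable byte will be reported with that byte glued on, which is the same artifact strings.exe shows).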

Forensics & Incident Response

Digital forensics involves the collection, analysis, and preservation of digital evidence from sources such as computers, networks, and storage devices. Incident response, by contrast, focuses on the detection, containment, eradication, and recovery from cyberattacks. The tools mentioned below are commonly used in this category.

  • Volatility - RAM dump analysis framework for memory forensics.
  • Rekall - Framework for memory forensics in incident response.
  • FTK Imager - Disk image acquisition and analysis tool for forensic use.

Network Analysis

Network Analysis includes different methods and techniques for studying and analysing networks to uncover patterns, optimize performance, and understand the underlying structure and behaviour of the network.

  • Wireshark - Network protocol analyzer for traffic recording and examination.
  • Nmap - A vulnerability detection and network mapping tool.
  • Netcat - Utility for reading and writing data across network connections.

File Analysis

File Analysis is a technique used to examine files for potential security threats and ensure proper file permissions.

  • FileInsight - A program for looking through and editing binary files.
  • Hex Fiend - Hex editor that is light and quick.
  • HxD - Binary file viewing and editing with a hex editor.

Scripting & Automation

Scripting and Automation involve using scripts such as PowerShell and Python to automate repetitive tasks and processes, making them more efficient and less prone to human error.

  • Python - Interpreter plus a set of modules and tools, mainly used for automation.
  • PowerShell Empire - Framework for PowerShell post-exploitation.

Sysinternals Suite

The Sysinternals Suite is a collection of advanced system utilities designed to help IT professionals and developers manage, troubleshoot, and diagnose Windows systems.

  • Autoruns - Shows what executables are configured to run during system boot-up.
  • Process Monitor (ProcMon) - Monitors and logs real-time process/thread, file system and registry activity.
  • Process Explorer (Procexp) - Provides information about running processes.
    • Process Explorer offers in-depth insights into the active processes running on your computer.
    • It allows you to delve into the inner workings of your system, providing a comprehensive list of currently running processes and their linked user accounts.
    • If you’ve ever wondered which program has a specific file or folder open, Process Explorer can show you that.
    • We can also monitor what other processes are being spawned, such as from a Word document, an LNK file, or even an ISO file, as threat actors typically abuse these.
https://nahil.xyz/vault/tools/flarevm/
Author Nahil Rasheed
Published at June 19, 2026
Disclaimer This content is provided strictly for educational purposes only.