Creating a VM for Malware Analysis in VirtualBox

0. Introduction

This tutorial creates a Windows 10 virtual machine (VM) on VirtualBox that can be used for malware analysis. It is important to configure the VM properly so that malware will not leak onto your host computer, network, or the internet.

I made this tutorial for the Reverse Engineering Fundamentals (CSEC 202) course at Rochester Institute of Technology (RIT). As of January 2022, the class does not provide setup instructions for students who do not want to use VMware, which is often buggy and difficult to set up on Linux machines.

I am not liable for any mishaps if something fails or no longer works; please read my legal disclaimer. The post was created to assist RIT’s Spring 2022 CSEC 202 course.

1. Install VirtualBox

2. Download a Windows 10 Education ISO

I installed mine from Azure for Education (AFE). If you are a student at RIT, you should log in to AFE using your RIT account. Your RIT account will allow you to obtain a product license. If you do not have access to AFE, you will need to find another way to download a Windows 10 VM.

Software -> search "Windows 10 Education, version 21H1 – DVD" -> download

Once the download starts, click “view product key.” Copy the product key and store it somewhere safe. The installer will ask you for the product key.

There may be free Windows 10 VMs elsewhere, but I do not know about them. If you found a free and legal way to download Windows 10 VMs, please reach out; I will add a link to it in this post.

3. Organize the host environment

a. Rename the ISO

Once the VM downloads, add a prefix by renaming the ISO:

virtual_box_malware_[rest of name].iso

A detailed ISO name will remind you that this VM has malware installed on it and that it should not be reused or opened elsewhere.

b. Folder setup

In your home directory, create a folder to store the ISO. Move the ISO to that folder.

Here is my folder path on my Linux host machine:

/home/olivia/virtual_boxes_vm/CSEC202/windows_malware_vm/

In the windows_malware_vm folder, I stored the windows ISO. I will reference this structure throughout the rest of this post. It is fine if your structure differs.

🌸👋🏻 Let’s take this to your inbox. You’ll receive occasional emails about whatever’s on my mind—offensive security, open source, academics, boats, software freedom, you get the idea.

4. Install the ISO

Open VirtualBox, click “New,” and install the Windows 10 ISO located in the windows_malware_vm folder.

Memory: 4096 MB
Hard disk: Create a virtual hard disk now
Hard disk file type: VHD
Storage on physical hard disk: fixed size
Disk space: 80 GB of space
If prompted, assign 2 core processors and or 2 GB of RAM.

After this, you should see the VirtualBox home menu and your VM.

5. Login to the VM

Once your Windows 10 VM is ready, power it on and follow the installer.

Do not use your personal Microsoft account or create a new Microsoft account. Log in using the “Domain Join” option in the bottom left corner.

Then, create a local account. Local accounts are separate from Microsoft accounts.

6. Ping test

Open the command prompt, and ping 8.8.8.8. If your prompt looks similar to the image below, continue with the next step. I will explain why this is important later.

7. Install VirtualBox Guest Additions

Perform this inside the VirtualBox malware analysis VM:

Settings -> Devices -> Insert Guest Additions CD Image ...

Then, reboot and log in to the same VM.

Windows file manager -> CD Drive VirtualBox Guide Additions -> VBoxWindowsAdditions

Follow the installer. Then, reboot and log in to the VM.

8. Install ALL Windows VM Updates

Settings -> Updates & Security -> Windows Updates -> Install now

9. Install .Net Framework 3.5 on the VM

Search “windows features” in the home screen search bar.

10. Attachable media

Ensure mouse integration is on, so that you do not get any attachable media infected; I read that this is the safest setting, but I honestly have no idea. You can toggle mouse capture by clicking the right-ctrl key. You will know if your mouse integration is off because you will not be able to move your mouse outside the VM.

11. Secure folder sharing

a. Create the folder on the host

You will need to transfer files from your host to your VM through a shared folder. On your host machine, create a folder to store files you want to share with the VM. I titled my folder CSEC202_shared. Here is where I stored my files on my Linux host machine:

/home/olivia/virtual_boxes_vm/CSEC202/windows_malware_vm/CSEC202_shared

If you are in CSEC202, you will be downloading zipped files from MyCourses and storing them on your host. Specifically, you will store the files in your shared folder. Be careful NOT to unzip anything on your host.

For test purposes, create a file called hi.txt inside the shared folder.

b. Add the folder to the VM

Next, we need to safely add the folder to the VM by setting the permissions to “read-only.” The “read-only” permission prevents the VM from making changes to the host, but allows the VM to download any content located in the folder.

Inside the VirtualBox home:

Settings -> Shared Folders -> "+" folder icon

Here are my configurations:

Folder path (host):
~/virtual_boxes_vm/CSEC202/windows_malware_vm/CSEC202_shared
Folder name: CSEC202_shared
Check read-only
Check auto-mount
Mount-point (VM):
- General format: C:\Users\[username]\Desktop\[foldername]
- My folder path: C:\Users\csec202\Desktop\CSEC202_shared
Check make permanent

If successful, you should see hi.txt in the specified location on the VM. You should not be able to edit the original file in the folder. However, you should be able to copy hi.txt into a different location and then edit it. Furthermore, you should be able to add more files to your host’s shared folder, and they will appear in the VM.

12. Disable network settings

Inside the VirtualBox home:

Settings -> Network -> Not attached

Check that the settings work by pinging 8.8.8.8 inside the VM. If your ping works, your settings did not save! In other words, pinging 8.8.8.8 should not work after you make this change.

13. Snapshot the clean VM

Snapshots allow you to revert your machine to a previous state. It is like a backup for a VM. Take a snapshot of the VM and name it something like “CSEC202 Windows 10 Clean Import.”

In VirtualBox overhead settings:

Machine -> Take snapshot

14. Conclusion

Your VirtualBox malware analysis VM should be ready for CSEC202! If the VM is configured properly, it should be completely isolated from your host, WiFi, and internet.

Tips from the CSEC202 course slides:

Take snapshots regularly, so that you do not have to repeat labs.
Do NOT attempt to download anything inside your VM. All downloads should be done on your host machine and transferred to the host using your shared folder.

I hope you enjoyed this tutorial on how to create a malware analysis VM in VirtualBox.