# FLARE VM - Malware Analysis Edition
# Banner, attribution and license notice, printed before anything is installed.
# Every string below is handed to Write-BoxstarterMessage unchanged, one call per
# line, in this order; the text is user-facing and must not be edited casually.
@(
    " ______ _ _____ ______ __ ____ __ ",
    " | ____| | /\ | __ \| ____| \ \ / / \/ |",
    " | |__ | | / \ | |__) | |__ _____\ \ / /| \ / |",
    " | __| | | / /\ \ | _ /| __|______\ \/ / | |\/| |",
    " | | | |____ / ____ \| | \ \| |____ \ / | | | |",
    " |_| |______/_/ \_\_| \_\______| \/ |_| |_|",
    " M A L W A R E A N A L Y S I S E D I T I O N ",
    " ",
    " Version 1.0 ",
    " ________________________________________________________",
    " Developed by ",
    " Peter Kacherginsky ",
    " FLARE (FireEye Labs Advanced Reverse Engineering) ",
    " _______________________________________________________ ",
    " ",
    "This download configuration script is provided to assist cyber security analysts",
    "in creating handy and versatile toolboxes for malware analysis environments. It",
    "provides a convenient interface for them to obtain a useful set of analysis",
    "tools directly from their original sources. Installation and use of this script",
    "is subject to the Apache 2.0 License.",
    " ",
    "You as a user of this script must review, accept and comply with the license",
    "terms of each downloaded/installed package listed below. By proceeding with the",
    "installation, you are accepting the license terms of each package, and",
    "acknowledging that your use of each package will be subject to its respective",
    "license terms.",
    "",
    "List of package licenses:",
    "",
    "http://www.ollydbg.de/download.htm, http://www.ollydbg.de/download.htm,",
    "https://github.com/x64dbg/x64dbg/blob/development/LICENSE,",
    "http://go.microsoft.com/fwlink/?LinkID=251960,",
    "https://www.hex-rays.com/products/ida/support/download_freeware.shtml,",
    "https://docs.binary.ninja/about/license/#demo-license,",
    "https://github.com/icsharpcode/ILSpy/blob/master/doc/license.txt,",
    "https://github.com/0xd4d/dnSpy/blob/master/dnSpy/dnSpy/LicenseInfo/GPLv3.txt,",
    "https://www.jetbrains.com/decompiler/download/license.html,",
    "https://github.com/0xd4d/de4dot/blob/master/LICENSE.de4dot.txt,",
    "http://www.oracle.com/technetwork/java/javase/terms/license/index.html,",
    "https://github.com/java-decompiler/jd-gui/blob/master/LICENSE,",
    "https://www.vb-decompiler.org/license.htm, http://kpnc.org/idr32/en/,",
    "https://www.free-decompiler.com/flash/license/,",
    "https://www.mcafee.com/hk/downloads/free-tools/fileinsight.aspx,",
    "https://mh-nexus.de/en/hxd/license.php,",
    "https://www.sweetscape.com/010editor/manual/License.htm,",
    "http://www.ntcore.com/exsuite.php, http://wjradburn.com/software/,",
    "http://ntinfo.biz, https://www.sublimetext.com,",
    "https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/LICENSE,",
    "http://vimdoc.sourceforge.net/htmldoc/uganda.html,",
    "http://www.gnu.org/licenses/gpl-2.0.html,",
    "https://raw.githubusercontent.com/ferventcoder/checksum/master/LICENSE,",
    "http://www.7-zip.org/license.txt,",
    "http://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html,",
    "http://www.gnu.org/copyleft/gpl.html,",
    "https://cdn.rawgit.com/iggi131/packages/master/RawCap/license.txt,",
    "https://www.gnu.org/copyleft/gpl.html,",
    "http://upx.sourceforge.net/upx-license.html,",
    "http://technet.microsoft.com/en-us/sysinternals/bb469936,",
    "http://www.rohitab.com/apimonitor,",
    "http://whiteboard.nektra.com/spystudio/spystudio_license,",
    "http://www.slavasoft.com/hashcalc/license-agreement.htm,",
    "http://www.gnu.org/licenses/gpl-2.0.html,",
    "http://www.techworld.com/download/portable-applications/microsoft-offvis-11-3214034/,",
    "http://exeinfo.atwebpages.com,",
    "https://www.python.org/download/releases/2.7/license/,",
    "https://www.microsoft.com/en-us/download/details.aspx?id=44266,",
    "https://raw.githubusercontent.com/IntelliTect/Licenses/master/WindowsManagementFramework.txt,",
    "http://msdn.microsoft.com/en-US/cc300389.aspx,",
    "https://raw.githubusercontent.com/chocolatey/choco/master/LICENSE"
) | ForEach-Object { Write-BoxstarterMessage $_ }
###############################################################################
# Configure system
###############################################################################
# Boxstarter options
$Boxstarter.RebootOk=$true # Allow reboots?
$Boxstarter.NoPassword=$false # Is this a machine with no login password?
$Boxstarter.AutoLogin=$true # Save my password securely and auto-login after a reboot
# Basic setup
# Sets the PowerShell execution policy to Unrestricted so unsigned scripts run;
# this lowers a machine-wide guardrail and is only appropriate on a dedicated,
# isolated analysis VM, never on a host used for anything else.
Update-ExecutionPolicy Unrestricted
# Turning off Microsoft Update keeps the analysis environment stable, but it
# also means the VM stops receiving security patches - keep it snapshotted and
# off any network that reaches production systems.
Disable-MicrosoftUpdate
# Show hidden/protected OS files and real extensions so samples cannot hide
# behind "file.pdf.exe"-style names or system-file attributes.
Set-WindowsExplorerOptions -EnableShowProtectedOSFiles -EnableShowFileExtensions
Set-TaskbarOptions -Size Small
Disable-BingSearch
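###############################################################################
# Install Chocolatey packages
###############################################################################
# Configure FLARE chocolatey feed
# Single source of truth for the FLARE feed URL: used when registering the
# source below and as the -s argument of every FLARE-specific cinst call.
$flare = "https://www.myget.org/F/flare/api/v2"
###############################################################################
# Install packages
# Set up Chocolatey
cinst chocolatey # Install chocolatey base package
if (Test-PendingReboot) { Invoke-Reboot }
# Register the FLARE feed at higher priority than the community feed. The URL
# is taken from $flare rather than repeated as a literal so the registered
# source cannot silently drift from the one the later cinst calls use.
cmd.exe /c choco sources add -n=flare -s $flare --priority 1
# Suppress interactive confirmation prompts for the unattended install.
cmd.exe /c choco feature enable -n allowGlobalConfirmation
# allowEmptyChecksums lets Chocolatey install packages that publish no download
# checksum, so a tampered or swapped payload behind such a package would not be
# detected. Presumably needed because some packages used below ship without
# checksums - confirm, and drop this once they all verify. Keep the VM isolated.
cmd.exe /c choco feature enable -n allowEmptyChecksums
cinst flarevm -s $flare # FLARE VM specific configurations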
# Packages requiring reboot
cinst powershell
cinst dotnet4.6.2
# Debuggers - all installed from the FLARE feed, in the listed order.
@(
    'ollydbg',             # OllyDbg 1.10
    'ollydbg.ollydump',    # OllyDump plugin
    'ollydbg.ollydumpex',  # OllyDumpEx plugin
    'ollydbg2',            # OllyDbg 2.0
    'ollydbg2.ollydumpex', # OllyDumpEx plugin
    'x64dbg',              # x64dbg
    'windbg',              # WinDbg x86, x64, .NET
    'windbg.kenstheme',    # Ken's WinDbg theme
    'windbg.ollydumpex',   # OllyDumpEx plugin
    'windbg.pykd'          # PyKD
) | ForEach-Object { cinst $_ -s $flare }
# Disassemblers and .NET tooling - all from the FLARE feed, in the listed order.
@(
    'idafree',     # Disassembler: IDA Free
    'binaryninja', # Disassembler: Binary Ninja Demo
    'ilspy',       # .NET: ILSpy
    'dnspy',       # .NET: dnSpy
    'dotpeek',     # .NET: dotPeek
    'de4dot'       # .NET: de4dot
) | ForEach-Object { cinst $_ -s $flare }
# Java runtime comes from the default (community) feed, no -s given.
cinst javaruntime # JRE
# Remaining decompilers, hex editors and PE tools - all from the FLARE feed.
@(
    'jd-gui',        # Java: JD-GUI
    'vbdecompiler',  # VB: VB Decompiler Lite
    'idr.small',     # Delphi: IDR (small edition)
    'ffdec',         # Flash: FFDec
    'fileinsight',   # Hex editor: FileInsight
    'hxd',           # Hex editor: HxD
    '010editor',     # Hex editor: 010 Editor
    'peid',          # PE: PEiD
    'explorersuite', # PE: CFF Explorer
    'peview',        # PE: PEview
    'die'            # PE: DIE
) | ForEach-Object { cinst $_ -s $flare }
# Text Editors
# --ignore-checksums turns off Chocolatey's download-integrity check for these
# three community packages; presumably their published checksums were stale
# when this was written - confirm. A tampered download would go unnoticed here,
# so remove the flag as soon as the packages verify cleanly again.
cinst --ignore-checksums sublimetext3 # Sublime Text 3
cinst --ignore-checksums notepadplusplus # NotePad++
cinst --ignore-checksums vim # Vim
# Utilities
# Entries without -s come from the default (community) feed; entries with
# -s $flare come from the FLARE feed registered earlier in this script.
cinst unxutils # Unix Utils
cinst checksum # Hash Calculator
cinst 7zip.install # 7-Zip
cinst putty # Putty
#cinst npcap # Npcap NOTE: Breaks WinDivert
cinst wireshark.flare -s $flare # WireShark
cinst rawcap # RawCap
cinst wget # Wget
cinst upx # UPX
cinst sysinternals.flare -s $flare # Sysinternals wrapper
cinst apimonitor -s $flare # API Monitor
cinst spystudio.flare -s $flare # SpyStudio
cinst hashcalc -s $flare # HashCalc
cinst regshot -s $flare # RegShot
cinst offvis -s $flare # OffVis
cinst exeinfope -s $flare # ExeInfo PE
# Python
# Community python2 package, forced into an explicit install directory.
cinst python2 --package-parameters '/InstallDir:"C:\Program Files\Python27"' # Python 2.7 - Using private version
# FLARE-feed python at a fixed version, then pinned so a later
# "choco upgrade all" does not move the interpreter the tools below depend on.
cinst python -s $flare --version 2.7.13
choco pin add -n=python --version 2.7.13
cinst vcpython27 # Microsoft Visual C++ Compiler for Python 2.7
# PyKD requires installation of 32-bit Python in 64-bit systems in order to function properly
if(Get-OSArchitectureWidth -Compare 64) {
cinst python2.nopath -s $flare --x86 --package-parameters '/InstallDir:"C:\Program Files (x86)\Python27"'
}
# Python Modules
# "-source python" hands these to the Python package installer rather than a
# Chocolatey feed, so Chocolatey's own checksum handling does not apply here.
cinst hexdump -source python
cinst pefile -source python
cinst winappdbg -source python
cinst pycrypto -source python # Cryptographic modules for Python
cinst cryptography -source python # Cryptography for humans
# Unpinned: "zipball/master" fetches whatever the branch head is at install
# time, with no checksum or version lock, so two builds of this VM can differ
# and the only integrity guarantee is TLS to github.com. Pin to a release tag
# or commit when reproducibility matters.
cinst https://github.com/williballenthin/vivisect/zipball/master -source python # Vivisect
# Python Tools
cinst oletools -source python # Python tools to analyze OLE and MS Office files
cinst fakenet-ng.python -s $flare # FakeNet-NG
cinst floss.python -s $flare # FLOSS
# Same unpinned-branch caveat as the vivisect install above.
cinst https://github.com/fireeye/flare-qdb/zipball/master -source python # FLARE-QDB
# Visual C++ Redistributable Packages
cinst vcredist2008
cinst vcredist2010
cinst vcredist2012
cinst vcredist2013