BlackMega Malware Analysis VM

Introduction

Convert a Windows virtual machine into a malware analysis lab using Ansible playbooks that automate the installation of malware analysis tools and gadgets, and debloat unneeded Windows services to reduce background network traffic and the number of running processes.

Github Repository: https://github.com/r0ttenbeef/BlackMega-VM

Requirements

Just an up-and-running, up-to-date Windows 10 or Windows 11 virtual machine; no extra installation on the guest is needed.

Also make sure to take a snapshot before running the playbook, so the machine can be reverted if anything goes wrong.

  • Operating System: Windows 10
  • CPU Cores: 6
  • RAM Size: 6244 MB
  • Disk Space: 100 GiB

Add your own tools

The default BlackMega VM tools are installed with the Chocolatey package manager for Windows for easy and fast installation. The tool list is stored in group_vars/all.yml, where it can be modified as needed.

Fast Demo

A short demonstration video recorded after the blackmega-vm installation finished; click the image below.

Windows configurations before running

Before running the Ansible playbook, a few changes have to be made on the Windows machine first.

Enable Windows Remote Management (WinRM)

Ansible uses the WinRM protocol to connect to the Windows machine.

  1. Make the network profile Private

  2. Enable WinRM from PowerShell (run as Administrator)
    winrm quickconfig
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'

  3. Disable Windows Defender and the Windows Firewall

  4. Disable User Account Control (UAC)

  5. Make sure that the user is in the Administrators group
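The five steps above are easy to get half right (for example, winrm quickconfig refuses to open the firewall while the network profile is still Public, and the EnableLUA change only applies after a reboot). The following pre-flight script, an added example that is not part of the BlackMega-VM repository, checks each step from an elevated PowerShell prompt on the VM and prints a pass/fail table. It assumes the default WinRM HTTP listener on TCP 5985, which is what the hosts.ini example later on points at; note that Basic authentication over AllowUnencrypted HTTP sends the hosts.ini credentials in the clear, so these are lab-network-only settings that the cleanup section turns off again.

```powershell
# Added pre-flight check for the "Windows configurations before running" steps.
# Not part of the BlackMega-VM repository. Run in an elevated PowerShell on the VM.
# Assumption: the default WinRM HTTP listener (TCP 5985) is the one hosts.ini uses.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. Network profile must be Private; 'winrm quickconfig' will not open the firewall on a Public profile.
$profiles = Get-NetConnectionProfile
$notPrivate = @($profiles | Where-Object { $_.NetworkCategory -ne 'Private' })
Add-Check 'Network profile is Private' ($notPrivate.Count -eq 0) `
    (($profiles | ForEach-Object { "$($_.Name)=$($_.NetworkCategory)" }) -join ', ')

# 2. WinRM service running, listener answering locally, and the two settings the page changes.
$winrm = Get-Service -Name WinRM
Add-Check 'WinRM service running' ($winrm.Status -eq 'Running') "$($winrm.Status)"
$listener = $null -ne (Test-WSMan -ComputerName localhost -ErrorAction SilentlyContinue)
Add-Check 'WinRM listener answers on localhost' $listener ''
if ($winrm.Status -eq 'Running') {
    $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    Add-Check 'Basic auth enabled (ansible_winrm_transport = basic)' ($basic -eq 'true') "Basic=$basic"
    Add-Check 'AllowUnencrypted enabled (HTTP on 5985)' ($unenc -eq 'true') "AllowUnencrypted=$unenc"
}

# 3. Defender real-time protection and the host firewall are off.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Add-Check 'Defender real-time protection off' (-not $mp.RealTimeProtectionEnabled) `
        "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
}
$fw = Get-NetFirewallProfile
$fwOn = @($fw | Where-Object { "$($_.Enabled)" -eq 'True' })
Add-Check 'Firewall disabled on all profiles' ($fwOn.Count -eq 0) `
    (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

# 4. UAC: EnableLUA = 0 means UAC is off (only effective after a reboot).
$lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA).EnableLUA
Add-Check 'UAC disabled (EnableLUA=0, reboot required)' ($lua -eq 0) "EnableLUA=$lua"

# 5. The current user is a member of the local Administrators group.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check "User $($me.Name) is an Administrator" $isAdmin ''

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Fix the failed checks (and reboot if EnableLUA was just changed) before running ansible-playbook.'
}
```

Run it from the same elevated prompt used for the winrm commands; any row with Ok = False maps directly back to one of the numbered steps above.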

Initiate the installation

After cloning the BlackMega VM repository, install the Python WinRM module from the requirements file.

pip install -r requirements

The host credentials should be stored in the hosts.ini file, as in the following example.

[windows_box]
10.0.20.5

[windows_box:vars]
ansible_user = "admin_user"
ansible_password = "pass123"
ansible_port = 5985
ansible_connection = winrm
ansible_winrm_transport = basic

Now you can start the Ansible playbook.

ansible-playbook start.yml -i hosts.ini

Cleanup after finishing

You can now revert the critical changes you made earlier, such as disabling WinRM and reactivating UAC.

In the Desktop\My_Tools\Maintainance folder you will find tools that help you re-enable any disabled services, such as Windows Update, Edge blocking, etc.
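The cleanup described above can be scripted. The following is an added example, not a tool from the BlackMega-VM repository or its Maintainance folder; run it from an elevated PowerShell on the VM after the playbook has finished. It reverses exactly the pre-run changes from the "Windows configurations before running" section (WinRM Basic/unencrypted settings and listener, the firewall rule that winrm quickconfig opened, UAC, and the host firewall); re-enabling the debloated Windows services is still the job of the Maintainance tools.

```powershell
# Added cleanup script, not part of the BlackMega-VM repository. Run elevated after
# the playbook finishes. Reverts the pre-run WinRM, firewall and UAC changes only.

# Turn the insecure WinRM settings off again before stopping the service
# (WSMan: drive is only available while the service is running).
if ((Get-Service -Name WinRM).Status -eq 'Running') {
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
}
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Disabled

# 'winrm quickconfig' enabled the WinRM firewall rule group; disable it again.
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue

# Reactivate UAC (EnableLUA=1 takes effect at the next reboot).
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name EnableLUA -Value 1 -Type DWord

# Re-enable the host firewall on all three profiles.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Optional: set the network profile back to Public if the VM shares an adapter with the host.
# Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public

Write-Output 'WinRM disabled, UAC re-enabled (reboot required), firewall enabled.'
```

Defender real-time protection is deliberately left alone here, since an analysis VM normally keeps it off; if you do want it back, Set-MpPreference -DisableRealtimeMonitoring $false restores it. Take a fresh snapshot after this cleanup so the clean, tooled state can be returned to after each analysis session.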