Apple M1 Mac Malware Analysis Lab (Windows 11) (Patreon)
In this tutorial we will set up a free, safe Windows 11 virtual machine (VM) that can be used for dynamic malware analysis on an Apple M1 host (M1 MacBooks, etc.). Since the M1 chips use the ARM architecture, the options for VMs are limited.
Currently (August 2022) there is no usable x86-to-ARM translation layer for hypervisors on the M1 chip, so an x86 guest is not a practical option. This means we are limited to an ARM build of Windows for our VM. Windows 11 (ARM) can run both 32-bit and 64-bit x86 binaries through its built-in x86 emulation (a technology similar to WOW64), which makes it the best choice for our VM: the malware we analyze is usually x86, and it will still run.
Free Windows 11 ARM VM
Currently (August 2022), Microsoft provides a free Windows 11 ARM VM image via the Windows Insider Program. Signing up for the program is free and only takes a minute or two. Once you are a member of the Windows Insider Program, a Windows 11 ARM VHDX file will be available for download.
- Sign up as a Windows Insider (if you have not already) https://insider.windows.com/en-us/register
- Navigate to the Windows 11 on Arm Insider Preview page https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewARM64
- Select “Windows 11 Client ARM64 Insider Preview(Beta Channel)”
- The Beta Channel is the more stable release as opposed to the Dev Channel
- Download the VHDX file
UTM Hypervisor
There are multiple hypervisors available for running ARM VMs on an M1 Mac, but UTM is free and works well for our purposes. UTM can either be downloaded for free directly from the UTM website (https://mac.getutm.app/) or purchased via the App Store. The application is the same; purchasing it via the App Store is just a way to support the project.
Once UTM is installed, follow the Windows 11 ARM VM install instructions using the VHDX file downloaded in the previous step. https://mac.getutm.app/gallery/windows-11-arm
Note: you will have to apply the “Networking does not work” troubleshooting tip from that page before the VM has network access.
Using UTM (Read Before Proceeding)
UTM comes with some limitations that may be unfamiliar if you are used to more polished hypervisors like VMware.
- The VM should not be paused. Instead, shut it down using the Windows shutdown command from inside the VM.
- There are no snapshots; the entire VM must be cloned in order to save its state. It is highly recommended that you clone your initial clean VM before running any samples, so you always have a known-good image to return to.
- When copying files into the VM via a shared folder, a multi-file copy (dragging a folder) does not always succeed. Instead, copy a single file at a time, or zip any folders before copying them when needed.
- There is a bug that prevents UTM from booting Windows into safe mode. Until the bug is fixed, safe mode cannot be used to disable Windows Defender.
- Do not enable retina mode. It works, but it slows the VM to unusable speeds.
- The Mac “Command” key is the Windows key in the VM; use it to open the Start menu.
VM Preparation - Disable Windows Defender
Since we are running malware on this VM we don't want Windows Defender interfering, but Windows 11 does not allow Defender to be permanently disabled. Our best option is to temporarily disable Defender and add our C: drive to the exclusions. Windows will turn Real-time protection back on by itself after some time, so re-check these settings before each analysis session. Keep in mind that with these settings the VM has no protection of its own; the VM boundary and your clean clone are what keep the host safe.
- Open the Start menu and type “Windows Security”
- Open the Virus & threat protection section
- Click Manage settings
- Disable Realtime Protection
- Disable Cloud-delivered Protection
- Disable Automatic Sample Submission
- Disable Tamper Protection (while it is on, Defender ignores configuration changes made outside the Windows Security app)
- Click the Add or remove exclusions link in the Exclusions section
- Click Add an exclusion and add the C:\ directory
- You may also want to add any folders that you have shared with the VM
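The same Defender settings can be applied and, more importantly, verified from an elevated PowerShell inside the VM. This is an added example, not part of the original tutorial; it uses only the built-in Defender cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference, Get-MpComputerStatus). Tamper Protection has no PowerShell switch and must still be turned off in the Windows Security app first; the Z:\ shared-folder path is an assumption, substitute whatever path UTM mapped in your VM.

```powershell
# Added example: apply the Windows Defender settings from the steps above with
# PowerShell, then read back what actually took effect. Run as Administrator
# inside the analysis VM.

# Tamper Protection cannot be changed from PowerShell. While it is enabled,
# Set-MpPreference accepts the real-time protection change but ignores it,
# so refuse to continue until it has been turned off in the UI.
$status = Get-MpComputerStatus
if ($status.IsTamperProtected) {
    throw 'Tamper Protection is still enabled. Disable it under Virus & threat protection > Manage settings first.'
}

# Real-time protection, cloud-delivered protection and sample submission.
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -MAPSReporting Disabled
Set-MpPreference -SubmitSamplesConsent NeverSend

# Exclusions: the whole system drive plus any folder shared in from the Mac host.
# 'Z:\' is a hypothetical shared-folder drive letter used for illustration.
$exclusions = @('C:\', 'Z:\')
foreach ($path in $exclusions) {
    if (Test-Path $path) {
        Add-MpPreference -ExclusionPath $path
    }
}

# Verify. Windows re-enables real-time protection on its own after a while,
# so run this check again before each analysis session.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled   # expect False
    IsTamperProtected         = $status.IsTamperProtected           # expect False
    MAPSReporting             = $pref.MAPSReporting                 # 0 = Disabled
    SubmitSamplesConsent      = $pref.SubmitSamplesConsent          # 2 = NeverSend
    ExclusionPath             = ($pref.ExclusionPath -join ', ')
} | Format-List
```

Get-MpPreference reports MAPSReporting and SubmitSamplesConsent as the numeric values of their enums, which is why the comments give both forms. If RealTimeProtectionEnabled still reads True after the script, Tamper Protection was on when Set-MpPreference ran; turn it off in the UI and run the script again.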
VM Preparation - Disable Windows Update
Like Windows Defender, Windows Update cannot currently be permanently disabled in Windows 11. Instead it can only be paused, for a week at a time. It is strongly recommended that you pause Windows Update before installing FLARE-VM, as updates (and the reboots they trigger) may interfere with the installation process.
- Open the Start menu and type “Settings”
- In the Settings menu click Windows Update
- Click Pause for 1 week
FLARE-VM Install
Currently (August 2022) the official FLARE-VM repository does not support Windows 11 ARM. Instead of installing from the main repository you will need to install from the OALABS fork: https://github.com/OALabs/flare-vm/tree/windows11.
Make sure you are on the “windows11” branch and download the repository to your VM (either as a zip from the website, or by cloning it via git). Once you have the repository in the VM you can either follow the “Windows 11 Installation (arm)” instructions in the README, or the steps below.
- Open PowerShell as an Administrator
- Navigate to the git repository
- Unblock the install file by running:
Unblock-File .\install.ps1
- Enable script execution by running:
Set-ExecutionPolicy Unrestricted
- Finally, run the installer script with the Windows 11 profile:
.\install.ps1 -profile_file profile_win11.json
- The FLARE-VM packages have not been tested extensively under Windows 11 ARM. Please provide feedback on GitHub if you run into any issues.
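The steps above as one script, with the pre-flight checks a practitioner would want before kicking off an install that takes an hour and reboots the VM several times. This is an added example, not a script from the OALABS fork or the FLARE-VM project. It assumes git is installed in the VM (otherwise download the zip as described above) and clones into a folder under the user profile; both the clone location and the Defender check are assumptions, not requirements of the installer.

```powershell
# Added example: pre-flight checks followed by the FLARE-VM (OALABS windows11
# branch) install steps from the tutorial. Run from an elevated PowerShell
# inside the Windows 11 ARM VM.

$repo   = 'https://github.com/OALabs/flare-vm.git'
$branch = 'windows11'
$dest   = Join-Path $env:USERPROFILE 'flare-vm'   # assumed clone location

# 1. The installer writes to Program Files and the registry, so it must be elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell as an Administrator and run this again.'
}

# 2. This fork's profile targets Windows 11 on ARM64. On an x64 guest the main
#    FLARE-VM repository is the right choice, so only warn here.
if ($env:PROCESSOR_ARCHITECTURE -ne 'ARM64') {
    Write-Warning "Expected ARM64, found $($env:PROCESSOR_ARCHITECTURE)."
}

# 3. Defender must already be off, or it will quarantine tools as they install
#    (assumed check; the installer itself does not require it).
if ((Get-MpComputerStatus).RealTimeProtectionEnabled) {
    throw 'Real-time protection is still on. Finish the Windows Defender steps first.'
}

# 4. Fetch the windows11 branch, or reuse an existing checkout, and confirm
#    the branch before running anything from it.
if (-not (Get-Command git -ErrorAction SilentlyContinue)) {
    throw 'git is not installed. Download the windows11 branch as a zip instead.'
}
if (-not (Test-Path $dest)) {
    git clone --branch $branch --single-branch $repo $dest
}
Set-Location $dest
$current = (git rev-parse --abbrev-ref HEAD).Trim()
if ($current -ne $branch) {
    throw "Checked-out branch is '$current', expected '$branch'."
}

# 5. Allow the downloaded script to run, then start the installer. The policy is
#    set machine-wide (not -Scope Process) because the installer resumes in new
#    PowerShell sessions after each reboot.
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted -Force
.\install.ps1 -profile_file profile_win11.json
```

If the branch check fails after a manual zip download, the folder name usually still contains the branch (flare-vm-windows11); in that case skip the git steps and run the last three commands from that folder.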
Install External Packages
Though both IDA Free and x64dbg are installed via FLARE-VM, we recommend installing the latest version of each directly from its vendor once the FLARE-VM install has completed. The direct downloads are often newer releases with more features.
- IDA Free https://hex-rays.com/ida-free/
- x64dbg https://sourceforge.net/projects/x64dbg/files/snapshots/
- The x64dbg release folder can simply be dragged over the FLARE-VM-installed x64dbg folder to update its contents.
❓Questions / Help
If you get stuck or have any questions, feel free to hop on our Discord and ask: https://discord.gg/oalabs