In this article, I'll show you my malware analysis environment and setup. I have to say that all software and configurations written in this article are totally my personal preference, this is my configuration and I like it, but please don't hesitate to share your ideas. So I'll start from very beginning: OS installation. For malware analysis, OS may vary, some malwares may only work on certain OS, so it's better to have several of them. Personally, I have XP SP3 with all updates that was available and Windows 7 x64. 

Also definitely, no one would like to do malware analysis on their main OS, so I personally use Debian as my main OS, inside Debian, I installed VirtualBox and I use it as main software for virtualization. I highly recommend it.

1) Install VirtualBox in your main operating system. Create an empty folder called shared and share new folder you've created for guest OS.

2) Install a new fresh Windows version of your choice and update it. I usually update because sometimes I also do Windows patch analysis on these machines, so I need to have up-to-date patches to be able to do proper bindiffing.

3) Install VirtualBox guest addition.

4) Install and configure required softwares, here is my list:

• Go to Explorer -> Folder options -> Uncheck hide extensions for known file types, uncheck Hide protected operating system files and choose Show hidden files, folder and drives.
• Install Chrome (no one would like to work with IE) and instantly download and install AdBlock plus.
• Download and install Winrar/7Zip or both which I prefer both.
• Install Visual Studio 2008/2010/2012/2013. I personally install VS2008 and sometimes VS2010 too (together). But latest version of VS should work.
• Install latest version of Python 2.7. It just works fine and IDA Pro likes it. Then download and save this file and run python get-pip.py. Add C:\Python27 and C:\Python27\scripts to your PATH. Open new command prompt and run "pip install yara", "pip install pycrypto", "pip install winappdbg", "pip install pefile" and finally download and install jsunpack manually.
• Install Notepad++. 
• Create a folder called Tools in C:\
• Download and extract RDG packer detector to C:\Tools\RDG. When you run it for first time, it tries to setup context menu which I choose yes. If you do so, you'll be able to right-click on binaries and let RDG scan it easily.

• Download and install CFF Explorer. Run CFF Explorer, go to Settings and click Enable shell extensions.
• Download and extract PeID to C:\Tools\PeID. Download userdb.txt and overwrite the one in PeID folder. Run PeID -> Options -> Hardcore Scan and check Register shell extensions.

​

• Download and install IDA of your choice (Pro or free). 
• Download and install dotPeek. 
• Download and install NASM (goto latest version folder and download zip inside win32) and MASM. Install NASM to C:\Nasm and install MASM to C:\Masm32, add both folder to PATH environment variable.
• Download and extract Ollydbg to C:\Tools\Olly. Use this as Ollydbg.ini which will have nice theme for you (provided by jacob@reddit.com in comments section of my blog, thanks jacob!). Then install plugins of your choice, here is list of Ollydbg plugins I use: Olly advanced, Olly breakpoint manager, OllyBonE, OllyDumpEx, OdbgScript, StrongOD, Ultra String Reference, CopyHexCode, Multiline Ultimate Assembler and ImportStudio. Then goto Options -> Just in time debugging and make Ollydbg just-in-time debugger. 
• Download and extract ImpRec to C:\Tools\ImpRec. 
• ​If you want to do binary diffing (malware versions diffing or windows patch analysis) like I do, you need to also install TurboDiff, Patchdiff, IDACompare and DarunGrim. 
• Install hex editor of your choice, but I suggest HxD as best free and Hex workshop as best paid.
• Install windows SDK (if you need development) which also installs WinDBG.

• Install windows WDK (driver development kit) if you need.

• Download and put these files in C:\Tools folder: UPX, GMER, Process Explorer, Handle, DebugView, Autoruns, RKU, Kernel Detective, Malzilla, ExeInfo, PEStudio, Dependency Walker, XORSearch, SWFTools, Java Decompiler, PiD.
• Download and install WireShark.
• Save and run this REG file:

REGEDIT4

[HKEY_CLASSES_ROOT\*\shell\cmdhere]
@="Cmd&Here"

[HKEY_CLASSES_ROOT\*\shell\cmdhere\command]
@="cmd.exe /c start cmd.exe /k pushd \"%L\\..\""

[HKEY_CLASSES_ROOT\Folder\shell\cmdhere]
@="Cmd&Here"

[HKEY_CLASSES_ROOT\Folder\shell\cmdhere\command]
@="cmd.exe /c start cmd.exe /k pushd \"%L\""

• Create desktop shortcuts for the tools you just installed. Results:

5) Shutdown virtual machine.

6) During malware analysis and possibly checking C&C servers of malwares, no one likes to share their real IP with malware authors. Specially nowadays with IP-to-location databases, only your IP will be enough to giveaway your approximate location. So here is what you need to do:

• Download Whonix-Gateway. (you should get .ova file)
• Go to VirtualBox manager -> File -> Import Appliance (or CTRL + I), choose .ova file, set CPU and memory settings and run it.
• After initial/first run, it will take you through some steps, follow them, set tor to start at startup, run "sudo apt-get update ; sudo apt-get upgrade" and use default password which is "changeme".
• Let Whonix run, minimize it and return to main VirtualBox manager.

• As Whonix is running and your main Virtual machine is powered off, go to VirtualBox manager and open your virtual machine's (reverse engineering machine) settings. Go to network -> Choose internal network -> Choose Whonix in name and Press OK to save.
• Now run your virtual machine again. Go to network settings and set followings:

IP address => 10.152.152.50 
Subnet =>     255.255.192.0 
Gateway =>    10.152.152.10 
DNS server => 10.152.152.10

• Allow it to configure itself and Voila!

Guess what? I'm thousands of miles away from Netherlands and I can't speak Dutch (shame on me).

From now on, all applications running inside virtualbox will use this IP. Also if you want to change your TOR IP and TOR identity, I have created a shell script in desktop which does it for you. Do "nano newip.sh" and paste following:

#!/bin/sh
tor-ctrl -a /var/run/tor/control.authcookie -P 9051 -c "signal newnym"

Save the file on your desktop and enable execute permission (chmod +x newip.sh), next time just double click on it and you'll have new identity.

7) Take snapshot with everything installed and configured, call it "Clean-Install". Now you can start analyzing all type of malware without worrying about your identity or damages malware may cause.

I think we've covered it all. Please let me know your suggestions in twitter/comment/email.