PMA 30: Windows 2016 Cloud Machine for Malware Analysis (15 pts)

What you need


This server uses a lot of Google resources, so it burns through your $300 free trial rapidly. I strongly recommend shutting this server down when not in use.

Task 1: Setting up a fresh Windows Server 2016 Cloud Machine

Sign in to your Google Cloud account at

In the left sidebar, click "Compute Engine" and then "VM instances".

Click "Create Instance"

Type in a name of "win16-yourname", replacing yourname with your name, or whatever you want.

Under "Machine type", select n1-standard-4 (4 vCPUs, 15 GB memory).

Click "Change" next to "Boot Disk".

Under "OS Images" scroll to and select:
 Windows Server 2016 Datacenter
 Server with Desktop Experience, x64 built on 20190709

Built on date may differ.

Change the Boot disk type to "SSD persistent disk" and the size to 60 GB.

Click "Create"

Under your new Windows instance, click "RDP" and click "Set Windows Password"

Leave the username at its default setting (probably your Google account name) and then click "SET".

Copy the password for the account and save it in a safe place. Click "Close".

Click "RDP" next to your Windows Instance and "Download the RDP File".
Make a note of where it is saved to (usually /Downloads).
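The same instance can be created, given a password, and shut down from the gcloud CLI instead of the console. This is an added example, not part of the original lab; the zone, the name win16-yourname and the user name are placeholders you replace, and it assumes the Cloud SDK is installed and you are signed in.

```powershell
# Added example (not from the original lab). Placeholders: replace the zone,
# instance name and user before running. Requires the Google Cloud SDK.
$zone = "us-central1-a"
$name = "win16-yourname"

# Same settings as the console steps: n1-standard-4, Windows Server 2016,
# 60 GB SSD persistent boot disk. The image family always resolves to the
# current Server 2016 image, so the "built on" date may differ.
gcloud compute instances create $name `
    --zone=$zone `
    --machine-type=n1-standard-4 `
    --image-family=windows-2016 `
    --image-project=windows-cloud `
    --boot-disk-type=pd-ssd `
    --boot-disk-size=60GB

# Equivalent of "Set Windows Password": generates a new password for the
# account and prints it once. Save it somewhere safe; it is not shown again.
gcloud compute reset-windows-password $name --zone=$zone --user="yourname"

# Confirm the machine is RUNNING and note its external IP for the RDP client.
gcloud compute instances describe $name --zone=$zone `
    --format="value(status,networkInterfaces[0].accessConfigs[0].natIP)"

# This machine burns through free-trial credit quickly: stop it when not in use.
gcloud compute instances stop $name --zone=$zone
```

A stopped instance keeps its disk and password, so `gcloud compute instances start` brings it back with the lab files intact.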

Getting a Remote Desktop Client

For Windows Users:
Use Remote Desktop

For Mac users:
Download and install the Microsoft Remote Desktop client.

Choose "Open APP Store" in the popup.

Click "GET" when the App Store loads.

Depending on your security settings, you may have to enter your Apple iCloud account password to install Microsoft RDP.

After getting RDP set up on your Windows or Mac computer, locate the RDP file you downloaded earlier and open it (double-clicking it should load RDP automatically).

If you get the error "We couldn't connect to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled." the machine could still be setting up.

Click "Continue" if you encounter "The certificate could not be verified to a root certificate".

Type in or paste the password that was generated earlier and click "Continue"

Again, click "Continue" if you encounter "The certificate could not be verified to a root certificate".

Your Windows RDP connection should load.

Task 2: Lowering Security Settings

If a "Set Device to discoverable" prompt pops up, you can ignore it by clicking outside of it.

Blocking Automatic Updates -

Updates are important for security, but for this class we want a vulnerable target machine, so we'll stop them.

On your Windows Server 2016 desktop, in Server Manager, on the top right, click Tools, "Windows PowerShell", as shown below.

In PowerShell, execute this command:

A menu appears, as shown below. Enter these values:

The command line opens, and after a minute or two an "Update Settings" box should pop up.
Click OK.

Disabling IE Enhanced Security Configuration

This setting blocks downloading software directly on the server, because doing that on a production server is a poor practice.

For this class we want to allow it, so do these steps:

In Server Manager, on the left side, click "Local Server". On the right side, find "IE Enhanced Security Configuration". Click the word On next to it, as shown below.

In the "Internet Explorer Enhanced Security Configuration" box, click both Off buttons, as shown below.

Click OK.


Right-Click on a Mac

To right-click in the Windows session from a Mac, you need to enable "Secondary click" in Trackpad preferences, as shown below.

Creating a "Malware" folder

Right-click on the Windows desktop and click New, Folder.

Name the folder Malware.

Adding a Windows Defender Exception

Click Start and type DEFENDER. Click "Windows Defender".

In Windows Defender, click Settings.

In Windows Defender, in the "Exclusions" section, click "Add an exclusion", as shown below.

In the "Add an exclusion" window, click "Exclude a folder".

Navigate to the Malware folder, as shown below.

Click "Exclude this folder". Close the Settings window.
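The same exclusion can be added and, more importantly, verified from PowerShell. This is an added example rather than part of the original lab; it assumes the Defender module that ships with Server 2016 and an Administrator PowerShell session, and it keeps the exclusion limited to the single Malware folder so real-time protection still covers the rest of the machine.

```powershell
# Added example (not from the original lab). Run in an Administrator PowerShell
# on the Server 2016 machine; uses the built-in Defender module cmdlets.
$malwareDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Malware'
if (-not (Test-Path $malwareDir)) {
    New-Item -ItemType Directory -Path $malwareDir | Out-Null
}

# Exclude only this one folder: never the whole desktop, profile or drive.
Add-MpPreference -ExclusionPath $malwareDir

# Verify the exclusion took effect and see every path exclusion on the box,
# so nothing broader than the lab folder is silently exempt from scanning.
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions -contains $malwareDir) {
    Write-Host "Exclusion active for: $malwareDir"
} else {
    Write-Warning "Exclusion not applied; confirm PowerShell is running as Administrator."
}
Write-Host "All current path exclusions:"
$exclusions | ForEach-Object { Write-Host "  $_" }

# Real-time protection should remain enabled for everything outside the folder.
Write-Host ("Real-time protection on: " + (Get-MpComputerStatus).RealTimeProtectionEnabled)

# When the lab is finished, remove the exclusion again:
# Remove-MpPreference -ExclusionPath $malwareDir
```

Keep the samples inside that one folder: a sample copied anywhere else is scanned and quarantined like any other file.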

Installing Firefox

In Internet Explorer, go to

Download and install Firefox.

Installing 7-Zip

In Firefox, go to

Download and install the 64-bit version of 7-Zip.

Downloading the Lab Files

In Firefox, go to

Click PracticalMalwareAnalysis-Labs.7z, as shown below.

On the next page, right-click Download and click "Save Link As...", as shown below.

Navigate to your Malware folder and save the file there.

Extracting the Lab Files

On your desktop, double-click the Malware folder.

Right-click the PracticalMalwareAnalysis-Labs.7z file and click 7-Zip, "Extract Here", as shown below.

A box pops up asking for a password. Enter


as shown below.

A new file appears, with a red icon, named PracticalMalwareAnalysis-Labs, as shown below.

Double-click the PracticalMalwareAnalysis-Labs file.

Click Accept. Click Extract.

A folder appears with the malware samples, as shown below.

PMA 30.1 Recording Your Success (15 pts)

In the "Malware" window, open these folders: Right-click Lab01-01.dll and click Properties.

The flag is the file size, covered by a green box in the image below.

Ported to Google Cloud by Travis Knapp-Prasek
Minor edits 8-2-19
Warning about burning through free trial money added 8-19-19
Modified to add PMA files 9-4-19