Building a Personal Malware Analysis Lab on a Ten Year Old HP Laptop

July 20, 2025

The goal was to turn this aging machine into an isolated playground for reverse engineering malware.

Breathing New Life into a 10-Year-Old Laptop: My Malware Lab Journey

I’ve always liked squeezing extra life out of old hardware. So when I decided I wanted a personal malware analysis playground, I didn’t run out and buy a new workstation—I pulled a dusty 2011 HP Pavilion dv6 off the shelf. It’s got an Intel i5 2410M (dual core, 2.3 GHz), 16 GB of DDR3 RAM, Intel HD 3000 graphics, and a 1 TB SATA SSD. On paper, not exactly cutting-edge. But my challenge was simple: could I turn this decade-old laptop into a proper malware analysis lab?

Spoiler: yes. But the road was a bumpy one.


Installing the Host

My first step was to install Linux. Easy, right? Wrong. I burned the ISO with Balena Etcher and—boom—frozen at GRUB every time. After a lot of head-scratching, I re-flashed the stick in DD mode, and suddenly it worked. I went with Linux Mint 21.3 XFCE since it’s lighter than Xubuntu, and this machine needed all the help it could get.

Of course, Wi-Fi wasn’t cooperative. The Intel Centrino N1000 card crawled. The driver (iwlwifi) was already in the kernel, but disabling 802.11n finally cut down the latency. Score one for persistence.


Wrestling with KVM

Next up: virtualization. I installed qemu-kvm, libvirt, and virt-manager. Naturally, my first attempt blew up—/dev/kvm didn’t exist. Turns out virtualization was disabled in the BIOS. After flipping on VT-x in firmware, it finally worked.

I added my user to the libvirt and kvm groups and felt like I was finally making progress.


Windows 10 Guest: Death by Drivers

Spinning up a Windows 10 VM sounded straightforward. I set up the VM in virt-manager with Virtio-SCSI for the disk and OVMF firmware. Then the installer mocked me: “Setup can’t see a disk.”

The fix? Loading the Virtio driver manually from iostor.inf. After that, things clicked into place. Once Windows booted, I immediately installed the virtio guest agent, qxl display driver, Sysinternals Suite, and Wireshark. Then I froze everything in time with a clean base snapshot—the golden reset button every malware lab needs.


Snapshot Hell

If you’ve ever messed with snapshots under OVMF, you know what’s coming. Internal snapshots? Nope—unsupported. External only. And deleting them through the GUI? Forget it. I had to manage everything through the CLI, juggling virsh snapshot-delete, rm overlay.qcow2, and virsh blockcommit.

Permissions also loved to break, with overlays showing up as root:root 600. I hacked together a quick script to fix ownership and permissions. Ugly, but it worked.


REMnux: When an OVA Won’t OVA

No malware lab is complete without a Linux analysis VM, so I tried importing the official remnux-v7-focal.ova. That blew up immediately: “No bootable device.”

I ended up unpacking the OVA, converting the VMDK to qcow2, and discovering it only wanted to boot with BIOS + SATA. UEFI dropped me into a shell. Even when it did boot, the display was black. No display manager. Installing XFCE, LightDM, and a fallback VESA driver finally gave me a desktop. Then I made another clean snapshot, because by that point I didn’t trust anything.


Networking Nightmares

Getting the VMs to talk to each other was… messy. I set up two NICs—NAT for internet and an isolated lab-int network for malware traffic. Immediately, duplicate MACs killed DHCP. I had to regenerate new ones.

Then lab-int tried to hijack my default route. The fix was adding ipv4.never-default yes in Netplan. Static IPs on the isolated network finished the job.
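
The two networking checks above can be scripted: confirm that lab-int really has no path off the host, and catch duplicate MACs before they break DHCP. This is an added example, not the script used for this lab. The XML is constructed sample data shaped like libvirt's network and domain definitions, and the VM names, bridge name, and addresses are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample XML, shaped like `virsh net-dumpxml` / `virsh dumpxml` output.
LAB_NET = """<network><name>lab-int</name><bridge name='virbr10'/>
<ip address='10.10.10.1' netmask='255.255.255.0'/></network>"""
NAT_NET = """<network><name>default</name><forward mode='nat'/>
<ip address='192.168.122.1' netmask='255.255.255.0'/></network>"""
WIN10 = """<domain type='kvm'><name>win10</name><devices>
<interface type='network'><mac address='52:54:00:AA:BB:01'/><source network='default'/></interface>
<interface type='network'><mac address='52:54:00:aa:bb:02'/><source network='lab-int'/></interface>
</devices></domain>"""
REMNUX = """<domain type='kvm'><name>remnux</name><devices>
<interface type='network'><mac address='52:54:00:aa:bb:02'/><source network='lab-int'/></interface>
</devices></domain>"""


def is_isolated(network_xml):
    """A libvirt network with no <forward> element has no route off the host."""
    return ET.fromstring(network_xml).find("forward") is None


def nics(domain_xml):
    """Yield (vm_name, network, mac) for each network-type interface of a domain."""
    dom = ET.fromstring(domain_xml)
    name = dom.findtext("name")
    for iface in dom.iterfind("./devices/interface[@type='network']"):
        mac = iface.find("mac").get("address").lower()  # normalise case before comparing
        yield name, iface.find("source").get("network"), mac


def duplicate_macs(domain_xmls):
    """Map each MAC used more than once to the (vm, network) pairs using it."""
    seen = defaultdict(list)
    for xml in domain_xmls:
        for vm, net, mac in nics(xml):
            seen[mac].append((vm, net))
    return {mac: users for mac, users in seen.items() if len(users) > 1}


def audit(network_xmls, domain_xmls):
    """Return which networks are isolated and which MACs collide across VMs."""
    isolated = {ET.fromstring(n).findtext("name"): is_isolated(n) for n in network_xmls}
    return {"isolated": isolated, "duplicate_macs": duplicate_macs(domain_xmls)}


if __name__ == "__main__":
    print(audit([LAB_NET, NAT_NET], [WIN10, REMNUX]))
```

On a real host, replace the sample strings with the output of `virsh net-dumpxml` for each network and `virsh dumpxml` for each VM, and rerun the audit after every clone or import.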


Lessons Learned

This little project reminded me just how stubborn old hardware (and software defaults) can be. Some big takeaways:

In the end, my ten-year-old i5 laptop is now running a fully functional malware analysis lab: Windows and Linux VMs, reversible snapshots, isolated networking. It’s not the fastest machine in the world, but it gets the job done.

And honestly? There’s something satisfying about bending old hardware to your will and proving it’s still got life left in it.