Malboxes

Builds malware analysis Windows virtual machines so that you don’t have to.

Requirements

Installation

Linux/Unix

  • Install git, vagrant and packer using your distribution’s packaging tool (packer is sometimes called packer-io)

  • pip install malboxes:

    sudo pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes

Windows

Using Chocolatey

The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.

  • Install dependencies:

    choco install python vagrant packer git virtualbox
  • Refresh the console

    refreshenv
  • Install malboxes:

    pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes

Manually

  • Install VirtualBox, Vagrant and git

  • Install Packer and put packer.exe in a directory that is on your PATH. The original suggestion is C:\Windows\System32\, which requires administrator rights; a user-writable directory that is already on your PATH works just as well and avoids touching the system directory.

  • Install Python 3 (make sure to add Python to your environment variables)

  • Open a console (Windows-Key + cmd)

    pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes

Usage

Box creation

This creates your base box and imports it into Vagrant. Afterwards you can re-use the same box for any number of per-sample analyses instead of rebuilding it each time.

Run:

malboxes build <profile>

You can also list all supported profiles with:

malboxes list

This builds a Vagrant box ready for malware investigation, which you can then reference from a Vagrantfile.

For example:

malboxes build win10_64_analyst

If you want to customize your configuration, look at the following location for a config.js file:

  • Linux/Unix: ~/.config/malboxes/

  • Mac OS X: ~/Library/Application Support/malboxes/

  • Win 7+: C:\Users\<username>\AppData\Local\malboxes\malboxes\

Per analysis instances

malboxes spin win10_64_analyst <name>

This will create a Vagrantfile prepared to use for malware analysis. Move it into a directory of your choice and issue:

vagrant up

By default the directory containing the Vagrantfile is shared into the VM on the Desktop. This can be changed by commenting out the relevant part of the Vagrantfile. Keep in mind that the share is bidirectional: anything the sample writes into that folder lands on the host, so treat the directory as contaminated once the VM has run.

For example:

malboxes spin win7_32_analyst 20160519.cryptolocker.xyz
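The two procedures above (build the base box once, then spin one Vagrantfile per sample) fit naturally into a small wrapper. The following script is an added example, not part of malboxes itself. It assumes malboxes and vagrant are on PATH, that `malboxes list` prints profile names one per line, and that the box produced by `malboxes build <profile>` is registered in Vagrant under the profile name; none of those details are stated on this page. The name derivation follows the `<date>.<sample>` convention of the example above.

```shell
#!/bin/sh
# Added example: one directory, one Vagrantfile and one clean snapshot per
# sample. Assumptions (not stated on the page): malboxes and vagrant are on
# PATH, `malboxes list` prints one profile per line, and the box built by
# `malboxes build <profile>` is registered in Vagrant under the profile name.
set -eu

# Keep only characters that are safe in a directory and Vagrant machine name.
sanitize_name() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._-'
}

# <date>.<sample file name>, e.g. 20160519.cryptolocker.xyz
instance_name() {
    printf '%s.%s' "$1" "$(sanitize_name "$(basename "$2")")"
}

# Usage: spin_analysis <profile> <path-to-sample>
spin_analysis() {
    profile=$1
    sample=$2
    name=$(instance_name "$(date +%Y%m%d)" "$sample")

    # Refuse unknown profiles early instead of failing inside packer/vagrant.
    if ! malboxes list | grep -q -- "$profile"; then
        echo "unknown profile: $profile" >&2
        return 1
    fi

    # Build the base box once; later analyses reuse it (box name assumption).
    vagrant box list | grep -q "^$profile " || malboxes build "$profile"

    mkdir "$name"
    cd "$name"
    malboxes spin "$profile" "$name"

    # Record what went into the VM before it runs. The working directory is
    # shared with the guest's Desktop, so the sample is copied there.
    cp "$sample" .
    sha256sum "$(basename "$sample")" > SHA256SUMS

    vagrant up
    # A clean snapshot to roll back to between detonations.
    vagrant snapshot save clean
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    spin_analysis "$1" "$2"
fi
```

Run it as `sh spin.sh win7_32_analyst /path/to/cryptolocker.xyz`. Hashing the sample before `vagrant up` gives you a record of the exact input even after the sample modifies or deletes itself inside the VM, and the `clean` snapshot lets you reset the guest without re-provisioning.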

More information

Videos

Introduction video

Presentations

malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis given by Olivier Bilodeau and Hugo Genesse

License

Code is licensed under the GPLv3+, see LICENSE for details. Documentation and presentation material is licensed under the Creative Commons Attribution-ShareAlike 4.0, see docs/LICENSE for details.

Credits

After I had the idea for an improved malware analyst workflow based on what I’ve been using for development on Linux servers (Vagrant) I quickly Googled if someone was already doing something in that regard.

I found the packer-malware repo on GitHub by Mark Andrew Dwyer. Malboxes was bootstrapped thanks to his work, which helped me especially around the areas of Autounattend.xml files.