Builds malware analysisWindows virtual machines so that you don’t have to.
Requirements
- Python 3.3+
- packer: https://www.packer.io/docs/install/index.html
- vagrant: https://www.vagrantup.com/downloads.html
- VirtualBox or an vSphere / ESXi server
Minimum specs for the build machine
- At least 5 GB of RAM
- VT-X extensions strongly recommended
Debian
apt install vagrant git python3-pip
Installation
Linux/Unix
- Install git, vagrant and packer using your distribution’s packaging tool (packer is sometimes called packer-io)
pip install
malboxes:sudo pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Windows
Using Chocolatey
The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.
Note | Starting with Windows 10 Hyper-V is always running below the operating system. Since VT-X needs to be operated exclusively by only one Hypervisor this causes VirtualBox (and malboxes) to fail. To disable Hyper-V and allow VirtualBox to run, issue the following command in an administrative command prompt then reboot: bcdedit /set hypervisorlaunchtype off |
Using Chocolatey
The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.
- Install dependencies:
choco install python vagrant packer git virtualbox
- Refresh the console
refreshenv
- Install malboxes:
pip3 install setuptools
pip3 install -U git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Manually
- Install VirtualBox, Vagrant and git
- Install Packer, drop the packer binary in a folder in your user’s PATH like
C:\Windows\System32\
- Install Python 3 (make sure to add Python to your environment variables)
- Open a console (Windows-Key + cmd)
pip3 install setuptools
pip3 install -U git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Usage
Box creation
Box creation
This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.
Run:
malboxes build <template>
You can also list all supported templates with:
malboxes list
This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.
For example:
malboxes build win10_64_analyst
Per analysis instances
malboxes spin win10_64_analyst <name>
This will create a
Vagrantfile
prepared to use for malware analysis. Move it into a directory of your choice and issue:vagrant up
By default the local directory will be shared in the VM on the Desktop. This can be changed by commenting the relevant part of the
Vagrantfile
.For example:
malboxes spin win7_32_analyst 20160519.cryptolocker.xyz
Configuration
Malboxes' configuration is located in a directory that follows usual operating system conventions:
- Linux/Unix:
~/.config/malboxes/
- Mac OS X:
~/Library/Application Support/malboxes/
- Win 7+:
C:\Users\<username>\AppData\Local\malboxes\malboxes\
The file is named
config.js
and is copied from an example file on first run. The example configuration is documented.ESXi / vSphere support
Malboxes uses virtualbox as a back-end by default but since version 0.3.0 support for ESXi / vSphere has been added. Notes about the steps required for ESXi / vSphere support are available. Since everyone’s setup is a little bit different do not hesitate to open an issue if you encounter a problem or improve our documentation via a pull request.
Profiles
Profiles
We are exploring with the concept of profiles which are stored separately than the configuration and can be used to create files, alter the registry or install additional packages. See profile-example.js for an example configuration. This new capacity is experimental and subject to change as we experiment with it.
More information
Video
Blog posts
Presentations
malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis given by Olivier Bilodeau and Hugo Genesse