Builds malware analysis Windows virtual machines so that you don’t have to.
-
Python 3.3+
-
packer: https://www.packer.io/docs/install/index.html
-
vagrant: https://www.vagrantup.com/downloads.html
-
VirtualBox or an vSphere / ESXi server
-
Install git, vagrant and packer using your distribution’s packaging tool (packer is sometimes called packer-io)
-
pip install
malboxes:sudo pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Note
|
Starting with Windows 10 Hyper-V is always running below the operating
system. Since VT-X needs to be operated exclusively by only one Hypervisor
this causes VirtualBox (and
malboxes) to fail. To disable Hyper-V and allow
VirtualBox to run, issue the following command in an administrative command
prompt then reboot: bcdedit /set hypervisorlaunchtype off
|
The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.
-
Install dependencies:
choco install python vagrant packer git virtualbox
-
Refresh the console
refreshenv
-
Install malboxes:
pip3 install setuptools pip3 install -U git+https://github.com/GoSecure/malboxes.git#egg=malboxes
-
Install VirtualBox, Vagrant and git
-
Install Packer, drop the packer binary in a folder in your user’s PATH like
C:\Windows\System32\
-
Install Python 3 (make sure to add Python to your environment variables)
-
Open a console (Windows-Key + cmd)
pip3 install setuptools pip3 install -U git+https://github.com/GoSecure/malboxes.git#egg=malboxes
This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.
Run:
malboxes build <template>
You can also list all supported templates with:
malboxes list
This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.
For example:
malboxes build win10_64_analyst
The configuration section contains further information about what can be configured with malboxes.
malboxes spin win10_64_analyst <name>
This will create a Vagrantfile
prepared to use for malware analysis. Move it
into a directory of your choice and issue:
vagrant up
By default the local directory will be shared in the VM on the Desktop. This
can be changed by commenting the relevant part of the Vagrantfile
.
For example:
malboxes spin win7_32_analyst 20160519.cryptolocker.xyz
Malboxes' configuration is located in a directory that follows usual operating system conventions:
-
Linux/Unix:
~/.config/malboxes/
-
Mac OS X:
~/Library/Application Support/malboxes/
-
Win 7+:
C:\Users\<username>\AppData\Local\malboxes\malboxes\
The file is named config.js
and is copied from an example file on first run.
The example configuration is documented.
Malboxes uses virtualbox as a back-end by default but since version 0.3.0 support for ESXi / vSphere has been added. Notes about the steps required for ESXi / vSphere support are available. Since everyone’s setup is a little bit different do not hesitate to open an issue if you encounter a problem or improve our documentation via a pull request.
We are exploring with the concept of profiles which are stored separately than the configuration and can be used to create files, alter the registry or install additional packages. See profile-example.js for an example configuration. This new capacity is experimental and subject to change as we experiment with it.
malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis given by Olivier Bilodeau and Hugo Genesse
Code is licensed under the GPLv3+, see LICENSE
for details. Documentation
and presentation material is licensed under the Creative Commons
Attribution-ShareAlike 4.0, see docs/LICENSE
for details.
After I had the idea for an improved malware analyst workflow based on what I’ve been using for development on Linux servers (Vagrant) I quickly Googled if someone was already doing something in that regard.
I found the packer-malware repo on
github by Mark Andrew Dwyer. Malboxes was boostrapped thanks to his work which
helped me especially around the areas of Autounattend.xml
files.