Malboxes
Vagrant box builder and config generator for malware analysis
Requirements
-
Python 3.3+
-
appdirs
-
jinja2
-
jsmin
-
packer: https://www.packer.io/intro/getting-started/setup.html
Installation
Linux/Unix
-
Install git, vagrant and packer using your distribution’s packaging tool (packer is sometimes called packer-io)
-
pip installmalboxes:sudo pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Windows
Manually
-
Install VirtualBox, Vagrant and git
-
Install Packer, drop the packer binary in a folder in your user’s PATH like
C:\Windows\System32\ -
Install Python 3 (make sure to add Python to your environment variables)
-
Open a console (Windows-Key + cmd)
pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Using Chocolatey
|
Note
|
Two issues are preventing chocolatey install to work right now: Python3 Scripts directory is not in the PATH and problems with zip files on 32-bit Windows. |
Assuming you have Chocolatey installed:
-
Install dependencies:
choco install python vagrant packer git virtualbox
-
Refresh the console
refreshenv
-
Install malboxes:
pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Usage
Box creation
This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.
Run:
malboxes build <profile>
You can also list all supported profiles with:
malboxes list
This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.
For example:
malboxes build win10_64_analyst
If you want to customize your configuration, look at the following location
for a config.js file:
-
Linux/Unix:
~/.config/malboxes/ -
Mac OS X:
~/Library/Application Support/malboxes/ -
Win 7+:
C:\Users\<username>\AppData\Local\malboxes\malboxes\
Per analysis instances
malboxes spin win10_64_analyst <name>
This will create a Vagrantfile prepared to use for malware analysis. Move it
into a directory of your choice and issue:
vagrant up
By default the local directory will be shared in the VM on the Desktop. This
can be changed by commenting the relevant part of the Vagrantfile.
For example:
malboxes spin win7_32_analyst 20160519.cryptolocker.xyz
Customization
You can modify (add, modify or delete) registry keys, directories and files like this:
Registry keys:
malboxes registry <profile> <modtype> <key name> <value> <valuetype>
Example:
malboxes registry win10_64_analyst add HKCU:\Software Malboxes IsAwesome String
Directories and files:
malboxes directory <profile> <modtype> <dirpath>
Example:
malboxes directory BadAPT57 delete C:\Windows\System32
You can add packages to install that are specific to the profile:
malboxes package <profile> <package>
Example:
malboxes package RansomwareThatINeedRevengeOn chrome
More information
Applying DevOps Principles for Better Malware Analysis
A presentation about malboxes at NorthSec by Olivier Bilodeau and Hugo Genesse
License
Code is licensed under the GPLv3+, see LICENSE for details. Documentation
and presentation material is licensed under the Creative Commons
Attribution-ShareAlike 4.0, see docs/LICENSE for details.
Credits
After I had the idea for an improved malware analyst workflow based on what I’ve been using for development on Linux servers (Vagrant) I quickly Googled if someone was already doing something in that regard.
I found the packer-malware repo on
github by Mark Andrew Dwyer. Malboxes was boostrapped thanks to his work which
helped me especially around the areas of Autounattend.xml files.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent