malboxes

Builds malware analysis Windows VMs so that you don't have to.

= Malboxes :toc: preamble :toclevels: 2 :twob: https://twitter.com/obilodeau :twhg: https://twitter.com/hugospns // github stuff ifdef::env-github[:status:]

// Travis Build Status ifdef::status[] .Project health image:https://img.shields.io/travis/GoSecure/malboxes/master.svg[Build Status (Travis CI), link=https://travis-ci.org/GoSecure/malboxes] endif::[]

Builds malware analysis Windows virtual machines so that you don't have to.

https://github.com/gosecure/malboxes

== Requirements

.Specs for the build machine

  • At least 5 GB of RAM
  • VT-X extensions strongly recommended

== Installation

=== Linux/Unix

=== Windows

==== Using Chocolatey

The following steps assume that you have https://chocolatey.org/[Chocolatey] installed. Otherwise, follow the <<Manually,manual installation procedure>>.

==== Manually

== Usage

=== Box creation

This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.

Run:

malboxes build <profile>

You can also list all supported profiles with:

malboxes list

This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.

For example:

malboxes build win10_64_analyst

If you want to customize your configuration, look at the following location for a config.js file:

  • Linux/Unix: ~/.config/malboxes/
  • Mac OS X: ~/Library/Application Support/malboxes/
  • Win 7+: C:\Users\<username>\AppData\Local\malboxes\malboxes\

=== Per analysis instances

malboxes spin win10_64_analyst <name>

This will create a Vagrantfile prepared to use for malware analysis. Move it into a directory of your choice and issue:

vagrant up

By default the local directory will be shared in the VM on the Desktop. This can be changed by commenting the relevant part of the Vagrantfile.

For example:

malboxes spin win7_32_analyst 20160519.cryptolocker.xyz

//// FIXME: not sure we are going to keep this interface so commented for now

=== Customization

You can modify (add, modify or delete) registry keys, directories and files like this:

Registry keys:

malboxes registry <profile> <modtype> <key name> <value> <valuetype>

Example:

malboxes registry win10_64_analyst add HKCU:\Software Malboxes IsAwesome String

Directories and files:

malboxes directory <profile> <modtype> <dirpath>

Example:

malboxes directory BadAPT57 delete C:\Windows\System32

You can add packages to install that are specific to the profile:

malboxes package <profile> <package>

Example:

malboxes package RansomwareThatINeedRevengeOn chrome

////

== More information

=== Videos

Introduction video

image::https://img.youtube.com/vi/oq6N3WLAoe8/0.jpg[link="https://www.youtube.com/watch?v=oq6N3WLAoe8"]

=== Blog posts

=== Presentations

malboxes was presented at https://www.nsec.io/2016/01/applying-devops-principles-for-better-malware-analysis/[NorthSec 2016] in a talk titled Applying DevOps Principles for Better Malware Analysis given by link:{twob}[Olivier Bilodeau] and link:{twhg}[Hugo Genesse]

== License

Code is licensed under the GPLv3+, see LICENSE for details. Documentation and presentation material is licensed under the Creative Commons Attribution-ShareAlike 4.0, see docs/LICENSE for details.

== Credits

After I had the idea for an improved malware analyst workflow based on what I've been using for development on Linux servers (Vagrant) I quickly Googled if someone was already doing something in that regard.

I found the https://github.com/m-dwyer/packer-malware[packer-malware] repo on github by Mark Andrew Dwyer. Malboxes was boostrapped thanks to his work which helped me especially around the areas of Autounattend.xml files.