
= Malboxes
:toc: preamble
:toclevels: 2
:twob:
:twhg:
// github stuff
ifdef::env-github[:status:]

// Travis Build Status
ifdef::status[]
.Project health
image:[Build Status (Travis CI), link=]
endif::[]

Builds malware analysis Windows virtual machines so that you don't have to.

== Requirements

.Specs for the build machine
* At least 5 GB of RAM
* VT-x extensions strongly recommended

== Installation

=== Linux/Unix

=== Windows

==== Using Chocolatey

The following steps assume that you have Chocolatey installed. Otherwise, follow the <<Manually,manual installation procedure>>.

==== Manually

== Usage

=== Box creation

This creates the base box that is imported into Vagrant. Afterwards you can reuse the same box for each sample you analyze.

----
malboxes build <profile>
----

You can also list all supported profiles with:

----
malboxes list
----

This builds a Vagrant box ready for malware investigation, which you can then include in a Vagrantfile.

For example:

----
malboxes build win10_64_analyst
----

If you want to customize your configuration, look for the config.js file in the following location:

* Linux/Unix: ~/.config/malboxes/
* Mac OS X: ~/Library/Application Support/malboxes/
* Win 7+: C:\Users\<username>\AppData\Local\malboxes\malboxes\

=== Per analysis instances

----
malboxes spin win10_64_analyst <name>
----

This creates a Vagrantfile prepared for malware analysis. Move it into a directory of your choice and issue:

----
vagrant up
----

By default the local directory is shared with the VM and appears on its Desktop. This can be changed by commenting out the relevant part of the Vagrantfile.

For example:

----
malboxes spin win7_32_analyst
----
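The build-once, spin-per-sample procedure above as a small POSIX sh wrapper; this is an added example, not a script shipped with malboxes. It assumes `malboxes` and `vagrant` are on PATH, that the profile was already built with `malboxes build`, that `malboxes list` prints one profile per line, and that `malboxes spin` writes its Vagrantfile into the current directory; the `sha256sum` naming and the `analysis-<hash>` directory layout are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the malboxes project): one VM per sample, named by hash.
# Assumes: malboxes and vagrant on PATH; profile already built; `malboxes spin` writes
# its Vagrantfile into the current directory (assumption, the README says to move it).
set -eu

# Derive a stable instance name from the sample: first 16 hex chars of its SHA-256.
# Naming the directory and the VM after the hash keeps different samples apart.
instance_name_for() {
    sha256sum "$1" | cut -c1-16
}

# True when `malboxes list` prints the profile on a line of its own (assumed format).
profile_known() {
    malboxes list | grep -qx "$1"
}

# Create a per-sample analysis directory, spin a Vagrantfile into it and boot the VM.
# That directory is the one shared onto the guest Desktop by default, so copying the
# sample into it is exactly what makes the sample reachable inside the VM.
spin_for_sample() {
    profile=$1
    sample=$2
    if ! profile_known "$profile"; then
        echo "unknown profile: $profile (see: malboxes list)" >&2
        return 1
    fi
    name=$(instance_name_for "$sample")
    dir="analysis-$name"
    mkdir -p "$dir"
    cp "$sample" "$dir/"
    (cd "$dir" && malboxes spin "$profile" "$name" && vagrant up)
}

# Usage: sh spin_sample.sh <profile> <sample>, e.g. win10_64_analyst ./dropper.bin
if [ "$#" -eq 2 ]; then
    spin_for_sample "$1" "$2"
fi
```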

// FIXME: not sure we are going to keep this interface so commented for now

=== Customization

You can add, modify or delete registry keys, directories and files like this:

Registry keys:

----
malboxes registry <profile> <modtype> <key name> <value> <valuetype>
----

----
malboxes registry win10_64_analyst add HKCU:\Software Malboxes IsAwesome String
----

Directories and files:

----
malboxes directory <profile> <modtype> <dirpath>
----

----
malboxes directory BadAPT57 delete C:\Windows\System32
----

You can add packages to install that are specific to the profile:

----
malboxes package <profile> <package>
----

----
malboxes package RansomwareThatINeedRevengeOn chrome
----


== More information

=== Videos

Introduction video


=== Blog posts

=== Presentations

malboxes was presented at NorthSec 2016 in a talk titled "Applying DevOps Principles for Better Malware Analysis", given by link:{twob}[Olivier Bilodeau] and link:{twhg}[Hugo Genesse].

== License

Code is licensed under the GPLv3+, see LICENSE for details. Documentation and presentation material are licensed under the Creative Commons Attribution-ShareAlike 4.0, see docs/LICENSE for details.

== Credits

After I had the idea for an improved malware analyst workflow based on what I've been using for development on Linux servers (Vagrant), I quickly Googled whether someone was already doing something in that regard.

I found the packer-malware repo on GitHub by Mark Andrew Dwyer. Malboxes was bootstrapped thanks to his work, which helped me especially in the area of Autounattend.xml files.