Builds malware analysis Windows virtual machines so that you don’t have to.
-
Python 3.3+
-
packer: https://www.packer.io/intro/getting-started/setup.html
-
VirtualBox: https://www.virtualbox.org/wiki/Downloads
-
Install git, vagrant and packer using your distribution’s packaging tool (packer is sometimes called packer-io)
-
pip installmalboxes:sudo pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.
-
Install dependencies:
choco install python vagrant packer git virtualbox
-
Refresh the console
refreshenv
-
Install malboxes:
pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
-
Install VirtualBox, Vagrant and git
-
Install Packer, drop the packer binary in a folder in your user’s PATH like
C:\Windows\System32\ -
Install Python 3 (make sure to add Python to your environment variables)
-
Open a console (Windows-Key + cmd)
pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.
Run:
malboxes build <profile>
You can also list all supported profiles with:
malboxes list
This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.
For example:
malboxes build win10_64_analyst
If you want to customize your configuration, look at the following location
for a config.js file:
-
Linux/Unix:
~/.config/malboxes/ -
Mac OS X:
~/Library/Application Support/malboxes/ -
Win 7+:
C:\Users\<username>\AppData\Local\malboxes\malboxes\
malboxes spin win10_64_analyst <name>
This will create a Vagrantfile prepared to use for malware analysis. Move it
into a directory of your choice and issue:
vagrant up
By default the local directory will be shared in the VM on the Desktop. This
can be changed by commenting the relevant part of the Vagrantfile.
For example:
malboxes spin win7_32_analyst 20160519.cryptolocker.xyz
malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis given by Olivier Bilodeau and Hugo Genesse
Code is licensed under the GPLv3+, see LICENSE for details. Documentation
and presentation material is licensed under the Creative Commons
Attribution-ShareAlike 4.0, see docs/LICENSE for details.
After I had the idea for an improved malware analyst workflow based on what I’ve been using for development on Linux servers (Vagrant) I quickly Googled if someone was already doing something in that regard.
I found the packer-malware repo on
github by Mark Andrew Dwyer. Malboxes was boostrapped thanks to his work which
helped me especially around the areas of Autounattend.xml files.