Malware Analysis using Malboxes
A while back I came across two projects that automate the creation of virtual machines for malware analysis. The original open source project, which uses Packer and Vagrant to bootstrap a malware lab, can be found here. In this blog post I will instead use malboxes from GoSecure, as it suits my needs better.
Malboxes creates a Windows VM template using Packer, with the analysis tools already installed. Every time a new malware sample is analyzed, a fresh VM is created from that template using Vagrant.
Setup
If you are doing this on macOS, all required packages can be installed with Brew and pip. Malboxes is written in Python 3, so make sure it is installed first.
For macOS
- packer: brew install packer
- vagrant: brew cask install vagrant
- VirtualBox: brew cask install virtualbox
If you want a nice UI to manage vagrant VMs, you can install vagrant-manager with brew cask install vagrant-manager
Other
For other operating systems, you can download precompiled binaries here:
Install Malboxes
Once you have the prerequisites installed, install malboxes with the following command.
sudo pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Configuration
The configuration file, config.js, is stored in:
- ~/Library/Application Support/malboxes/ on macOS
- ~/.config/malboxes/ on Linux
- C:\Users\<username>\AppData\Local\malboxes\malboxes\ on Windows
Below is a sample configuration that installs some more software than the default configuration does.
{
    /*
     * Malboxes Example Configuration File
     *
     * Uncomment a specific section of the file to trigger a particular feature.
     *
     * Paths should be written using forward slashes even on Windows.
     * For ex: C:/Tools
     */

    // This allows you to use a local filestore for ISOs.
    // For all versions of Windows except Windows 10 you will need this.
    // "iso_path": "/path/to/your/windows/isos/",

    // Trial or registered version?
    // If using a registered product update the product_key and set trial to 'false'.
    // See https://github.com/GoSecure/malboxes/blob/master/docs/windows-licenses.adoc for more information.
    "trial": "true",
    //"trial": "false",
    //"product_key": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",

    // VM settings
    "username": "malboxes",
    "password": "malboxes",
    "computername": "dirty",
    // disk size is in megabytes
    "disk_size": "16384",

    // Windows Defender: true means enabled, false means disabled. Default is false.
    //"windows_defender": "false",
    // Windows Updates: true means enabled, false means disabled. Default is false.
    //"windows_updates": "false",

    // Chocolatey packages to install on the VM
    // TODO re-add dependencywalker and regshot once upstream choco package provides a checksum
    "choco_packages": "sysinternals windbg x64dbg.portable 7zip putty fiddler4 processhacker apm wireshark ollydbg dependencywalker explorersuite",

    // Setting the IDA Path will copy the IDA remote debugging tools into the guest
    //"ida_path": "/path/to/your/ida",

    // Setting Tools Path will copy all the files under the given path into the guest.
    // Useful to copy proprietary or unpackaged tools.
    // Note: packer's file provisioning is really slow, avoid having more than
    // 100 megabytes in there.
    //"tools_path": "/path/to/your/tools",

    "_comment": "last line must finish without a comma for file to be valid json"
}
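A build that fails halfway through a Windows install because of a stray comma or a placeholder product key wastes a lot of time, so a pre-flight check of config.js is worth having. The script below is an added example, not part of malboxes: it strips the JavaScript-style comments the file allows, parses the remaining JSON, and flags the settings above that matter for an analysis box (the key names come from the sample configuration; the checks themselves are my own assumptions).

```python
import json
import re

# Added example (not malboxes' own code): checks a config.js before running
# `malboxes build`. Key names match the sample configuration; checks are mine.
PLACEHOLDER_KEY = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
# Matches, in order: a string literal, a /* */ block, or a // line comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.DOTALL)


def strip_js_comments(text: str) -> str:
    """Remove JS-style comments but keep '//' that sits inside a string value."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def validate_config(text: str) -> dict:
    """Return {'config': dict or None, 'errors': [...], 'warnings': [...]}."""
    errors, warnings = [], []
    try:
        cfg = json.loads(strip_js_comments(text))
    except json.JSONDecodeError as exc:
        # Typical cause: a comma after the last key, which the _comment warns about.
        return {"config": None, "errors": [f"invalid JSON: {exc.msg}"], "warnings": []}
    for key in ("username", "password", "computername", "disk_size"):
        if key not in cfg:
            errors.append(f"missing required key: {key}")
    if not str(cfg.get("disk_size", "")).isdigit():
        errors.append("disk_size must be an integer number of megabytes")
    if cfg.get("trial") == "false" and cfg.get("product_key", PLACEHOLDER_KEY) == PLACEHOLDER_KEY:
        errors.append("trial is false but product_key is missing or still the placeholder")
    for key in ("windows_defender", "windows_updates"):
        if cfg.get(key) == "true":
            warnings.append(f"{key} is enabled; it may quarantine or alter samples under analysis")
    packages = cfg.get("choco_packages", "").split()
    dupes = sorted({p for p in packages if packages.count(p) > 1})
    if dupes:
        warnings.append("duplicate choco packages: " + ", ".join(dupes))
    return {"config": cfg, "errors": errors, "warnings": warnings}


# Constructed sample: a trimmed copy of the configuration above.
SAMPLE_CONFIG = """{
  /* Malboxes example, see https://github.com/GoSecure/malboxes */
  // "iso_path": "/path/to/isos/",
  "trial": "true",
  "username": "malboxes",
  "password": "malboxes",
  "computername": "dirty",
  "disk_size": "16384",
  "choco_packages": "sysinternals windbg 7zip 7zip",
  "_comment": "last line must finish without a comma for file to be valid json"
}"""
```

Run validate_config on the contents of your real config.js and fix any errors before starting a build; warnings are judgement calls, but Defender or Windows Update running inside an analysis box is rarely what you want.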
Build a Box
To build a Vagrant box template based on 64-bit Windows 10, execute:
malboxes build win10_64_analyst
Note that this will take some time: it first downloads an evaluation ISO from MSDN and then installs a fresh copy of Windows 10. If you need to rebuild the box later, it will take less time if the ISO is still on disk.
Available templates:
- win10_32_analyst
- win10_64_analyst
- win7_32_analyst
- win7_64_analyst
Start an Analysis
Create a project folder; everything in it is shared with the VM. From the root of the project folder, execute:
malboxes spin win10_64_analyst <project_name>
vagrant up