
0x1


Builds malware analysis Windows virtual machines so that you don’t have to.



Requirements

  • Python 3.3+

  • packer (link hidden)

  • vagrant (link hidden)

  • (link hidden) or a vSphere / ESXi server

Minimum specs for the build machine

  • At least 5 GB of RAM

  • VT-X extensions strongly recommended

Usage

Box creation

This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.

Run:

malboxes build <template>

You can also list all supported templates with:

malboxes list

This will build a Vagrant box ready for malware investigation, which you can then include in a Vagrantfile.

For example:

malboxes build win10_64_analyst

Further information about what can be configured with malboxes is available in the linked page (link hidden).

Per analysis instances

malboxes spin win10_64_analyst <name>

This will create a Vagrantfile prepared to use for malware analysis. Move it into a directory of your choice and issue:

vagrant up

By default the local directory will be shared into the VM on the Desktop. This can be changed by commenting out the relevant part of the Vagrantfile.

For example:

malboxes spin win7_32_analyst 20160519.cryptolocker.xyz

Configuration

Malboxes' configuration is located in a directory that follows usual operating system conventions:

  • Linux/Unix: ~/.config/malboxes/

  • Mac OS X: ~/Library/Application Support/malboxes/

  • Win 7+: C:\Users\<username>\AppData\Local\malboxes\malboxes\

The file is named config.js and is copied from an example file on first run.

The configuration file is documented (link hidden).

ESXi / vSphere support

Malboxes uses virtualbox as a back-end by default, but since version 0.3.0 support for ESXi / vSphere has been added. Notes about the ESXi / vSphere setup are available (link hidden). Since everyone's setup is a little bit different, do not hesitate to open an issue if you encounter a problem, or to improve our documentation via a pull request.

Profiles

We are exploring the concept of profiles, which are stored separately from the configuration and can be used to create files, alter the registry or install additional packages. See the linked example configuration (link hidden). This new capability is experimental and subject to change as we experiment with it.

More information

Blog posts

  • Introductory blog post (link hidden)

Presentations

malboxes was presented at a conference (link hidden) in a talk titled "Applying DevOps Principles for Better Malware Analysis".

License

Code is licensed under the GPLv3+, see LICENSE for details. Documentation and presentation material is licensed under the Creative Commons Attribution-ShareAlike 4.0, see docs/LICENSE for details.

Download & Source: (link hidden)