Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
Malboxes
Builds malware analysis Windows virtual machines so that you don’t have to.
Requirements
-
Python 3.3+
-
VirtualBox: https://www.virtualbox.org/wiki/Downloads
Minimum specs for the build machine
-
At least 5 GB of RAM
-
VT-X extensions strongly recommended
Fedora
dnf install ruby-devel gcc-c++ zlib-devel vagrant plugin install winrm winrm-fs
Debian
apt install vagrant git python3-pip
Installation
Linux/Unix
-
Install git, vagrant and packer using your distribution’s packaging tool (packer is sometimes called packer-io)
-
pip installmalboxes:sudo pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Windows
|
Note
|
Starting with Windows 10 Hyper-V is always running below the operating
system. Since VT-X needs to be operated exclusively by only one Hypervisor
this causes VirtualBox (and
malboxes) to fail. To disable Hyper-V and allow
VirtualBox to run, issue the following command in an administrative command
prompt then reboot: bcdedit /set hypervisorlaunchtype off
|
Using Chocolatey
The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.
-
Install dependencies:
choco install python vagrant packer git virtualbox
-
Refresh the console
refreshenv
-
Install malboxes:
pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Manually
-
Install VirtualBox, Vagrant and git
-
Install Packer, drop the packer binary in a folder in your user’s PATH like
C:\Windows\System32\ -
Install Python 3 (make sure to add Python to your environment variables)
-
Open a console (Windows-Key + cmd)
pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Usage
Box creation
This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.
Run:
malboxes build <template>
You can also list all supported templates with:
malboxes list
This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.
For example:
malboxes build win10_64_analyst
The configuration section contains further information about what can be configured with malboxes.
Per analysis instances
malboxes spin win10_64_analyst <name>
This will create a Vagrantfile prepared to use for malware analysis. Move it
into a directory of your choice and issue:
vagrant up
By default the local directory will be shared in the VM on the Desktop. This
can be changed by commenting the relevant part of the Vagrantfile.
For example:
malboxes spin win7_32_analyst 20160519.cryptolocker.xyz
Configuration
Malboxes' configuration is located in a directory that follows usual operating system conventions:
-
Linux/Unix:
~/.config/malboxes/ -
Mac OS X:
~/Library/Application Support/malboxes/ -
Win 7+:
C:\Users\<username>\AppData\Local\malboxes\malboxes\
The file is named config.js and is copied from an example file on first run.
The example configuration is documented.
We are exploring with the concept of profiles which are stored separately than the configuration and can be used to create files, alter the registry or install additional packages. See profile-example.js for an example configuration. This new capacity is experimental and subject to change as we experiment with it.
More information
Videos
Introduction video
Blog posts
Presentations
malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis given by Olivier Bilodeau and Hugo Genesse
License
Code is licensed under the GPLv3+, see LICENSE for details. Documentation
and presentation material is licensed under the Creative Commons
Attribution-ShareAlike 4.0, see docs/LICENSE for details.
Credits
After I had the idea for an improved malware analyst workflow based on what I’ve been using for development on Linux servers (Vagrant) I quickly Googled if someone was already doing something in that regard.
I found the packer-malware repo on
github by Mark Andrew Dwyer. Malboxes was boostrapped thanks to his work which
helped me especially around the areas of Autounattend.xml files.
