Many cybersecurity experts will, from time to time, want to examine how malware works and how it affects a specific operating system. Malware researchers often use sandboxes to run malicious files, which allows them to safely analyze malware behavior.
This is often referred to as ‘detonating’ the malware. A sandbox is an analysis machine with a known, measured, and detailed baseline of a system or environment in which malware is detonated. When malware is detonated in a sandbox you can then compare the before and after environment to determine what havoc the malware caused.
GoSecure has released Malbox, a tool that helps to build safe and feature-rich Windows machines for malware analysis. Each time a malware researcher analyzes a new piece of malware, they normally have to set the test environment and operating system back to a default baseline. Virtual machines are used to provide those environments, and configuring them takes time. One way of managing this labor-intensive aspect is to take ‘snapshots’ that help capture parameters and ease the burden of resetting virtual images.
Malbox allows users to copy virtual machine (VM) instances, making it easier to rapidly reset the sandbox environment for continued analysis. In this article we’ll go through the setup to get you started. I will have follow-on articles that provide demonstrations of malware analysis.
Step 1 – Install Ubuntu
I used Ubuntu 18.04.1 LTS which can be downloaded here:
As usual I hope this link still works, and apologize if it does not.
I am installing this as a virtual machine. I am also going to run sandboxes (more virtual machines) inside my initial virtual machine. You will need to ensure you have virtualization extensions (VT-x) enabled on both your physical machine BIOS and as well as on your virtual machine configuration.
Most newer machines will have virtualized extensions enabled in their BIOS. You will also need to turn it on in your virtual machine. I am using VMware Fusion, and you can see the settings to turn on VT-x extensions:
You can also see that I dedicated 4 processor cores and 8Gb of RAM to my virtual machine. I did this because I will need to run another virtual machine inside my virtual machine.
Step 2: Update Ubuntu and Install Basic Software
First we will Update Ubuntu by using the built-in software updater. You can also update Ubuntu from the command line terminal by using the following command:
sudo apt-get update -y && apt-get upgrade –y
The update option is used to update the list of available packages and their versions, but it does not install or upgrade any packages.
The upgrade option actually installs newer versions of the packages you currently have. After updating the lists, the package manager knows about available updates for the software you have installed. This is why you first want to update.
Now install Git by using the following command:
sudo apt get install git -y
We are installing Git so we can clone GitHub repositories. Basically it will let us create a local copy of a project that is hosted on Git Hub. This specific step isn’t needed to install Ubuntu.
Then we install Curl using this command:
sudo apt get install curl -y
Curl is essentially a way to download Web elements (and other protocols as well) through the command line. We will use this to potentially download files or clone web pages. This step isn’t needed specifically for this installation, but it is good practice.
Step 3: Install Packer
First we will download Packer. Go to:
According to HashiCorp's website (https://www.packer.io/) "Packer is an open source tool for creating identical machine images for multiple platforms from a single source configuration.
Packer is lightweight, runs on every major operating system, and is highly performing, creating machine images for multiple platforms in parallel. Packer does not replace configuration management. In fact, when building images, Packer is able to use tools like Chef or Puppet to install software onto the image.
A machine image is a single static unit that contains a pre-configured operating system and installed software which is used to quickly create new running machines. Machine image formats change for each platform.
Some examples include AMIs for EC2, VMDK/VMX files for VMware, OVF exports for VirtualBox, etc."
Next we’ll select the Linux 64-bit version of Packer:
We’ll then unzip packer from the terminal by issuing the unzip packer command:
Next we move packer to the /usr/local/bin directory using this command:
sudo mv packer to usr/local/bin
Now we can check Packer’s version by issuing the command packer version:
You can see we have version 1.3.2 installed.
Step 4: Install Vagrant
According to HashiCorp (https://www.vagrantup.com/) "Vagrant is a tool for building and managing virtual machine environments in a single workflow. With an easy-to-use workflow and focus on automation, Vagrant lowers development environment setup time and increases production parity.
Vagrant provides easy to configure, reproducible, and portable work environments built on top of industry-standard technology and controlled by a single consistent workflow to help maximize the productivity and flexibility of you and your team."
First we will go to https://www.vagrantup.com/ and select download.
We will then select the Debian 64-bit version for download:
Now we can install vagrant by issuing the following command:
dpkg -I vagrant*
In the figure above, I used the wget command to download the file (or you can use a web browser just like I described in the text).
I used the dpkg command to install the software. You can also use the Ununtu Software GUI app to install Debian Package files as an alternate method.
Debian GNU/Linux is the main operating system of a number of Linux distributions including Knoppix, Kali, Ubuntu, Mint, etc. It uses various package managers like dpkg, apt, aptitude, synaptic, tasksel, deselect, dpkg-deb and dpkg-split.
Dpkg is the main package management program in Debian and Debian-based systems. It is used to install, build, remove, and manage packages. Aptitude is the primary front end to dpkg.
Step 5: Install VirtualBox
"VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise and home use. VirtualBox is a feature rich and high performance product for enterprise customers, and is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL) version 2.
Presently, VirtualBox runs on Windows, Linux, Macintosh, and Solaris hosts, and supports a large number of guest operating systems including but not limited to Windows (NT 4.0, 2000, XP, Server 2003, Vista, Windows 7, Windows 8, Windows 10), DOS/Windows 3.x, Linux (2.4, 2.6, 3.x and 4.x), Solaris and OpenSolaris, OS/2, and OpenBSD" (source: https://www.virtualbox.org/).
VirtualBox is being actively developed with frequent releases and has an ever-growing list of features, supported guest operating systems and platforms on which it can be run. VirtualBox is a community effort backed by Oracle to ensure the product always meets professional quality criteria.
Start out by going to the following site and select the Ubuntu version:
Now we can install the software by issuing the command:
Step 6: Install Python
We will install python using the following command:
sudo apt-get install python -y
At this point we have configured a basic system. You can use this configuration for many different projects. We also have more of a potential to mess things up going forward. Because of these reasons, I recommend backing up your image or taking a virtual snapshot.
Our next step includes installing python, python extensions, and the Malboxes software. This is completely established through the commands below. The preparation we did in the earlier steps will help us complete these last steps.
Now we will issue the following commands:
sudo apt-get install vagrant git python3-pip
sudo apt install python-pip -y
sudo pip3 install setuptools
pip3 install -U git+https://github.com/GoSecure/malboxes.git#egg=mailboxes
(note this is one command - just keep on typing it into the terminal. If it wraps around, that's ok).
Congrats! You have installed Malboxes:
Now we can play around some. Issue the command:
This allows us to see what templates we have available. You will use a template for each type of malware you test. We will get into using Malboxes for analysis in later blog articles. This article is primarily focused on building the system.
Now you can see the available Malboxes. From here we will need to build out the environment, so we will issue the command:
malboxes build win10_64_analyst
This will build a specific Malbox. You will then be able to create and run multiple instances of the Malbox template you built. The idea is that for each malware you investigate, you will run another instance of your build.
In some ways, think of a build as creating a base image for an operating system with all your settings, configurations and applications. Think of a run (sometimes referred to as a ‘spin’) as a snapshot or cloned VM you will throw away after each specific malware test.
You can see from my screenshot my build failed. When I tried manually downloading the file, it was no longer valid. If you don’t have this issue, awesome! You are working with a version that has fixed the issue. If you do have this problem, don’t worry. It just means you are missing the ISO file used to build the base VM, and one could not be located online. I will now show you how to build this manually.
Step 7: Manually building an ISO
We will need to find the exact files to download. Malboxes allows us to use trial versions of Windows software, or registered versions. I personally think trial versions would be more appropriate. On Maboxes GitHub site they have the different versions listed. You can find the exact versions for the trial versions of Windows and registered versions of Windows that will work with mailboxes at:
NOTE: I actually could not find the trial versions of Windows listed. Granted I did not look too hard. I was able to find all the ISOs for the registered versions of Windows on Archive.com. You will need product license keys for those versions.
We will need to download the versions of Windows. Store the ISOs in a folder you can access. I stored my ISOs in:
Please note that you will need the location of your downloaded ISOs so keep it handy!
Let’s change the Malbox config file using the following command:
We will rename config.js file to config.old so we have backup copy before we make any changes by issuing the command:
cp config.js config.old
We will now edit the config.js file with this command:
sudo gedit config.js
Next we will go to the trial section of the config file:
Comment out the trial config like. Uncomment the trial false line. Finally add the correct product key. I am assuming you did not find the trial ISO downloads. If you did you can skip this step entirely.
Next, near the top of the document find the ISO path configuration line.
Change the ISO path to your ISO path:
Step 8: Build Malboxes
Now we are ready to build our Malbox. I added a Windows 7 product key to my build environment, so I am going to build a Windows 7 Malbox.
Issue this command:
sudo mailboxes build win7_64_analyst
Please note that it will take a few minutes to build this out.
Step 9: Create a Malware Instance
You are now ready to spin up an instance. You will create an instance for each type of malware you want to potentially analyze. Make sure you delete them as you get finished with the, otherwise you will quickly run out of virtual system space. Issue the following command:
malboxes spin win10_64_analyst <name>
This will create a Vagrantfile prepared to use for malware analysis. Move it into a directory of your choice and issue the following command:
By default, the local directory will be shared in the VM on the Desktop. This can be changed by commenting the relevant part of the Vagrantfile. For example:
malboxes spin win7_32_analyst 20160519.cryptolocker.xyz
NOTE: These examples are from the malboxes readme file on GitHub
So there you have it.
You have built a sandbox environment that is based on Malbox. You have the ability to rapidly spin environments and test various types of malware, and you can quickly analyze the differences between subtle variants or morphs of specific malware strains.
In following blogs I will walk through specific tests of malware and point out interesting things to look for, or testing techniques to uncover some subtleties within malicious files.
As always – be safe out there!
I want to personally thank my good friend Keith Rayle who spent a good amount of time editing this blog, checking for grammar, and giving me advice. Check out Keith on LinkedIn: https://www.linkedin.com/in/keith-rayle-1aa8241/
Keith also did an excellent webinar on Artificial Intelligence and Machine Learning on this blog: https://www.drchaos.com/home/ai-and-machine-learning-for-the-masses
None of this would have been possible without GoSecure, and them bringing this project to life. The GitHub project page is located at: https://github.com/GoSecure/malboxes
GoSecure's corporate website is located at: https://gosecure.net/
I also want to give a shout out to Olivier Bilodeau.
I first learned about malboxes thru his blog article at https://gosecure.net/2017/02/16/introducing-malboxes-a-tool-to-build-malware-analysis-virtual-machines/.
Olivier has also been active on the GitHub project site. When I was searching for questions around Malboxes, it was not uncommon for me to find something already posted by Olivier answering my question. You can find him on Twitter at: https://twitter.com/obilodeau