Malware Sandbox Explorations #1

Open
rothoma2 opened this issue May 25, 2024 · 0 comments
Labels: good first issue, help wanted, top-level-task

@rothoma2
Contributor

Background

Besides static and dynamic malware analysis modules, sandboxes are commonly used to exploit malware and try to capture the malicious behavior of the malware. Well-known commercial sandboxes are Joe Sandbox and Threat Grid from Cisco, among others.

Most open-source malware sandboxes were derived from Cuckoo. Cuckoo reigned over the world for a long time. It's suspected that a lot of commercial cloud sandboxes from vendors are modifications of Cuckoo. Cuckoo historically was hard to install; some attempts were made to make it easy. Cuckoo seems to have fallen out of grace, and some newer forks are very promising.

Requirements

The requirement of this task is to evaluate the state of the art of malware sandboxes in the open-source world, look into their evolution, and advise which platform to use as the base for further work.

Evaluate all 3 and create a list of pros and cons, including the languages and tech stack used. Get an updated set of instructions to install the chosen engine, preferably an Ansible or Python routine.

Long Term Vision

The long-term vision is to expand the work on top of one of these engines and provide a series of interfaces via API for people to integrate with their email or web pipelines.

Additionally, develop a nice UI (similar to Joe Sandbox) to allow people and analysts to trigger malware in one of the sandboxes from Malware Alliance. In exchange we would be able to collect the malware samples people submit to us. A funding mechanism for the hosting needed to exploit the malware samples would be required, but in the beginning we could find some creative ways to get some simple hosting of agents.

@rothoma2 added the "good first issue" and "help wanted" labels on May 27, 2024