Are you looking to setup your own Malware Sandbox?

Published: 2015-12-05
Last Updated: 2015-12-05 15:18:00 UTC
by Guy Bruneau (Version: 1)
4 comment(s)

Most of you are familiar with the Cuckoo sandbox but there is another open source sandbox out there called IRMA (Incident Response Malware Analysis) with a different twist, it supports multiple antivirus engines. If your sandbox isn't separated by airgap, it can also query Virustotal by adding your own API key.

The recommended hardware requirements are listed here but you can also download a pre-package appliance here. A list of all available scanning engines is listed here. However, in order to get some of the additional engines installed (ClamAV is pre-installed) on the appliance, I needed to add the following packages:

apt-get install libqt4-xml
apt-get install libqtgui4
apt-get install libqt4-network
apt-get install libqt4-sql

Here is an example of a malware file scanned using multiple AV engines:

 

The final report looks like this:

I was able to add the AVG scanning engine not listed in the master probe list using the following:

apt-get install gdebi
wget http://download.avgfree.com/filedir/inst/avg2013flx-r3118-a6926.i386.deb
gdebi avg2013flx-r3118-a6926.i386.deb

[1] http://www.cuckoosandbox.org
[2] http://irma.quarkslab.com/index.html
[3] http://irma.quarkslab.com/install.html
[4] https://irma.readthedocs.org/en/latest/
[5] http://irma.quarkslab.com/download/1.2.1/irma-1.2.1.ova
[6] https://github.com/quarkslab/irma/blob/master/probes/analyzers.rst

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

4 comment(s)

Comments

Does this also do statistical analysis for you or only AV processing?
Can you expand by what you mean with statistical analysis? It does mainly AV analysis, you can also query past analysis. It is still in early stages but I'm sure you can make request for additional functionality to the developpers
Sorry. I meant to say behavioral analysis. You mentioned cuckoo on your article, which does this type of analysis. It actually runs the file and records its behavior, whereas it sounds like this other product just uses multiple AV engines to conduct scanning of the file against signatures.
It does basic behavioral analysis using the Static Analyzer. However, the report produced is still very basic but helpful.

Diary Archives