Are you looking to setup your own Malware Sandbox?

Participate: Learn more about our honeypot network
https://isc.sans.edu/tools/honeypot/

Handler on Duty: Johannes Ullrich

Threat Level: green

Are you looking to setup your own Malware Sandbox?
Most of you are familiar with the Cuckoo sandbox but there is another open source sandbox out there called IRMA (Incident Response Malware Analysis) with a different twist, it supports multiple antivirus engines. If your sandbox isn't separated by airgap, it can also query Virustotal by adding your own API key. The recommended hardware requirements are listed here but you can also download a pre-package appliance here. A list of all available scanning engines is listed here. However, in order to get some of the additional engines installed (ClamAV is pre-installed) on the appliance, I needed to add the following packages: apt-get install libqt4-xml apt-get install libqtgui4 apt-get install libqt4-network apt-get install libqt4-sql Here is an example of a malware file scanned using multiple AV engines: The final report looks like this: I was able to add the AVG scanning engine not listed in the master probe list using the following: apt-get install gdebi wget http://download.avgfree.com/filedir/inst/avg2013flx-r3118-a6926.i386.deb gdebi avg2013flx-r3118-a6926.i386.deb [1] http://www.cuckoosandbox.org [2] http://irma.quarkslab.com/index.html [3] http://irma.quarkslab.com/install.html [4] https://irma.readthedocs.org/en/latest/ [5] http://irma.quarkslab.com/download/1.2.1/irma-1.2.1.ova [6] https://github.com/quarkslab/irma/blob/master/probes/analyzers.rst ----------- Guy Bruneau IPSS Inc. Twitter: GuyBruneau gbruneau at isc dot sans dot edu	Guy 528 Posts ISC Handler Dec 5th 2015
Thread locked Subscribe	Dec 5th 2015 6 years ago
Does this also do statistical analysis for you or only AV processing?	Anonymous
Quote	Dec 5th 2015 6 years ago
Can you expand by what you mean with statistical analysis? It does mainly AV analysis, you can also query past analysis. It is still in early stages but I'm sure you can make request for additional functionality to the developpers	Guy 528 Posts ISC Handler
Quote	Dec 5th 2015 6 years ago
Sorry. I meant to say behavioral analysis. You mentioned cuckoo on your article, which does this type of analysis. It actually runs the file and records its behavior, whereas it sounds like this other product just uses multiple AV engines to conduct scanning of the file against signatures.	Anonymous
Quote	Dec 7th 2015 6 years ago
It does basic behavioral analysis using the Static Analyzer. However, the report produced is still very basic but helpful.	Guy 528 Posts ISC Handler
Quote	Dec 7th 2015 6 years ago