Build a Malware Analysis Sandbox
Understanding malware behavior is crucial for defense. This project creates an isolated sandbox environment for safely analyzing suspicious files and executables.
Project Overview
What you'll build:
- Isolated analysis network
- Linux analysis VM (REMnux)
- Windows analysis VM (FlareVM)
- Network traffic capture
- Snapshot management workflow
Time to complete: 4-6 hours
Safety Warning
Critical: Malware analysis involves real threats. Always work in isolated environments and never connect analysis VMs to production networks.
Architecture
```text
┌────────────────────────────────────────────────────────────┐
│                  Host System (Air-gapped)                  │
│                                                            │
│  ┌──────────────────────────────────────────────────────┐  │
│  │               Isolated Virtual Network               │  │
│  │                    (No Internet)                     │  │
│  │                                                      │  │
│  │   ┌──────────────┐          ┌──────────────┐         │  │
│  │   │    REMnux    │          │   FlareVM    │         │  │
│  │   │   (Linux)    │◄────────►│  (Windows)   │         │  │
│  │   │   Analysis   │          │   Analysis   │         │  │
│  │   └──────┬───────┘          └──────┬───────┘         │  │
│  │          │                         │                 │  │
│  │          └────────────┬────────────┘                 │  │
│  │                       │                              │  │
│  │                ┌──────▼──────┐                       │  │
│  │                │   INetSim   │                       │  │
│  │                │ (Fake Net)  │                       │  │
│  │                └─────────────┘                       │  │
│  └──────────────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────────────┘
```

Prerequisites
- Dedicated analysis machine (not your daily driver)
- VMware Workstation/Player or VirtualBox
- 32GB+ RAM (16GB minimum)
- 500GB+ SSD storage
- No network connection to production systems
Part 1: Network Isolation
Create Isolated Virtual Network
In VMware:
- Edit > Virtual Network Editor
- Add Network > Host-only
- Disable DHCP
- Note subnet (e.g., 192.168.100.0/24)
In VirtualBox:
- File > Host Network Manager
- Create new network
- Disable DHCP
- Configure subnet
Network Configuration

```text
Network: 192.168.100.0/24
Gateway: 192.168.100.1 (REMnux - INetSim)
REMnux:  192.168.100.1
FlareVM: 192.168.100.10
```

Part 2: REMnux Setup
REMnux is a Linux distribution for reverse engineering and malware analysis.
Download and Import

```text
# Download OVA from remnux.org
# Import into hypervisor
# Default credentials
Username: remnux
Password: malware
```

Post-Install Configuration
```bash
# Update system
sudo apt update && sudo apt upgrade -y
# Update REMnux tools
remnux upgrade
# Configure static IP (apply the file afterwards with: sudo netplan apply)
sudo nano /etc/netplan/01-netcfg.yaml
```

```yaml
network:
  version: 2
  ethernets:
    eth0:
      addresses: [192.168.100.1/24]
      # REMnux is itself the gateway of the isolated subnet. On netplan >= 0.103
      # gateway4 is deprecated in favour of routes: [{to: default, via: ...}]
      gateway4: 192.168.100.1
```

Configure INetSim
INetSim simulates internet services for malware:
```bash
# Edit configuration
sudo nano /etc/inetsim/inetsim.conf
```

```text
# Key settings:
service_bind_address    192.168.100.1
dns_default_ip          192.168.100.1
```

Start services:

```bash
sudo inetsim
```

Essential REMnux Tools
| Tool | Purpose |
|---|---|
| pdfid | PDF analysis |
| oledump | Office document analysis |
| peframe | PE file analysis |
| strings | Extract strings |
| file | File type identification |
| ssdeep | Fuzzy hashing |
| yara | Pattern matching |
| volatility3 | Memory forensics |
Part 3: FlareVM Setup
FlareVM transforms Windows into a malware analysis workstation.
Prepare Windows VM
- Install Windows 10/11 (evaluation version works)
- Configure static IP: 192.168.100.10
- Gateway/DNS: 192.168.100.1
- Disable Windows Defender
- Disable automatic updates
Install FlareVM
```powershell
# Run as Administrator
Set-ExecutionPolicy Unrestricted -Force
# Download and run installer
(New-Object net.webclient).DownloadFile(
    'https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',
    "$env:TEMP\install.ps1"
)
# Install (takes 1-2 hours)
Unblock-File "$env:TEMP\install.ps1"
& "$env:TEMP\install.ps1" -password malware -noWait -noGui
```

Essential FlareVM Tools
| Tool | Purpose |
|---|---|
| x64dbg | Debugger |
| Ghidra | Disassembler |
| IDA Free | Disassembler |
| PEStudio | PE analysis |
| Process Monitor | Runtime monitoring |
| Process Hacker | Process analysis |
| Wireshark | Network capture |
| Fakenet-NG | Network simulation |
Part 4: Snapshot Management
Create Clean Snapshots
Before any analysis:
1. Boot VM to clean state
2. Verify network isolation
3. Start monitoring tools
4. Create snapshot: "Clean-Analysis-Ready"

Analysis Workflow
1. Revert to clean snapshot
2. Transfer sample (isolated method)
3. Perform analysis
4. Document findings
5. Revert to clean snapshot
6. Never save infected state

Sample Transfer Methods
```bash
# Option 1: Shared folder (disabled network)
# Create shared folder, transfer, then disable
# Option 2: ISO image
# Create ISO containing sample
mkisofs -o sample.iso sample_directory/
# Option 3: Virtual floppy (small files)
```

Part 5: Analysis Workflow
Static Analysis
Examine without execution:
```bash
# On REMnux
# Identify file type
file suspicious.exe
# Extract strings
strings -a suspicious.exe > strings.txt
# Calculate hashes
md5sum suspicious.exe
sha256sum suspicious.exe
ssdeep suspicious.exe
# PE analysis
peframe suspicious.exe
# YARA scanning
yara -r /path/to/rules suspicious.exe
```

Dynamic Analysis
Observe runtime behavior:
```text
# On FlareVM
1. Start Process Monitor (filter to sample)
2. Start Wireshark/Fakenet
3. Take pre-execution snapshot
4. Execute sample
5. Monitor:
   - File system changes
   - Registry modifications
   - Network connections
   - Process creation
6. Capture memory if needed
7. Revert to clean snapshot
```

Document Findings
```markdown
## Sample Analysis Report
**File:** suspicious.exe
**SHA256:** abc123...
**Analysis Date:** 2026-01-15
**Analyst:** [Name]

### Static Analysis
- File type: PE32 executable
- Compiler: MSVC
- Notable strings: [list]
- Imports: [suspicious APIs]

### Dynamic Analysis
- Creates files: [paths]
- Registry changes: [keys]
- Network activity: [connections]
- Persistence mechanism: [details]

### Indicators of Compromise
- Hashes: [list]
- Domains: [list]
- IPs: [list]
- File paths: [list]

### Classification
[Malware family if identified]
```

Part 6: Automation
Automated Triage Script
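As an added example that is not part of the original page, the static steps from Part 5 (file type, hashes, strings) reimplemented in Python, so the same triage can run on any analyst host without the external tools: PE32/PE32+ detection from the header fields that `file` inspects, the md5/sha256 that the report template records, and ASCII/UTF-16LE string extraction equivalent to `strings -a` and `strings -el`. The input is a constructed header-only PE image built in `build_sample()`, not a real binary; `hashes`, `extract_strings`, `pe_type` and `triage` are names chosen here.

```python
import hashlib
import re
import struct

# Printable runs of 4+ chars: plain ASCII, and ASCII in 16-bit little-endian (what `strings -el` prints)
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
MACHINES = {0x14C: "x86", 0x8664: "x64"}

def hashes(data: bytes) -> dict:
    """md5 and sha256, the two hashes the report template records."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data: bytes) -> dict:
    """ASCII and UTF-16LE strings, like `strings -a` and `strings -el` in the shell triage."""
    return {"ascii": [m.group().decode("ascii") for m in ASCII_RE.finditer(data)],
            "unicode": [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]}

def pe_type(data: bytes):
    """'PE32 x86' / 'PE32+ x64' from the header fields `file` checks, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    # The 20-byte COFF header follows the signature; the optional header's Magic word is next
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    return None if fmt is None else f"{fmt} {MACHINES.get(machine, hex(machine))}"

def triage(data: bytes) -> dict:
    """The static triage steps (type, hashes, strings) as one record for the report."""
    return {"type": pe_type(data) or "not a PE file", **hashes(data), **extract_strings(data)}

def build_sample(pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for the demo; not a real program (assumption: no sections)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                   # e_lfanew: PE signature at 0x80
    stub = b"This program cannot be run in DOS mode."           # the usual DOS stub message
    hdr[0x40:0x40 + len(stub)] = stub
    machine, magic = (0x8664, 0x20B) if pe32plus else (0x14C, 0x10B)
    coff = struct.pack("<HHIIIHH", machine, 1, 0x5E0BE100, 0, 0, 224, 0x102)
    # A constructed UTF-16 string of the kind analysts look for (a Run key, i.e. persistence)
    run_key = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run".encode("utf-16le")
    return bytes(hdr) + b"PE\0\0" + coff + struct.pack("<H", magic) + b"\0\0" + run_key + b"\0\0"
```

Run `triage(open("suspicious.exe", "rb").read())` on a real sample inside the REMnux VM to get the same fields the report template asks for.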
```bash
#!/bin/bash
# triage.sh - Quick sample triage
set -uo pipefail

SAMPLE="${1:?usage: $0 <sample>}"
[ -f "$SAMPLE" ] || { echo "[!] No such file: $SAMPLE" >&2; exit 1; }
OUTDIR="analysis_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTDIR"
echo "[*] Analyzing: $SAMPLE"
# File identification
file "$SAMPLE" > "$OUTDIR/file_type.txt"
# Hashes
md5sum "$SAMPLE" > "$OUTDIR/hashes.txt"
sha256sum "$SAMPLE" >> "$OUTDIR/hashes.txt"
ssdeep "$SAMPLE" >> "$OUTDIR/hashes.txt"
# Strings: ASCII, then 16-bit little-endian (Windows UTF-16)
strings -a "$SAMPLE" > "$OUTDIR/strings.txt"
strings -a -el "$SAMPLE" > "$OUTDIR/strings_unicode.txt"
# PE analysis (if applicable); `file` prints "PE32" for 32-bit and "PE32+" for 64-bit images
if grep -q "PE32" "$OUTDIR/file_type.txt"; then
    peframe "$SAMPLE" > "$OUTDIR/peframe.txt"
fi
# YARA scan
yara -r /opt/yara-rules/ "$SAMPLE" > "$OUTDIR/yara_hits.txt"
echo "[*] Results saved to $OUTDIR"
```

Cuckoo Sandbox Integration
For automated dynamic analysis: Cuckoo provides automated sandbox analysis; consider deploying it for high-volume analysis (see the cuckoo.sh documentation).

Security Considerations
Physical Isolation
- Use dedicated hardware
- Air-gap from production network
- No USB devices that touch production
- Separate keyboard/mouse if paranoid
Virtual Isolation
- Host-only networking only
- Disable shared folders during analysis
- Disable clipboard sharing
- Use snapshots religiously
Data Handling
- Never execute samples on host
- Encrypt sample storage
- Document chain of custody
- Secure deletion after analysis
Troubleshooting
Common Issues
Malware detects VM:
- Use anti-detection techniques
- Rename VM tools processes
- Modify hardware identifiers
- Use nested virtualization
Network not working:
- Verify INetSim is running
- Check IP configuration
- Verify VM network adapter settings
Tools not working:
- Update tool databases
- Check dependencies
- Verify snapshots are clean
Checklist
- Dedicated analysis machine
- Isolated virtual network
- REMnux configured
- FlareVM configured
- INetSim running
- Clean snapshots created
- Sample transfer method established
- Documentation templates ready
Conclusion
A properly configured malware analysis sandbox is invaluable for understanding threats. Always prioritize isolation and follow safe analysis practices.
Next Steps
- Build YARA rule library
- Integrate with threat intelligence feeds
- Automate with Cuckoo Sandbox
- Practice with known samples (MalwareBazaar)
Last updated: January 2026