Builds malware analysis Windows VMs so that you don't have to.
Python PowerShell Shell JavaScript Ruby Makefile
Latest commit 9389f6c Feb 20, 2017 @obilodeau obilodeau Updated CHANGELOG



Project health

Build Status (Travis CI)

Builds malware analysis Windows virtual machines so that you don’t have to.



  • Install git, vagrant and packer using your distribution’s packaging tool (packer is sometimes called packer-io)

  • pip install malboxes:

    sudo pip3 install git+


Using Chocolatey

The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.

  • Install dependencies:

    choco install python vagrant packer git virtualbox
  • Refresh the console

  • Install malboxes:

    pip3 install git+


  • Install VirtualBox, Vagrant and git

  • Install Packer, drop the packer binary in a folder in your user’s PATH like C:\Windows\System32\

  • Install Python 3 (make sure to add Python to your environment variables)

  • Open a console (Windows-Key + cmd)

    pip3 install git+


Box creation

This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.


malboxes build <profile>

You can also list all supported profiles with:

malboxes list

This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.

For example:

malboxes build win10_64_analyst

If you want to customize your configuration, look at the following location for a config.js file:

  • Linux/Unix: ~/.config/malboxes/

  • Mac OS X: ~/Library/Application Support/malboxes/

  • Win 7+: C:\Users\<username>\AppData\Local\malboxes\malboxes\

Per analysis instances

malboxes spin win10_64_analyst <name>

This will create a Vagrantfile prepared to use for malware analysis. Move it into a directory of your choice and issue:

vagrant up

By default the local directory will be shared in the VM on the Desktop. This can be changed by commenting the relevant part of the Vagrantfile.

For example:

malboxes spin win7_32_analyst

More information


Introduction video



malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis given by Olivier Bilodeau and Hugo Genesse


Code is licensed under the GPLv3+, see LICENSE for details. Documentation and presentation material is licensed under the Creative Commons Attribution-ShareAlike 4.0, see docs/LICENSE for details.


After I had the idea for an improved malware analyst workflow based on what I’ve been using for development on Linux servers (Vagrant) I quickly Googled if someone was already doing something in that regard.

I found the packer-malware repo on github by Mark Andrew Dwyer. Malboxes was boostrapped thanks to his work which helped me especially around the areas of Autounattend.xml files.