ashutoshmore658/sandbox

Linux Malware Analysis Sandbox

Welcome to the Linux Malware Analysis Sandbox, a comprehensive environment for analyzing Linux malware. This sandbox leverages various tools and technologies to perform static, dynamic, and memory analysis of ELF binaries.

Tools Installation

Before you begin using the sandbox, make sure to install the following tools:

  1. SSDEEP Installation:

    $ sudo apt-get install ssdeep
    
  2. Yara Python:

    $ pip3 install yara-python
    
  3. Inetsim Installation:

    $ sudo apt-get install inetsim
    
  4. Sysdig Installation:

    $ sudo apt-get install sysdig
    
  5. Tcpdump Setup:

    Ensure that tcpdump is installed on your system and note its location. If tcpdump is not in the default location (/usr/bin/tcpdump), update the path accordingly; the commands below use /usr/sbin/tcpdump, so substitute your actual path there as well. To allow tcpdump to be run by your host machine user, make the following changes:

    • Create a new group named pcap:

      $ sudo groupadd pcap
      
    • Add the user to the pcap group:

      $ sudo usermod -a -G pcap [your_username]
      
    • Change the group ownership of tcpdump:

      $ sudo chgrp pcap /usr/sbin/tcpdump
      
    • Set the necessary capabilities for tcpdump:

      $ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
      

      You can verify the results with:

      $ getcap /usr/sbin/tcpdump
      

      Expected output:

      /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
      

Additional Notes

  • If you don’t have setcap installed, you can install it with:

    $ sudo apt-get install libcap2-bin
    
  • Alternatively, you can grant elevated privileges to tcpdump using:

    $ sudo chmod +s /usr/sbin/tcpdump
    

Note that even with the setcap method, every member of the pcap group can capture traffic on the host, which is a risk if the system has other untrusted users; the chmod +s alternative grants tcpdump more than the two capabilities above, so it is the broader of the two. It is recommended to run tcpdump in a dedicated or trusted environment to mitigate that risk.
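To confirm which of the two grants is actually in effect on the host, the following added example (not part of the sandbox repository) parses getcap output and the binary's mode bits. The tcpdump path and the sample getcap lines it handles are assumed; it accepts both the older "path = caps+eip" layout shown above and the newer "path caps=eip" layout printed by recent libcap.

```python
"""Check how the host's tcpdump binary has been granted capture privileges.

Added example; it is not part of the sandbox repository. It covers the two
routes the setup notes describe: file capabilities set with setcap, and the
setuid bit set with chmod +s. The binary path is an assumption.
"""
import os
import re
import shutil
import stat
import subprocess

# Capabilities the notes grant with setcap; both must be effective (e) and
# permitted (p) for tcpdump to open a raw socket without running as root.
REQUIRED_CAPS = ("cap_net_admin", "cap_net_raw")


def parse_getcap(line):
    """Parse one line of getcap output into {capability: set(flags)}.

    Handles both layouts libcap has printed:
      '/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip'   (older libcap)
      '/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip'     (newer libcap)
    """
    caps = {}
    line = line.strip()
    if not line:
        return caps
    _path, _, rest = line.partition(" ")
    rest = rest.lstrip("= ")  # drop the old-style ' = ' separator if present
    for clause in rest.split():
        m = re.fullmatch(r"([a-z0-9_,]+)([+=-])([eip]*)", clause)
        if not m:
            continue
        names, op, flags = m.groups()
        for name in names.split(","):
            caps[name] = set() if op == "-" else set(flags)
    return caps


def check_tcpdump_privileges(getcap_line, mode):
    """Classify the privilege grant from a getcap line and a stat() st_mode.

    Returns the method in effect ('capabilities', 'setuid' or 'none') and the
    required capabilities that are not both effective and permitted.
    """
    caps = parse_getcap(getcap_line)
    missing = sorted(c for c in REQUIRED_CAPS
                     if not {"e", "p"} <= caps.get(c, set()))
    setuid = bool(mode & stat.S_ISUID)
    if setuid:
        method = "setuid"        # broadest grant: runs with the file owner's uid
    elif not missing:
        method = "capabilities"  # the narrower grant the notes recommend
    else:
        method = "none"
    return {"method": method, "setuid": setuid, "missing": missing}


def inspect_host_tcpdump(path="/usr/sbin/tcpdump"):
    """Run getcap and stat against the real binary on this host (assumed path)."""
    getcap = shutil.which("getcap")
    line = ""
    if getcap:
        line = subprocess.run([getcap, path], capture_output=True,
                              text=True, check=False).stdout
    return check_tcpdump_privileges(line, os.stat(path).st_mode)


if __name__ == "__main__":
    result = inspect_host_tcpdump()
    print(f"tcpdump privilege method: {result['method']}")
    if result["missing"]:
        print("capabilities still missing:", ", ".join(result["missing"]))
    if result["setuid"]:
        print("warning: setuid bit set; prefer the setcap route from the notes")
```

Run it on the host after the setcap step; a result of "capabilities" with no missing entries matches the expected getcap output above, while "setuid" means the chmod +s alternative is in effect.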

  1. Inetsim Configuration:

    Edit the Inetsim configuration file /etc/inetsim/inetsim.conf and set the following parameters:

    service_bind_address 192.168.56.1
    dns_default_ip 192.168.56.1
    

    Restart the Inetsim service:

    $ sudo systemctl restart inetsim.service
    
  2. Volatility Setup:

    Clone the Volatility repository and follow the setup instructions from here.

  3. Clone Sandbox Repository:

    Clone the sandbox repository from here. Navigate to the cloned directory and install the required dependencies:

    $ cd sandbox
    $ pip3 install -r requirements.txt
    
  4. Create Virtual Interface:

    In VirtualBox, create a host network interface:

    VirtualBox dashboard -> File -> Host Network Manager -> Create
    
  5. Download Virtual Machine Image:

    Download the virtual machine image from the provided link and import it into VirtualBox.

  6. Create Snapshot:

    Create a snapshot of the virtual machine with the name vm_fresh_1.

  7. Copy Files:

    Download each folder from the provided drive link and copy them into your home directory.

  8. Modify configurations.py:

    Update the configurations.py file with the following changes:

    • Replace occurrences of ashutoshreddy with your username.
    • Provide a value for the virustotal_key field.
    • Set the Analysis_ip field to the IP address obtained by your VM.
    • Assign the interface name created earlier to the Host_iface_to_sniff field.
    • Set the path to tcpdump binary in the Host_tcpdumppath field.
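Before the first run it is worth checking these fields mechanically, since a leftover placeholder username or a tcpdump path that does not exist only surfaces part-way through an analysis. The following added example (not part of the sandbox project) does that. It assumes the fields named above are module-level variables in configurations.py, that the VM sits on the 192.168.56.0/24 host-only network used in the Inetsim step, and it lists interfaces through Linux sysfs; the dictionaries in its self-test are constructed.

```python
"""Sanity-check the values placed in configurations.py before a run.

Added example; not part of the sandbox project. Assumptions: the README's
fields (virustotal_key, Analysis_ip, Host_iface_to_sniff, Host_tcpdumppath)
are module-level variables of configurations.py, and the analysis VM lives on
the VirtualBox host-only network 192.168.56.0/24.
"""
import ipaddress
import os

PLACEHOLDER_USER = "ashutoshreddy"  # the username the README says to replace
REQUIRED_FIELDS = ("virustotal_key", "Analysis_ip",
                   "Host_iface_to_sniff", "Host_tcpdumppath")


def host_interfaces():
    """Interface names known to the kernel (Linux sysfs)."""
    try:
        return set(os.listdir("/sys/class/net"))
    except OSError:
        return set()


def is_executable_file(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def validate_config(cfg, known_ifaces=None, path_is_executable=None,
                    analysis_net="192.168.56.0/24"):
    """Return a list of problems found in cfg (an empty list means it looks fine).

    known_ifaces and path_is_executable can be injected so the check runs
    without touching the real host, e.g. in a test.
    """
    ifaces = host_interfaces() if known_ifaces is None else known_ifaces
    exe_ok = is_executable_file if path_is_executable is None else path_is_executable
    problems = []

    for field in REQUIRED_FIELDS:
        if field not in cfg:
            problems.append(f"{field}: field is missing")

    # First README step: no occurrence of the original author's username anywhere.
    for name, value in cfg.items():
        if isinstance(value, str) and PLACEHOLDER_USER in value:
            problems.append(f"{name}: still contains placeholder user {PLACEHOLDER_USER!r}")

    if "virustotal_key" in cfg and not cfg["virustotal_key"]:
        problems.append("virustotal_key: no value provided")

    if "Analysis_ip" in cfg:
        ip_text = str(cfg["Analysis_ip"])
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"Analysis_ip: {ip_text!r} is not a valid IP address")
        else:
            if ip not in ipaddress.ip_network(analysis_net):
                problems.append(f"Analysis_ip: {ip} is not on the analysis network {analysis_net}")

    iface = cfg.get("Host_iface_to_sniff")
    if iface and iface not in ifaces:
        problems.append(f"Host_iface_to_sniff: interface {iface!r} not found on host")

    tcpdump = cfg.get("Host_tcpdumppath", "")
    if tcpdump and not exe_ok(tcpdump):
        problems.append(f"Host_tcpdumppath: {tcpdump!r} is not an executable file")
    return problems


if __name__ == "__main__":
    # Assumed layout: run from the sandbox directory so its configurations.py imports.
    import configurations
    settings = {k: v for k, v in vars(configurations).items() if not k.startswith("_")}
    for problem in validate_config(settings) or ["configuration looks consistent"]:
        print(problem)
```

Run it from the sandbox directory; each line it prints names the field to fix, and no output other than "configuration looks consistent" means the five edits above have been applied.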

Running the Sandbox

To run the sandbox, navigate to the sandbox directory and execute the sandbox.py script with the desired options. Here's an example command:

$ python3 sandbox.py /home/ashutoshreddy/malwares/sample_1 -f -M -t 40

Replace /home/ashutoshreddy/malwares/sample_1 with the path to your malware sample. Adjust other options as needed.


For licensing information, please refer to the LICENSE file.
