BoomBox is designed for malware analysts and incident responders. It allows for the rapid deployment of a dynamic malware analysis environment using Cuckoo Sandbox and a Windows 10 detonation chamber. Cuckoo is configured to use the physical machinery so that both Cuckoo and the Windows sandbox can be virtual machines on a single host.
- Inetsim network simulation
- Cuckoo community modules
- Clean base snapshot of the Windows environment is taken as part of the build process
- Chocolatey package manager for Windows used to install Adobe Reader, Flash, Chrome, and Firefox.
- NOTE: Microsoft Office has not been included due to licensing. If you have a license key, you can install Office and take a new clean base snapshot.
- 20GB+ of free disk space
- 6GB+ of RAM
- Packer
- Vagrant
- VirtualBox
BoomBox includes a single build script for Linux, macOS, and Windows. This script will build and configure the Windows 10 and Cuckoo virtual machines from the ground up using Packer and Vagrant. The entire build process for BoomBox takes around 30-60 minutes.
./build.sh virtualbox
- Build BoomBox from scratch../build.sh virtualbox --vagrant-only
- Build BoomBox using pre-built Packer boxes hosted on Vagrant Cloud. This option is faster than building BoomBox from scratch../build.sh virtualbox --packer-only
- This will only build the .Box files and will not build the VMs using Vagrant.
./build.ps1 -ProviderName virtualbox
- Build BoomBox from scratch../build.ps1 -ProviderName virtualbox -VagrantOnly
- Build BoomBox using pre-built Packer boxes hosted on Vagrant Cloud. This option is faster than building BoomBox from scratch./.build.ps1 -ProviderName virtualbox -PackerOnly
- This will only build the .Box files and will not build the VMs using Vagrant.
- Build the Windows sandbox using Packer
$ cd BoomBox/Packer
$ packer build --only=virtualbox-iso sandbox.json
-
Move the resulting .box file into the Boxes directory
mv sandbox_virtualbox.box ../Boxes
-
cd ../Vagrant
and inside the Vagrantfile changecfg.vm.box = "boomboxes/sandbox"
tocfg.vm.box = ../Boxes/sandbox_virtualbox.box
-
Install the Vagrant-Reload plugin
vagrant plugin install vagrant-reload
-
Run the
./build.sh
for Linux/macOS or./build.ps1
for Windows from the project root directory -
Logs from the build process are located in the
Vagrant
directory asvagrant_up_<host>.log
Vagrant commands must be run from the "Vagrant" folder.
- Bring up all BoomBox hosts:
vagrant up
- Bring up a specific host:
vagrant up <hostname>
- Restart a specific host:
vagrant reload <hostname>
- Restart a specific host and re-run the provision process:
vagrant reload <hostname> --provision
- Destroy a specific host
vagrant destroy <hostname>
- Destroy the entire BoomBox environment:
vagrant destroy
(Adding-f
forces it without a prompt) - SSH into a host:
vagrant ssh cuckoo
- Check the status of each host:
vagrant status
- Suspend the environment:
vagrant suspend
- Resume the environment:
vagrant resume
- Cuckoo Web Server: http://192.168.30.100:8080 - vagrant:vagrant
- NIC1 attached to NAT
- NIC2 attached to Host-only Adapter
- Windows Sandbox: 192.168.30.101
- NIC1 attached to Host-only Adapter
There are revert.ps1
and revert.sh
scripts that are to be used to restore a clean version of the Windows sandbox. This script will need to be run after each submission to Cuckoo to ensure a consistent detonation environment. This is a temporarily solution until there is a good way to have this done automatically after each detonation.
- Sandbox anti-evasion techniques
- Improve revert scripts to not rely on sleep
- Revert sandbox to clean snapshot on reboot
- Support additional Vagrant providers
Check out CONTRIBUTING.md for details on submitting a pull request.
The majority of this project was directly borrowed from Chris Long's DetectionLab, which is an incredible resource for defenders looking to build a Windows lab.