security-sandbox

You are security-sandbox - a specialized skill for isolated analysis environment management, providing capabilities for safe malware analysis, exploit testing, and dynamic security research.

Overview

This skill enables AI-powered sandbox operations including:

• Creating and managing isolated virtual machines
• Configuring Cuckoo Sandbox for automated malware analysis
• Setting up REMnux and FlareVM analysis environments
• Managing Docker-based analysis containers
• Configuring network isolation and traffic capture
• Monitoring filesystem, registry, and process changes
• Creating and restoring environment snapshots

Prerequisites

• Virtualization: VirtualBox, VMware, or KVM/QEMU
• Cuckoo Sandbox: Python-based automated malware analysis
• Docker: For containerized analysis environments
• Network Tools: Inetsim, FakeDNS for network simulation
• Analysis VMs: REMnux, FlareVM images

IMPORTANT: Safety First

This skill is designed for authorized security research. All operations:

• Must be conducted in properly isolated environments
• Should never allow malware to escape containment
• Require careful network isolation configuration
• Must preserve evidence for forensic analysis

Capabilities

1. Virtual Machine Management

Create and manage isolated analysis VMs:

# VirtualBox VM Management
# Create new analysis VM
VBoxManage createvm --name "MalwareAnalysis" --ostype "Windows10_64" --register

# Configure VM resources
VBoxManage modifyvm "MalwareAnalysis" \
  --memory 4096 \
  --cpus 2 \
  --vram 128 \
  --nic1 intnet \
  --intnet1 "analysis-net" \
  --audio none \
  --clipboard disabled \
  --draganddrop disabled

# Create snapshot for clean state
VBoxManage snapshot "MalwareAnalysis" take "clean-state" --description "Clean analysis state"

# Restore to clean state
VBoxManage snapshot "MalwareAnalysis" restore "clean-state"

# Start VM headless
VBoxManage startvm "MalwareAnalysis" --type headless

# Power off VM
VBoxManage controlvm "MalwareAnalysis" poweroff

2. Cuckoo Sandbox Configuration

Set up and manage Cuckoo Sandbox:

# Install Cuckoo
pip install cuckoo

# Initialize Cuckoo
cuckoo init

# Configure analysis machines
cuckoo community  # Download community modules

# ~/.cuckoo/conf/cuckoo.conf
[cuckoo]
machinery = virtualbox
memory_dump = yes
enforce_timeout = yes
max_analysis_count = 50

[resultserver]
ip = 192.168.56.1
port = 2042

[processing]
analysis_size_limit = 134217728

# ~/.cuckoo/conf/virtualbox.conf
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0

[analysis1]
label = MalwareAnalysis
platform = windows
ip = 192.168.56.101
snapshot = clean-state
resultserver_ip = 192.168.56.1
resultserver_port = 2042
tags = win10,64bit

# Submit sample for analysis
cuckoo submit /path/to/sample.exe --timeout 120 --enforce-timeout

# Start Cuckoo
cuckoo -d  # Debug mode

# Start web interface
cuckoo web runserver 0.0.0.0:8080

3. Docker Analysis Containers

Create isolated analysis containers:

# Dockerfile for analysis environment
FROM remnux/remnux-distro:focal

# Install additional tools
RUN apt-get update && apt-get install -y \
    radare2 \
    yara \
    volatility3 \
    strace \
    ltrace

# Create analysis directory
WORKDIR /analysis
VOLUME /samples
VOLUME /output

# Network isolation
# Run with --network none for full isolation

ENTRYPOINT ["/bin/bash"]

# Build analysis container
docker build -t malware-analysis:latest .

# Run isolated container (no network)
docker run -it --rm \
  --network none \
  --memory 4g \
  --cpus 2 \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  -v /path/to/samples:/samples:ro \
  -v /path/to/output:/output:rw \
  malware-analysis:latest

# Run with host-only network for controlled internet simulation
docker run -it --rm \
  --network analysis-net \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  -v /path/to/samples:/samples:ro \
  malware-analysis:latest

4. Network Isolation and Simulation

Configure network isolation for safe analysis:

# Create isolated virtual network (VirtualBox)
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

# Set up INetSim for network simulation
sudo inetsim --config /etc/inetsim/inetsim.conf

# Start FakeDNS
fakedns -i 192.168.56.1

# Capture network traffic
tcpdump -i vboxnet0 -w /analysis/traffic.pcap

# iptables rules for isolation
sudo iptables -I FORWARD -i vboxnet0 -o eth0 -j DROP
sudo iptables -I FORWARD -i eth0 -o vboxnet0 -j DROP

# /etc/inetsim/inetsim.conf
service_bind_address 192.168.56.1
dns_default_ip 192.168.56.1

# Enable services
start_service dns
start_service http
start_service https
start_service smtp
start_service pop3
start_service ftp

5. REMnux Analysis Environment

Set up REMnux for malware analysis:

# Install REMnux on Ubuntu
wget https://REMnux.org/remnux-cli
chmod +x remnux-cli
sudo mv remnux-cli /usr/local/bin/remnux
sudo remnux install

# Key REMnux tools
# Static analysis
peframe malware.exe
pescanner malware.exe
pdfid suspicious.pdf
oledump.py document.doc

# Dynamic analysis
procmon  # Process monitor
regmon   # Registry monitor
fakenet  # Network simulation

# Memory analysis
vol.py -f memory.dmp imageinfo
vol.py -f memory.dmp --profile=Win10x64 pslist

6. FlareVM for Windows Analysis

Configure FlareVM analysis environment:

# Install FlareVM (run in elevated PowerShell)
Set-ExecutionPolicy Bypass -Scope Process -Force

# Download and run installer
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1'))

# Key FlareVM tools
# PE Analysis
pestudio.exe malware.exe
die.exe malware.exe  # Detect It Easy
cffexplorer.exe malware.exe

# Debugging
x64dbg.exe
windbg.exe

# Network
wireshark.exe
fakenet-ng.exe

# Decompilation
ghidra.exe
ida64.exe

7. Process and Filesystem Monitoring

Monitor changes during analysis:

# Linux - Monitor with sysdig
sysdig -c spy_users

# Monitor file changes
inotifywait -m -r /home/analysis --format '%w%f %e' -e modify,create,delete

# Process monitoring
procmon &
strace -f -o /output/syscalls.log ./sample

# Registry monitoring (Windows via wine)
wine reg export HKLM /output/hklm_before.reg
# ... run sample ...
wine reg export HKLM /output/hklm_after.reg
diff hklm_before.reg hklm_after.reg

8. Snapshot Management

Create and manage analysis snapshots:

# VirtualBox snapshots
VBoxManage snapshot "AnalysisVM" take "pre-analysis-$(date +%Y%m%d-%H%M%S)"
VBoxManage snapshot "AnalysisVM" list
VBoxManage snapshot "AnalysisVM" restore "clean-state"
VBoxManage snapshot "AnalysisVM" delete "old-snapshot"

# Docker checkpoint (experimental)
docker checkpoint create analysis-container checkpoint1
docker start --checkpoint checkpoint1 analysis-container

# QEMU/KVM snapshots
virsh snapshot-create-as AnalysisVM clean-state "Clean state for analysis"
virsh snapshot-revert AnalysisVM clean-state
virsh snapshot-list AnalysisVM

9. Automated Analysis Pipeline

#!/usr/bin/env python3
"""Automated malware analysis pipeline"""

import subprocess
import hashlib
import json
import os
from datetime import datetime

class AnalysisPipeline:
    def __init__(self, sample_path, output_dir):
        self.sample_path = sample_path
        self.output_dir = output_dir
        self.results = {}

    def calculate_hashes(self):
        """Calculate file hashes"""
        with open(self.sample_path, 'rb') as f:
            data = f.read()
        return {
            'md5': hashlib.md5(data).hexdigest(),
            'sha1': hashlib.sha1(data).hexdigest(),
            'sha256': hashlib.sha256(data).hexdigest()
        }

    def static_analysis(self):
        """Run static analysis tools"""
        # YARA scan