TL;DR
This guide walks through a basic automated (dynamic) malware analysis setup built from free tools: Cuckoo Sandbox driving an isolated VirtualBox guest. It focuses on detonating samples safely and getting a first report out, without requiring deep reverse-engineering experience.
Setting Up Automated Malware Analysis
- Choose a Virtualisation Platform: You need a way to run the malware without it touching anything real. VirtualBox is free and easy to use. Install it on the machine that will act as the analysis host, ideally a dedicated box rather than your everyday workstation, and keep that host patched.
- Download the installer for your host operating system from the VirtualBox website.
- Follow the installation instructions for your operating system (Windows, macOS, Linux).
- Create a Virtual Machine: This is the guest in which the malware will actually run.
- Open VirtualBox.
- Click “New”.
- Give your VM a name (e.g., “cuckoo1”); you will reference this exact name in Cuckoo’s configuration later.
- Choose a suitable operating system. Windows 10 or 11 is common, but older versions are useful for analysing older malware. You’ll need an ISO file of the OS (for example, the Windows 10 ISO from Microsoft).
- Allocate enough RAM (at least 2 GB) and disk space (at least 20 GB).
- Give the VM a host-only network adapter only (no bridged or NAT adapter), and disable shared folders, shared clipboard and drag-and-drop, so the sample has no path out of the guest except what you deliberately allow.
- Finish creating the VM.
- After installing the OS in the guest, set a static IP on the host-only network, copy Cuckoo’s agent.py (found under agent/ in the Cuckoo working directory once Cuckoo is installed) into the guest and run it, then take a snapshot of this clean state with the agent running. Cuckoo restores that snapshot before every analysis, which is what keeps one sample from contaminating the next.
- Install Cuckoo Sandbox: Cuckoo Sandbox is a popular automated analysis system.
- It is written in Python and needs several system dependencies; the official documentation has detailed installation instructions for various operating systems. Note that Cuckoo 2.x runs on Python 2.7 only, which current distributions no longer ship, and the project has not been maintained for some years; its Python 3 successors (CAPEv2 and Cuckoo3) follow the same overall workflow.
- On Linux (e.g., Ubuntu), the documented route is a Python 2.7 virtual environment plus pip:

```sh
sudo apt update
sudo apt install git python2.7 virtualenv tcpdump   # Cuckoo 2.x is Python 2.7 only
virtualenv -p python2.7 cuckoo-venv
. cuckoo-venv/bin/activate
pip install -U pip setuptools
pip install -U cuckoo          # or clone https://github.com/cuckoosandbox/cuckoo.git and install from source
cuckoo init                    # creates the working directory (~/.cuckoo) with conf/, agent/ and storage/
cuckoo community               # fetch the community signatures used in reports
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump   # let Cuckoo capture traffic without root
```
- Configure Cuckoo Sandbox: You need to tell Cuckoo which hypervisor to drive and which VM to use. The configuration files live in the conf/ directory of the Cuckoo working directory created by cuckoo init (by default ~/.cuckoo/conf/).
- In cuckoo.conf, set machinery = virtualbox, and in the [resultserver] section make sure ip is the host’s address on the host-only network (the guest sends its results back to it).
- In virtualbox.conf, list your VM under machines and give it its own section with label (the exact VirtualBox VM name), platform, ip (the guest’s static address) and snapshot (the clean snapshot to restore before each run).
- In reporting.conf, enable the report formats you want; the JSON dump is on by default, the single-file HTML report is not.
- Run a Sample: Keep samples in a dedicated directory on the host with restrictive permissions, and never open them there. Start the Cuckoo daemon in one terminal by running cuckoo; it waits for tasks, and for each one restores the VM snapshot, starts the VM, executes the sample through the agent and collects data.
- From a second terminal, submit the sample:

```sh
cuckoo submit /path/to/your/malware.exe
```

- Add --timeout 120 (seconds) to cap the run; the task then appears in the daemon’s output and is processed once the VM has been started and the sample executed.
- View Results: Once analysis is complete, Cuckoo writes the results under storage/analyses/<task id>/ in the working directory; the rendered reports are in the reports/ subdirectory (report.json, and report.html if enabled in reporting.conf). Alternatively, browse them in the web interface started with cuckoo web (which needs the MongoDB reporting module enabled).
- The HTML report opens in your web browser and contains information about:
- Files created/modified
- Registry changes
- Network activity (with the pcap captured by tcpdump)
- Dropped files
- The process tree, the API calls each process made, and any detection signatures that matched
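The VM creation, configuration and submission steps above, as one script. This is an added example, not code from the original guide or from the Cuckoo project: the VM name cuckoo1, the host-only adapter vboxnet0, the 192.168.56.x addresses, the ISO path and the snapshot name clean are all assumptions to override via environment variables, and DRY_RUN=1 (the default) only prints the VBoxManage commands so the plan can be reviewed before anything is registered. The config fragments use Cuckoo 2.x key names from conf/cuckoo.conf and conf/virtualbox.conf.

```sh
#!/bin/sh
# Added example (not from the original guide or the Cuckoo project): create an isolated
# VirtualBox guest for Cuckoo 2.x and print the matching machinery configuration.
# All names, addresses and paths are assumptions; override them via environment variables.
set -eu

VM="${VM:-cuckoo1}"                          # VirtualBox VM name, reused as the Cuckoo machine label
ISO="${ISO:-${HOME:-.}/isos/Win10.iso}"      # Windows installer ISO (assumed location)
DISK="${DISK:-${HOME:-.}/VirtualBox VMs/$VM/$VM.vdi}"
HOSTONLY="${HOSTONLY:-vboxnet0}"             # host-only adapter: the guest can reach only the host
GUEST_IP="${GUEST_IP:-192.168.56.101}"       # static address you set inside the guest
HOST_IP="${HOST_IP:-192.168.56.1}"           # host's address on vboxnet0, where the result server listens
SNAPSHOT="${SNAPSHOT:-clean}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the VBoxManage commands, 0 = execute them

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed before it runs.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register the guest with only a host-only NIC (no bridge to the LAN) and with clipboard
# sharing and drag-and-drop disabled, so a sample has no VirtualBox-provided path to your
# network or desktop. Shared folders are simply never added.
create_vm() {
    run VBoxManage createvm --name "$VM" --ostype Windows10_64 --register
    run VBoxManage modifyvm "$VM" --memory 2048 --cpus 2 \
        --nic1 hostonly --hostonlyadapter1 "$HOSTONLY" \
        --clipboard disabled --draganddrop disabled
    run VBoxManage createmedium disk --filename "$DISK" --size 20480
    run VBoxManage storagectl "$VM" --name SATA --add sata --controller IntelAhci
    run VBoxManage storageattach "$VM" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$DISK"
    run VBoxManage storageattach "$VM" --storagectl SATA --port 1 --device 0 \
        --type dvddrive --medium "$ISO"
}

# Once Windows, the static IP and Cuckoo's agent.py are installed and the agent is running,
# freeze that state. Cuckoo restores this snapshot before every task, which is what keeps
# one sample's changes from contaminating the next analysis.
take_snapshot() {
    run VBoxManage snapshot "$VM" take "$SNAPSHOT"
    run VBoxManage controlvm "$VM" poweroff
}

# Fragments for conf/virtualbox.conf and conf/cuckoo.conf in the Cuckoo working directory.
virtualbox_conf() {
    cat <<EOF
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = $HOSTONLY
machines = $VM

[$VM]
label = $VM
platform = windows
ip = $GUEST_IP
snapshot = $SNAPSHOT
resultserver_ip = $HOST_IP
EOF
}

cuckoo_conf() {
    cat <<EOF
[cuckoo]
machinery = virtualbox

[resultserver]
ip = $HOST_IP
port = 2042
EOF
}

# Sanity check before the first submission: the host-only interface must carry the address
# the guest will send results to, otherwise every task ends in a result-server timeout.
check_hostonly() {
    VBoxManage list hostonlyifs | grep -q "^IPAddress:[[:space:]]*$HOST_IP\$"
}

case "${1:-}" in
    create)   create_vm ;;
    snapshot) take_snapshot ;;
    conf)     virtualbox_conf; echo; cuckoo_conf ;;
    check)    check_hostonly && echo "ok: $HOSTONLY has $HOST_IP" ;;
esac
```

Run it as sh cuckoo-vm.sh create to see the plan, DRY_RUN=0 sh cuckoo-vm.sh create to register the VM, install Windows and the agent by hand, then DRY_RUN=0 sh cuckoo-vm.sh snapshot; sh cuckoo-vm.sh conf prints the two fragments to merge into the files under conf/. Only a host-only adapter is ever attached: if an analysis genuinely needs internet access, route it deliberately on the host rather than giving the guest a bridged NIC.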
Additional Tools
- VirusTotal: A free online service that scans files with multiple antivirus engines. Cuckoo can query it during processing (the [virustotal] section of processing.conf, with your own API key). Be aware that submitting a file shares the sample with VirusTotal and its partner vendors, so look up hashes rather than uploading anything sensitive or targeted.
- Hybrid Analysis: Another popular online malware analysis platform; the same sharing caveat applies to anything you upload there.
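The hash-first VirusTotal check described above, as an added example (not code from the original guide or from Cuckoo). It assumes a VT_API_KEY environment variable holding your own VirusTotal key, uses VirusTotal’s public v3 endpoints (GET /files/{sha256} for lookup, POST /files for upload), and only uploads when VT_UPLOAD=1 is set explicitly; the processing.conf fragment uses the [virustotal] keys of Cuckoo 2.x.

```sh
#!/bin/sh
# Added example (not from the original guide or Cuckoo): query VirusTotal by hash before
# deciding whether to upload a sample. A hash lookup discloses only the hash; an upload
# shares the file with VirusTotal and its partner vendors, so uploading is opt-in here.
# VT_API_KEY must hold your own key; the v3 endpoints below are VirusTotal's public API.
set -eu

VT_API="https://www.virustotal.com/api/v3"

# Portable SHA-256 of a file: sha256sum on Linux, shasum on macOS/BSD.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# The lookup URL; a GET on it transmits the hash, never the file.
vt_lookup_url() {
    printf '%s/files/%s\n' "$VT_API" "$(file_sha256 "$1")"
}

# Look the sample up. HTTP 200 = VT already has it, 404 = never seen. Only with
# VT_UPLOAD=1 is an unknown file pushed to the /files upload endpoint.
vt_check() {
    sample=$1
    key=${VT_API_KEY:?set VT_API_KEY to your VirusTotal API key}
    url=$(vt_lookup_url "$sample")
    body=$(mktemp)
    status=$(curl -s -o "$body" -w '%{http_code}' -H "x-apikey: $key" "$url")
    case "$status" in
        200) echo "known to VirusTotal: $url"; cat "$body" ;;
        404) if [ "${VT_UPLOAD:-0}" = "1" ]; then
                 curl -s -H "x-apikey: $key" -F "file=@$sample" "$VT_API/files"
             else
                 echo "unknown to VirusTotal; not uploading (set VT_UPLOAD=1 to share it)"
             fi ;;
        *)   echo "VirusTotal returned HTTP $status" >&2; rm -f "$body"; return 1 ;;
    esac
    rm -f "$body"
}

# Fragment for Cuckoo 2.x processing.conf: scan = 0 keeps Cuckoo's own VirusTotal module to
# hash lookups; scan = 1 would make it upload every sample VirusTotal has not seen.
vt_processing_conf() {
    cat <<EOF
[virustotal]
enabled = yes
timeout = 60
scan = 0
key = ${VT_API_KEY:?set VT_API_KEY to your VirusTotal API key}
EOF
}

case "${1:-}" in
    check) vt_check "$2" ;;
    conf)  vt_processing_conf ;;
esac
```

Use VT_API_KEY=... sh vt-check.sh check /path/to/sample before running a sample whose origin is sensitive: a 404 tells you nobody has shared it yet, which is often the most useful fact about a targeted sample and a good reason not to be the first to upload it.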