Sandbox Setup
Overview
A malware analysis sandbox is an isolated environment where malware can be safely executed and observed. Proper sandbox setup prevents accidental infection of the host system or network while providing the monitoring tools needed to capture malware behavior — file system changes, registry modifications, network traffic, and process activity.
VM-Based Sandbox Architecture
┌─────────────────────────────────────────────────────────┐
│ Host Machine (analysis workstation)                     │
│                                                         │
│  ┌──────────────────┐        ┌────────────────────────┐ │
│  │ Analysis VM      │        │ Victim VM              │ │
│  │ (REMnux/Kali)    │        │ (Windows 10/11)        │ │
│  │                  │        │                        │ │
│  │ - Wireshark      │        │ - Process Monitor      │ │
│  │ - INetSim        │        │ - Regshot              │ │
│  │ - FakeDNS        │        │ - Autoruns             │ │
│  │ - Burp Suite     │        │ - Debugger             │ │
│  │                  │        │                        │ │
│  └────────┬─────────┘        └───────────┬────────────┘ │
│           │      Host-only network       │              │
│           └──────────────────────────────┘              │
└─────────────────────────────────────────────────────────┘
VirtualBox Setup
# VirtualBox
# https://www.virtualbox.org/
# Create a host-only network for isolated communication
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
# Create a Windows analysis VM
VBoxManage createvm --name "MalwareAnalysis-Win10" --ostype Windows10_64 --register
VBoxManage modifyvm "MalwareAnalysis-Win10" --memory 4096 --cpus 2
VBoxManage modifyvm "MalwareAnalysis-Win10" --nic1 hostonly --hostonlyadapter1 vboxnet0
# Disable clipboard sharing and drag-and-drop, and add no shared folders (keeps data from crossing the guest/host boundary)
VBoxManage modifyvm "MalwareAnalysis-Win10" --clipboard-mode disabled
VBoxManage modifyvm "MalwareAnalysis-Win10" --draganddrop disabled
# Take a clean snapshot after setup
VBoxManage snapshot "MalwareAnalysis-Win10" take "clean-baseline"
# Restore to clean snapshot after analysis
VBoxManage snapshot "MalwareAnalysis-Win10" restore "clean-baseline"
# List snapshots
VBoxManage snapshot "MalwareAnalysis-Win10" list
VM Hardening (Anti-VM Evasion)
Malware often detects VMs and refuses to execute. Countermeasures:
# VirtualBox
# https://www.virtualbox.org/
# Change VM BIOS identifiers
VBoxManage setextradata "MalwareAnalysis-Win10" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "American Megatrends Inc."
VBoxManage setextradata "MalwareAnalysis-Win10" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "System Product Name"
VBoxManage setextradata "MalwareAnalysis-Win10" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "ASUS"
# Change disk serial
VBoxManage setextradata "MalwareAnalysis-Win10" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "WD-WMC300987654"
# Increase hardware resources (VMs with minimal resources look suspicious)
VBoxManage modifyvm "MalwareAnalysis-Win10" --memory 8192 --cpus 4
Additional anti-VM countermeasures inside the guest:
- Rename VirtualBox Guest Additions files/services
- Populate the desktop with user documents and browser history
- Install common software (Office, Chrome, PDF reader)
- Set realistic hostname and username
- Ensure the system clock shows a realistic date/time
Network Configuration
Isolated Network
The victim VM should not have direct internet access. Point its DNS server and default gateway at the analysis VM so that every lookup and connection passes through the monitoring tools there.
Victim VM (192.168.56.10)
│
▼
Analysis VM (192.168.56.1) ← DNS + HTTP/HTTPS interception
│
╳ (no route to internet)
INetSim — Simulated Internet Services
INetSim simulates common internet services (HTTP, HTTPS, DNS, SMTP, FTP) so malware believes it has internet connectivity.
# INetSim
# https://www.inetsim.org/
# Start all simulated services
sudo inetsim
# Start with custom config
sudo inetsim --conf=/etc/inetsim/inetsim.conf
# Key configuration options in /etc/inetsim/inetsim.conf:
# service_bind_address — bind to the host-only interface IP
# dns_default_ip — IP to return for all DNS queries
# start_service dns — enable DNS simulation
# start_service http — enable HTTP simulation
# start_service https — enable HTTPS simulation
FakeDNS with Python
A minimal DNS responder that answers all queries with a controlled IP:
```python
# Python 3 (standard library)
# https://www.python.org/
import socket

LISTEN_IP = "192.168.56.1"    # host-only address the victim VM uses as its resolver
RESPONSE_IP = "192.168.56.1"  # every A lookup resolves here (the interception host)
DNS_PORT = 53                 # binding port 53 needs root / CAP_NET_BIND_SERVICE


def parse_qname(data, offset=12):
    """Decode the dotted query name at `offset`; return (name, offset just past it)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode(errors="replace"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_response(data):
    """Answer the first question in `data` with one A record for RESPONSE_IP.

    Non-A queries (e.g. AAAA) get an empty NOERROR reply, which steers clients to IPv4.
    """
    name, end = parse_qname(data)
    qtype = int.from_bytes(data[end:end + 2], "big")
    response = data[:2]                          # Transaction ID
    response += b'\x81\x80'                      # Flags: standard response, RD+RA, no error
    response += b'\x00\x01'                      # QDCOUNT: the one question echoed below
    response += b'\x00\x01' if qtype == 1 else b'\x00\x00'  # ANCOUNT: one answer for type A only
    response += b'\x00\x00\x00\x00'              # NSCOUNT + ARCOUNT = 0
    response += data[12:end + 4]                 # Original question (name + type + class)
    if qtype == 1:
        response += b'\xc0\x0c'                  # Compression pointer to the name at offset 12
        response += b'\x00\x01\x00\x01'          # Type A, Class IN
        response += b'\x00\x00\x00\x3c'          # TTL = 60 seconds
        response += b'\x00\x04'                  # RDLENGTH = 4
        response += socket.inet_aton(RESPONSE_IP)
    return name, response


sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((LISTEN_IP, DNS_PORT))
print(f"FakeDNS listening on {LISTEN_IP}:{DNS_PORT}")
while True:
    data, addr = sock.recvfrom(1024)
    try:
        domain, response = build_response(data)
    except IndexError:
        continue                                 # truncated or malformed packet: drop it
    sock.sendto(response, addr)
    print(f"Resolved {domain} -> {RESPONSE_IP} for {addr}")
```
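A check that the sinkhole resolver is actually the one answering the victim VM, written here as an added example rather than code from the page: it builds a raw A query, sends it to the listener and parses the reply, so a timeout or an answer from a real resolver both show up as a failure. The sinkhole address repeats the page's 192.168.56.1; the probe name and transaction ID are made up.

```python
import socket
import struct

SINKHOLE_IP = "192.168.56.1"  # assumed: the FakeDNS/INetSim bind address used on this page
TXID = 0x1234                 # fixed transaction ID so replies can be matched

def build_dns_query(name):
    """Encode a recursive A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, pos):
    """Advance past a label sequence or a 2-byte compression pointer."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def first_a_record(response):
    """IPv4 string of the first A answer, or None if the reply is unusable."""
    if len(response) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != TXID or not flags & 0x8000 or flags & 0x000F or an == 0:
        return None  # wrong ID, not a response, RCODE != 0, or no answers
    pos = 12
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        pos = _skip_name(response, pos) + 4
    for _ in range(an):
        pos = _skip_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            return socket.inet_ntoa(response[pos:pos + 4])
        pos += rdlen  # not an A record (e.g. CNAME): step over its RDATA
    return None

def sinkhole_works(server=SINKHOLE_IP, name="probe.sandbox.test", timeout=2.0):
    """True if `server` resolves an arbitrary name to itself; False on timeout or a real answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dns_query(name), (server, 53))
        try:
            return first_a_record(s.recvfrom(512)[0]) == server
        except socket.timeout:
            return False
```

Run it from the victim VM before detonating anything; a False result means lookups are not reaching the sinkhole and the network configuration needs fixing first.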
Windows VM Guest Tools
Install these tools in the Windows analysis VM before taking the clean snapshot:
| Tool | Purpose |
|---|---|
| Process Monitor (Procmon) | Real-time filesystem, registry, process monitoring |
| Process Explorer | Advanced task manager (process trees, handles, DLLs) |
| Autoruns | Persistence mechanism enumeration |
| Regshot | Registry snapshot comparison (before/after execution) |
| Wireshark | Network traffic capture and analysis |
| TCPView | Real-time network connections display |
| API Monitor | Win32 API call tracing |
| PEStudio | PE file static analysis |
| x64dbg | User-mode debugger |
| CFF Explorer | PE header editor and viewer |
All Sysinternals tools are available from: https://learn.microsoft.com/en-us/sysinternals/
Snapshot Workflow
1. Install Windows + tools → take "clean-baseline" snapshot
2. Copy malware sample to VM
3. Start monitoring tools (Procmon, Wireshark, Regshot first snapshot)
4. Execute malware
5. Observe behavior for 5-10 minutes
6. Take Regshot second snapshot, save Procmon/Wireshark logs
7. Export logs to host via shared folder or network
8. Revert to "clean-baseline" snapshot
9. Repeat with different configurations if needed
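Steps 2, 7 and 8 of this workflow can be driven from the host with VBoxManage guest control, so the sample goes in and the logs come out without the shared folder the VirtualBox setup disables. This is an added example, not tooling from the page; it uses the page's VM and snapshot names, assumes Guest Additions are running in the victim VM (which the anti-VM hardening above may break), and the guest account, guest paths and password file are assumptions.

```python
import subprocess

VM = "MalwareAnalysis-Win10"
SNAPSHOT = "clean-baseline"
GUEST_AUTH = ["--username", "analyst", "--passwordfile", "/root/guest.pw"]  # assumed guest account
GUEST_SAMPLES = "C:\\samples"        # assumed: staging directory inside the guest
GUEST_LOGS = "C:\\samples\\logs"     # assumed: where Procmon/Wireshark/Regshot output is saved

def plan(sample_path, host_log_dir):
    """Return (setup, teardown): VBoxManage argv lists for one detonation, in order."""
    gc = ["VBoxManage", "guestcontrol", VM]
    setup = [
        ["VBoxManage", "snapshot", VM, "restore", SNAPSHOT],  # VM must be powered off here
        ["VBoxManage", "startvm", VM, "--type", "gui"],
        gc + ["copyto", *GUEST_AUTH, "--target-directory", GUEST_SAMPLES, sample_path],  # step 2
    ]
    teardown = [
        gc + ["copyfrom", *GUEST_AUTH, "--recursive", "--target-directory", host_log_dir, GUEST_LOGS],  # step 7
        ["VBoxManage", "controlvm", VM, "poweroff"],
        ["VBoxManage", "snapshot", VM, "restore", SNAPSHOT],  # step 8: discard everything the sample did
    ]
    return setup, teardown

def run_phase(commands, dry_run=False):
    """Run each argv list with check=True; with dry_run only print it. Returns commands processed."""
    for cmd in commands:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)  # stop at the first failure, never continue on a dirty VM
    return len(commands)

def detonate(sample_path, host_log_dir, dry_run=False):
    """Automate steps 2, 7 and 8; steps 3-6 stay interactive in the VM console."""
    setup, teardown = plan(sample_path, host_log_dir)
    run_phase(setup, dry_run)
    if not dry_run:
        input("Start Procmon/Wireshark/Regshot, run the sample, save logs to "
              f"{GUEST_LOGS}, then press Enter to collect them and revert: ")
    run_phase(teardown, dry_run)
```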
Linux Analysis VM (REMnux)
REMnux is a purpose-built Linux distribution for malware analysis that includes many pre-installed tools.
# Key tools available on REMnux / installable on Kali:
# - INetSim (internet simulation)
# - Wireshark / tshark (packet capture)
# - mitmproxy (HTTP/HTTPS interception)
# - fakeDNS (DNS interception)
# - volatility3 (memory forensics)
# - radare2, Ghidra (reverse engineering)
# - YARA (signature scanning)
# - oledump, oletools (Office document analysis)