Analysis malicious files with virtualbox (Cuckoo/PIN/DynamoRIO).
It's just docker file and scripts for automatise installation of cuckoo & guest vm analyz on virtualbox (tested on version 5.2). Docker dont protected you against exploit of virtualbox [cap_add == ALL && network mode host](if malware attack sandbox...), docker just for use cuckoo fast. Prefer use dedicate host system for this.
- Dockerz virtualbox & cuckoo (use x11 export or rdp to open virtualbox gui) [you must install vbox (same version for driver) on host system too for work!! It's not magic! Sorry]
- script for auto install VM for analyz from FREE ISO microsoft virtualbox (from microsoft website)
- cuckoo install with sysmon module + reverse nginx (ssl + auth htpasswd) + guacamol (remote control) + vmcloak + mitmproxy (view https trafic) + dnsmasq (view dns queries)
- You must install same version of vbox driver on host system (last version of virtualbox 5.x)
- You configure docker-compose on cuckoo service
- build environment (version of virtalbox)
- environment for run (Password, image vb place [look volumes mount], ...) => choose vm guest install
- bash tcpdump_apparmor.sh && cd docker-cuckoo && docker-compose build && bash ../init_cuckoo.sh
- docker-compose up (read info log for instal vm) && bash ../network-cuckoo.sh
- Run you navigator on https://your_ip:8000 and play!
- All: docker-compose logs
- Virtualbox! ../virtualbox/vbrootconf/VBoxSVC.log
- Cuckoo Sandbox
- Pin Intel
- DynamoRIO
- blacktop (https://github.com/blacktop/docker-cuckoo/)
- T0ad (Thomas D.)
- https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
- Vmcloak
- Pin
- DynamoRIO
- Script for result analysis
- check differents profils (admin/restricted user/...)
- check coverage (dynamic vs static) call lib function with SFA (static analysis)
- Create signatures for check detected IOC on infected system (yara => RAM & FILE | SIGMA => logs/mft/proxy/dns)
- Add Mitre Attack cuckoo Signatures
- Remake README for more explain use!