DRAKVUF Sandbox is an automated black-box malware analysis system with DRAKVUF engine under the hood.
This project provides you with a friendly web interface that allows you to upload suspicious files to be analyzed. Once the sandboxing job is finished, you can explore the analysis result through the mentioned interface and get insight whether the file is truly malicious or not.
Because it is usually pretty hard to set up a malware sandbox, this project also provides you with an installer app that would guide you through the necessary steps and configure your system using settings that are recommended for beginners. At the same time, experienced users can tweak some settings or even replace some infrastructure parts to better suit their needs.
In order to run DRAKVUF Sandbox, your setup must fullfill all of the listed requirements:
- Processor: Intel processor with VT-x and EPT features
- Host system: Debian 10 Buster/Ubuntu 18.04 Bionic/Ubuntu 20.04 Focal with at least 2 core CPU and 5 GB RAM
- Guest system: Windows 7 (x64), Windows 10 (x64; experimental support)
This instruction assumes that you want to create a single-node installation with the default components, which is recommended for beginners.
-
Download latest release packages.
-
Install DRAKVUF:
sudo apt update sudo apt install ./drakvuf-bundle*.deb sudo reboot
-
Install DRAKVUF Sandbox stack:
sudo apt install redis-server sudo apt install ./drakcore*.deb sudo apt install ./drakrun*.deb
-
Execute:
sudo draksetup install --iso /opt/path_to_windows.iso
carefully read the command's output. This command would run a Virtual Machine with Windows system installation process.
Unattended installation: If you have
autounattend.xml
matching your Windows ISO, you can request unattended installation by adding--unattended-xml /path/to/autounattend.xml
. Unattended install configuration could be generated with Windows Answer File Generator.Storage backend: By default, DRAKVUF Sandbox is storing virtual machine's HDD in a
qcow2
file. If you want to use ZFS instead, please check the "Optional features" section below. -
Use VNC to connect to the installation process:
vncviewer localhost:5900
-
Perform Windows installation until you are booted to the desktop.
-
Execute:
sudo draksetup postinstall
-
Test your installation by navigating to the web interface ( http://localhost:6300/ ) and uploading some samples. The default analysis time is 10 minutes.
This sections contains various information about optional features that may be enabled when setting up DRAKVUF Sandbox.
If you want to install DRAKVUF Sandbox with a ZFS storage backend, you should perform the following extra steps before executing draksetup install
command:
- Install ZFS on your machine (guide for: Debian Buster, Ubuntu 18.04)
- Create a ZFS pool on a free partition:
where
zpool create tank <partition_name>
<partiton_name>
is e.g./dev/sda3
. Be aware that all data stored on the selected partition may be erased. - Create a dataset for DRAKVUF Sandbox:
zfs create tank/vms
- Execute
draksetup install
as in "Basic installation" section, but remembering to provide additional command line switches:--storage-backend zfs --zfs-tank-name tank/vms
DRAKVUF Sandbox may optionally draw a behavioral graph using ProcDOT, if drakcore
will find it's binary installed at /opt/procdot/procmon2dot
.
- Download ProcDOT (Linux version).
- With your downloaded
procdot*_linux.zip
archive, execute the following commands:unzip -o procdot*_linux.zip lin64/* -d /tmp/procdot mv /tmp/procdot/lin64 /opt/procdot chmod +x /opt/procdot/procmon2dot
- Your new analysis reports will also contain behavioral graphs.
Note: Even though that the guest Internet connectivity is an optional feature, drakrun
would always make some changes to your host system's network configuration:
Always:
- Each instance of
drakrun@<vm_id>
will create a bridgedrak<vm_id>
, assign10.13.<vm_id>.1/24
IP address/subnet to it and bring the interface up. drakrun
will drop any INPUT traffic originating fromdrak<vm_id>
bridge, except DHCP traffic (UDP ports: 67, 68).
Only with net_enable=1
:
drakrun
will enable IPv4 forwarding.drakrun
will configure MASQUERADE throughout_interface
for packets originating from10.13.<vm_id>.0/24
.drakrun
will DROP traffic betweendrak<X>
anddrak<Y>
bridges forX != Y
.
In order to find out the exact details of the network configuration, search for _add_iptable_rule
function usages in drakrun/drakrun/main.py
file.
If you want your guest VMs to access Internet, you can enable networking by editing [drakrun]
section in /etc/drakrun/config.ini
:
- Set
net_enable=1
in order to enable guest Internet access. - Check if
out_interface
was detected properly (e.g.ens33
) and if not, correct this setting.
After making changes to /etc/drakrun
, you need to restart all drakrun
services that are running
in your system:
systemctl restart 'drakrun@*'
Be aware that if your sandbox instance is already running some analyses, the above command will gracefully wait up to a few minutes until these are completed.
You may optionally configure your guests to use
- Setup dnschef tool.
- Start
dnschef
in such way to make it listen on alldrak*
interfaces that belong to DRAKVUF Sandbox. - Set
dns_server=use-gateway-address
in/etc/drakrun/config.ini
. - Restart your drakrun instances:
systemctl restart 'drakrun@*
If your DRAKVUF Sandbox installation seems to work improperly, here are some commands that would help to troubleshoot the infrastructure.
Check service status:
drak-healthcheck
Check service logs:
journalctl -e -u drak-web
journalctl -e -u drak-system
journalctl -e -u drak-minio
journalctl -e -u drakrun@1
You may encounter the following error with draksetup
command or drakrun@*
service, which will prevent the VM from starting properly.
libxl: error: libxl_create.c:1676:domcreate_devmodel_started: Domain 4:device model did not start: -3
...
subprocess.CalledProcessError: Command 'xl create /etc/drakrun/configs/vm-0.cfg' returned non-zero exit status 3.
In such a case, you should inspect /var/log/xen/qemu*.log
in order to determine the actual reason why the VM is refusing to start.
The following error with draksetup
command or drakrun@*
service means that your machine is missing memory resources:
xc: error: panic: xc_dom_boot.c:122: xc_dom_boot_mem_init: can't allocate low memory for domain: Out of memory
...
subprocess.CalledProcessError: Command 'xl create /etc/drakrun/configs/vm-0.cfg' returned non-zero exit status 3.
Resolutions:
- adjust the amount of memory dedicated to the Dom0 (host system) in
/etc/default/grub.d/xen.cfg
(look fordom0_mem=2048M,max:2048M
) and runupdate-grub && reboot
; - adjust the amount of memory dedicated to the DomU (guest systems) in
/etc/drakrun/scripts/cfg.template
(maxmem
andmemory
keys);
The project is divided into two main packages:
drakcore*.deb
- system core, provides a web interface, an internal task queue and object storagedrakrun*.deb
- sandbox worker, should be installed where you want to run your Virtual Machines (Intel CPU with VT-x and EPT is required)
Please note that the DRAKVUF engine is a separate project authored by Tamas K Lengyel.
The system core package drakcore*.deb
consists of the following services:
drak-web
- web interface that allows user to interact with the sandboxdrak-system
- internal task management system, using for dispatching jobs between workersdrak-minio
- builtin object storage on which analysis results are stored
A worker package drakrun*.deb
is basically a wrapper around DRAKVUF project that spins off drakrun
service instances. These instances are processing the queued suspicious files one after another, using appropriate infrastructure. This component also features a draksetup
command that makes it easier to setup configuration that is necessary to run services.
In order to build installation packages on your own, you must install Docker on your machine.
You may build your packages from source using following commands:
git clone https://github.com/CERT-Polska/drakvuf-sandbox.git
cd drakvuf-sandbox
sudo ./drakcore/package/build.sh
sudo ./drakrun/package/build.sh
Afterwards, you should find your installation packages produced in out/
directory.
The build scripts for drakvuf-bundle
are part of tklengyel/drakvuf repository. You may build your package using the following commands:
git clone --recursive https://github.com/tklengyel/drakvuf
cd drakvuf
sudo ./package/build.sh
The resulting package will be produced to package/out/
directory.
Feel free to contact us if you have any questions or comments.
- Michał Leszczyński - [email protected]
- Adam Kliś - [email protected]
- Hubert Jasudowicz - [email protected]
If you have any questions about DRAKVUF engine itself, contact [email protected]