This project hosts a platform for sandboxing and analyzing malware samples using Kunai. It is designed to support sandbox environments for both x86_64 and aarch64 architectures, enabling users to safely isolate malware samples and generate real-world data for threat analysis.
A key feature is the generation of detailed Kunai traces and network traffic dumps, providing detection engineers with direct access to critical insights such as behavioral patterns, system-level activities, and network interactions. This actionable data simplifies the creation of detection rules and significantly accelerates the development of effective defenses against emerging threats.
To get an idea of the data this platform can collect, see: https://helga.circl.lu/NGSOTI/malware-dataset
Install the necessary Python requirements however you prefer. One possibility:
python -m venv ./env
source ./env/bin/activate
pip install -r requirements.txt
Make sure you run the following scripts and commands from within the virtual environment you have created.
# this downloads SEVERAL known-working QEMU images from the Debian/Ubuntu repositories
./scripts/download-images.sh
NB: alternatively, pick one of the download links in that script and fetch only that file.
./scripts/sandbox-init.sh /path/to/qcow/image /path/to/prepared/sandbox
NB: this step will prompt you for your root password, because the qcow image must be mounted to extract the vmlinuz and initrd files.
If you want to avoid that, prepare the VMs inside a Linux container.
How long this initialization takes depends on whether you rely on full-system emulation or benefit from KVM acceleration. In either case, you must wait for the script to terminate before going further.
# use path to prepared sandbox from previous step
vim /path/to/prepared/sandbox/config.yaml
# required changes:
qemu:
  # change this
  distribution: change_me
analysis:
  kunai:
    # be careful to point to the kunai binary built for the right architecture
    path: /path/to/kunai
    # not mandatory, but kunai CLI arguments can be changed here
    args: []
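A preflight check for the two edits above, written here as an added example (it is not part of the project): it assumes the key names shown in the config (distribution, path), that each appears once in the file, and that the Kunai binary is a plain ELF executable.

```shell
#!/usr/bin/env bash
# Preflight check for a prepared sandbox config.yaml (added example, not project code).
# Verifies the two edits the README asks for before sandbox.py is run:
#   1. qemu.distribution is no longer the "change_me" placeholder
#   2. analysis.kunai.path is an executable ELF built for the expected architecture
# Assumes the keys "distribution:" and "path:" each appear once in the file.

# Print the value of the first "key: value" line, ignoring leading indentation.
yaml_value() {  # $1 = key, $2 = config file
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n1
}

# Print the ELF machine type of a binary: x86_64, aarch64, unknown, or not-elf.
elf_arch() {  # $1 = path
  if [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" != "7f454c46" ]; then
    echo "not-elf"; return
  fi
  # e_machine is the 16-bit little-endian field at offset 18 of the ELF header
  case "$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')" in
    3e00) echo x86_64 ;;
    b700) echo aarch64 ;;
    *)    echo unknown ;;
  esac
}

# check_config <config.yaml> <expected arch>: prints each problem, returns 0 only if clean.
check_config() {
  cfg="$1"; want="$2"; rc=0
  dist="$(yaml_value distribution "$cfg")"
  if [ -z "$dist" ] || [ "$dist" = "change_me" ]; then
    echo "qemu.distribution is still the placeholder ('$dist')"; rc=1
  fi
  kpath="$(yaml_value path "$cfg")"
  if [ ! -x "$kpath" ]; then
    echo "analysis.kunai.path '$kpath' is not an executable file"; rc=1
  else
    arch="$(elf_arch "$kpath")"
    if [ "$arch" != "$want" ]; then
      echo "kunai binary is built for $arch but the sandbox expects $want"; rc=1
    fi
  fi
  return "$rc"
}
```

Run it as `check_config /path/to/prepared/sandbox/config.yaml aarch64` (or `x86_64`) before launching sandbox.py; a non-zero exit means the config still needs work.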
# this will spawn an interactive shell in the VM
./sandbox.py -c /path/to/prepared/sandbox/config.yaml -i
# run a 5s test and store the analysis results in /path/to/analysis
./sandbox.py -t 5 -c /path/to/prepared/sandbox/config.yaml --test -o /path/to/analysis
# inspect the results in output directory
ls -hail /path/to/analysis
If you do not have a malware sample, or do not want to run one just for testing, you can simply use a binary retrieved from the VM instead.
# by default the analysis timeout is 60s
./sandbox.py -c /path/to/prepared/sandbox/config.yaml -o /path/to/analysis -- /path/to/sample --some=sample --args
# inspect the results in output directory
ls -hail /path/to/analysis
You now have everything ready to run your first malware sample in the sandbox.
The NGSOTI project is dedicated to training the next generation of Security Operation Center (SOC) operators, focusing on the human aspect of cybersecurity. It underscores the significance of providing SOC operators with the necessary skills and open-source tools to address challenges such as detection engineering, incident response, and threat intelligence analysis. Involving key partners such as CIRCL, Restena, Tenzir, and the University of Luxembourg, the project aims to establish a real operational infrastructure for practical training. This initiative integrates academic curricula with industry insights, offering hands-on experience in cyber ranges.
NGSOTI is co-funded under the Digital Europe Programme (DEP) via the ECCC (European Cybersecurity Competence Network and Competence Centre).