A forum for reverse engineering, OS internals and malware analysis 

 #24574  by evelyette
 Wed Dec 10, 2014 9:25 pm
Hello,

Does somebody know which virtual environments automated malware analysis environments like malwr, joesandbox, anubis, threatexpert and others use for malware analysis? Basically I'm interested in the following:

1. Which virtualization technology is used by which automated malware analysis system. If anybody can fill in the missing pieces, it would be awesome.
  • Anubis: Qemu
  • Comodo
  • Eureka
  • Joe Security
  • Malwr: VirtualBox
  • Threat Expert: VMware
  • Threat Track
  • Vicheck
2. Do automated malware analysis systems use public cloud service providers (IaaS) or do they set up a private virtual environment using their own hardware? If systems are kept private, they can be easily configured to create a good malware analysis environment, which can be harder with public CSPs, but on the other hand using public CSPs has other advantages like availability of the servers, less downtime, etc.

3. When using Windows systems in a virtual machine used for malware analysis, do they require licences from the Windows company in order to do so - how can one obtain such licences; through normal means, or is Microsoft hesitant to give away licences for such purposes? How about licences for Windows XP, which isn't supported anymore; can one still obtain a valid licence in order to set up a malware analysis lab?

Thank you
 #24578  by EP_X0FF
 Thu Dec 11, 2014 9:31 am
Comodo Camas is running VMware. All others you can find yourself by sending your own harvester - most things can be revealed by dumping the PCI bus device ID list.
 #24581  by evelyette
 Thu Dec 11, 2014 6:09 pm
Hello,

TK_: Malwr uses Cuckoo - I've updated the initial post to make this clear.
EP_X0FF: Thank you for your comment, I'll take a closer look.
rnd.usr: I'm aware of the Drakvuf.

Thank you all for your provided answers, but if anybody knows more details about *each* of the questions asked, it would mean a lot if he/she can share the information. I can figure out the first question due to the EP_X0FF answer, but the remaining two questions remain open as they received no feedback.

Thanks again
 #24593  by frank_boldewin
 Sat Dec 13, 2014 4:42 pm
Cuckoo supports VBOX, VMWARE and QEMU KVM. Furthermore, it has support for Volatility. The latest version has a branch with a new API monitor, which will be integrated into the master branch in the near future. Another plugin is zer0m0n from conix-security, which supports kernel hooks and some anti-VM stuff.
And yes, you need to buy your own windows licenses.
 #24609  by evelyette
 Sun Dec 14, 2014 10:56 pm
Thank you for the provided answers. Now I would only like to know whether existing malware analysis systems use cloud providers to rent their infrastructure or implement their own infrastructure. I realize it's far better to provide your own malware analysis lab, but I'm interested in whether some of the providers do things differently.

Thank you
 #24611  by EP_X0FF
 Mon Dec 15, 2014 4:50 am
evelyette wrote:Thank you for the provided answers. Now I would only like to know whether existing malware analysis systems use cloud providers to rent their infrastructure or implement their own infrastructure. I realize it's far better to provide your own malware analysis lab, but I'm interested in whether some of the providers do things differently.

Thank you
Actually you can find it yourself.

Let's take as example two maybe not widely known sandboxes (I doubt they are used by more than 50 people each), but they are "generic" representative examples

jevereg.amnpardaz.com
hybrid-analysis.com

because this business seems to have become popular and now every idiot with money can build his own "ultra super forensic lab"

First is Iranian origin and runs VMWare + WinXP SP2 (probably pirated).
Second is German origin and runs VirtualBox + Windows 7 (probably pirated).

Both are so friendly configured that we can gather most of the info directly from the sandbox (which is, for example, slightly difficult to do with VirusTotal <running VirtualBox> or Camas <running VMWare>).

jevereg.amnpardaz.com sits on 188.75.101.32

inetnum 188.75.100.1 - 188.75.107.255
netname HOMATELECOM-INFRA-100to107
descr HomaTelecom Prefix
country IR
http://homatelecom.net/

Their VM is running on different IP 188.75.101.239 which belongs also to homatelecom.

Second German "ultra-mega sandbox" is running on 85.25.146.22

inetnum 85.25.129.0 - 85.25.153.255
descr BSB-SERVICE Dedicated Server Hosting
netname BSB-SERVICE-1
country DE

This sandbox is running on the same IP = 85.25.146.22.

In general, the answer to your question will be: they use everything. Even mom's computer internets.
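The netblock check EP_X0FF walks through above, as an added example that is not code from the post: it parses the two RIPE-style inetnum records quoted there (embedded here as constructed sample input, with the IPs from the post) and tests whether a sandbox's public front end and the IP its guest egresses from sit in the same allocation, which is what tells you the sandbox owns its own hosting rather than renting scattered cloud instances.

```python
import ipaddress
import re

# Constructed sample input: the two whois records quoted in the post above,
# laid out in the usual "key: value" form of a RIPE database object.
WHOIS_RECORDS = {
    "jevereg.amnpardaz.com": """\
inetnum:        188.75.100.1 - 188.75.107.255
netname:        HOMATELECOM-INFRA-100to107
descr:          HomaTelecom Prefix
country:        IR
""",
    "hybrid-analysis.com": """\
inetnum:        85.25.129.0 - 85.25.153.255
descr:          BSB-SERVICE Dedicated Server Hosting
netname:        BSB-SERVICE-1
country:        DE
""",
}


def parse_inetnum(record):
    """Parse the key/value lines of a RIPE-style record into a dict and
    convert the 'inetnum' start-end range into a list of CIDR networks."""
    fields = {}
    for line in record.splitlines():
        m = re.match(r"^([\w-]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    start, end = (ipaddress.ip_address(s.strip())
                  for s in fields["inetnum"].split("-"))
    fields["networks"] = list(ipaddress.summarize_address_range(start, end))
    return fields


def same_netblock(record, *ips):
    """True when every given IP lies inside the record's inetnum range,
    i.e. the sandbox front end and its guest egress share one allocation."""
    nets = parse_inetnum(record)["networks"]
    return all(any(ipaddress.ip_address(ip) in n for n in nets) for ip in ips)


def summarize(host, record, *ips):
    """What an analyst notes about a sandbox's hosting: netname, country,
    the allocation as CIDRs, and whether all observed IPs fall inside it."""
    f = parse_inetnum(record)
    return {"host": host, "netname": f.get("netname"),
            "country": f.get("country"),
            "cidrs": [str(n) for n in f["networks"]],
            "all_inside": same_netblock(record, *ips)}
```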
 #24620  by evelyette
 Mon Dec 15, 2014 10:02 pm
EP_X0FF, thank you for a detailed answer. Would you mind sharing the code you used to discover their IPs? Did you just dump the network configuration and be gone with it? Nevertheless, if you can share the code, it would save me the trouble (however small it might be) of doing it myself and it would possibly be beneficial for other readers of this blog.

I'm also interested in how VirusTotal makes it more difficult to obtain such information. Are there any existing threads on kernelmode that discuss this in detail?

Regards