How to create your own FBI Malware Analysis tool [EAT THAT FBI!]

Do not get me wrong, I am happy that the FBI is going to open their Malware Analysis tool to outside researchers, but did you know that you can create your own FBI Malware Analysis Tool within a couple of hours?!

You can create your own malware analysis environment with the Cuckoo Sandbox project. Just take a look at the Malwr.com website: the site is built on Cuckoo Sandbox. The Cuckoo Sandbox project allows you to research and analyze various malware samples.

The only thing you will need to consider is the fact that you will need to set up your own environment, but hey – that’s exactly what we are going to do.

The FBI Malware Analysis Tool is only available if you sign up for an agreement with the FBI. So instead of having an agreement with a foreign government, you can set up your own malware analysis environment by using Cuckoo Sandbox.

So what is Cuckoo Sandbox?

Cuckoo Sandbox is open source software for automating the analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while they run in an isolated environment.


First things first: the important questions to answer before you start to set up the environment

I have set up these questions as they will provide insight into what you will need for the Cuckoo Sandbox project. I have set up multiple Cuckoo Sandbox environments on various hardware configurations, and trust me when I say that it makes a big difference. So let’s select the right environment settings first.

How many samples do you want to analyze?

This question is important as Cuckoo Sandbox will store the samples and databases in your own private environment. So if you want to keep 500 000 malware samples and 500 000 reports on those samples, you will need at least 2TB of hard drive storage.

Do you want to spend money on the project?

If you want to spend money on the project, you might be interested in using a dedicated server, or a home-built (high-end) server.

Will you make it public to the internet?

If you are going to connect the Cuckoo Sandbox environment to the internet (which is recommended), I urge you to create a separate, locked-down network for it. You do not want to have a malware outbreak in your private (or any other) environment.
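As an added example (not from the original post and not the Cuckoo project's own code), this is the kind of host firewall policy that keeps the analysis guests off your LAN while still letting them reach the internet and the Cuckoo result server. Assumed: a VirtualBox host-only network 192.168.56.0/24 on vboxnet0, the Cuckoo host at 192.168.56.1, the result server on TCP 2042 (Cuckoo's default), and eth0 as the uplink; all of these can be overridden through environment variables.

```shell
#!/bin/sh
# Added example: egress policy for the Cuckoo guest network.
# Assumptions (override via environment): VirtualBox host-only network
# 192.168.56.0/24 on vboxnet0, Cuckoo host 192.168.56.1, result server on
# TCP 2042, internet uplink eth0 with NAT.
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"
HOST_IF="${HOST_IF:-vboxnet0}"
CUCKOO_HOST="${CUCKOO_HOST:-192.168.56.1}"
RESULT_PORT="${RESULT_PORT:-2042}"
WAN_IF="${WAN_IF:-eth0}"

# Print the iptables commands in the order they must be applied.
cuckoo_rules() {
    # Guests may reach the result server on the host and nothing else on it.
    echo "iptables -A INPUT -i $HOST_IF -s $GUEST_NET -d $CUCKOO_HOST -p tcp --dport $RESULT_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $HOST_IF -s $GUEST_NET -j DROP"
    # Replies to connections the guests opened are allowed back in.
    echo "iptables -A FORWARD -i $WAN_IF -o $HOST_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # A guest must never be forwarded into private address space (your LAN).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A FORWARD -i $HOST_IF -s $GUEST_NET -d $net -j DROP"
    done
    # Everything else from a guest goes out to the internet, NATed.
    echo "iptables -A FORWARD -i $HOST_IF -o $WAN_IF -s $GUEST_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Number of commands the policy consists of (sanity check).
cuckoo_rule_count() { cuckoo_rules | wc -l | tr -d ' '; }

# Exit status 0 if the policy drops forwarding to the given destination.
cuckoo_blocks() { cuckoo_rules | grep -q -- "-d $1 -j DROP"; }

if [ "$1" = "--apply" ]; then
    # Apply for real (needs root); otherwise just print the policy for review.
    cuckoo_rules | while read -r cmd; do $cmd; done
else
    cuckoo_rules
fi
```

Run it without arguments to review the generated rules, and with `--apply` as root to install them.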

Will you run it from home?

If you are going to run the Cuckoo Sandbox from home, inform your provider so they will not put your IP on a blacklist. I did this once, and my IP has been free from blacklists ever since.

Will you run it on a VPS?

No, do not do that. You will be able to run the Cuckoo Sandbox environment, but it will be EXTREMELY slow.

Will you run it on a dedicated server?

Awesome. If you want to do that – do inform your provider so they will not block the IP.

How to install Cuckoo Sandbox

I could explain how to install the Cuckoo Sandbox environment, but I urge you to follow the official Cuckoo Sandbox developers' installation guide, which is very complete.

What I can do is help you out with some awesome Cuckoo Sandbox plugins (signatures), and you can use the Cuckoo Sandbox Search Syntaxes guide to search your database for identified samples.