Assemblyline as a Malware Analysis Sandbox

Published: 2023-02-04
Last Updated: 2023-02-04 23:53:30 UTC
by Guy Bruneau (Version: 1)

If you are looking for a malware sandbox that is easy to install and maintain, Assemblyline (AL) [1] is likely the system you want to be part of your toolbox. "Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline's most powerful functionalities is its recursive analysis model."[2]

First step, install the server. My server configuration is as follows:

  • Ubuntu 22.04
  • Ubuntu Server (minimized)
  • 8+ Cores
  • 16+ GB RAM
  • 100 GB
  • 100+ GB /var/lib/docker
  • Static IP

After rebooting and before installing AL, I updated the server and added the following packages:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
$ sudo apt-get install net-tools open-vm-tools htop ntp bind9-utils vim

Set up a separate disk for Docker, which will also store the malware samples. Mine is 100 GB:

$ sudo cfdisk /dev/sdb
$ sudo pvcreate /dev/sdb1
$ sudo vgcreate malware_vg01 /dev/sdb1
$ sudo vgdisplay malware_vg01
$ sudo lvcreate -n /dev/mapper/malware_vg01-virus --size 99G malware_vg01
$ sudo lvdisplay malware_vg01
$ sudo mkfs.xfs /dev/malware_vg01/virus

Add the new disk to /etc/fstab:

$ sudo vi /etc/fstab
Add: /dev/malware_vg01/virus /var/lib/docker xfs defaults,noatime,nosuid 0 0
$ sudo mkdir -p /var/lib/docker
$ sudo mkdir -p /etc/docker
$ sudo mount -a
$ df -k

The server is now ready for the Assemblyline installation. Next, I followed the instructions here to install the software. I selected Docker to install AL for my VM appliance. After completing the installation, it is time to log in: admin:admin. Because these are default credentials, change the password after the first login.

After logging in, check the Services tab for other available services you might choose to install. Some of them require paying the vendor to access the service (e.g. IntezerDynamic, IntezerStatic), while others are free to use but might require registration to enable them.

Next, it is time to configure some of the other services under the Services tab, such as adding an API key to use them (e.g. VirusTotal).

Before submitting any files, check out the Options tab to set other scan services.

Submitting Files via API

This is an example of submitting a sample via the REST API [4]. Check the reference for where to create an API key for an account in the sandbox, using the name mykey to generate the key. Here is an example of submitting a file to AL:

$ curl -X POST https://malware/api/v4/submit/ \
    -k --insecure \
    -H 'x-user: admin' \
    -H 'x-apikey: mykey:SomeApiKeyHere' \
    -H 'accept: application/json' \
    -F 'bin=@myfile.txt'

The same command on a single line:

$ curl -X POST https://malware/api/v4/submit/ -k --insecure -H 'x-user: admin' -H 'x-apikey: mykey:SomeApiKeyHere' -H 'accept: application/json' -F 'bin=@myfile.txt'
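
The command above turns off certificate verification with -k and puts the API key in curl's arguments, where it lands in shell history and the process list. The following is an added example, not part of the original diary or of the Assemblyline project, that makes the same submission with verification on and the key passed over stdin. The names AL_HOST, AL_USER, AL_APIKEY, AL_CACERT, al_curl_config and al_submit are assumptions, as is having a PEM copy of the appliance's certificate whose name matches the host.

```bash
#!/usr/bin/env bash
# Added example, not from the original diary. Assumed names: AL_HOST, AL_USER,
# AL_APIKEY, AL_CACERT, al_curl_config, al_submit.

# Print a curl config (consumed with "--config -") holding the auth headers, so
# the API key travels over stdin and never appears in curl's argument list.
# Returns 1 if a credential is missing or could break out of the quoted value.
al_curl_config() {
    local user="${AL_USER:-}" key="${AL_APIKEY:-}" v
    if [ -z "$user" ] || [ -z "$key" ]; then
        echo "AL_USER and AL_APIKEY must be set" >&2
        return 1
    fi
    for v in "$user" "$key"; do
        case "$v" in
            *[[:cntrl:]]*|*'"'*|*'\'*)
                echo "illegal character in credential" >&2
                return 1 ;;
        esac
    done
    printf 'header = "x-user: %s"\n' "$user"
    printf 'header = "x-apikey: %s"\n' "$key"
    printf 'header = "accept: application/json"\n'
}

# Submit one file to /api/v4/submit/. Returns 2 for a missing sample, 3 for a
# missing CA file, otherwise curl's exit status (--fail makes HTTP errors non-zero).
al_submit() {
    local sample="$1" host="${AL_HOST:-malware}" cacert="${AL_CACERT:-}" cfg
    [ -f "$sample" ] || { echo "no such file: $sample" >&2; return 2; }
    [ -r "$cacert" ] || { echo "AL_CACERT must be a readable PEM file" >&2; return 3; }
    cfg="$(al_curl_config)" || return 1
    # --cacert checks the server certificate against the given file instead of -k.
    printf '%s\n' "$cfg" | curl --silent --show-error --fail \
        --config - --cacert "$cacert" \
        -F "bin=@${sample}" "https://${host}/api/v4/submit/"
}

# Usage, after exporting AL_USER, AL_APIKEY and AL_CACERT: al_submit myfile.txt
```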

Submitting Files to AL

Using some of the files uploaded to my DShield sensor, I submitted 3 of them using the API for analysis.

AL releases regular updates, which can be seen by clicking on the bell in the top right corner, which shows the current version in green. I found over time that running the following commands in the following order worked best for updating my AL:

Updating AL

$ sudo apt-get update
$ sudo apt-get upgrade
$ cd ~/deployments/assemblyline
$ sudo docker-compose pull
$ sudo docker-compose build
$ sudo docker-compose up -d
$ sudo docker-compose stop
$ sudo docker-compose start

Indicators of Compromise



Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
