obfuscated-loop/wsb-malware-analysis

wsb-malware-analysis

Windows Sandbox (WSB) starter project for malware analysis: automatically provisions a ready-to-use Windows Sandbox environment, including analysis tools, a preconfigured .wsb file, and helper scripts/samples.

Change the MemoryInMB entry in analysis.wsb to a value your system can handle: it is 8 GB of RAM by default, which is sized for a 16 GB host machine.

Quick start

  1. Ensure Windows Sandbox is enabled.
  2. Add or remove any program you want in applications/applications.dat by its corresponding WinGet package ID; you can search for a program's ID here: https://winget.ragerworks.com/
  3. Use the preconfigured .wsb file from this repo.
  4. Start the Sandbox and let the install complete (this can take 10+ minutes).

Pro tip: use the download-applications.ps1 script to download the WinGet installers locally on your host machine. This speeds up installation in the Windows Sandbox environment by quite a bit, because the installers have already been downloaded and do not need to be fetched and hash-verified again inside the sandbox.

What it installs

The installer uses winget to install the following tools:

| Category | Tool | WinGet ID |
|---|---|---|
| Utilities | Everything | voidtools.Everything |
| Compression / archives | 7-Zip | 7zip.7zip |
| System / process tooling | Sysinternals Suite | Microsoft.Sysinternals.Suite |
| Reverse engineering | x64dbg | x64dbg.x64dbg |
| Reverse engineering | rizin | Rizin.Rizin |
| .NET reverse engineering | dnSpyEx | dnSpyEx.dnSpyEx |
| Browser | LibreWolf | LibreWolf.LibreWolf |
| Editor / IDE | Zed | ZedIndustries.Zed |
| Network analysis | Wireshark | WiresharkFoundation.Wireshark |
| Launcher | Flow Launcher | Flow-Launcher.Flow-Launcher |

Taskbar pinning (after installs)

After installation, the script pins these binaries to the taskbar when they exist at their expected locations:

  • LibreWolf (librewolf.exe)
  • dnSpyEx (dnSpy.exe)
  • Sysinternals (ProcMon64.exe, procexp64.exe, tcpview64.exe, Autoruns64.exe)
  • x64dbg (x64dbg.exe)
  • Wireshark (Wireshark.exe)

Project layout

  • applications/
    • applications.dat - A list of WinGet package IDs to install to the sandbox
  • samples/
    • A placeholder folder for malware samples
  • scripts/
  • analysis.wsb - A preconfigured Windows Sandbox file
  • download-applications.ps1 - Optional helper script; run it from the host machine and it downloads the manifest and installer files for each program listed in applications.dat

Notes

  • Please respect the license of https://github.com/Freenitial/Pin-Taskbar and do not use their tool for commercial purposes; you may use my work commercially, but you will need to remove all traces of their project first.
  • The .wsb file is configured to integrate your applications/, samples/ and scripts/ directories into the Sandbox session.
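As an added illustration (not the repository's own analysis.wsb), a minimal .wsb file that shows the MemoryInMB entry mentioned at the top of this page together with the three folder mappings described in the Notes; the host checkout path, the in-sandbox provisioning script name (install.ps1) and the extra hardening settings are assumptions, not something this page states about the project.

```xml
<!-- Added example, not the project's analysis.wsb. Host paths are assumptions:
     replace C:\wsb-malware-analysis with wherever this repository is checked out. -->
<Configuration>
  <!-- Lower this to fit the host; the project default is 8192 (8 GB) for a 16 GB machine. -->
  <MemoryInMB>8192</MemoryInMB>
  <!-- Networking is left enabled only so winget can fetch installers during provisioning;
       a session used purely for running a sample can set this to Disable instead. -->
  <Networking>Enable</Networking>
  <!-- Reduce host exposure: no clipboard, printer or camera/microphone sharing. -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <!-- The three repository directories integrated into the session, all read-only so that
       nothing executed in the sandbox can alter or delete the host copies. -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\wsb-malware-analysis\applications</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\applications</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\wsb-malware-analysis\samples</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\samples</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\wsb-malware-analysis\scripts</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\scripts</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <!-- Assumed name of the in-sandbox provisioning script; this page does not state the
       repository's real script name. It runs once at logon of the sandbox session. -->
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File C:\Users\WDAGUtilityAccount\Desktop\scripts\install.ps1</Command>
  </LogonCommand>
</Configuration>
```

Double-clicking a .wsb file starts a fresh session from it, so changes to MemoryInMB or the mapped paths take effect the next time the sandbox is launched.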