Malboxes - Builds Malware Analysis Windows VMs So That You Don'T Have To

Builds malware analysis Windows virtual machines so that you don’t have to.

Minimum specs for the build machine
  • At least 5 GB of RAM
  • VT-X extensions strongly recommended


dnf install ruby-devel gcc-c++ zlib-devel
vagrant plugin install winrm winrm-fs


apt install vagrant git python3-pip


  • Install git, vagrant and packer using your distribution’s packaging tool (packer is sometimes called packer-io)
  • pip install malboxes:
    sudo pip3 install git+
Starting with Windows 10 Hyper-V is always running below the operating system. Since VT-X needs to be operated exclusively by only one Hypervisor this causes VirtualBox (and malboxes) to fail. To disable Hyper-V and allow VirtualBox to run, issue the following command in an administrative command prompt then reboot: bcdedit /set hypervisorlaunchtype off

Using Chocolatey

The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.
  • Install dependencies:
    choco install python vagrant packer git virtualbox
  • Refresh the console
  • Install malboxes:
    pip3 install setuptools
    pip3 install -U git+
  • Install VirtualBox, Vagrant and git
  • Install Packer, drop the packer binary in a folder in your user’s PATH like C:\Windows\System32\
  • Install Python 3 (make sure to add Python to your environment variables)
  • Open a console (Windows-Key + cmd)
    pip3 install setuptools
    pip3 install -U git+

Box creation

This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.
malboxes build <template>
You can also list all supported templates with:
malboxes list
This will build a Vagrant box ready for malware investigation you can now include it in a Vagrantfile afterwards.
For example:
malboxes build win10_64_analyst
The configuration section contains further information about what can be configured with malboxes.

Per analysis instances

malboxes spin win10_64_analyst <name>
This will create a Vagrantfile prepared to use for malware analysis. Move it into a directory of your choice and issue:
vagrant up
By default the local directory will be shared in the VM on the Desktop. This can be changed by commenting the relevant part of the Vagrantfile.
For example:
malboxes spin win7_32_analyst


Malboxes' configuration is located in a directory that follows usual operating system conventions:
  • Linux/Unix: ~/.config/malboxes/
  • Mac OS X: ~/Library/Application Support/malboxes/
  • Win 7+: C:\Users\<username>\AppData\Local\malboxes\malboxes\
The file is named config.js and is copied from an example file on first run. The example configuration is documented.

ESXi / vSphere support

Malboxes uses virtualbox as a back-end by default but since version 0.3.0 support for ESXi / vSphere has been added. Notes about the steps required for ESXi / vSphere support are available. Since everyone’s setup is a little bit different do not hesitate to open an issue if you encounter a problem or improve our documentation via a pull request.


We are exploring with the concept of profiles which are stored separately than the configuration and can be used to create files, alter the registry or install additional packages. See profile-example.js for an example configuration. This new capacity is experimental and subject to change as we experiment with it.

More information


malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis given by Olivier Bilodeau and Hugo Genesse

Malboxes - Builds Malware Analysis Windows VMs So That You Don'T Have To Malboxes - Builds Malware Analysis Windows VMs So That You Don'T Have To Reviewed by Zion3R on 9:07 AM Rating: 5