# LitterBox

Your malware's favorite sandbox - where red teamers come to bury their payloads.

A sandbox environment designed specifically for malware development and payload testing.

This web application enables red teamers to validate evasion techniques, assess detection signatures, and test implant behavior before deployment in the field.

Think of it as your personal LitterBox for perfecting your tradecraft without leaving traces on production detection systems.

The platform provides automated analysis through an intuitive web interface, monitoring process behavior and generating comprehensive runtime analysis reports. This ensures your payloads work as intended before execution in target environments.

## Features

### Initial Analysis

- File identification with multiple hashing algorithms (MD5, SHA256)
- Shannon entropy calculation for encryption detection
- Advanced file type detection and MIME analysis
- Original filename preservation
- Upload timestamp tracking

### PE File Analysis

For Windows executables (.exe, .dll, .sys):

- PE file type detection (PE32/PE32+)
- Machine architecture identification
- Compilation timestamp analysis
- Subsystem classification
- Entry point detection
- Section enumeration and analysis
- Import DLL dependency mapping

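As an added illustration (not code from the LitterBox project), the following Python implements the hashing, Shannon entropy and PE header checks listed in the two feature sections above using only the standard library. The magic-byte type rules, the lookup tables and the sample PE image it builds are constructed for the demo; the parser reports format, machine, compile timestamp, subsystem, entry point and sections, and goes slightly beyond the list by computing entropy per section, which is where a packed or encrypted payload section stands out from the rest of the binary.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random
    bytes. Packed or encrypted payloads usually score above about 7.2."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def identify_file(data: bytes) -> dict:
    """Hashes, size, whole-file entropy and a magic-byte type guess
    (a constructed subset of what a full MIME lookup would return)."""
    if data.startswith(b"MZ"):
        kind = "pe"
    elif data.startswith(b"PK\x03\x04"):
        kind = "ooxml/zip"  # .docx .xlsx .docm .xlsm containers
    elif data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        kind = "ole2"  # legacy .doc / .xls
    else:
        kind = "unknown"
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "entropy": round(shannon_entropy(data), 3),
            "type": kind}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header ->
    section table and report the fields listed in the PE section above."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"unknown(0x{magic:x})")
    # AddressOfEntryPoint (+16) and Subsystem (+68) share offsets in PE32 and
    # PE32+; the layouts only diverge at BaseOfData/ImageBase, which we skip.
    entry, = struct.unpack_from("<I", data, opt + 16)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, _, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        body = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va,
                         "raw_size": rawsize,
                         "entropy": round(shannon_entropy(body), 3),
                         "characteristics": chars})
    return {"format": fmt,
            "machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
            "compiled": datetime.fromtimestamp(tstamp, timezone.utc).isoformat(),
            "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
            "entry_point": entry,
            "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32+ image used only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers follow the DOS header
    ts = int(datetime(2024, 12, 29, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x8664, 2, ts, 0, 0, 240, 0x22)
    opt = bytearray(240)  # standard PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)  # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, 3)  # IMAGE_SUBSYSTEM_WINDOWS_CUI
    hdr_len = 64 + 4 + 20 + 240 + 2 * 40
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, hdr_len, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, hdr_len + 0x200, 0, 0, 0, 0, 0xC0000040)
    text = bytes(range(256)) * 2  # every byte value twice: maximum entropy
    data = b"\x00" * 0x200  # zero-filled: entropy 0
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs + text + data


if __name__ == "__main__":
    sample = build_sample_pe()
    print(identify_file(sample))
    print(parse_pe(sample))
```

Per-section entropy is the more useful form of the encryption-detection check: a whole-file score is diluted by headers and zero-filled sections, while one section near 8.0 sitting next to an ordinary code section is the usual sign of a packed or encrypted payload.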
### Office Document Analysis

For Microsoft Office files (.docx, .xlsx, .doc, .xls, .xlsm, .docm):

- Macro detection and extraction
- VBA code analysis
- Hidden content identification

## Analysis Capabilities

### Static Analysis Engine

- Signature-based detection using industry-standard rulesets
- Binary entropy analysis
- String extraction and analysis
- Pattern matching for suspicious indicators

### Dynamic Analysis Engine

Available in two modes:

- File Analysis Mode
- Process ID (PID) Analysis Mode

Features include:

- Behavioral monitoring
- Memory region inspection
- Process hollowing detection
- Injection technique analysis
- Sleep pattern monitoring
- Collect Windows telemetry via ETW
- PE integrity verification

## Integrated Tools

### Static Analysis Suite

- [YARA](https://github.com/elastic/protections-artifacts/tree/main/yara) - Pattern matching and signature detection
- [CheckPlz](https://github.com/BlackSnufkin/CheckPlz) - AV detection testing

### Dynamic Analysis Suite

- [YARA](https://github.com/elastic/protections-artifacts/tree/main/yara) (memory scanning) - Runtime pattern detection
- [PE-Sieve](https://github.com/hasherezade/pe-sieve) - Detecting and dumping in-memory malware implants and advanced process injection techniques
- [Moneta](https://github.com/forrest-orr/moneta) - Usermode memory analysis tool to detect malware IOCs
- [Patriot](https://github.com/BlackSnufkin/patriot) - Detecting various kinds of in-memory stealth techniques
- [RedEdr](https://github.com/dobin/RedEdr) - Collect Windows telemetry via ETW providers
- [Hunt-Sleeping-Beacons](https://github.com/thefLink/Hunt-Sleeping-Beacons) - Beacon behavior analysis

## Web Endpoint Reference

#### File Management

```http
POST /upload                        # Upload files for analysis
GET  /files                         # Get list of processed files
```

#### Analysis Operations

```http
GET  /analyze/static/<hash>         # Static file analysis
POST /analyze/dynamic/<hash>        # Dynamic file analysis
POST /analyze/dynamic/<pid>         # Process analysis
```

#### API Results (JSON)

```http
GET /api/results/<hash>/info        # Get JSON file info
GET /api/results/<hash>/static      # Get JSON results for file static analysis
GET /api/results/<hash>/dynamic     # Get JSON results for file dynamic analysis
GET /api/results/<pid>/dynamic      # Get JSON results for PID analysis
```

#### Web Results

```http
GET /results/<hash>/info            # Get file info
GET /results/<hash>/static          # Get results for file static analysis
GET /results/<hash>/dynamic         # Get results for file dynamic analysis
GET /results/<pid>/dynamic          # Get results for PID analysis
```

#### System Management

```http
GET    /health                      # System health and tool status check
POST   /cleanup                     # Clean analysis artifacts and uploads
POST   /validate/<pid>              # Validate process accessibility
DELETE /file/<hash>                 # Delete single analysis
```

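The following Python client is an added example, not part of LitterBox, that drives the JSON endpoints above in the order a test run would use them: upload, trigger static and dynamic analysis, then collect the results. Everything it assumes that the reference does not state is marked in the code: the multipart field name `file`, that `<hash>` is the sample's SHA-256, and the shape of the JSON responses (returned untouched). The default base URL is the bind address given under Installation.

```python
import hashlib
import json
import mimetypes
import uuid
import urllib.request

BASE_URL = "http://127.0.0.1:1337"  # default bind address from the README


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_multipart(field: str, filename: str, content: bytes):
    """Encode one file as multipart/form-data; returns (body, content-type)."""
    boundary = "----LitterBoxExample" + uuid.uuid4().hex
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {ctype}\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


class LitterBoxClient:
    """Thin wrapper over the JSON endpoints. transport(method, url, body,
    headers) -> (status, raw_bytes) defaults to urllib; a fake can be
    injected so the request sequence is checkable without a server."""

    def __init__(self, base_url: str = BASE_URL, transport=None):
        self.base_url = base_url.rstrip("/")
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, body, headers):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=120) as resp:
            return resp.status, resp.read()

    def _call(self, method: str, path: str, body=None, headers=None):
        status, raw = self.transport(method, self.base_url + path, body, headers or {})
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return json.loads(raw) if raw else None

    # File management
    def upload(self, filename: str, content: bytes):
        # Field name "file" is an assumption; the reference only lists the path.
        body, ctype = build_multipart("file", filename, content)
        return self._call("POST", "/upload", body, {"Content-Type": ctype})

    def files(self):
        return self._call("GET", "/files")

    # Analysis operations (results keyed by hash or PID in the URL)
    def analyze_static(self, h): return self._call("GET", f"/analyze/static/{h}")
    def analyze_dynamic_file(self, h): return self._call("POST", f"/analyze/dynamic/{h}")
    def analyze_dynamic_pid(self, pid): return self._call("POST", f"/analyze/dynamic/{pid}")

    # JSON results
    def results_info(self, h): return self._call("GET", f"/api/results/{h}/info")
    def results_static(self, h): return self._call("GET", f"/api/results/{h}/static")
    def results_dynamic(self, h): return self._call("GET", f"/api/results/{h}/dynamic")
    def results_pid(self, pid): return self._call("GET", f"/api/results/{pid}/dynamic")

    # System management
    def health(self): return self._call("GET", "/health")
    def validate_pid(self, pid): return self._call("POST", f"/validate/{pid}")
    def cleanup(self): return self._call("POST", "/cleanup")
    def delete(self, h): return self._call("DELETE", f"/file/{h}")

    def run_full_analysis(self, filename: str, content: bytes) -> dict:
        """Upload, run both engines, then collect the JSON reports, keyed by
        the sample's SHA-256 (assumed to be the <hash> the server expects)."""
        h = sha256_hex(content)
        report = {"sha256": h, "upload": self.upload(filename, content)}
        self.analyze_static(h)
        self.analyze_dynamic_file(h)
        report["info"] = self.results_info(h)
        report["static"] = self.results_static(h)
        report["dynamic"] = self.results_dynamic(h)
        return report


if __name__ == "__main__":
    import sys
    path = sys.argv[1]
    with open(path, "rb") as f:
        print(json.dumps(LitterBoxClient().run_full_analysis(path, f.read()), indent=2))
```

Run as `python client.py sample.bin` against a live instance to print the combined report; check `health()` first if a tool-dependent analyzer comes back empty, since that endpoint reports tool status.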
## Installation

### Prerequisites

- Python 3.11 or higher
- Administrator privileges (required for certain features)
- Windows operating system (required for specific analyzers)

### Setup Steps

1. Clone the repository:

```bash
git clone https://github.com/BlackSnufkin/LitterBox.git
cd LitterBox
```

2. Install required dependencies:

```bash
pip install -r requirements.txt
```

### Running LitterBox

```bash
python litterbox.py
```

The web interface will be available at: `http://127.0.0.1:1337`

## Configuration

The `config.yml` file controls:

- Upload directory and allowed extensions
- Analysis tool paths and command options
- YARA rule locations
- Analysis timeouts and limits

## SECURITY WARNINGS
- **DO NOT USE IN PRODUCTION**: This tool is designed for development and testing environments only. Running it in production could expose your systems to serious security risks.
- **ISOLATED ENVIRONMENT**: Only run LitterBox in an isolated, disposable virtual machine or dedicated testing environment.
- **NO WARRANTY**: This software is provided "as is" without any guarantees. Use at your own risk.
- **LEGAL DISCLAIMER**: Only use this tool for authorized testing purposes. Users are responsible for complying with all applicable laws and regulations.

## Acknowledgments

This project incorporates the following open-source components and acknowledges their authors:

- [Elastic](https://github.com/elastic/protections-artifacts/tree/main/yara)
- [hasherezade](https://github.com/hasherezade/pe-sieve)
- [Forrest Orr](https://github.com/forrest-orr/moneta)
- [rasta-mouse](https://github.com/rasta-mouse/ThreatCheck)
- [thefLink](https://github.com/thefLink/Hunt-Sleeping-Beacons)
- [joe-desimone](https://github.com/joe-desimone/patriot)
- [dobin](https://github.com/dobin/RedEdr)

## Screenshots