A comprehensive automated malware sandbox analysis platform with parallel processing and behavioral monitoring capabilities. This system provides intelligent malware analysis with real-time monitoring, advanced scheduling, and detailed behavioral insights for security research and threat detection.
- π Multi-Engine Analysis: Support for multiple security analysis engines with comprehensive threat detection
- β‘ Parallel Processing: Simultaneous analysis with 40%+ time savings and 1.7x speed improvement
- π Behavioral Analysis: Deep behavioral monitoring with process tree construction and system activity tracking
- π RESTful API: Complete API interface for integration and automation
- π Real-time Monitoring: Performance tracking, task status, and system health monitoring
- π§ Intelligent Management: Automatic sandbox management and resource optimization
- π‘οΈ Isolated Environment: Secure sandbox execution with snapshot-based recovery
- π Detailed Reports: Comprehensive analysis reports with behavioral insights and threat indicators
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β FastAPI Web Server β
β (Port: 8000) β
βββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββββββ
β Task Manager β
β (Parallel Analysis Scheduler) β
βββββββββββββββ¬ββββββββββββββββββββββββ¬ββββββββββββββββββββββββ
β β
βββββββββββ΄ββββββββββ βββββββββββ΄ββββββββββ
β Behavioral Engine β β Security Engines β
β (Activity Monitor)β β (5 Parallel VMs) β
βββββββββββ¬ββββββββββ βββββββββββ¬ββββββββββ
β β
βββββββββββ΄ββββββββββ βββββββββββ΄ββββββββββ
β Sandbox Monitor β β Analysis Pool β
β β β βββββββββββββββββ β
βββββββββββββββββββββ β β Sandbox VMs β β
β β - engine-1 β β
β β - engine-2 β β
β β - engine-3 β β
β β - engine-4 β β
β β - engine-5 β β
β βββββββββββββββββ β
βββββββββββββββββββββ
- Backend Framework: FastAPI + Python 3.11
- Sandbox Environment: Isolated virtual machine execution
- Async Processing: asyncio + Parallel Task Queue
- Performance Monitoring: psutil + Custom Performance Monitor
- Logging System: loguru
- Configuration Management: YAML Configuration Files
-
Multi-Engine Detection: Support for multiple security analysis engines
- Static analysis capabilities
- Dynamic behavior analysis
- Signature-based detection
- Heuristic analysis
- Machine learning detection
-
Behavioral Analysis: Comprehensive behavioral monitoring and tracking
- Process creation and termination
- File system operations
- Network connections
- Registry modifications
- Process tree construction
- System call monitoring
- Intelligent Scheduling: Multiple analysis engines run simultaneously
- Resource Pooling: Dynamic sandbox resource allocation and management
- Performance Optimization: 40%+ time savings, 1.7x speed improvement
- Error Isolation: Single analysis failure doesn't affect other analyses
- Performance Monitoring: Real-time tracking of CPU, memory, disk usage
- Task Status: Detailed task execution status and progress
- Threat Detection: Real-time threat detection and classification
- System Health: Sandbox status and resource usage monitoring
- Intelligent File Processing: Automatic file type detection and validation
- Sandbox Management: Automatic snapshot restoration and cleanup
- Time Unification: All timestamps unified to local time format
- Threat Intelligence: Intelligent threat classification and reporting
- Report Generation: Comprehensive analysis reports with actionable insights
- API Interface: Complete RESTful API
- Windows 10/11 (Recommended)
- Virtualization platform (for sandbox environment)
- Python 3.11+
- At least 16GB RAM
- 100GB+ available disk space
-
Download Latest Release
# Download from GitHub releases wget https://github.com/zcyberseclab/vmm/releases/latest/download/vmm-latest.tar.gz tar -xzf vmm-latest.tar.gz cd vmm-*
-
Install Dependencies
pip install -r requirements.txt
-
Clone the Repository
git clone https://github.com/zcyberseclab/vmm.git cd vmm -
Install Dependencies
pip install -r requirements.txt
-
Copy Configuration Template
cp config.yaml.example config.yaml
-
Configure Security Exclusions
# Add exclusions for analysis directory Add-MpPreference -ExclusionPath "C:\path\to\vmm\uploads"
-
Prepare Sandbox Environment
- Create multiple Windows sandbox virtual machines
- Install security analysis engines on each VM
- Create baseline snapshots for each sandbox
-
Edit Configuration File
# Edit config.yaml file # Configure sandbox names, credentials, analysis settings, etc.
# Start production server
uvicorn main:app --host 0.0.0.0 --port 8000
# Or start development server with auto-reload
python main.pyThe service will be available at http://localhost:8000 (or the port specified in your config.yaml).
-
Submit Sample for Analysis
curl -X POST "http://localhost:8000/api/analyze" \ -H "X-API-Key: your-api-key" \ -F "file=@malware.exe" \ -F "filename=test_malware.exe"
-
Query Task Status
curl -H "X-API-Key: your-api-key" \ "http://localhost:8000/api/task/{task_id}"
-
Get Analysis Results
curl -H "X-API-Key: your-api-key" \ "http://localhost:8000/api/result/{task_id}"
-
System Health Check
curl "http://localhost:8000/api/health" -
Interactive API Documentation
- Swagger UI:
http://localhost:8000/docs - ReDoc:
http://localhost:8000/redoc
- Swagger UI:
Performance statistics based on actual test data:
| Metric | Value | Description |
|---|---|---|
| Parallel Analysis Time | 390.7 seconds | Multi-engine simultaneous analysis |
| Performance Improvement | 40.2% | Time savings compared to serial analysis |
| Speed Multiplier | 1.7x | Parallel vs serial analysis speed |
| CPU Usage | 7.5% β 11.2% | CPU usage change during analysis |
| Memory Usage | 28.2% β 29.8% | Memory usage change during analysis |
| Event Collection | 530+ events | Behavioral monitoring event count |
| Threat Detection | 5+ engines | Multiple security engine results |
Startup and ready time statistics for each sandbox environment:
| Sandbox Environment | Startup Time | System Ready Time | Total |
|---|---|---|---|
| Behavioral Monitor | ~31 sec | ~5 sec | ~36 sec |
| Security Engine 1 | ~44 sec | ~30 sec | ~74 sec |
| Security Engine 2 | ~28 sec | ~25 sec | ~53 sec |
| Security Engine 3 | ~33 sec | ~28 sec | ~61 sec |
| Security Engine 4 | ~51 sec | ~32 sec | ~83 sec |
| Security Engine 5 | ~64 sec | ~35 sec | ~99 sec |
| Phase | Average Duration | Description |
|---|---|---|
| Sandbox Startup | 30-100 sec | Varies by different security engines |
| Sample Upload | 2-5 sec | File transfer to sandbox environment |
| Sample Execution | 5-10 sec | Malware execution time |
| Threat Detection | 10-25 sec | Wait for security engine detection |
| Log Collection | 5-15 sec | Collect analysis logs and reports |
| Sandbox Cleanup | 10-20 sec | Snapshot restoration and resource cleanup |
| Behavioral Analysis | 60-90 sec | Event collection and behavioral analysis |
| Configuration Item | Current Value | Maximum Value | Description |
|---|---|---|---|
| Concurrent Tasks | 10 | Configurable | Simultaneous analysis tasks |
| Queue Size | 100 | Configurable | Maximum queued task count |
| Sandbox Pool Size | 6 Sandboxes | Scalable | Available sandbox environments |
| File Size Limit | 100MB | Configurable | Single sample file size |
The main configuration file config.yaml contains the following sections:
- Server Configuration: Port, upload directory, file size limits
- Sandbox Configuration: Sandbox names, credentials, snapshot names
- Analysis Configuration: Timeout settings, monitoring time, concurrency limits
- Behavioral Monitoring: Event types, collection count, analysis options
Please refer to the comments in the config.yaml file for detailed configuration.
- Resource Requirements: The system needs sufficient CPU and memory to run multiple sandbox environments simultaneously
- Network Isolation: Recommended to run in an isolated network environment to prevent malware propagation
- Snapshot Management: Regularly update sandbox snapshots to keep the analysis environment clean
- Log Monitoring: Monitor log file sizes and clean up old logs regularly
- Security Protection: Ensure the host system has appropriate security protection measures
We welcome contributions! Please see our Contributing Guidelines for details.
- Fork the repository
- Create a feature branch:
git checkout -b feature/amazing-feature - Make your changes and add tests
- Commit your changes:
git commit -m 'Add amazing feature' - Push to the branch:
git push origin feature/amazing-feature - Open a Pull Request
-
Virtualization platform not found
- Ensure virtualization software is properly installed
- Check that virtualization commands are accessible from PATH
-
Sandbox startup timeout
- Increase
vm_startup_timeoutin config.yaml - Check sandbox environments have sufficient resources allocated
- Increase
-
API key authentication failed
- Verify the API key in config.yaml matches the X-API-Key header
- Check for typos in the API key
-
File upload fails
- Check file size limits in config.yaml
- Ensure upload directory has write permissions
For more issues and solutions, please check the Issues page.
- System Monitor Tools - System monitoring and analysis tools
- Virtualization Platforms - Sandbox virtualization solutions
- FastAPI - Modern web framework for building APIs
This project is licensed under the MIT License. See the LICENSE file for details.
- Microsoft Sysinternals team for system monitoring tools
- Virtualization platform developers for sandbox technologies
- FastAPI team for the excellent web framework
- Security research community for threat analysis methodologies
- All contributors who helped improve this project
- π§ Email: support@zcyberseclab.com
- π Issues: GitHub Issues
- π¬ Discussions: GitHub Discussions
β If you find this project useful, please consider giving it a star on GitHub!