LitterBox: sandbox approach for malware developers and red teamers

by ddos ·

LitterBox

Your malware’s favorite sandbox – where red teamers come to bury their payloads.

A sandbox environment designed specifically for malware development and payload testing.

This Web Application enables red teamers to validate evasion techniques, assess detection signatures, and test implant behavior before deployment in the field.

Think of it as your personal LitterBox for perfecting your tradecraft without leaving traces on production detection systems.

The platform provides automated analysis through an intuitive web interface, monitoring process behavior and generating comprehensive runtime analysis reports.

This ensures your payloads work as intended before execution in target environments.

Features

Initial Analysis

  • File identification with multiple hashing algorithms (MD5, SHA256)
  • Shannon entropy calculation for encryption detection
  • Advanced file type detection and MIME analysis
  • Original filename preservation
  • Upload timestamp tracking

PE File Analysis

For Windows executables (.exe, .dll, .sys):

  • PE file type detection (PE32/PE32+)
  • Machine architecture identification
  • Compilation timestamp analysis
  • Subsystem classification
  • Entry point detection
  • Section enumeration and analysis
  • Import DLL dependency mapping

Office Document Analysis

For Microsoft Office files (.docx, .xlsx, .doc, .xls, .xlsm, .docm):

  • Macro detection and extraction
  • VBA code analysis
  • Hidden content identification

Analysis Capabilities

Static Analysis Engine

  • Signature-based detection using industry-standard rulesets
  • Binary entropy analysis
  • String extraction and analysis
  • Pattern matching for suspicious indicators

Dynamic Analysis Engine

Available in two modes:

  • File Analysis Mode
  • Process ID (PID) Analysis Mode

Features include:

  • Behavioral monitoring
  • Memory region inspection
  • Process hollowing detection
  • Injection technique analysis
  • Sleep pattern monitoring
  • Collect Windows telemetry via ETW

Doppelganger Analysis

Doppelganger helps you analyze payload in two ways:

Blender

Looks at what’s running on your system by:

  • Scanning active processes to collect IOCs
  • Comparing these IOCs with your payload
  • Showing you which processes are the closest matches
FuzzyHash

Helps you find similar code by:

  • Storing known tools in a database
  • Using ssdeep to compare your payload with open-source tools
  • Showing matches in a simple way, with both overall and specific scores

Integrated Tools

Static Analysis Suite

  • YARA – Pattern matching and signature detection
  • CheckPlz – AV detection testing
  • Stringnalyzer – Payload Strings analyzer

Dynamic Analysis Suite

  • YARA (memory scanning) – Runtime pattern detection
  • PE-Sieve – Detecting and dumping in-memory malware implants and advanced process injection techniques
  • Moneta – Usermode memory analysis tool to detect malware IOCs
  • Patriot – Detecting various kinds of in-memory stealth techniques
  • RedEdr – Collect Windows telemetry via ETW providers
  • Hunt-Sleeping-Beacons – Beacon behavior analysis
  • Hollows-Hunter – Recognizes variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Install & Use

Tags: malware sandbox