Skillget

LitterBox

mcp
SUMMARY

A secure sandbox environment for malware developers and red teamers to test payloads against detection mechanisms before deployment. Integrates with LLM agents via MCP for enhanced analysis capabilities.

README.md

LitterBox

LitterBox Logo

Python
Windows
Linux
Docker
MCP
Ask DeepWiki
GitHub Stars

Table of Contents

Overview

LitterBox provides a controlled sandbox environment designed for security professionals to develop and test payloads. This platform allows red teams to:

  • Test evasion techniques against modern detection techniques
  • Validate detection signatures before field deployment
  • Analyze malware behavior in an isolated environment
  • Keep payloads in-house without exposing them to external security vendors
  • Ensure payload functionality without triggering production security controls

The platform includes LLM-assisted analysis capabilities through the LitterBoxMCP server, offering advanced analytical insights using natural language processing technology.

Note: While designed primarily for red teams, LitterBox can be equally valuable for blue teams by shifting perspective – using the same tools in their malware analysis workflows.

Documentation

LitterBox Wiki - Advanced configuration and technical guides

Key sections:

  • Scanner Configuration - HolyGrail, Blender, and FuzzyHash setup
  • YARA Rules Management - Custom rules and organization
  • Configuration Reference - Complete config.yml options
  • Architecture & Development - System design and custom scanners

Analysis Capabilities

Initial Processing

Feature Description
File Identification Multiple hashing algorithms (MD5, SHA256)
Entropy Analysis Detection of encryption and obfuscation
Type Classification Advanced MIME and file type analysis
Metadata Preservation Original filename and timestamp tracking
Runtime detection Compiled binary identification

Executable Analysis

For Windows PE files (.exe, .dll, .sys):

  • Architecture identification (PE32/PE32+)
  • Compilation timestamp verification
  • Subsystem classification
  • Entry point analysis
  • Section enumeration and characterization
  • Import/export table mapping
  • Runtime detection for Go and Rust binaries with specialized import analysis

Document Analysis

For Microsoft Office files:

  • Macro detection and extraction
  • VBA code security analysis
  • Hidden content identification
  • Obfuscation technique detection

LNK Analysis

For Windows shortcut Files (.lnk)

  • Target execution paths and arguments
  • Machine tracking identifiers
  • Timestamps and file attributes
  • Network share information
  • Volume and drive details
  • Environment variables and metadata

Analysis Engines

Static Analysis

  • Industry-standard signature detection
  • Binary entropy profiling
  • String extraction and classification
  • Pattern matching for known indicators

Dynamic Analysis

Available in dual operation modes:

  • File Analysis: Focused on submitted samples
  • Process Analysis: Targeting running processes by PID

Capabilities include:

  • Runtime behavioral monitoring
  • Memory region inspection and classification
  • Process hollowing detection
  • Code injection technique identification
  • Sleep pattern analysis
  • Windows telemetry collection via ETW

HolyGrail BYOVD Analysis

Find undetected legitimate drivers for BYOVD attacks:

  • LOLDrivers Database: Cross-reference against known vulnerable drivers
  • Windows Block Policy: Validation against Microsoft's recommended driver block rules for Windows 10/11
  • Dangerous Import Analysis: Detection of privileged functions commonly exploited in BYOVD attacks
  • BYOVD Score Calculation: Risk assessment based on exploitation potential and defensive controls

Doppelganger Analysis

Blender Module

Provides system-wide process comparison by:

  • Collecting IOCs from active processes
  • Comparing process characteristics with submitted payloads
  • Identifying behavioral similarities

FuzzyHash Module

Delivers code similarity analysis through:

  • Maintained database of known tools and malware
  • ssdeep fuzzy hash comparison methodology
  • Detailed similarity scoring and reporting

Integrated Tools

Static Analysis Suite

Dynamic Analysis Suite

API Reference

File Operations

POST   /upload                    # Upload samples for analysis
GET    /files                     # Retrieve processed file list

Analysis Endpoints

GET    /analyze/static/<hash>     # Execute static analysis
POST   /analyze/dynamic/<hash>    # Perform dynamic file analysis  
POST   /analyze/dynamic/<pid>     # Conduct process analysis

HolyGrail BYOVD Analysis

POST   /holygrail                 # Upload driver for BYOVD analysis
GET    /holygrail?hash=<hash>     # Execute BYOVD analysis on uploaded driver

Doppelganger API

# Blender Module
GET    /doppelganger?type=blender               # Retrieve latest scan results
GET    /doppelganger?type=blender&hash=<hash>   # Compare process IOCs with payload  
POST   /doppelganger                            # Execute system scan with {"type": "blender", "operation": "scan"}

# FuzzyHash Module
GET    /doppelganger?type=fuzzy                 # Retrieve fuzzy analysis statistics
GET    /doppelganger?type=fuzzy&hash=<hash>     # Execute fuzzy hash analysis
POST   /doppelganger                            # Generate database with {"type": "fuzzy", "operation": "create_db", "folder_path": "C:\path\to\folder"}

Results Retrieval (JSON)

GET    /api/results/<hash>/info      # Retrieve file metadata
GET    /api/results/<hash>/static    # Access static analysis results
GET    /api/results/<hash>/dynamic   # Obtain dynamic analysis data
GET    /api/results/<pid>/dynamic    # Retrieve process analysis data
GET    /api/results/<hash>/holygrail # Access BYOVD analysis results

HTML Report Generation

GET    /api/report/          # Generate comprehensive HTML report (target = hash or pid)
GET    /api/report/?download=true  # Download report as file attachment
GET    /report/              # Download report directly (redirects to api with download=true)

Web Interface Results

GET    /results/<hash>/info      # View file information
GET    /results/<hash>/static    # Access static analysis reports
GET    /results/<hash>/dynamic   # View dynamic analysis reports
GET    /results/<pid>/dynamic    # Access process analysis reports
GET    /results/<hash>/byovd     # View BYOVD analysis results

System Management

GET    /health                   # System health verification
POST   /cleanup                  # Remove analysis artifacts
POST   /validate/<pid>           # Verify process accessibility
DELETE /file/<hash>              # Remove specific analysis

Installation

Windows Installation

System Requirements:

  • Windows operating system
  • Python 3.11 or higher
  • Administrator privileges

Deployment Process:

  1. Clone the repository:
git clone https://github.com/BlackSnufkin/LitterBox.git
cd LitterBox
  1. Configure environment:
python -m venv venv
.\venv\Scripts\Activate.ps1
pip install -r requirements.txt

Operation:

# Standard operation
python litterbox.py

# Diagnostic mode
python litterbox.py --debug

Access:

  • Web UI: http://127.0.0.1:1337
  • API Access: Python client integration
  • LLM Integration: MCP server

Linux Installation

System Requirements:

  • Linux operating system
  • Docker and Docker Compose
  • Hardware virtualization support

Deployment Process:

  1. Clone the repository:
git clone https://github.com/BlackSnufkin/LitterBox.git
cd LitterBox/Docker
  1. Run automated setup:
chmod +x setup.sh
./setup.sh

Note: Initial setup takes approximately 1 hour depending on internet speed and system resources.

The setup script automatically:

  • Installs Docker, Docker Compose, and CPU checker
  • Verifies KVM hardware virtualization support
  • Creates Windows 10 container environment with automated LitterBox installation
  • Starts containerized Windows instance

Access:

  • Installation monitor: http://localhost:8006 (track Windows setup progress)
  • RDP access: localhost:3389 (available after installation completes, creds in docker file)

Once installation completes, LitterBox provides:

  • Web UI: http://127.0.0.1:1337
  • API Access: Python client integration
  • LLM Integration: MCP server

For API access, see the Client Libraries section.

Configuration

All settings are stored in config/config.yml. Edit this file to:

  • Change server settings (host/port)
  • Set allowed file types
  • Configure analysis tools
  • Adjust timeouts

Client Libraries

For programmatic access to LitterBox, use the GrumpyCats package:

GrumpyCats Documentation

The package includes:

  • grumpycat.py: Dual-purpose tool that functions as:

    • Standalone CLI utility for direct server interaction
    • Python library for integrating LitterBox capabilities into custom tools

  • LitterBoxMCP.py: Specialized server component that:

    • Wraps the GrumpyCat library functionality
    • Enables LLM agents to interact with the LitterBox analysis platform
    • Provides natural language interfaces to malware analysis workflows

Contributing

Development contributions should be conducted in feature branches on personal forks.
For detailed contribution guidelines, refer to: CONTRIBUTING.md

Support 🍺

If LitterBox has been useful for your security research:

Stargazers 🌟

Stars

Security Advisory

  • DEVELOPMENT USE ONLY: This platform is designed exclusively for testing environments. Production deployment presents significant security risks.
  • ISOLATION REQUIRED: Execute only in isolated virtual machines or dedicated testing environments.
  • WARRANTY DISCLAIMER: Provided without guarantees; use at your own risk.
  • LEGAL COMPLIANCE: Users are responsible for ensuring all usage complies with applicable laws and regulations.

Acknowledgments

This project incorporates technologies from the following contributors:

Interface

LitterBox Demo

Yorumlar (0)

Sonuc bulunamadi