Published on March 1st, 2016 📆 | 7838 Views ⚑


Limon — Analyzing Linux Malware Sandbox

Limon is a sandbox developed as a research project written in python, which automatically collects, analyzes, and reports on the run time indicators of Linux malware. It allows one to inspect the Linux malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open source tools. Limon analyzes the malware in a controlled environment, monitors its activities and its child processes to determine the nature and purpose of the malware. It determines the malware’s process activity, interaction with the file system, network, it also performs memory analysis and stores the analyzed artifacts for later analysis

[adsense size='1']

Working of Limon 

Limon performs below steps for analyzing the linux malware samples.

  • Takes sample as input
  • Performs static analysis
  • Starts the Virtual Machine(VM)
  • Transfers the malware to VM
  • Runs the monitoring tools ( to monitor process, file system, network activity etc)
  • Executes the malware for the specified time
  • Stops the monitoring tools
  • Suspends the VM
  • Acquires the memory image
  • Performs memory analysis using Volatility framework
  • Stores the results (Final reports, destkop screenshot, pcaps and malicious artifacts for later analysis)


Limon relies on various open source tools to perform static, dynamic and memory analysis which means these tools need to installed (some of these tools need to be installed on the host machine and some in the analysis machine and some in both) for Limon to work. Some of these tools come installed with default Linux installations. Below is the list of tools Limon relies on


Supported File Types

Limon can analyze below file types (both with and without parameters) :

  • ELF Executable(both x86 and x86_64)
  • Perl Script
  • Python script
  • Shell script
  • Bash script
  • PHP script
  • Loadable kernel module(LKM)


Analyzing Linux Malware


General Features of Limon

  • Option to run in sandbox mode (does not allow to connect to c2)
  • Option to run in internet mode (connects to c2)
  • Simulates all services (like dns, http and other protocols) when run in sandbox mode
  • Option to run malware for specified time (default is 60 seconds)
  • Captures desktop screenshot
  • Reports on the malware behaviour


Static Analysis Features

Below are the static analysis capabilities of Limon:

  • Determines File Type
  • Determines File Size
  • Determines md5 hash
  • Determines fuzzy hash(ssdeep hash)
  • Comparison of fuzzy hash with previously submitted samples to determine similar variants
  • Display ELF header Structure
  • Dumps ASCII and UNICODE strings
  • Determines packers using YARA rules
  • Determines malware capability using YARA rules (ability to run custom YARA rules will be added soon)
  • Perfoms md5 search on VirusTotal(does not submit samples)
  • Displays dependencies of the malware (shared objects)
  • Displays program header structures
  • Displays section header information
  • Displays symbol table (both static and dynamic symbols)

[adsense size='2']

Dynamic Analysis Features 

Limon gives different options for performing dynamic analysis to track activity of the malware(during execution), below are the different options:

  • Filtered call trace for tracing system calls related to file, process, network activity
  • Unfiltered call trace – traces all system calls (more noisy)
  • Filtered system event montioring to track file, process, network activity (less noisy)
  • Unfiltered system even monitoring to track file, process, network, memory allocations/unallocations, signals etc (more noisy)
  • Shows DNS summary
  • Shows TCP conversations
  • Stores packet captures
  • Stores event trace dump


Memory Analysis features

Limon performs post-mortem analysis by performing memory analysis using Volatility framework. This feature should help in detecting stealthy rootkits and malwares performing Anti-Forensic tricks. Below are the memory analysis features:

  • Option to perform verbose memory forensics (slow)
  • Process Listing (using different methods)
  • Process tree listing
  • Process listing with process arguments
  • Displays thread associated with each process
  • Dispays Network connections (TCP and UDP)
  • Displays Interface Information
  • Displays processes running with RAW sockets
  • Displays shared libaries associated with the processes (using different methods)
  • Displays kernel modules
  • Dislays kernel modules hidden from module list but present in SYSFS
  • Displays Kernel modules hidden from both module list and SYSFS
  • Displays files opened within kernel
  • Displays processes sharing credential structures
  • Checks for keyboard notifier hooks
  • Checks for TTY hooks
  • Checks for system call table modification
  • Displays BASH history
  • Checks for modified file operation structures
  • Checks hooked network operation function structures
  • Checks netfilter hooks
  • Check inline kernel hooks
  • Checks for code or binary injection
  • Check for PLT/GOT hooks (only in verbose mode)
  • Checks for userland api hooks (only in verbose mode)


[adsense size='4']

Source && Download

Leave a Reply

Your email address will not be published.