Limon: Sandbox for Analyzing Linux Malwares

Limon: Sandbox for Analyzing Linux Malwares

Category : Blog

Limon: Sandbox for Analyzing Linux Malwares

Limon is a sandbox for automating Linux malware analysis. It was developed as a research project for learning Linux malware analysis. It is written in python and uses custom python scripts and various open source tools to perform static, dynamic/behavioural and memory analysis. Limon analyzes the malware in a controlled environment, monitors its activities and its child processes to determine the nature and purpose of the malware. It determines the malware’s process activity, interaction with the file system, network, it also performs memory analysis and stores the analyzed artifacts for later analysis.

A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform the target for malware attacks, so it becomes important to analyze the Linux malwares.


Tools used by Limon

Limon relies on various open source tools to perform static, dynamic and memory analysis which means these tools need to installed (some of these tools need to be installed on the host machine and some in the analysis machine and some in both) for Limon to work. Some of these tools come installed with default Linux installations. Below is the list of tools Limon relies on:


Working of Limon

Limon performs below steps for analyzing the linux malware samples

  • Takes sample as input
  • Performs static analysis
  • Starts the Virtual Machine(VM)
  • Transfers the malware to VM
  • Runs the monitoring tools ( to monitor process, file system, network activity etc)
  • Executes the malware for the specified time
  • Stops the monitoring tools
  • Suspends the VM
  • Acquires the memory image
  • Performs memory analysis using Volatility framework
  • Stores the results (Final reports, destkop screenshot, pcaps and malicious artifacts for later analysis)



Supported File Types

Limon can analyze below file types (both with and without parameters) :

  • ELF Executable(both x86 and x86_64)
  • Perl Script
  • Python script
  • Shell script
  • Bash script
  • PHP script
  • Loadable kernel module(LKM)



General Features of Limon

  • Option to run in sandbox mode (does not allow to connect to c2)
  • Option to run in internet mode (connects to c2)
  • Simulates all services (like dns, http and other protocols) when run in sandbox mode
  • Option to run malware for specified time (default is 60 seconds)
  • Captures desktop screenshot
  • Reports on the malware behaviour


Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Tester Training

Ethical Hacking  training

Python Programming training

 RHCE  training

CEH V9  training

Diploma in Network Security Training

Secure Coding in Java

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advanced Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

Digital marketing

CCNA training

Android Training



Leave a Reply

Show Buttons
Hide Buttons