Malware Detonation Platform
Naga is a next-gen malware sandbox with live screen recording, full TLS decryption, and real-time WebSocket streaming. Built with Go + Svelte, it spins up isolated VMs per detonation while enriching data with Suricata, YARA, CAPA, and MITRE ATT&CK tags. Modern UI, one-command Docker deploy.
π NAGA MALWARE DETONATION PLATFORM
π Overview
Naga is a next-generation malware analysis sandbox that combines deep network forensics, real-time visualization, and a modern analyst-centric design.
β‘ "Stop treating malware analysis like a batch job. Start treating it like a live investigation."
Unlike traditional sandboxes (Cuckoo, CAPE), Naga delivers live streaming of the entire detonation process.
π§ Core Philosophy
Traditional sandboxes generate reports after execution.
Naga flips this model by enabling analysts to:
- React instantly to suspicious behavior
- Intercept network traffic in real-time
- Visualize process relationships dynamically
- Understand WHY, not just WHAT
β¨ Key Features
1. π₯οΈ Isolated QEMU/KVM Virtualization
- Fresh VM for every detonation
- Full hardware emulation
- Docker-based deployment (one command setup)
- Auto lifecycle management (create β detonate β destroy β reset)
2. π Full TLS Decryption
- Inspect real HTTPS payloads (not just
443/tcp) - Integrated mitmproxy
- Auto certificate injection
- Full certificate inspection
3. πΉ Live Screen Recording
- Real-time execution via VNC stream
- Video archive for later analysis
- Low-latency WebSocket streaming
4. π Automated Enrichment Pipeline
| Tool | Purpose |
|---|---|
| Suricata | Network intrusion detection |
| YARA | Malware signature detection |
| CAPA | Capability analysis |
| MITRE ATT&CK | Behavior mapping |
5. π Interactive Process Tree
- Built using Sysmon telemetry
- Parent-child relationships
- MITRE ATT&CK tagging
- Hover details (PID, command, techniques)
6. π Network Waterfall Visualization
Timeline of network activity
Color-coded traffic:
- π’ Decrypted HTTPS
- βͺ Other traffic
DNS + certificate insights
7. β‘ Real-Time WebSocket Streaming
Live updates:
- VM status
- Alerts
- Processes
- Network connections
β No polling β only push-based events
8. π¨ Modern UI (Svelte)
- Clean & fast interface
- Analyst-focused dashboard
- Dark mode optimized
- Responsive design
ποΈ Technical Architecture
π High-Level Stack
Frontend (Svelte)
β
β REST / WebSocket
βΌ
Backend (Go)
βββ VM Orchestration
βββ Network Capture
βββ Screen Capture
βββ Enrichment Engine
β
βΌ
QEMU/KVM Virtual Machines
𧩠Components
| Component | Technology | Purpose |
|---|---|---|
| VM Hypervisor | QEMU/KVM + libvirt | Isolation |
| Backend | Go (Gorilla, NATS) | API & orchestration |
| Frontend | Svelte, D3, vis-network | UI |
| Network Capture | tcpdump, mitmproxy | Packet + TLS |
| Screen Recording | ffmpeg, VNC | Live stream |
| Detection | Suricata, YARA, CAPA | Analysis |
| Telemetry | Sysmon | System events |
| Database | PostgreSQL | Storage |
| Backend | NATS | Communication |
| Message Bus | Docker Compose | Deployment |
π¨βπ» Analyst Experience
π What You See
- Upload file / URL
- Live execution dashboard
- Process tree (interactive)
- Network waterfall
- Alerts panel
π‘ Real-Time Event Example
[14:32:01] status: VM ready
[14:32:05] process: powershell.exe (PID 2345)
[14:32:06] mitre: T1059 - Command Execution
[14:32:07] network: 185.x.x.x:443 (HTTPS decrypted)
[14:32:08] alert: Suspicious PowerShell activity
[14:32:10] status: Completed
βοΈ Deployment
π₯οΈ Hardware Requirements
| Resource | Minimum |
|---|---|
| CPU | 8+ cores |
| RAM | 32GB+ |
| Storage | 200GB SSD |
| Network | Isolated |
π§° Software Requirements
- Ubuntu 20.04+ / Debian 11+
- Docker + Docker Compose
- QEMU/KVM + libvirt
- Windows VM image
β‘ One-Command Setup
git clone https://github.com/yourusername/naga
cd naga
sudo ./scripts/setup-host.sh
docker-compose up -d
π― Use Cases
- π‘οΈ SOC / Incident Response
- Analyze phishing payloads
- Investigate attacker infra
- Generate reports
- π§ͺ Threat Research
- Study malware families
- Build detection rules
- Extract TTPs
- π΄ Red Team
- Test payloads safely
- Validate detection footprint
- Improve OPSEC
- π Education
- Teach malware behavior
- Demonstrate attacks live
- Train analysts
βοΈ Comparison
| Feature | Naga | Cuckoo | CAPE | Commercial |
|---|---|---|---|---|
| Live UI | β | β | β | β οΈ Partial |
| TLS Decryption | β | β | β | β |
| Process Tree | β | β οΈ Static | β οΈ Static | β |
| Screen Recording | β | β | β | β |
| Deployment | Easy | Hard | Hard | N/A |
| Cost | FREE | FREE | FREE | $$$ |
π Security & Isolation
β οΈ CRITICAL WARNING
- β Never run on production networks
- π Use isolated environment / VLAN
- π§Ή Reset VM after each detonation
- π« No sensitive data exposure
- β Only analyze authorized samples
πΊοΈ Roadmap
| Feature | Status |
|---|---|
| API Hooking | π‘ Planned |
| Memory Analysis | π‘ Planned |
| Multi-VM | π‘ Planned |
| YARA Editor | π‘ Planned |
| STIX Export | π‘ Planned |
| Cloud Support | π΅ Under Review |
π¦ Project Status
- Version: v0.1.0 (Alpha)
- License: MIT
- Maintainer: SunChero
- Started: April 1, 2026
π Why "Naga"?
Named after the mythical serpent that guards treasures.
π‘ Naga helps analysts uncover hidden malware behavior while resetting clean after each detonation.
π Summary
Naga redefines malware sandboxing:
- β‘ Live, not batch
- π¨ Visual, not static
- π§ Analyst-first design
- π Easy deployment
β Support
If you like this project:
- π Star the repo
- π Share with researchers
- π Contribute to development
