Now it work =)

Packer/sandbox.json

@@ -1,104 +1,104 @@
-{
-  "variables": {
-    "iso_checksum": "27e4feb9102f7f2b21ebdb364587902a70842fb550204019d1a14b120918e455",
-    "iso_checksum_type": "sha256",
-    "iso_url": "https://software-download.microsoft.com/download/pr/17134.1.180410-1804.rs4_release_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso",
-    "autounattend": "./answer_files/10/Autounattend.xml",
-    "disk_size": "61440"
-  },
-  "builders": [
-    {
-      "type": "virtualbox-iso",
-      "vm_name": "sandbox",
-      "communicator": "winrm",
-      "iso_url": "{{user `iso_url`}}",
-      "iso_checksum_type": "{{user `iso_checksum_type`}}",
-      "iso_checksum": "{{user `iso_checksum`}}",
-      "headless": false,
-      "boot_wait": "6m",
-      "boot_command": "",
-      "winrm_username": "vagrant",
-      "winrm_password": "vagrant",
-      "winrm_timeout": "4h",
-      "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"",
-      "guest_os_type": "Windows81_64",
-      "guest_additions_mode": "disable",
-      "disk_size": "{{user `disk_size`}}",
-      "floppy_files": [
-        "{{user `autounattend`}}",
-        "./floppy/WindowsPowershell.lnk",
-        "./floppy/PinTo10.exe",
-        "./scripts/fixnetwork.ps1",
-        "./scripts/MakeWindows10GreatAgain.ps1",
-        "./scripts/MakeWindows10GreatAgain.reg",
-        "./scripts/rearm-windows.ps1",
-        "./scripts/disable-screensaver.ps1",
-        "./scripts/disable-winrm.ps1",
-        "./scripts/enable-winrm.ps1",
-        "./scripts/microsoft-updates.bat",
-        "./scripts/win-updates.ps1",
-        "./scripts/oracle-cert.cer"
-      ],
-      "vboxmanage": [
-        [
-          "modifyvm",
-          "{{.Name}}",
-          "--memory",
-          "2048"
-        ],
-        [
-          "modifyvm",
-          "{{.Name}}",
-          "--cpus",
-          "2"
-        ]
-      ]
-    }
-  ],
-  "provisioners": [
-    {
-      "type": "windows-shell",
-      "remote_path": "/tmp/script.bat",
-      "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"",
-      "scripts": [
-        "./scripts/enable-rdp.bat"
-      ]
-    },
-    {
-      "type": "powershell",
-      "scripts": [
-        "./scripts/debloat-windows.ps1",
-        "./scripts/rearm-windows.ps1",
-        "./scripts/MakeWindows10GreatAgain.ps1"
-      ]
-    },
-    {
-      "type": "windows-restart"
-    },
-    {
-      "type": "powershell",
-      "scripts": [
-        "./scripts/set-powerplan.ps1",
-        "./scripts/docker/disable-windows-defender.ps1"
-      ]
-    },
-    {
-      "type": "windows-shell",
-      "remote_path": "/tmp/script.bat",
-      "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"",
-      "scripts": [
-        "./scripts/pin-powershell.bat",
-        "./scripts/compile-dotnet-assemblies.bat",
-        "./scripts/set-winrm-automatic.bat",
-        "./scripts/compact.bat"
-      ]
-    }
-  ],
-  "post-processors": [
-    {
-      "type": "vagrant",
-      "keep_input_artifact": false,
-      "output": "sandbox_{{.Provider}}.box"
-    }
-  ]
-}
+{
+  "builders": [
+    {
+      "boot_command": "",
+      "boot_wait": "6m",
+      "communicator": "winrm",
+      "disk_size": "{{user `disk_size`}}",
+      "floppy_files": [
+        "{{user `autounattend`}}",
+        "./floppy/WindowsPowershell.lnk",
+        "./floppy/PinTo10.exe",
+        "./scripts/fixnetwork.ps1",
+        "./scripts/MakeWindows10GreatAgain.ps1",
+        "./scripts/MakeWindows10GreatAgain.reg",
+        "./scripts/rearm-windows.ps1",
+        "./scripts/disable-screensaver.ps1",
+        "./scripts/disable-winrm.ps1",
+        "./scripts/enable-winrm.ps1",
+        "./scripts/microsoft-updates.bat",
+        "./scripts/win-updates.ps1",
+        "./scripts/oracle-cert.cer"
+      ],
+      "guest_additions_mode": "attach",
+      "guest_os_type": "Windows81_64",
+      "headless": true,
+      "iso_checksum": "{{user `iso_checksum_type`}}:{{user `iso_checksum`}}",
+      "iso_url": "{{user `iso_url`}}",
+      "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"",
+      "type": "virtualbox-iso",
+      "vboxmanage": [
+        [
+          "modifyvm",
+          "{{.Name}}",
+          "--memory",
+          "8192"
+        ],
+        [
+          "modifyvm",
+          "{{.Name}}",
+          "--cpus",
+          "2"
+        ]
+      ],
+      "vm_name": "sandbox",
+      "winrm_password": "vagrant",
+      "winrm_timeout": "4h",
+      "winrm_username": "vagrant"
+    }
+  ],
+  "post-processors": [
+    {
+      "keep_input_artifact": false,
+      "output": "sandbox_{{.Provider}}.box",
+      "type": "vagrant"
+    }
+  ],
+  "provisioners": [
+    {
+      "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"",
+      "remote_path": "/tmp/script.bat",
+      "scripts": [
+        "./scripts/enable-rdp.bat"
+      ],
+      "type": "windows-shell"
+    },
+    {
+      "scripts": [
+        "./scripts/debloat-windows.ps1",
+        "./scripts/rearm-windows.ps1",
+        "./scripts/MakeWindows10GreatAgain.ps1"
+      ],
+      "type": "powershell"
+    },
+    {
+      "type": "windows-restart"
+    },
+    {
+      "scripts": [
+        "./scripts/set-powerplan.ps1",
+        "./scripts/docker/disable-windows-defender.ps1"
+      ],
+      "type": "powershell"
+    },
+    {
+      "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"",
+      "remote_path": "/tmp/script.bat",
+      "scripts": [
+        "./scripts/pin-powershell.bat",
+        "./scripts/compile-dotnet-assemblies.bat",
+        "./scripts/set-winrm-automatic.bat",
+        "./scripts/compact.bat"
+      ],
+      "type": "windows-shell"
+    }
+  ],
+  "variables": {
+    "autounattend": "./answer_files/10/Autounattend.xml",
+    "disk_size": "61440",
+    "iso_checksum": "27e4feb9102f7f2b21ebdb364587902a70842fb550204019d1a14b120918e455",
+    "iso_checksum_type": "sha256",
+    "iso_url": "https://software-download.microsoft.com/download/pr/17134.1.180410-1804.rs4_release_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso"
+  }
+}
+

Packer/scripts/MakeWindows10GreatAgain.ps1

@@ -14,6 +14,115 @@ c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
 Write-Host "Running Update-Help..."
 Update-Help -Force -ErrorAction SilentlyContinue
 
+Write-Host "Removing bloatware"
+        Get-AppxPackage "Microsoft.3DBuilder" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.AppConnector" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.BingFinance" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.BingFoodAndDrink" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.BingHealthAndFitness" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.BingMaps" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.BingNews" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.BingSports" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.BingTranslator" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.BingTravel" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.BingWeather" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.CommsPhone" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.ConnectivityStore" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.FreshPaint" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.GetHelp" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Getstarted" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.HelpAndTips" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Media.PlayReadyClient.2" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Messaging" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Microsoft3DViewer" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.MicrosoftOfficeHub" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.MicrosoftPowerBIForWindows" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.MicrosoftSolitaireCollection" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.MicrosoftStickyNotes" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.MinecraftUWP" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.MixedReality.Portal" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.MoCamera" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.MSPaint" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.NetworkSpeedTest" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.OfficeLens" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Office.OneNote" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Office.Sway" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.OneConnect" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.People" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Print3D" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Reader" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.RemoteDesktop" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.SkypeApp" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Todos" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Wallet" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WebMediaExtensions" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Whiteboard" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WindowsAlarms" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WindowsCamera" | Remove-AppxPackage
+        Get-AppxPackage "microsoft.windowscommunicationsapps" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WindowsFeedbackHub" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WindowsMaps" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WindowsPhone" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Windows.Photos" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WindowsReadingList" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WindowsScan" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WindowsSoundRecorder" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WinJS.1.0" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.WinJS.2.0" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.YourPhone" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.ZuneMusic" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.ZuneVideo" | Remove-AppxPackage
+        Get-AppxPackage "Microsoft.Advertising.Xaml" | Remove-AppxPackage # Dependency for microsoft.windowscommunicationsapps, Microsoft.BingWeather
+        Get-AppxPackage "2414FC7A.Viber" | Remove-AppxPackage
+        Get-AppxPackage "41038Axilesoft.ACGMediaPlayer" | Remove-AppxPackage
+        Get-AppxPackage "46928bounde.EclipseManager" | Remove-AppxPackage
+        Get-AppxPackage "4DF9E0F8.Netflix" | Remove-AppxPackage
+        Get-AppxPackage "64885BlueEdge.OneCalendar" | Remove-AppxPackage
+        Get-AppxPackage "7EE7776C.LinkedInforWindows" | Remove-AppxPackage
+        Get-AppxPackage "828B5831.HiddenCityMysteryofShadows" | Remove-AppxPackage
+        Get-AppxPackage "89006A2E.AutodeskSketchBook" | Remove-AppxPackage
+        Get-AppxPackage "9E2F88E3.Twitter" | Remove-AppxPackage
+        Get-AppxPackage "A278AB0D.DisneyMagicKingdoms" | Remove-AppxPackage
+        Get-AppxPackage "A278AB0D.DragonManiaLegends" | Remove-AppxPackage
+        Get-AppxPackage "A278AB0D.MarchofEmpires" | Remove-AppxPackage
+        Get-AppxPackage "ActiproSoftwareLLC.562882FEEB491" | Remove-AppxPackage
+        Get-AppxPackage "AD2F1837.GettingStartedwithWindows8" | Remove-AppxPackage
+        Get-AppxPackage "AD2F1837.HPJumpStart" | Remove-AppxPackage
+        Get-AppxPackage "AD2F1837.HPRegistration" | Remove-AppxPackage
+        Get-AppxPackage "AdobeSystemsIncorporated.AdobePhotoshopExpress" | Remove-AppxPackage
+        Get-AppxPackage "Amazon.com.Amazon" | Remove-AppxPackage
+        Get-AppxPackage "C27EB4BA.DropboxOEM" | Remove-AppxPackage
+        Get-AppxPackage "CAF9E577.Plex" | Remove-AppxPackage
+        Get-AppxPackage "CyberLinkCorp.hs.PowerMediaPlayer14forHPConsumerPC" | Remove-AppxPackage
+        Get-AppxPackage "D52A8D61.FarmVille2CountryEscape" | Remove-AppxPackage
+        Get-AppxPackage "D5EA27B7.Duolingo-LearnLanguagesforFree" | Remove-AppxPackage
+        Get-AppxPackage "DB6EA5DB.CyberLinkMediaSuiteEssentials" | Remove-AppxPackage
+        Get-AppxPackage "DolbyLaboratories.DolbyAccess" | Remove-AppxPackage
+        Get-AppxPackage "Drawboard.DrawboardPDF" | Remove-AppxPackage
+        Get-AppxPackage "Facebook.Facebook" | Remove-AppxPackage
+        Get-AppxPackage "Fitbit.FitbitCoach" | Remove-AppxPackage
+        Get-AppxPackage "flaregamesGmbH.RoyalRevolt2" | Remove-AppxPackage
+        Get-AppxPackage "GAMELOFTSA.Asphalt8Airborne" | Remove-AppxPackage
+        Get-AppxPackage "KeeperSecurityInc.Keeper" | Remove-AppxPackage
+        Get-AppxPackage "king.com.BubbleWitch3Saga" | Remove-AppxPackage
+        Get-AppxPackage "king.com.CandyCrushFriends" | Remove-AppxPackage
+        Get-AppxPackage "king.com.CandyCrushSaga" | Remove-AppxPackage
+        Get-AppxPackage "king.com.CandyCrushSodaSaga" | Remove-AppxPackage
+        Get-AppxPackage "king.com.FarmHeroesSaga" | Remove-AppxPackage
+        Get-AppxPackage "Nordcurrent.CookingFever" | Remove-AppxPackage
+        Get-AppxPackage "PandoraMediaInc.29680B314EFC2" | Remove-AppxPackage
+        Get-AppxPackage "PricelinePartnerNetwork.Booking.comBigsavingsonhot" | Remove-AppxPackage
+        Get-AppxPackage "SpotifyAB.SpotifyMusic" | Remove-AppxPackage
+        Get-AppxPackage "ThumbmunkeysLtd.PhototasticCollage" | Remove-AppxPackage
+        Get-AppxPackage "WinZipComputing.WinZipUniversal" | Remove-AppxPackage
+        Get-AppxPackage "XINGAG.XING" | Remove-AppxPackage
+        Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -like "Internet-Explorer-Optional*" } | Disable-WindowsOptionalFeature -Online -NoRestart -WarningAction SilentlyContinue | Out-Null
+        Get-WindowsCapability -Online | Where-Object { $_.Name -like "Browser.InternetExplorer*" } | Remove-WindowsCapability -Online | Out-Null
+        If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive")) {
+                New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" | Out-Null
+        }
+        Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC" -Type DWord -Value 1
+
 Write-Host "Removing Microsoft Store, Mail, and Edge shortcuts from the taskbar..."
 $appname = "Microsoft Edge"
 ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}

Vagrant/Vagrantfile

@@ -1,7 +1,7 @@
 Vagrant.configure("2") do |config|
 
   config.vm.define "sandbox" do |cfg|
-    cfg.vm.box = "boomboxes/sandbox"
+    cfg.vm.box = "../Boxes/sandbox_virtualbox.box"
     cfg.vm.hostname = "sandbox"
     cfg.vm.boot_timeout = 600
     cfg.winrm.transport = :plaintext
@@ -26,12 +26,12 @@ Vagrant.configure("2") do |config|
     cfg.vm.synced_folder ".", "/vagrant", disabled: true
 
     cfg.vm.provider "virtualbox" do |vb, override|
-      vb.gui = true
+      vb.gui = false
       vb.name  = "sandbox"
       vb.default_nic_type = "82545EM"
-      vb.customize ["modifyvm", :id, "--memory", 4096]
+      vb.customize ["modifyvm", :id, "--memory", 8192]
       vb.customize ["modifyvm", :id, "--cpus", 2]
-      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--vram", "256"]
       vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
       vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
     end
@@ -44,11 +44,11 @@ Vagrant.configure("2") do |config|
     cfg.vm.network :private_network, ip: "192.168.30.100", gateway: "192.168.30.1", dns: "8.8.8.8"
 
     cfg.vm.provider "virtualbox" do |vb, override|
-      vb.gui = true
+      vb.gui = false
       vb.name = "cuckoo"
-      vb.customize ["modifyvm", :id, "--memory", 2048]
+      vb.customize ["modifyvm", :id, "--memory", 8192]
       vb.customize ["modifyvm", :id, "--cpus", 2]
-      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--vram", "256"]
       vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
       vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
       vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]

Vagrant/bootstrap.sh

@@ -21,7 +21,15 @@ apt_install_prerequisites() {
   apt-get -qq update
   apt-get -qq install -y apt-fast
   echo "[$(date +%H:%M:%S)]: Running apt-fast install..."
-  apt-fast -qq install -y crudini python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb postgresql libpq-dev tcpdump apparmor-utils libcap2-bin libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd samba-common-bin
+  apt-fast -qq install -y gcc crudini python python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb postgresql libpq-dev tcpdump apparmor-utils libcap2-bin libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd samba-common-bin
+  echo "[$(date +%H:%M:%S)]: Updating pip..."
+#  pip install --upgrade pip
+
+
+  wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
+  python get-pip.py
+
+
   echo "[$(date +%H:%M:%S)]: Installing and configuring inetsim..."
   echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
   wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
@@ -33,6 +41,8 @@ apt_install_prerequisites() {
   service inetsim restart
   echo "[$(date +%H:%M:%S)]: Installing Supervisor..."
   pip install -U supervisor
+  echo "[$(date +%H:%M:%S)]: Installing python3..."
+  apt-get -qq install -y python3
 }
 
 configure_prerequisites() {

Vagrant/scripts/disable_internet.ps1

@@ -1,2 +1,2 @@
 # Purpose: remove internet access so malware can't reach out to the internet
-Disable-NetAdapter -Name "Ethernet 3" -Confirm:$False
+# Disable-NetAdapter -Name "Ethernet 3" -Confirm:$False