pokiSEC: A Multi-Architecture, Containerized Ephemeral Malware Detonation Sandbox
Alejandro Avina, Yashas Hariprasad, Naveen Kumar Chaudhary

TL;DR
pokiSEC is a lightweight, cross-architecture sandbox that enables rapid, isolated malware analysis using containerized virtualization, supporting ARM64 and x86_64 hosts with minimal setup.
Contribution
It introduces a universal entrypoint that dynamically configures virtualization environments for different architectures within a single container image.
Findings
Supports ARM64 and x86_64 hosts with consistent performance.
Enables rapid teardown and ephemeral analysis environments.
Provides a browser-based workflow for malware detonation.
Abstract
Dynamic malware analysis requires executing untrusted binaries inside strongly isolated, rapidly resettable environments. In practice, many detonation workflows remain tied to heavyweight hypervisors or dedicated bare-metal labs, limiting portability and automation. This challenge has intensified with the adoption of ARM64 developer hardware (e.g., Apple Silicon), where common open-source sandbox recipes and pre-built environments frequently assume x86_64 hosts and do not translate cleanly across architectures. This paper presents pokiSEC, a lightweight, ephemeral malware detonation sandbox that packages the full virtualization and access stack inside a Docker container. pokiSEC integrates QEMU with hardware acceleration (KVM when available) and exposes a browser-based workflow that supports bring-your-own Windows disk images. The key contribution is a Universal Entrypoint that performs…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Digital and Cyber Forensics
