Published on January 23rd, 2016
Cuckoo Sandbox — Malware Analysis System
Cuckoo Sandbox is open-source software for automating the analysis of suspicious files. To do so it uses custom components that monitor the behavior of the malicious processes while they run in an isolated environment.
Cuckoo automatically runs and analyzes files and collects comprehensive analysis results that outline what the malware does while running inside an isolated Windows operating system.
It can retrieve the following types of results:
- Traces of win32 API calls performed by all processes spawned by the malware.
- Files being created, deleted and downloaded by the malware during its execution.
- Memory dumps of the malware processes.
- Network traffic trace in PCAP format.
- Screenshots of Windows desktop taken during the execution of the malware.
- Full memory dumps of the machines.
New in v2.0 RC1
A short list of what has been introduced in this release:
- Monitoring 64-bit Windows applications and samples.
- Mac OS X, Linux, and Android analysis support.
- Integration with Suricata, Snort, and Moloch.
- Interception and decryption of TLS/HTTPS traffic.
- Per analysis network routing including VPN support.
- Over 300 signatures for isolating and identifying malicious behavior.
- Volatility baseline capture to highlight the changes during the analysis.
- Extraction of URLs from process memory dumps.
- Possibility to run extra services in separate VMs next to the analysis.
- Maliciousness scoring – does this analysis show malicious behavior?
- Many bug fixes, improvements, tweaks and automation improvements.
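To make concrete what a behavioral signature and a maliciousness score are, here is an added example that is not part of Cuckoo's code base: a toy signature engine run over a constructed win32 API-call trace of the kind the sandbox collects. The record layout, the signature names, the severities and the verdict thresholds are all assumptions chosen for illustration, not Cuckoo's real report schema or its shipped signatures.

```python
"""Toy behavioral-signature engine over a sandbox API-call trace.

Added example, not Cuckoo's own code. The trace layout below is a simplified
stand-in for a sandbox report (assumption), and every signature, severity and
threshold is hypothetical.
"""

# Constructed sample trace: one entry per monitored win32 API call made inside
# the guest. A dropper writes a file to %TEMP%, executes it, the child sets a
# Run-key persistence entry, beacons out and sleeps for five minutes.
DROPPED = "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"
SAMPLE_TRACE = [
    {"pid": 100, "api": "CreateFileW", "args": {"filename": DROPPED, "access": "WRITE"}},
    {"pid": 100, "api": "WriteFile", "args": {"filename": DROPPED}},
    {"pid": 100, "api": "CreateProcessW", "args": {"filepath": DROPPED}},
    {"pid": 200, "api": "RegSetValueExW",
     "args": {"regkey": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
              "value": DROPPED}},
    {"pid": 200, "api": "InternetOpenUrlA", "args": {"url": "http://example.invalid/beacon"}},
    {"pid": 200, "api": "NtDelayExecution", "args": {"milliseconds": 300000}},
]

# Constructed benign trace: a viewer opening a document read-only.
BENIGN_TRACE = [
    {"pid": 300, "api": "CreateFileW",
     "args": {"filename": "C:\\Users\\u\\Documents\\report.docx", "access": "READ"}},
]


# Each signature inspects the whole trace and returns a match dict or None.
def drops_and_executes(trace):
    """A file written by the sample is later started as a process (dropper)."""
    written = set()
    for call in trace:
        if call["api"] in ("CreateFileW", "WriteFile"):
            written.add(call["args"].get("filename", "").lower())
        elif call["api"] == "CreateProcessW":
            path = call["args"].get("filepath", "").lower()
            if path in written:
                return {"name": "drops_and_executes", "severity": 3, "evidence": [path]}
    return None


def run_key_persistence(trace):
    """Registry write under a CurrentVersion\\Run key (autostart persistence)."""
    for call in trace:
        if call["api"].startswith("RegSetValueEx"):
            key = call["args"].get("regkey", "")
            if "\\currentversion\\run" in key.lower():
                return {"name": "run_key_persistence", "severity": 3, "evidence": [key]}
    return None


def network_activity(trace):
    """Any WinINet URL fetch; low severity on its own, it only adds context."""
    urls = [c["args"]["url"] for c in trace if c["api"].startswith("InternetOpenUrl")]
    if urls:
        return {"name": "network_activity", "severity": 1, "evidence": urls}
    return None


def long_sleep(trace, threshold_ms=60000):
    """Sleep of a minute or more, a common trick to outlast a sandbox timeout."""
    for call in trace:
        if call["api"] == "NtDelayExecution":
            ms = call["args"].get("milliseconds", 0)
            if ms >= threshold_ms:
                return {"name": "long_sleep", "severity": 2, "evidence": [f"{ms} ms"]}
    return None


SIGNATURES = [drops_and_executes, run_key_persistence, network_activity, long_sleep]


def verdict(score):
    """Map an additive score to a label; the cut-offs are assumptions."""
    if score >= 6:
        return "malicious"
    if score >= 3:
        return "suspicious"
    return "clean"


def evaluate(trace, signatures=SIGNATURES):
    """Run every signature over the trace and sum the severities of the hits."""
    matches = []
    for sig in signatures:
        hit = sig(trace)
        if hit is not None:
            matches.append(hit)
    score = sum(m["severity"] for m in matches)
    return {"score": score, "verdict": verdict(score), "matches": matches}


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        result = evaluate(trace)
        print(f"{label}: score={result['score']} verdict={result['verdict']}")
        for m in result["matches"]:
            print(f"  [{m['severity']}] {m['name']}: {', '.join(m['evidence'])}")
```

The point of the design is that the score is additive over independent signatures, so one weak indicator (a URL fetch) never flips the verdict on its own, while the combination of dropping, persistence and evasion does; a real sandbox weights and orders its signatures far more carefully than this toy does.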
Cuckoo is designed to be used both as a standalone application as well as to be integrated in larger frameworks, thanks to its extremely modular design.
It can be used to analyze:
- Generic Windows executables
- DLL files
- PDF documents
- Microsoft Office documents
- URLs and HTML files
- PHP scripts
- CPL files
- Visual Basic (VB) scripts
- ZIP files
- Java JAR
- Python files
- Almost anything else
Thanks to its modularity and powerful scripting capabilities, there is no limit to what you can achieve with Cuckoo.
Cuckoo Sandbox consists of a central management component that handles sample execution and analysis. Each analysis is launched in a fresh and isolated virtual machine. Cuckoo's infrastructure is composed of a Host machine (running the management software) and a number of Guest machines (virtual machines for analysis). The Host runs the core component of the sandbox, which manages the whole analysis process, while the Guests are the isolated environments in which the malware samples are actually executed and analyzed in safety.
Although the recommended setup is GNU/Linux (preferably Ubuntu) as host and Windows XP Service Pack 3 as guest, Cuckoo has also proved to work smoothly with Mac OS X as host and Windows Vista or Windows 7 as guests.