The Cuckoo Sandbox written by Leon van der Eijk

Performing malware analysis, whether static, dynamic or both, can be an exciting but daunting task. The sheer amount of malware can be overwhelming at times. Among all the polymorphic Conficker junk that gets caught using, for example, the dionaea honeypot, really exciting stuff can be found.
But relying solely on sites like Anubis, CWSandbox or VirusTotal for dynamic analysis isn't always a good idea, let alone in situations where their use is prohibited, either by company policy or by law. While I fully support the general idea of sharing information and samples, I've experienced occasions that simply won't allow doing so. It could be a situational matter. It could even be a confidential situation.
So with such a broad spectrum of tools and so little time at hand, what is a malware analyst to do? Well, the bright folks from the honeynet.org project brought us Cuckoo. Cuckoo Sandbox is developed by Claudio Guarnieri and Anthony Desnos. This project recently received awesome news from Rapid7. Apart from the great recognition, they are also receiving a substantial sum of money to back the project.
 
So what does it do? Well, there is beauty in simplicity :) The whole concept involves VirtualBox. You basically take an installation of the operating system you want to conduct your analysis on and install it in a virtual instance. Then you customise that installation to your needs/standards (Adobe Reader, for example). This could be a copy of your corporate environment, to emulate a real installation.
You do need to install Python 2.7 on your customised VirtualBox image.
I don't want to go over the exact installation details here; there is good coverage on their website.
 
When finished, you make a snapshot of the VirtualBox instance, and that covers the basics. With the Cuckoo scripts in place, you can start the sandbox and start the analysis!
With the sandbox started, you simply submit the sample to the running snapshot of your operating system installation and set the malware free to let the infection do its thing. After some time, a delta is created of everything that has changed in your snapshot and a nice report is made for you to study. Needless to say, the whole process is undone when finished, so you can start over with the next sample.
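The "delta of all that is changed" idea, as an added Python example (not code from Cuckoo or from the original post): it records file hashes before and after a run and reports what was created, modified or deleted. It covers files only, and the temporary directory, file names and the simulated "run" are constructed stand-ins for a guest image and a sample.

```python
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return state


def delta(before, after):
    """Compare two snapshot_tree() results and return what changed."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def write(root, rel, data):
    """Helper: create or overwrite a file below root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed data: a temp dir plays the guest, plain writes play the sample."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "config.ini", b"mode=clean\n")
        write(root, "notes.txt", b"unchanged\n")
        write(root, "old.log", b"entry\n")
        before = snapshot_tree(root)            # the clean "snapshot"
        write(root, "config.ini", b"mode=changed\n")
        write(root, "dropped/new_file.bin", b"\x00" * 16)
        os.remove(os.path.join(root, "old.log"))
        return delta(before, snapshot_tree(root))  # the report input


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```
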
Now I realise that this isn't a silver bullet solution. There are many more steps to take in doing a thorough analysis. However, it gives a quick overview and some first impressions of what the malware wanted to manipulate.
One major drawback is malware that checks for a virtual environment. All in all, I think it is a nice addition to the malware analyst's toolbox.
To see Cuckoo in action versus Zeus, here is the link to their site: http://vimeo.com/cuckoobox/zeusv2
