Cuckoo Sandbox v1.1 - Automated Malware Analysis

Tuesday, May 13, 2014

Cuckoo Sandbox is a malware analysis system. It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Cuckoo generates a handful of different raw data which include:
  • Native functions and Windows API calls traces
  • Copies of files created and deleted from the filesystem
  • Dump of the memory of the selected process
  • Full memory dump of the analysis machine
  • Screenshots of the desktop during the execution of the malware analysis
  • Network dump generated by the machine used for the analysis
In order to make such results more consumable to the end users, Cuckoo is able to process them and generate different type of reports, which could include:
  • JSON report
  • HTML report
  • MAEC report
  • MongoDB interface
  • HPFeeds interface
Even more interestingly, thanks to Cuckoo’s extensive modular design, you are able to customize both the processing and the reporting stages. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing frameworks and storages with the data you want, in the way you want, with the format you want.


Changelog v1.1

  • Added imphash to static PE analysis
  • Added search for URLs in the web interface
  • Added search for PE Imphash in the web interface
  • Added possibility in web interface to queue to all machines
  • Added filtering by behavior category in Django web interface
  • Added analyzer log to Django web interface
  • Added REST API to retrieve screenshots associated with a task
  • Added REST API to retrieve the PCAP associated with a task
  • Added database migration utility
  • Added remote submission to submit.py utility
  • Added small stats utility (utils/stats.py)
  • Added analysis package for PowerShell scripts
  • Added overlay configuration for signatures (data/signatures_overlay.json)
  • Fixed bug in MAEC report
  • Fixed package selection for Office documents and CPL scripts
  • Fixed issue with tcpdump filters
  • Fixed unhandled exception when uploading files to the analysis machines
  • Fixed issues in CuckooMon that resulted in Internet Explorer crashes
  • Fixed bug in CuckooMon that caused mutexes to be resolved as file paths
  • Fixed bug in behavior processing module that resulted in a trailing backslash in summary’s registry keys



Subscribe via e-mail for updates!