Cuckoo

Description

Cuckoo Sandbox is a malware analysis system. You can throw any suspicious file at it and, in a matter of seconds, Cuckoo will give you back detailed results outlining what the file did when executed inside an isolated environment.

Cuckoo generates several kinds of raw data, including:

  • Traces of native function and Windows API calls

  • Copies of files created and deleted from the filesystem

  • Dump of the memory of the selected process

  • Full memory dump of the analysis machine

  • Screenshots of the desktop during the execution of the malware analysis

  • Network dump generated by the machine used for the analysis.

To make these results easier for end users to consume, Cuckoo can process them into several types of reports, including:

  • JSON report

  • HTML report

  • MAEC report

  • MongoDB interface

  • HPFeeds interface

Usage

Syntax

cuckoo [-h] [-q] [-d] [-v] [-a] [-t] [-m MAX_ANALYSIS_COUNT]

Options

  -h, --help            show this help message and exit
  -q, --quiet           Display only error messages
  -d, --debug           Display debug messages
  -v, --version         show program's version number and exit
  -a, --artwork         Show artwork
  -t, --test            Test startup
  -m MAX_ANALYSIS_COUNT, --max-analysis-count MAX_ANALYSIS_COUNT
                        Maximum number of analyses

Example

Create a VM named cuckoo1 with any version of Windows. Write down its IP address. Inside the VM, install Python, the Python Imaging Library, and Adobe Reader. Reader allows you to analyze PDF files as well as executables. You can also install MS Word if you want to analyze .doc files.

Copy the agent.py file from the /pentest/forensics/cuckoo-master/agent folder to the Windows machine and set it to run at startup. Take a snapshot of the VM and name it cuckoo1.

Back on the Linux host, open /pentest/forensics/cuckoo-master/conf/cuckoo.conf, set the resultserver IP address to that of your Linux host, and set the interface to the one you are using for VMware or VirtualBox (usually vmnet0 for VMware and vboxnet0 for VirtualBox).

Next, edit the .conf file for your virtualization software (vmware.conf or virtualbox.conf). In that file, change the IP to that of the Windows machine and verify that all the information about the VM is correct.

One last thing before you begin: edit reporting.conf and enable mongodb.
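The three config edits above are easy to get half right (the stock files already contain an IP that looks plausible). The following pre-flight check is an added example, not code from the Cuckoo project; it assumes the Cuckoo 1.x section and key names ([resultserver] ip and [sniffer] interface in cuckoo.conf, [virtualbox] machines plus a per-VM ip and snapshot in virtualbox.conf, [mongodb] enabled in reporting.conf), and the config text it reads is constructed inline.

```python
import configparser
import ipaddress

# Constructed sample files: stock defaults, then the same files after the edits
# the walkthrough asks for (Linux host 192.168.56.1, Windows guest 192.168.56.101).
STOCK = {
    "cuckoo.conf": "[resultserver]\nip = 192.168.56.1\n[sniffer]\ninterface = eth0\n",
    "virtualbox.conf": "[virtualbox]\nmachines = cuckoo1\n[cuckoo1]\nip = 192.168.56.1\nsnapshot =\n",
    "reporting.conf": "[mongodb]\nenabled = no\n",
}
FIXED = {
    "cuckoo.conf": "[resultserver]\nip = 192.168.56.1\n[sniffer]\ninterface = vboxnet0\n",
    "virtualbox.conf": "[virtualbox]\nmachines = cuckoo1\n[cuckoo1]\nip = 192.168.56.101\nsnapshot = cuckoo1\n",
    "reporting.conf": "[mongodb]\nenabled = yes\n",
}

def _load(text):
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.read_string(text)
    return cp

def preflight(files, host_ip, vm_name="cuckoo1", iface="vboxnet0"):
    """Return the problems that would keep the walkthrough's setup from working."""
    cuckoo, vbox, rep = (_load(files[n]) for n in ("cuckoo.conf", "virtualbox.conf", "reporting.conf"))
    problems = []
    # cuckoo.conf: results must come back to the Linux host over the VM-facing interface.
    rs_ip = cuckoo.get("resultserver", "ip", fallback="")
    if rs_ip != host_ip:
        problems.append(f"resultserver ip is {rs_ip!r}, expected Linux host {host_ip}")
    if cuckoo.get("sniffer", "interface", fallback="") != iface:
        problems.append(f"sniffer interface should be {iface}")
    # virtualbox.conf: the guest entry needs the guest's own address on the host's
    # /24 (not the host's address) and the snapshot name taken in the walkthrough.
    machines = [m.strip() for m in vbox.get("virtualbox", "machines", fallback="").split(",")]
    if vm_name not in machines:
        problems.append(f"{vm_name} is not listed under [virtualbox] machines")
    vm_ip = vbox.get(vm_name, "ip", fallback="") or ""
    try:
        on_net = ipaddress.ip_address(vm_ip) in ipaddress.ip_network(f"{host_ip}/24", strict=False)
    except ValueError:
        on_net = False
    if not on_net or vm_ip == host_ip:
        problems.append(f"[{vm_name}] ip {vm_ip!r} must be the guest's address on {host_ip}/24")
    if (vbox.get(vm_name, "snapshot", fallback="") or "") != vm_name:
        problems.append(f"[{vm_name}] snapshot should be {vm_name}")
    # reporting.conf: the web interface reads its results out of MongoDB.
    if not rep.getboolean("mongodb", "enabled", fallback=False):
        problems.append("[mongodb] enabled must be yes in reporting.conf")
    return problems
```

Point it at the real files by reading each one into the dictionary instead of the constructed strings; an empty list means the three edits are consistent with each other and with the host address you pass in.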


RUNNING CUCKOO

Open up a terminal and run:

cyborg@cyborg:~$ sudo cuckoo

This will launch Cuckoo. Make sure there are no errors, then start the web interface from the utils folder:

python /pentest/forensics/cuckoo-master/utils/web.py

Browse to localhost:8080 in your web browser and submit the file to be analyzed. Your VM will then start and run the sample. After 10 or so minutes the analysis will finish and the page will give you a link to a nicely formatted report of all the malicious activity that occurred.

©2017 Ztrela Knowledge Solutions Pvt. Ltd
