Wednesday, 17 April 2013

[Cuckoo Sandbox v0.6] Software for Automating Analysis of Suspicious Files

Cuckoo Sandbox is open-source software for automating the analysis of suspicious files. To do so, it uses custom components that monitor the behavior of malicious processes while they run in an isolated environment.

Cuckoo generates several kinds of raw data, which include:
  • Traces of native function and Windows API calls
  • Copies of files created on and deleted from the filesystem
  • A dump of the memory of the selected process
  • Screenshots of the desktop taken during the analysis
  • A network dump generated by the machine used for the analysis
In order to make such results more consumable for end users, Cuckoo is able to process them and generate different types of reports, which can include:
  • JSON report
  • HTML report
  • MAEC report
  • MongoDB interface
  • HPFeeds interface

Cuckoo Sandbox 0.6 (2012-04-15)
===============================
(note from the author’s blog)
This release represents a major step forward for the quality of the project: you won’t find an endless list of new features this time, but a handful of solid improvements that should make your experience with sandboxing much more pleasant.

Along with a few smaller additions, the focus of 0.6 revolves around the introduction of network logging. Until now, retrieval of the analysis results from the analysis machines happened through an inefficient and resource-expensive XMLRPC transaction. With Cuckoo Sandbox 0.6 we are now able to collect behavioral logs, dropped files, screenshots and memory dumps in real time from the analysis machines through what has been called the ResultServer.

The advantages of this approach are multiple:
  • You will now see results coming in in real time.
  • The memory errors and timeouts that used to occur with previous versions when trying to retrieve the results are now gone!
  • Even if the analysis machine is somehow compromised (crashed, shut down or otherwise locked), you will still have complete results up to that point.
  • Probably some more advantages, but it’s already awesome as it is.
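As an added illustration of the approach described above (this is not Cuckoo's code, and the length-prefixed JSON framing is a hypothetical format, not Cuckoo's wire protocol), a minimal collector in the spirit of the ResultServer: each record is written to disk the moment it is decoded, so a guest that dies mid-stream still leaves everything received up to that point, and guest-supplied values are sanitized before they touch a filename.

```python
import json
import struct
import tempfile
from pathlib import Path

# Hypothetical wire format (not Cuckoo's own): 4-byte big-endian length prefix,
# then one JSON record with a "kind" ("call", "file", "screenshot") and "data".
def encode(record):
    body = json.dumps(record).encode()
    return struct.pack("!I", len(body)) + body

class ResultCollector:
    """Persist each record as it decodes; a guest crash mid-stream loses nothing already received."""
    MAX_FRAME = 1 << 20  # refuse absurd lengths announced by an untrusted guest
    def __init__(self, storage_dir):
        self.dir = Path(storage_dir)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.counts, self._buf, self._seq = {}, b"", 0
    def feed(self, chunk):  # consume raw socket bytes; frames may arrive split
        self._buf += chunk
        done = 0
        while len(self._buf) >= 4:
            (n,) = struct.unpack("!I", self._buf[:4])
            if n > self.MAX_FRAME:
                raise ValueError("frame too large")
            if len(self._buf) < 4 + n:
                break  # incomplete frame: wait for more bytes
            self._store(json.loads(self._buf[4:4 + n]))
            self._buf, done = self._buf[4 + n:], done + 1
        return done  # number of complete frames stored
    def _store(self, record):
        # "kind" is guest-controlled: keep only alphanumerics before using it in a path
        kind = "".join(c for c in str(record.get("kind", "")) if c.isalnum()) or "unknown"
        self._seq += 1
        (self.dir / f"{self._seq:06d}_{kind}.json").write_text(json.dumps(record))
        self.counts[kind] = self.counts.get(kind, 0) + 1
    def close(self):  # on disconnect: counts by kind, was the last frame cut?, files on disk
        return dict(self.counts), bool(self._buf), sorted(p.name for p in self.dir.iterdir())

def run_crashed_vm_scenario(storage_dir=None):
    """Constructed scenario: three complete records, then the guest dies mid-frame."""
    c = ResultCollector(storage_dir or tempfile.mkdtemp())
    stream = (encode({"kind": "call", "data": "NtCreateFile"})
              + encode({"kind": "file", "data": "dropped.exe"})
              + encode({"kind": "screenshot", "data": "<png bytes>"})
              + encode({"kind": "call", "data": "CreateProcessW"})[:9])
    for i in range(0, len(stream), 7):  # deliver in small chunks, as TCP would
        c.feed(stream[i:i + 7])
    return c.close()
```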

- Added procmemdump option to all analysis packages
- Added randomization of folders and pipes in the analysis machines
- Added checks to block injection of Cuckoo's agent and analyzer
- Added configuration file for processing modules
- Added result server to collect logs, files, screenshots and all results in real-time
- Added option for enabling/disabling generation of CSV logs
- Added REST API function to delete analysis task
- Added matching of Yara signatures against dropped files
- Added default fail-over to the "exe" package if the correct one cannot be identified automatically
- Added password option to zip package
- Improved human auxiliary module
- Improved Sleep() bypass
- Improved dump of dropped files by tracking writing operations
- Improved creation of screenshots by calculating a diff threshold
- Fixed memory error issues
- Fixed bugs in analysis procedure logic and in deletion of original files
- Fixed bugs in MongoDB reporting module
- Fixed bugs in HTML reporting module
- Fixed bugs in VirusTotal processing module
- Fixed bug in handling GetLastError() result
- Fixed bug in network traffic capture
- Fixed bug in submission and creation of tasks in the database
- Removed hooks for NtOpenProcess, NtClose, NtAllocateVirtualMemory and VirtualFreeEx because of stability issues
