Book Image

Cuckoo Malware Analysis

Book Image

Cuckoo Malware Analysis

Overview of this book

Cuckoo Sandbox is a leading open source automated malware analysis system. This means that you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will provide you with some detailed results outlining what said file did when executed inside an isolated environment. Cuckoo Malware Analysis is a hands-on guide that will provide you with everything you need to know to use Cuckoo Sandbox with added tools like Volatility, Yara, Cuckooforcanari, Cuckoomx, Radare, and Bokken, which will help you to learn malware analysis in an easier and more efficient way. Cuckoo Malware Analysis will cover basic theories in sandboxing, automating malware analysis, and how to prepare a safe environment lab for malware analysis. You will get acquainted with Cuckoo Sandbox architecture and learn how to install Cuckoo Sandbox, troubleshoot the problems after installation, submit malware samples, and also analyze PDF files, URLs, and binary files. This book also covers memory forensics – using the memory dump feature, additional memory forensics using Volatility, viewing result analyses using the Cuckoo analysis package, and analyzing APT attacks using Cuckoo Sandbox, Volatility, and Yara. Finally, you will also learn how to screen Cuckoo Sandbox against VM detection and how to automate the scanning of e-mail attachments with Cuckoo.
Table of Contents (13 chapters)
Cuckoo Malware Analysis
Credits
About the Authors
Acknowledgement
About the Reviewers
www.PacktPub.com
Preface
Index

Starting Cuckoo


First, we must go to the root directory of the previously extracted Cuckoo. This time, the root directory is home/user/Documents/cuckoo.

We do not need to start VirtualBox to run the Guest OS (in this case, the guest OS is Windows XP SP3) in order to receive the malware sample. You must turn it off after configuring and installing some Windows applications mentioned before (for example, Adobe Reader, Microsoft Office, and so on). Do not forget to snapshot your current VM (virtual machine)—as it will be used several times—so that Cuckoo will start a fresh VM every time it runs the analysis. There are other ways to make the VM take snapshots. To do this using VirtualBox window, open its main window and click on the Take Snapshot button under Machine. (Snapshots can be taken when your Guest OS is started.)

Now we will start Cuckoo Sandbox. As explained before, type the following command line in the terminal and run:

$ python cuckoo.py

Note

cuckoo.py accepts some command line options...