Book Image

Cuckoo Malware Analysis

Book Image

Cuckoo Malware Analysis

Overview of this book

Cuckoo Sandbox is a leading open source automated malware analysis system. This means that you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will provide you with some detailed results outlining what said file did when executed inside an isolated environment. Cuckoo Malware Analysis is a hands-on guide that will provide you with everything you need to know to use Cuckoo Sandbox with added tools like Volatility, Yara, Cuckooforcanari, Cuckoomx, Radare, and Bokken, which will help you to learn malware analysis in an easier and more efficient way. Cuckoo Malware Analysis will cover basic theories in sandboxing, automating malware analysis, and how to prepare a safe environment lab for malware analysis. You will get acquainted with Cuckoo Sandbox architecture and learn how to install Cuckoo Sandbox, troubleshoot the problems after installation, submit malware samples, and also analyze PDF files, URLs, and binary files. This book also covers memory forensics – using the memory dump feature, additional memory forensics using Volatility, viewing result analyses using the Cuckoo analysis package, and analyzing APT attacks using Cuckoo Sandbox, Volatility, and Yara. Finally, you will also learn how to screen Cuckoo Sandbox against VM detection and how to automate the scanning of e-mail attachments with Cuckoo.

Related Content you might be interested in

Current Title:

Small book image
Cuckoo Malware Analysis
Oct, 2013 | 142 pages
No titles found
Table of Contents (13 chapters)
Cuckoo Malware Analysis
Cuckoo Malware Analysis
Credits
Credits
About the Authors
About the Authors
Acknowledgement
Acknowledgement
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Getting Started with Automated Malware Analysis using Cuckoo Sandbox
Getting Started with Automated Malware Analysis using Cuckoo Sandbox
Malware analysis methodologies
Basic theory in Sandboxing
Malware analysis lab
Cuckoo Sandbox
Installing Cuckoo Sandbox
Summary
2
Using Cuckoo Sandbox to Analyze a Sample Malware
Using Cuckoo Sandbox to Analyze a Sample Malware
Starting Cuckoo
Submitting malware samples to Cuckoo Sandbox
Submitting a malware Word document
Submitting a malware PDF document – aleppo_plan_cercs.pdf
Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls
Submitting a malicious URL – http://youtibe.com
Submitting a malicious URL – http://ziti.cndesign.com/biaozi/fdc/page_07.htm
Submitting a binary file – Sality.G.exe
Memory forensic using Cuckoo Sandbox – using memory dump features
Additional memory forensic using Volatility
Summary
3
Analyzing the Output of Cuckoo Sandbox
Analyzing the Output of Cuckoo Sandbox
The processing module
Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
Summary
4
Reporting with Cuckoo Sandbox
Reporting with Cuckoo Sandbox
Creating a built-in report in HTML format
Creating a MAEC Report
Exporting data report analysis from Cuckoo to another format
Summary
5
Tips and Tricks for Cuckoo Sandbox
Tips and Tricks for Cuckoo Sandbox
Hardening Cuckoo Sandbox against VM detection
Cuckooforcanari – integrating Cuckoo Sandbox with the Maltego project
Automating e-mail attachments with Cuckoo MX
Summary
Index
Index

Summary

Now, you have successfully prepared the Host OS and Guest OS in the VirtualBox and then installed Cuckoo Sandbox. It is important to make sure that all the dependencies that are needed in the Host OS along with pydeep and yara are present. For the Guest OS, always turn off the defensive parameter and Windows firewall and use any software that the malware often use to interact with, for example, Adobe Reader 9.5, Internet Explorer 6, Microsoft Office 2003, and so on.

Always set your configuration in <machinemanager>.conf in exactly the same way as it is in the virtualization software you are using. For example, if you are using KVM, you have to set kvm in machinemanager.conf. Since we are using VirtualBox, you have to set virtualbox in the configuration. You have to be careful at the time of inserting the name of the Guest OS in VirtualBox to cuckoo.conf configuration file. For example, if you create a Guest OS named cuckoo1, you have to write down cuckoo1 in the cuckoo.conf configuration file. The most important part of all is not to forget to make a backup of the whole system and configurations.

In the next chapter, we will continue learning about Cuckoo Sandbox's features, such as analyzing PDF files, URLs, and binary files, Memory Forensic using Cuckoo Sandbox (using the Memory dump feature), and additional Memory Forensic using Volatility.

Previous Section
End of Chapter 1
Next Chapter