Book Image

Cuckoo Malware Analysis

Book Image

Cuckoo Malware Analysis

Overview of this book

Cuckoo Sandbox is a leading open source automated malware analysis system. This means that you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will provide you with some detailed results outlining what said file did when executed inside an isolated environment. Cuckoo Malware Analysis is a hands-on guide that will provide you with everything you need to know to use Cuckoo Sandbox with added tools like Volatility, Yara, Cuckooforcanari, Cuckoomx, Radare, and Bokken, which will help you to learn malware analysis in an easier and more efficient way. Cuckoo Malware Analysis will cover basic theories in sandboxing, automating malware analysis, and how to prepare a safe environment lab for malware analysis. You will get acquainted with Cuckoo Sandbox architecture and learn how to install Cuckoo Sandbox, troubleshoot the problems after installation, submit malware samples, and also analyze PDF files, URLs, and binary files. This book also covers memory forensics – using the memory dump feature, additional memory forensics using Volatility, viewing result analyses using the Cuckoo analysis package, and analyzing APT attacks using Cuckoo Sandbox, Volatility, and Yara. Finally, you will also learn how to screen Cuckoo Sandbox against VM detection and how to automate the scanning of e-mail attachments with Cuckoo.
Table of Contents (13 chapters)
Cuckoo Malware Analysis
About the Authors
About the Reviewers

Submitting a binary file – Sality.G.exe

This section deals with binary files that contain malware samples. For this purpose, we may need to isolate the environment of the malware once again.

  1. Please repeat adding the Host-only Adapter vboxnet0 and set it just the way we did in Chapter 1, Getting Started with Automated Malware Analysis using Cuckoo Sandbox.

  2. Start the windows-cuckoo from VirtualBox, set the IP, and save the snapshot of it.

  3. Remember to turn it off, change the Cuckoo configuration, and restart it.

  4. You can start to analyze the binary file using the following command:

    $ python utils/ --platform windows shares/Sality.G.exe
  5. Also remember that the .exe file was named as Sality.G.exe in order to warn the user that this file is a virus named Sality.G.exe. This file disguises itself as a keygen and activator for certain software.

  6. Please make sure you have a Success message as shown in the preceding screenshot with task with ID 50.

    Windows will open the binary file.

  7. We do not need...