Cuckoo Malware Analysis

Overview of this book

Cuckoo Sandbox is a leading open source automated malware analysis system. This means that you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will provide you with some detailed results outlining what said file did when executed inside an isolated environment. Cuckoo Malware Analysis is a hands-on guide that will provide you with everything you need to know to use Cuckoo Sandbox with added tools like Volatility, Yara, Cuckooforcanari, Cuckoomx, Radare, and Bokken, which will help you to learn malware analysis in an easier and more efficient way. Cuckoo Malware Analysis will cover basic theories in sandboxing, automating malware analysis, and how to prepare a safe environment lab for malware analysis. You will get acquainted with Cuckoo Sandbox architecture and learn how to install Cuckoo Sandbox, troubleshoot the problems after installation, submit malware samples, and also analyze PDF files, URLs, and binary files. This book also covers memory forensics – using the memory dump feature, additional memory forensics using Volatility, viewing result analyses using the Cuckoo analysis package, and analyzing APT attacks using Cuckoo Sandbox, Volatility, and Yara. Finally, you will also learn how to screen Cuckoo Sandbox against VM detection and how to automate the scanning of e-mail attachments with Cuckoo.
Table of Contents (13 chapters)
Cuckoo Malware Analysis
Credits
About the Authors
Acknowledgement
About the Reviewers
www.PacktPub.com
Preface
Index

Index

A

  • analysis.conf file / Submitting a malware Word document
  • analysis.log file / Submitting a malware Word document
  • analysis directory
    • structure / Submitting a malware Word document
  • AnalysisInfo module / The processing module
  • apt-get command / Install Python in Ubuntu
  • apt-get command line / Creating a MAEC Report
  • APT attack
    • analyzing, Volatility used / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
    • analyzing, Cuckoo Sandbox used / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
    • analyzing, Yara used / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • Attached to drop-down menu / Submitting a malicious URL – http://youtibe.com
  • author server / Malware analysis lab
  • automated malware analysis
    • implementing, drawback / Malware analysis lab

B

  • .bashrc file / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • <basedir> / Automating e-mail attachments with Cuckoo MX
  • BAT file / Submitting a malicious URL – http://ziti.cndesign.com/biaozi/fdc/page_07.htm
  • BehaviorAnalysis module / The processing module
  • Behaviour tab / Creating a built-in report in HTML format
  • binary file / Submitting a malware Word document
    • submitting / Submitting a binary file – Sality.G.exe
  • Bokken
    • about / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
    • running, from unity dashboard / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • bottlepy library / Install Python in Ubuntu
  • built-in report
    • creating, in HTML format / Creating a built-in report in HTML format

C

  • Canari Framework
    • about / Cuckooforcanari – integrating Cuckoo Sandbox with the Maltego project
  • command line options
    • -h, --help / Starting Cuckoo
    • -q, --quiet / Starting Cuckoo
    • -d, --debug / Starting Cuckoo
    • -v, --version / Starting Cuckoo
    • -a, --artwork / Starting Cuckoo
  • configuration files, Cuckoo Sandbox installation
    • cuckoo.conf / cuckoo.conf
    • <machinemanager>.conf / <machinemanager>.conf
    • processing.conf / processing.conf
    • reporting.conf / reporting.conf
  • Continue button / Submitting a malware Word document, Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls
  • Cuckoo / Malware analysis methodologies
    • data report analysis, exporting from / Exporting data report analysis from Cuckoo to another format
  • cuckoo.conf file / cuckoo.conf
  • cuckooforcanari
    • about / Cuckooforcanari – integrating Cuckoo Sandbox with the Maltego project
  • CuckooMon source code
    • URL / Hardening Cuckoo Sandbox against VM detection
  • CuckooMX
    • about / Automating e-mail attachments with Cuckoo MX
    • URL / Automating e-mail attachments with Cuckoo MX
  • Cuckoo Sandbox
    • about / Cuckoo Sandbox
    • files / Cuckoo Sandbox
    • results / Cuckoo Sandbox
    • components / Cuckoo Sandbox
    • installing / Installing Cuckoo Sandbox
    • setting, in Host OS / Setting up Cuckoo Sandbox in the Host OS
    • starting / Starting Cuckoo
    • malware samples, submitting to / Submitting malware samples to Cuckoo Sandbox
    • submission utility, examples / Submitting malware samples to Cuckoo Sandbox
    • memory forensic, memory dump features used / Memory forensic using Cuckoo Sandbox – using memory dump features
    • processing modules / The processing module
    • default configurations, modifying / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
    • used, for analyzing APT attack / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
    • hardening, against VM detection / Hardening Cuckoo Sandbox against VM detection
    • integrating, with Maltego project / Cuckooforcanari – integrating Cuckoo Sandbox with the Maltego project
    • Maltego, installing / Installing Maltego
  • Cuckoo Sandbox installation
    • hardware requirements / Hardware requirements
    • host OS, preparing / Preparing the host OS
    • requirements / Requirements
    • Python, installing in Ubuntu / Install Python in Ubuntu
    • Guest OS, preparing / Preparing the Guest OS
    • user, creating / Creating a user
    • configuration files, configuring / Installing Cuckoo Sandbox
  • Cuckoo Scanning
    • e-mail attachments, automating with / Automating e-mail attachments with Cuckoo MX
  • Cuckoo Version 0.5
    • URL / Hardening Cuckoo Sandbox against VM detection

D

  • <db> / Automating e-mail attachments with Cuckoo MX
  • data report analysis
    • exporting, from Cuckoo to another Format / Exporting data report analysis from Cuckoo to another format
  • Debug module / The processing module
  • Devices option / Setting up a shared folder between Host OS and Guest OS
  • Download Cuckoo! button / Setting up Cuckoo Sandbox in the Host OS
  • dpkt library / Install Python in Ubuntu
  • Dropped Files section / Submitting a malicious URL – http://ziti.cndesign.com/biaozi/fdc/page_07.htm
  • Dropped Files tab / Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls, Creating a built-in report in HTML format
  • Dropped module / The processing module
  • dump.pcap file / Submitting a malware Word document
  • dynamic analysis / Malware analysis methodologies

E

  • e-mail attachments
    • automating, with Cuckoo Scanning / Automating e-mail attachments with Cuckoo MX

F

  • files directory / Submitting a malware Word document
  • File tab / Submitting a malware Word document, Creating a built-in report in HTML format

G

  • <guest> / Automating e-mail attachments with Cuckoo MX
  • gedit / Creating a MAEC Report
  • Guest OS, preparing
    • required specifications / Preparing the Guest OS
    • network, configuring / Configuring the network
    • shared folder, setting up between Host OS and Guest OS / Setting up a shared folder between Host OS and Guest OS
    • guest addition, installing / Setting up a shared folder between Host OS and Guest OS

H

  • Hosts Involved option / Submitting a malware Word document
  • HTML format
    • built-in report, creating / Creating a built-in report in HTML format

I

  • IDA Pro
    • about / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • Info tab / Creating a built-in report in HTML format
  • installation, Volatility / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara

J

  • jinja2 library / Install Python in Ubuntu

L

  • libvirt library / Install Python in Ubuntu
  • logs directory / Submitting a malware Word document

M

  • <machinemanager>.conf file / <machinemanager>.conf
  • MAEC
    • URL / Creating a MAEC Report
    • about / Creating a MAEC Report
  • MAEC Report
    • creating / Creating a MAEC Report
  • magic library / Install Python in Ubuntu
  • malicious URL
    • submitting / Submitting a malicious URL – http://youtibe.com, Submitting a malicious URL – http://ziti.cndesign.com/biaozi/fdc/page_07.htm
    • youtibe.com / Submitting a malicious URL – http://youtibe.com
    • http://ziti.cndesign.com/biaozi/fdc/page_07.htm / Submitting a malicious URL – http://ziti.cndesign.com/biaozi/fdc/page_07.htm
  • malicious URL, youtibe.com
    • submitting / Submitting a malicious URL – http://youtibe.com
  • Maltego
    • installing / Installing Maltego
  • Maltego project
    • Cuckoo Sandbox, integrating with / Cuckooforcanari – integrating Cuckoo Sandbox with the Maltego project
  • malware analysis
    • methodologies / Malware analysis methodologies
  • malware analysis, methodologies
    • static analysis / Malware analysis methodologies
    • dynamic analysis / Malware analysis methodologies
  • malware analysis lab / Malware analysis lab
  • malware Excel document
    • CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls / Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls
    • submitting / Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls
  • malware PDF document
    • aleppo_plan_cercs.pdf / Submitting a malware PDF document – aleppo_plan_cercs.pdf
    • submitting / Submitting a malware PDF document – aleppo_plan_cercs.pdf
  • malware samples
    • submitting, to Cuckoo Sandbox / Submitting malware samples to Cuckoo Sandbox
  • malware Word document
    • submitting / Submitting a malware Word document
  • McAfee antivirus / Submitting a malware PDF document – aleppo_plan_cercs.pdf
  • memory.dmp file / Submitting a malware Word document
  • memory forensic
    • Cuckoo Sandbox, using / Memory forensic using Cuckoo Sandbox – using memory dump features
    • Volatility, using / Additional memory forensic using Volatility, Using Volatility

N

  • NetworkAnalysis module / The processing module
  • Network section / Submitting a malicious URL – http://youtibe.com
  • Network tab / Submitting a malware Word document, Creating a built-in report in HTML format

O

  • optional arguments
    • --help / Submitting malware samples to Cuckoo Sandbox
    • --url / Submitting malware samples to Cuckoo Sandbox
    • --package PACKAGE / Submitting malware samples to Cuckoo Sandbox
    • --custom CUSTOM / Submitting malware samples to Cuckoo Sandbox
    • --timeout TIMEOUT / Submitting malware samples to Cuckoo Sandbox
    • --options OPTIONS / Submitting malware samples to Cuckoo Sandbox
    • --priority PRIORITY / Submitting malware samples to Cuckoo Sandbox
    • --machine MACHINE / Submitting malware samples to Cuckoo Sandbox
    • --platform PLATFORM / Submitting malware samples to Cuckoo Sandbox
    • --memory / Submitting malware samples to Cuckoo Sandbox
    • --enforce-timeout / Submitting malware samples to Cuckoo Sandbox
  • OSINT
    • about / Cuckooforcanari – integrating Cuckoo Sandbox with the Maltego project

P

  • Pafish
    • URL / Hardening Cuckoo Sandbox against VM detection
    • installing / Hardening Cuckoo Sandbox against VM detection
  • Paterva
    • URL / Cuckooforcanari – integrating Cuckoo Sandbox with the Maltego project
  • pefile library / Install Python in Ubuntu
  • PIL (Python Imaging Library) / Setting up a shared folder between Host OS and Guest OS
  • Pip tool / Install Python in Ubuntu
  • positional argument
    • target / Submitting malware samples to Cuckoo Sandbox
  • Processes section / Submitting a binary file – Sality.G.exe, Memory forensic using Cuckoo Sandbox – using memory dump features
  • processing.conf file / processing.conf
  • processing modules, Cuckoo Sandbox
    • about / The processing module
    • AnalysisInfo / The processing module
    • BehaviorAnalysis / The processing module
    • Debug / The processing module
    • Dropped / The processing module
    • NetworkAnalysis / The processing module
    • StaticAnalysis / The processing module
    • Strings / The processing module
    • TargetInfo / The processing module
    • VirusTotal / The processing module
  • pydeep library / Install Python in Ubuntu
  • Pyew
    • about / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • pymongo library / Install Python in Ubuntu
  • Python-PDFKit
    • URL / Exporting data report analysis from Cuckoo to another format
  • Python Functions utility / Submitting malware samples to Cuckoo Sandbox

R

  • Radare
    • about / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • report.html file / Submitting a malware Word document
  • Report class / Exporting data report analysis from Cuckoo to another format
  • reporting.conf file / reporting.conf
  • reports directory / Submitting a malware Word document
  • REST API utility / Submitting malware samples to Cuckoo Sandbox
  • run() function / Exporting data report analysis from Cuckoo to another format

S

  • <sendmailpath> / Automating e-mail attachments with Cuckoo MX
  • Sality / Submitting a binary file – Sality.G.exe
  • Sality.G.exe, binary file
    • submitting / Submitting a binary file – Sality.G.exe
  • Sality.G.exe screenshot / Submitting a binary file – Sality.G.exe
  • sandboxing
    • about / Basic theory in Sandboxing
  • screenshots tab / Creating a built-in report in HTML format
  • self.analysis_path attribute / Exporting data report analysis from Cuckoo to another format
  • self.conf_path attribute / Exporting data report analysis from Cuckoo to another format
  • self.options attribute / Exporting data report analysis from Cuckoo to another format
  • self.reports_path attribute / Exporting data report analysis from Cuckoo to another format
  • Settings option / Configuring the network
  • shellcode
    • about / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • shots directory / Submitting a malware Word document
  • signatures tab / Creating a built-in report in HTML format
  • snapshot / Malware analysis lab
  • ssdeep library / Install Python in Ubuntu
  • static analysis / Malware analysis methodologies
  • StaticAnalysis module / The processing module
  • Static Analysis section / Submitting a binary file – Sality.G.exe
  • static analysis tab / Creating a built-in report in HTML format
  • Strings module / The processing module
  • submit.py utility / Submitting malware samples to Cuckoo Sandbox
  • Success message / Submitting a malware Word document, Submitting a malware PDF document – aleppo_plan_cercs.pdf, Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls, Submitting a malicious URL – http://youtibe.com, Submitting a malicious URL – http://ziti.cndesign.com/biaozi/fdc/page_07.htm, Submitting a binary file – Sality.G.exe, Memory forensic using Cuckoo Sandbox – using memory dump features

T

  • Take Snapshot button / Starting Cuckoo
  • TargetInfo module / The processing module
  • Terminal tab / Submitting a malware PDF document – aleppo_plan_cercs.pdf, Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls
  • TreeLine
    • installing / Creating a MAEC Report

V

  • virtualbox.conf file / Submitting a malicious URL – http://youtibe.com
  • VirusTotal module / The processing module, Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • VirusTotal section / Submitting a malware PDF document – aleppo_plan_cercs.pdf, Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls, Submitting a binary file – Sality.G.exe, Memory forensic using Cuckoo Sandbox – using memory dump features
  • Volatility
    • about / Memory forensic using Cuckoo Sandbox – using memory dump features
    • used, for memory forensic / Additional memory forensic using Volatility, Using Volatility
    • using, steps / Using Volatility
    • installing / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
    • used, for analyzing APT attack / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • Volatility Framework tool / Additional memory forensic using Volatility

W

  • Wireshark packet analyzer / Submitting a malware Word document
  • wkhtmltopdf
    • installing / Exporting data report analysis from Cuckoo to another format

X

  • Xavier Mertens
    • URL / Automating e-mail attachments with Cuckoo MX

Y

  • Yara
    • used, for analyzing APT attack / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
  • yara library / Install Python in Ubuntu
  • yara python library / Install Python in Ubuntu
  • Yara rule
    • downloading / Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara
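The index entries under "Exporting data report analysis from Cuckoo to another format" name the hooks a custom reporting module uses: the Report class, its run() function and the self.options, self.analysis_path and self.reports_path attributes. The block below is an added example, not code from the book or from the Cuckoo project, showing such a module that writes a flat indicator CSV next to the built-in HTML and JSON reports. Its Report base class is a minimal stand-in for Cuckoo's lib.cuckoo.common.abstracts.Report built from the attributes the index lists (an assumption about the real interface), the layout of the results dictionary (target, network, dropped, behavior, signatures) is assumed from the 0.x JSON report and may differ between releases, the sample results are constructed, and the code targets Python 3 whereas Cuckoo 0.x itself ran on Python 2.

```python
"""Added example (not from the book or the Cuckoo project): a custom
reporting module that exports a Cuckoo analysis as an indicator CSV.
Assumptions: `Report` is a stand-in for lib.cuckoo.common.abstracts.Report
built from the attributes the index names; the results dict layout follows
the 0.x JSON report keys; Python 3 (Cuckoo 0.x ran on Python 2)."""
import csv
import os
import tempfile


class Report(object):
    """Stand-in for Cuckoo's abstract Report class (assumption)."""

    def __init__(self):
        self.analysis_path = ""  # storage/analyses/<task_id>
        self.reports_path = ""   # storage/analyses/<task_id>/reports
        self.options = {}        # this module's section of reporting.conf

    def set_path(self, analysis_path):
        """Point the module at one analysis directory, creating reports/."""
        self.analysis_path = analysis_path
        self.reports_path = os.path.join(analysis_path, "reports")
        if not os.path.isdir(self.reports_path):
            os.makedirs(self.reports_path)

    def set_options(self, options):
        self.options = dict(options or {})

    def run(self, results):
        raise NotImplementedError


def extract_indicators(results):
    """Flatten a results dict into unique (type, value, context) rows.
    Empty values are dropped; duplicates (a host contacted twice) collapse
    to one row, preserving first-seen order."""
    rows = []
    target = results.get("target", {}).get("file", {})
    for h in ("md5", "sha256"):
        rows.append(("sample_" + h, target.get(h, ""), target.get("name", "")))
    net = results.get("network", {})
    for host in net.get("hosts", []):
        rows.append(("host", host, "contacted"))
    for q in net.get("dns", []):
        rows.append(("domain", q.get("hostname", ""), "dns query"))
    for req in net.get("http", []):
        rows.append(("url", req.get("uri", ""), req.get("method", "")))
    for d in results.get("dropped", []):
        rows.append(("dropped_sha256", d.get("sha256", ""), d.get("name", "")))
    for p in results.get("behavior", {}).get("processes", []):
        rows.append(("process", p.get("process_name", ""),
                     "pid %s" % p.get("process_id", "")))
    for sig in results.get("signatures", []):
        rows.append(("signature", sig.get("name", ""),
                     "severity %s" % sig.get("severity", "")))
    seen, unique = set(), []
    for row in rows:
        if row[1] and row not in seen:
            seen.add(row)
            unique.append(row)
    return unique


class IndicatorCSV(Report):
    """Custom reporting module: writes reports/<filename> as CSV."""

    def run(self, results):
        filename = self.options.get("filename", "indicators.csv")
        path = os.path.join(self.reports_path, filename)
        with open(path, "w", newline="") as fh:
            writer = csv.writer(fh)
            writer.writerow(["type", "value", "context"])
            writer.writerows(extract_indicators(results))
        return path


def run_export(results, analysis_path, options=None):
    """Drive the module the way Cuckoo's reporting engine would."""
    module = IndicatorCSV()
    module.set_path(analysis_path)
    module.set_options(options)
    return module.run(results)


def read_csv_rows(path):
    with open(path, newline="") as fh:
        return [tuple(r) for r in csv.reader(fh)]


# Constructed sample results (not real analysis output).
SAMPLE_RESULTS = {
    "info": {"id": 1, "category": "file"},
    "target": {"category": "file", "file": {
        "name": "sample.exe", "md5": "0" * 32, "sha256": "0" * 64}},
    "network": {"hosts": ["198.51.100.7", "198.51.100.7"],
                "dns": [{"hostname": "update.example.net"}],
                "http": [{"method": "GET",
                          "uri": "http://update.example.net/cfg.bin"}]},
    "dropped": [{"name": "svchost32.exe", "sha256": "ab" * 32}],
    "behavior": {"processes": [
        {"process_id": 1234, "process_name": "sample.exe", "calls": []}]},
    "signatures": [{"name": "creates_exe", "severity": 2}],
}


def demo():
    """Export the constructed sample into a temp dir; return parsed rows."""
    analysis_dir = tempfile.mkdtemp(prefix="cuckoo_task_")
    path = run_export(SAMPLE_RESULTS, analysis_dir, {"filename": "ioc.csv"})
    return read_csv_rows(path)


if __name__ == "__main__":
    for row in demo():
        print(",".join(row))
```

In a real deployment the module would be dropped into Cuckoo's reporting modules directory and enabled with its own section in reporting.conf, which is where the `filename` option read through self.options would come from; the run_export() driver here only mimics that wiring so the example runs on its own.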