Cuckoo Malware Analysis

Overview of this book

Cuckoo Sandbox is a leading open source automated malware analysis system. This means that you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will provide you with detailed results outlining what that file did when executed inside an isolated environment. Cuckoo Malware Analysis is a hands-on guide that will provide you with everything you need to know to use Cuckoo Sandbox with added tools like Volatility, Yara, Cuckooforcanari, Cuckoomx, Radare, and Bokken, which will help you to learn malware analysis in an easier and more efficient way. Cuckoo Malware Analysis will cover basic theories in sandboxing, automating malware analysis, and how to prepare a safe environment lab for malware analysis. You will get acquainted with Cuckoo Sandbox architecture and learn how to install Cuckoo Sandbox, troubleshoot the problems after installation, submit malware samples, and also analyze PDF files, URLs, and binary files. This book also covers memory forensics – using the memory dump feature, additional memory forensics using Volatility, viewing result analyses using the Cuckoo analysis package, and analyzing APT attacks using Cuckoo Sandbox, Volatility, and Yara. Finally, you will also learn how to screen Cuckoo Sandbox against VM detection and how to automate the scanning of e-mail attachments with Cuckoo.

Table of Contents (13 chapters)

- Cuckoo Malware Analysis
- Credits
- About the Authors
- Acknowledgement
- About the Reviewers
- www.PacktPub.com
- Preface
- Index

Acknowledgement

I would like to thank Allah the God Almighty, my friend from IT Telkom, Indra Kusuma, as a contributor and reviewer, and my boss and partner in Noosc Global for providing a facility for my research. I also want to thank my girlfriend, Eva, for her support and motivation in finishing this book.

I want to give you a list of the names of the people I acknowledge in gratitude for their effort in helping us write our book:

Chort Z. Row for the YouTube video (Using Cuckoobox and Volatility to analyze APT1 malware) at http://www.youtube.com/watch?v=mxGnjTlufAA, and thank you for providing Yara rules for Miniasp3 detection.

A.A. Gede Indra Kusuma from IT Telkom. Thank you for your effort in the Malware Lab and for producing some resources for the book.

Jaime Blasco and Alberto Ortega from Alienvault. Thank you for providing Yara rules for APT1 detection.

David Bressler (bostonlink) for the great effort on Cuckooforcanari Project.

Alberto Ortega from Alienvault for his post on hardening Cuckoo Sandbox at http://www.alienvault.com/open-threat-exchange/blog/hardening-cuckoo-sandbox-against-vm-aware-malware.

Xavier Mertens (@xme) for the CuckooMX Project at http://blog.rootshell.be/2012/06/20/cuckoomx-automating-email-attachments-scanning-with-cuckoo/.

All Cuckoo Sandbox developers and founders: Claudio "nex" Guarnieri, Mark Schloesser, Alessandro "jekil" Tanasi, and Jurriaan Bremer. Thank you very much for the great documentation at http://docs.cuckoosandbox.org/en/latest/.

Mila Parkour from http://contagiodump.blogspot.com. Thank you for providing a lot of information about malware samples.

http://virusshare.com/ for providing us with the APT1 malware sample.

Iqbal Muhardianto is a security enthusiast working in the Ministry of Foreign Affairs of the Republic of Indonesia. He loves breaking things apart just to learn how they work. In his computing career, he first started by learning MS-DOS and some C programming; he then worked as a System Admin and Network Admin, and is now an IT Security Administrator with skills in Linux, Windows, networking, SIEM, malware analysis, and pentesting.

He currently lives in Norway and works as IT staff at the Indonesian Embassy in Oslo.