Cuckoo Sandbox and Malware Analysis

Dear Readers,

This month our main focus is on the leading open source automated malware analysis system - Cuckoo Sandbox.

In this issue, entitled “Cuckoo Sandbox and Malware Analysis”, you will find articles on automated malware analysis with Cuckoo, extracting sample information using Cuckoo API with Python, Cuckoo’s internals and emulation flow, and that’s not all that’s inside this system!

But to give you an overview of what else to expect in this issue, I have to mention that we also have an amazing article on Mobile CSIRT Toolkit, great publication on narrowing down the location of an image, and a paper about Buffer Overflow and Integer Overflow.

We’re more than excited! Also, after reading the articles - please share your opinion with us! We added a new feature on our website and now users are able to leave a review of the issue. Don’t hesitate to do it!

As always – we want to thank all authors, betatesters, and proofreaders for participating in this project.

Have a nice read and fun with Cuckoo!

Regards,

Dominika Zdrodowska

and the eForensics Magazine Editorial Team

 

---

Buy this issue

 Download free magazine preview

---

TABLE OF CONTENTS

---

Cuckoo Sandbox - what it is, how to install it, submitting suspicious file into sandbox and the analysis report

by Sébastien RAMELLA

Cuckoo Sandbox is an indispensable tool adapted to today's computer world to answer the malware threat. The public who might have an interest to use such a system of analysis are the researchers of malware, the CERTs, ... But for my part, I think we could imagine generalizing a tool like this in many companies, so that end users can post to their IT department (internally) the elements considered suspect (email, pdf, exe, apk, ...).

Inside Cuckoo Sandbox: A view into Cuckoo’s internals and emulation flow  

by Mark Lechtik

To better understand how one can adapt Cuckoo and maximize the profit from it, it is essential to know its nuts and bolts, exactly what we intend to do in this article. We will discuss the general architecture, which should give a clear idea of the main components that comprise Cuckoo and how they interact with one other, all with a “guided tour” through all the phases that happen from the moment a sample is submitted for analysis until results are reported back to the user. We will also try to see what kind of shortcomings the current architecture and implementations present and what can be done to overcome them. So without further ado, let’s dig in.

Automated Malware Analysis with Cuckoo Sandbox

by Januar Sugeng

In automated analysis, malware is submitted to a dedicated system that will perform automatic initial analysis. This way usually gives similar results to the static analysis and dynamic analysis. This article will focus on the automated analysis using Cuckoo Sandbox version 2.0.6.

Real-Time Network Intrusion Detection using SNORT

by Ummed Meel

A Network Intrusion Detection System configured with the updated set of rules can make the network secured against the intrusion attack. Through this article, one can have complete understanding and knowledge of deployment of the SNORT, which is an Open Source Network Intrusion Detection System, with the real-time detection of an intruder in the network.

The First Responder CSIRT on a SECURE Drive

by John Walker

Looking back on the problematic events relating to security matters, and others born out of procurement and licensing issues I encountered when working within areas of South America and sub-continent, I arrived at the firm conclusion that to get the job done, it was of obvious and paramount importance to carry the entire secure CSIRT (Computer Security Incident Response Team) Toolkit to the locations to be attended – for this is the only way the attending professional (me) could be sure they had arrived fully equipped with the necessary tools, support materials and facilities to coordinate and effect the operation in hand, at the time of responding.

Using Cuckoo API (with Python) to submit and extract data from Cuckoo Sandbox

The author of the article requested to remain anonymous

In this post, we will look at how to use Cuckoo’s lightweight API to extract information after submitting the sample to sandbox. In order for us to use this API functionality, we need a working Cuckoo Sandbox. It is highly recommended to install Cuckoo (version 2.0.6 preferred) in virtual environments like virtualenv or pipenv, to make sure all the dependencies are separately and specifically installed for it.

Narrowing down a location of an image

by Joshua Richards

This article will go through how you can narrow down a location for where the image was taken. The same generally applies for videos, too, as you can visually analyse these in the same way. Techniques such as reverse image searching with different sources, metadata, and visual analysis will all be explained.

Malware analysis with Cuckoo Sandbox

by Antonio Farina

Using all the information extracted from the malware execution, Cuckoo will provide a detailed but easy to understand report containing the evidence to perform a first triage and attribution. Moreover, Cuckoo is designed in a modular way, so anyone could extend the sandbox functionalities writing his own module. Let’s use it!

Things to know about Buffer Overflow

by Sibi Chakkaravarthy Sethuraman & Deepsagar Mandal

A buffer overflow occurs when the data that is written into the buffer exceeds the allocated space and results in the overwriting of adjacent memory locations. Most of the present day systems have a very similar memory layout. This causes a serious problem as a very simple piece of vulnerable code, if neglected, can possess a grave problem. Security attacks using buffer overflow are fairly common and most of them seek to modify data in the memory, gain access to confidential data and many more similar exploits.

Cuckoo-SandBox - Detection & Bypassing

by Mohammed Ali

Today, a lot of malware contains anti-SandBox, anti-virtualization with a lot of techniques that allow the malware to have an initial background of what type of system that's running on it, and take an action. This is one of the critical disadvantages of SandBox, but it's just come in the second rate. The first disadvantage is "Time", that's what makes SandBox not useful for most companies, i.e., "Who will wait for 30~120 seconds for each file who download, or access it on the internet?" Unfortunately, we have nothing to do with this issue "resources & quality have a positive relationship", but we can deal with the second one with some tricks.