Cuckoo Sandbox

Cuckoo Sandbox 0.6

I Got 99 Problems

Ok, the image above is inaccurate: we have 99 problems and Cuckoo accounts for most of them... BUT! We finally took a whole bunch of them off our back with this shiny new hatching of our sandbox. Ladies and nerds, Cuckoo Sandbox 0.6 is here!

This release represents a major step forward for the quality of the project: you won't find an endless list of new features this time, but a handful of solid improvements that should make your experience with sandboxing much more pleasant.

Along with a few smaller additions, the focus of 0.6 is the introduction of network logging. Until now, the retrieval of results from the analysis machines happened through an inefficient and resource-expensive XMLRPC transaction. With Cuckoo Sandbox 0.6 we can collect behavioral logs, dropped files, screenshots and memory dumps in real time from the analysis machines through what we call the ResultServer.
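To make the idea concrete, here is a minimal result collector in the spirit of what the paragraph describes: analysis machines push behavioral logs, dropped files, screenshots and memory dumps to a listener on the host as they are produced, instead of the host pulling them in one XMLRPC call at the end. This is an added example written for this post, not Cuckoo's own code or wire protocol. The framing (one ASCII header line `<task_id> <kind> <name> <length>` followed by `<length>` raw bytes), the result categories, the class and function names and the sample traffic are all assumptions made for the example. Because the sending side is a machine that has just run malware, the collector treats it as untrusted: header and record sizes are capped, task ids must be numeric, and result names may not carry path components, so a compromised guest cannot choose where on the host its data lands.

```python
"""Illustrative streaming result collector. Added example, NOT Cuckoo's code;
the framing "<task_id> <kind> <name> <length>\\n" + body is an assumption."""
import io
import os
import socket
import socketserver
import tempfile
import threading

KINDS = {"logs", "files", "shots", "memory"}  # assumed result categories
MAX_HEADER = 512                              # the guest is untrusted: cap header size
MAX_RECORD = 64 * 1024 * 1024                 # cap a single record at 64 MiB


def safe_name(name):
    """Only a flat file name is accepted; the guest never picks a host path."""
    if name in ("", ".", "..") or any(c in name for c in "/\\\x00"):
        raise ValueError("unsafe result name: %r" % name)
    return name


class ResultStore:
    """Writes results under <root>/<task_id>/<kind>/<name>."""

    def __init__(self, root):
        self.root = root

    def store(self, task_id, kind, name, data):
        task_id = int(task_id)  # non-numeric ids are rejected here
        if kind not in KINDS:
            raise ValueError("unknown result kind: %r" % kind)
        directory = os.path.join(self.root, str(task_id), kind)
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, safe_name(name))
        with open(path, "ab") as fh:  # append: a log arrives as many small records
            fh.write(data)
        return path


def handle_stream(stream, store):
    """Consume framed records from a binary file-like object until EOF.
    Returns the host path written for each record, in order."""
    paths = []
    while True:
        header = stream.readline(MAX_HEADER)
        if not header:
            break  # clean EOF: the guest closed the connection
        if not header.endswith(b"\n"):
            raise ValueError("header too long or truncated")
        fields = header[:-1].decode("ascii").split(" ")
        if len(fields) != 4:
            raise ValueError("malformed header: %r" % header)
        task_id, kind, name, length = fields
        length = int(length)
        if not 0 <= length <= MAX_RECORD:
            raise ValueError("bad record length: %d" % length)
        body = stream.read(length)
        if len(body) != length:
            raise ValueError("truncated record body")
        paths.append(store.store(task_id, kind, name, body))
    return paths


class ResultHandler(socketserver.StreamRequestHandler):
    def handle(self):
        try:
            handle_stream(self.rfile, self.server.store)
        except ValueError as exc:  # a malformed or hostile stream just gets dropped
            print("dropping connection from %s: %s" % (self.client_address[0], exc))


class ResultServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, address, root):
        super().__init__(address, ResultHandler)
        self.store = ResultStore(root)


def frame(task_id, kind, name, data):
    """Build one record in the assumed framing (what a guest agent would send)."""
    return ("%d %s %s %d\n" % (task_id, kind, name, len(data))).encode("ascii") + data


# Constructed sample traffic: two log records for task 1, then a dropped file.
SAMPLE_STREAM = (
    frame(1, "logs", "behavior.log", b"1365 CreateFileW C:\\Users\\x\\a.exe\n")
    + frame(1, "logs", "behavior.log", b"1365 WriteFile 4096 bytes\n")
    + frame(1, "files", "dropped.bin", b"MZ\x90\x00")
)


def collect_sample(root=None):
    """Replay SAMPLE_STREAM through the parser without a socket; returns (root, paths)."""
    root = root or tempfile.mkdtemp()
    return root, handle_stream(io.BytesIO(SAMPLE_STREAM), ResultStore(root))


def read_result(root, task_id, kind, name):
    with open(os.path.join(root, str(task_id), kind, name), "rb") as fh:
        return fh.read()


def rejects(raw):
    """True if the collector refuses the raw bytes (demonstrates the hardening checks)."""
    try:
        handle_stream(io.BytesIO(raw), ResultStore(tempfile.mkdtemp()))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    server = ResultServer(("127.0.0.1", 0), root)
    threading.Thread(target=server.serve_forever).start()
    with socket.create_connection(server.server_address) as sock:
        sock.sendall(SAMPLE_STREAM)  # play the guest side over a real TCP connection
    server.shutdown()
    server.server_close()  # joins handler threads so all writes have landed
    for dirpath, _, files in os.walk(root):
        for name in files:
            print(os.path.join(dirpath, name))
```

Running the module starts the listener on a loopback port, plays the constructed guest traffic into it and prints the files that landed under the temporary storage root; `rejects()` shows the same parser refusing a name with a path separator, an oversized length field and a record whose body is cut short. The one design choice worth noting is that records are appended rather than replaced, which is what lets a behavior log stream in while the sample is still running.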

The advantages of this approach are multiple:

Changelog

Following is the CHANGELOG for this version:

- Added procmemdump option to all analysis packages
- Added randomization of folders and pipes in the analysis machines
- Added checks to block injection of Cuckoo's agent and analyzer
- Added configuration file for processing modules
- Added result server to collect logs, files, screenshots and all results in real-time
- Added option for enabling/disabling generation of CSV logs
- Added REST API function to delete analysis task
- Added matching of Yara signatures against dropped files
- Added default fail-over to the "exe" package if the correct one can't be identified automatically
- Added password option to zip package
- Improved human auxiliary module
- Improved Sleep() bypass
- Improved dump of dropped files by tracking writing operations
- Improved creation of screenshots by calculating a diff threshold
- Fixed memory error issues
- Fixed bugs in analysis procedure logic and in deletion of original files
- Fixed bugs in MongoDB reporting module
- Fixed bugs in HTML reporting module
- Fixed bugs in VirusTotal processing module
- Fixed bug in handling GetLastError() result
- Fixed bug in network traffic capture
- Fixed bug in submission and creation of tasks in the database
- Removed hooks for NtOpenProcess, NtClose, NtAllocateVirtualMemory and VirtualFreeEx because of stability issues

Known Issues

Unfortunately, it's not all flowers and butterflies. We do have some issues that we are trying to address.

First things first: we are working hard on isolating some stability issues in our CuckooMon analysis core. For some reason we haven't been able to understand yet, some of the hooks we install on a few Windows APIs cause issues that can affect the stability of the malware's execution. As a temporary workaround, we disabled the hooks for NtOpenProcess, NtClose, NtAllocateVirtualMemory and VirtualFreeEx. This should allow most malware to continue its execution flawlessly, but unfortunately you won't see logs for those calls.

Secondly, several users reported issues with the overall stability of the virtual machine management under a heavy and continuous load of submissions. We haven't been able to replicate the problem yet, but we are actively investigating it. You can probably expect a fix in the next bugfix release or, at the latest, in the next stable version.

Bear with us.

Conclusions

We are really happy with this release and we hope you will be as well. Please remember that this is a spare time effort, so any valuable contribution from the community is very welcome!

That's it for 0.6! Stay tuned for upcoming developments on the next release to come (might it finally be 1.0? WOOTWOOT).

Enjoy.
