Today represents a big day for Cuckoo Sandbox, the leading open source
automated malware analysis sandbox. After a years worth of work we're finally
releasing a first version of the
Cuckoo Package (codename "package"). As
with most of our releases this version introduces many improvements, new
concepts, stability tweaks, and so much more that we won't be able to go into
every detail in this release post.
The Cuckoo Package shapes a new future when it comes to deployment, maintenance, user interaction & experience, and the development cycle of Cuckoo Sandbox itself. It's our biggest improvement on usability & UX so far since our early days in 2010 and as such defines the start of a new era for both the development team as well as our users.
We'll go through the various different improvements by splitting 'em up into three different categories: usability & UX, stability improvements, and misc changes.
Usability & UX
By far the most important step forward of this release is a first start on our goal of simplifying the initial setup for our users. It has been known that installing Cuckoo Sandbox may take up to three days for a novice user. This release is the first in a series of releases that will reduce the setup time to one hour (and in the future this will be including setting up VMs).
From now on, one may install Cuckoo by running
$ pip install -U cuckoo. Of
course there are still
more steps to the installation,
but assuming these
have been met, installing and upgrading Cuckoo is as simple as running this
one command. Note that, if
pip install isn't working properly, that it is
very important to follow the OS-specific installation steps.
We have put a lot of effort in an attempt to reduce exactly those problems that have been reported by hundreds of our users. By doing so we hope to largely mitigate the following and many more previously common errors:
- critical timeout has been hit errors
- issues with Virtual Machines and/or missing snapshots
- setup issues due to missing Python packages
- incompatible Python package version numbers
- incorrectly filled out configuration
This release features a lot of updates to the Cuckoo Web Interface and represents a start towards a simplified user experience allowing novice as well as advanced users to get the most out of it. Among many other updates we'd like to highlight the following improvements:
- Fully featured submission page with support for nested archives and global & per-analysis advanced options.
- Night & Cyborg themes for those of us that preferably work at night.
- Lazy loading and filtering in the recent analysis page.
- New dashboard, analysis summary, and network traffic pages.
With regards to usability we can inform you on the following topics:
- Official Windows & Mac OS X host support
- Introduction of cuckoo apps, a wrapper around all of the functionality present in Cuckoo. E.g., guess what running cuckoo -d, cuckoo api, cuckoo web, and cuckoo process do
- A supervisor-based configuration file for semi-automatically running Cuckoo and making sure it keeps running
- Unicode file name & large file support (e.g., files up to 1 GB have been tested successfully)
- Ability to pass attachments (or the emails itself) from your email inbox straight to Cuckoo (using the nested archive support) to get realtime information on their maliciousness
- Tor network routing support
- Quick deployment of several servers using our Cuckoo module for SaltStack
This release contains a terrific amount of work on stability tweaks and unit testing. In particular, it features over 600 unit tests which combined perform unit tests over more than 50% of our code base. In addition to that there are also nearly 100 functional tests. This is a great step forward from our previous unit testing, which was practically none. This unit testing will ensure us that future changes won't brick compatibility with older versions of Cuckoo, proof that new features actually work, and allow us to develop and release new features more quickly & consistently.
Naturally this new version isn't just more stable - it also comes with
improved (and optional) user support integrated. If an analysis doesn't work
as you'd expect it to, simply click on the
feedback button and fill out
the form as per your concerns. We'll get a copy of the analysis (to the extent
that you wish to share it with us) with your message and based on that we're
able to relatively quickly investigate the problem, come up with a fix or ETA
on when it will be resolved, and stay in contact per email with you to
ensure a sound fix on your Cuckoo setup and, by including any bug fixes to the
upcoming release, ensure this bug will not happen anymore in the future.
If you have an older setup of Cuckoo Sandbox laying around that contains all
of your configuration and analyses then we've got good news for you: in the
new version you'll be able to import an existing Cuckoo setup. Cuckoo will
apply database migrations as well as configuration migrations (there are,
e.g., several changes to
cuckoo.conf as well as to the other configuration
files) and prepare the new Cuckoo environment with all of your existing
analyses. Upgrading your existing setup has never been this easy. Do keep in
mind that any code changes that were applied to your local setup are not
taken into account during this upgrade. These will have to be applied
manually. Please reach out to our team for help on this matter.
There are many, many other smaller and bigger misc improvements part of this release. In all fairness, what else do you expect after a year of development? We're going to quickly list some of these changes for your and our reference:
- JSON logging (for integration with, e.g., Splunk or ELK/Grafana)
- Updated report.html
- Submission of sample hashes if a proper VirusTotal key has been configured
- Correlation of Yara rules with Cuckoo Signatures to simplify creating such pairs (extremely useful for identifying a family/variant with Yara and using a Cuckoo Signature to extract any related information)
- Proper extraction of SMTP traffic
- IE11 support in our Cuckoo Monitor
- "Trigger" support in Cuckoo Monitor, i.e., only start logging API calls from, e.g., Office Word once the actual document is being accessed (and therefore reducing on some junk API calls)
- Improved PowerShell & .NET support in Cuckoo Monitor
We have lots of smaller and bigger changes still in the pipeline that will be
included in the upcoming release(s). Due to upgrading being much easier from
now on (i.e.,
$ pip install -U cuckoo) we'll be able to push out updates
more often - and we'll certainly be doing so. May it be for new features,
critical bug fixes, etc.
Following you'll find some of our upcoming ideas, features, and tweaks:
- Initial integration release of zer0m0n, Cuckoo's Window Kernel driver
- Better & updated Suricata integration
- More complete Internet Explorer 11 support
- PDF reports (based on the HTML report)
- InetSim network routing support
- Improve the Scoring to not be alpha-software quality
- Start on a Web-based setup portal at startup
- Proper searching capabilities (based on MongoDB & ElasticSearch)
- Cuckoo documentation integrated into the Web Interface
- Fixes for any and all bugs reported by user
- Lots of stability improvements & more unit testing
- ... and already over 50 other tweaks & improvements ;-)
Interested to see your feature requests, add-ons, and more in our upcoming
version(s)? See also our contact information below & check out the
know further down below.
This release brings many new features & functionality to our users. We hope that with the simplified setup & usage patterns a wider user base may be formed due to our project being more accessible & more easily integrated in any current environments.
For feedback & questions, please do not hesitate to seek contact with us
on IRC (
or per email. If you're interested to
being kept up-to-date with future blog posts, releases, and other
announcements, please send us an email as well and we'll be sure to get back
to you and allow you to be the first to hear news from our side!
Did you know?
Some facts that one may have missed:
- We provide consultancy services for those organizations that need this. Think help with setup, setup verification, bug fixes, new features, custom integration, trainings, and everything else in and around Cuckoo!
- Cuckoo may be integrated with local email solutions and IDS systems to identify ransomware and other potentially maliciousness before your coworkers open said files, preventing potential breaches and data loss.
- We'll be present and available for discussion at a variety of upcoming conferences, i.e., at least Hack in the Box Amsterdam, Blackhat & Defcon Las Vegas, and probably some others.
All of this wouldn't have been possible without our great users & sponsors. Thanks to everyone for using and supporting Cuckoo Sandbox - you know who you are.