Today represents a big day for Cuckoo Sandbox, the leading open source automated malware analysis sandbox. After a years worth of work we’re finally releasing a first version of the Cuckoo Package (codename “package”). As with most of our releases this version introduces many improvements, new concepts, stability tweaks, and so much more that we won’t be able to go into every detail in this release post.

The Cuckoo Package shapes a new future when it comes to deployment, maintenance, user interaction & experience, and the development cycle of Cuckoo Sandbox itself. It’s our biggest improvement on usability & UX so far since our early days in 2010 and as such defines the start of a new era for both the development team as well as our users.

We’ll go through the various different improvements by splitting ’em up into three different categories: usability & UX, stability improvements, and misc changes.

Usability & UX

By far the most important step forward of this release is a first start on our goal of simplifying the initial setup for our users. It has been known that installing Cuckoo Sandbox may take up to three days for a novice user. This release is the first in a series of releases that will reduce the setup time to one hour (and in the future this will be including setting up VMs).

From now on, one may install Cuckoo by running $ pip install -U cuckoo. Of course there are still more steps to the installation, but assuming these have been met, installing and upgrading Cuckoo is as simple as running this one command. Note that, if pip install isn’t working properly, that it is very important to follow the OS-specific installation steps.

We have put a lot of effort in an attempt to reduce exactly those problems that have been reported by hundreds of our users. By doing so we hope to largely mitigate the following and many more previously common errors:

critical timeout has been hit errors
issues with Virtual Machines and/or missing snapshots
setup issues due to missing Python packages
incompatible Python package version numbers
incorrectly filled out configuration

This release features a lot of updates to the Cuckoo Web Interface and represents a start towards a simplified user experience allowing novice as well as advanced users to get the most out of it. Among many other updates we’d like to highlight the following improvements:

Fully featured submission page with support for nested archives and global & per-analysis advanced options.
Night & Cyborg themes for those of us that preferably work at night.
Lazy loading and filtering in the recent analysis page.
New dashboard, analysis summary, and network traffic pages.

With regards to usability we can inform you on the following topics:

Official Windows & Mac OS X host support
Introduction of cuckoo apps, a wrapper around all of the functionality present in Cuckoo. E.g., guess what running cuckoo -d, cuckoo api, cuckoo web, and cuckoo process do
A supervisor-based configuration file for semi-automatically running Cuckoo and making sure it keeps running
Unicode file name & large file support (e.g., files up to 1 GB have been tested successfully)
Ability to pass attachments (or the emails itself) from your email inbox straight to Cuckoo (using the nested archive support) to get realtime information on their maliciousness
Tor network routing support
Quick deployment of several servers using our Cuckoo module for SaltStack

Stability Improvements

This release contains a terrific amount of work on stability tweaks and unit testing. In particular, it features over 600 unit tests which combined perform unit tests over more than 50% of our code base. In addition to that there are also nearly 100 functional tests. This is a great step forward from our previous unit testing, which was practically none. This unit testing will ensure us that future changes won’t brick compatibility with older versions of Cuckoo, proof that new features actually work, and allow us to develop and release new features more quickly & consistently.

Naturally this new version isn’t just more stable – it also comes with improved (and optional) user support integrated. If an analysis doesn’t work as you’d expect it to, simply click on the feedback button and fill out the form as per your concerns. We’ll get a copy of the analysis (to the extent that you wish to share it with us) with your message and based on that we’re able to relatively quickly investigate the problem, come up with a fix or ETA on when it will be resolved, and stay in contact per email with you to ensure a sound fix on your Cuckoo setup and, by including any bug fixes to the upcoming release, ensure this bug will not happen anymore in the future.

Misc changes

If you have an older setup of Cuckoo Sandbox laying around that contains all of your configuration and analyses then we’ve got good news for you: in the new version you’ll be able to import an existing Cuckoo setup. Cuckoo will apply database migrations as well as configuration migrations (there are, e.g., several changes to cuckoo.conf as well as to the other configuration files) and prepare the new Cuckoo environment with all of your existing analyses. Upgrading your existing setup has never been this easy. Do keep in mind that any code changes that were applied to your local setup are not taken into account during this upgrade. These will have to be applied manually. Please reach out to our team for help on this matter.

There are many, many other smaller and bigger misc improvements part of this release. In all fairness, what else do you expect after a year of development? We’re going to quickly list some of these changes for your and our reference:

JSON logging (for integration with, e.g., Splunk or ELK/Grafana)
Updated report.html
Submission of sample hashes if a proper VirusTotal key has been configured
Correlation of Yara rules with Cuckoo Signatures to simplify creating such pairs (extremely useful for identifying a family/variant with Yara and using a Cuckoo Signature to extract any related information)
Proper extraction of SMTP traffic
IE11 support in our Cuckoo Monitor
“Trigger” support in Cuckoo Monitor, i.e., only start logging API calls from, e.g., Office Word once the actual document is being accessed (and therefore reducing on some junk API calls)
Improved PowerShell & .NET support in Cuckoo Monitor

Upcoming

We have lots of smaller and bigger changes still in the pipeline that will be included in the upcoming release(s). Due to upgrading being much easier from now on (i.e., $ pip install -U cuckoo) we’ll be able to push out updates more often – and we’ll certainly be doing so. May it be for new features, critical bug fixes, etc.

Following you’ll find some of our upcoming ideas, features, and tweaks:

Initial integration release of zer0m0n, Cuckoo’s Window Kernel driver
Better & updated Suricata integration
More complete Internet Explorer 11 support
PDF reports (based on the HTML report)
InetSim network routing support
Improve the Scoring to not be alpha-software quality
Start on a Web-based setup portal at startup
Proper searching capabilities (based on MongoDB & ElasticSearch)
Cuckoo documentation integrated into the Web Interface
Fixes for any and all bugs reported by user
Lots of stability improvements & more unit testing
… and already over 50 other tweaks & improvements 😉

Interested to see your feature requests, add-ons, and more in our upcoming version(s)? See also our contact information below & check out the did you know further down below.

Conclusions

This release brings many new features & functionality to our users. We hope that with the simplified setup & usage patterns a wider user base may be formed due to our project being more accessible & more easily integrated in any current environments.

For feedback & questions, please do not hesitate to seek contact with us on IRC (#cuckoosandbox on irc.freenode.net), our Github repository, or per email. If you’re interested to being kept up-to-date with future blog posts, releases, and other announcements, please send us an email as well and we’ll be sure to get back to you and allow you to be the first to hear news from our side!

Did you know?

Some facts that one may have missed:

We provide consultancy services for those organizations that need this. Think help with setup, setup verification, bug fixes, new features, custom integration, trainings, and everything else in and around Cuckoo!
Cuckoo may be integrated with local email solutions and IDS systems to identify ransomware and other potentially maliciousness before your coworkers open said files, preventing potential breaches and data loss.
We’ll be present and available for discussion at a variety of upcoming conferences, i.e., at least Hack in the Box Amsterdam, Blackhat & Defcon Las Vegas, and probably some others.