Automated Malware Analysis

Cuckoo Sandbox 2.0.6

  • June 07, 2018
  • Jurriaan Bremer

We decided that half a year was long enough to warrant a new release. Below you will find a number of improvements we've been working on, and you can expect some big changes in the upcoming 2.1 release!

Note that one may install the latest version of Cuckoo by running pip install -U cuckoo. When upgrading from an older version you'll also have to run some database migrations (i.e., by running cuckoo migrate) and that's it :-)

Community Guidelines

They have been in use since February, but this is the official announcement: we now have community guidelines. They explain how to contribute and how to report issues in a way that lets us solve them quickly. We've already noticed that many users provide more accurate information when reporting potential bugs or asking questions than before we had the community guidelines, so in that sense it’s a good step forward.

New & improved file extension support

Cuckoo now supports the correct opening of encoded JavaScript (.jse), Internet shortcut (.url), Excel web query (.iqy), and Data exchange (.slk) files. Together with new community signatures, Cuckoo can extract the URLs that these files use to retrieve remote resources.

Besides support for a few new file formats, a bug in automatic analysis package selection was also fixed. The bug caused an error in automatic package selection if Cuckoo was unable to determine the type of a file submitted through the web interface.
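As an added example, not part of the Cuckoo release or its community signatures, the following Python script pulls the remote-resource URLs out of .url, .iqy and .slk files in the way a triage step would; the samples and the example.invalid host are constructed for the demonstration.

```python
import configparser
import re
# Stop at whitespace, quotes, ';' (SLK field separator) and ')' (formula close).
URL_RE = re.compile(r"https?://[^\s\"';)]+", re.IGNORECASE)

def urls_from_url_file(data: str) -> list:
    """Internet shortcut: INI text with a URL= key under [InternetShortcut]."""
    cp = configparser.RawConfigParser(strict=False)  # tolerate duplicate keys
    cp.read_string(data)
    return [cp.get(s, "url").strip() for s in cp.sections()
            if s.lower() == "internetshortcut" and cp.has_option(s, "url")]

def urls_from_iqy(data: str) -> list:
    """Excel web query: line 1 is 'WEB', line 2 the version, line 3 the URL."""
    lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return []
    return URL_RE.findall(lines[2])

def urls_from_slk(data: str) -> list:
    """SYLK: ';'-separated records; a 'C' cell record carries its value in a
    K field and its formula in an E field (URL_RE never spans a ';')."""
    found = []
    for record in data.splitlines():
        fields = record.split(";")
        if fields[0] != "C":
            continue
        for field in fields[1:]:
            if field[:1] in ("K", "E"):
                found.extend(URL_RE.findall(field[1:]))
    return found

HANDLERS = {".url": urls_from_url_file, ".iqy": urls_from_iqy, ".slk": urls_from_slk}

def extract_urls(filename: str, data: str) -> list:
    """Dispatch on the file extension; unknown types yield an empty list."""
    ext = filename[filename.rfind("."):].lower()
    return HANDLERS.get(ext, lambda _d: [])(data)

# Constructed samples; example.invalid is a reserved, non-resolving domain.
SAMPLES = {
    "a.url": "[InternetShortcut]\r\nURL=http://example.invalid/remote.txt\r\nIconIndex=0\r\n",
    "b.iqy": "WEB\n1\nhttp://example.invalid/query.dat\n\nSelection=EntirePage\n",
    "c.slk": 'ID;PWXL;N;E\nC;X1;Y1;K"see http://example.invalid/data.csv"\n'
             'C;X2;Y1;EHYPERLINK("https://example.invalid/x")\nE\n',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, extract_urls(name, body))
```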

RDP / VNC support

From now on, users who have Guacamole installed in their Cuckoo backend and have configured Cuckoo accordingly will be able to view the VM screen from within the Cuckoo Web Interface and interact with analyses in real time. This is supported under Linux with VirtualBox and KVM.

Roach

In order to provide more in-depth capabilities for analyzing Cuckoo Process Memory Dumps we have introduced Roach, a small library that abstracts away common operations needed while parsing process memory dumps. Briefly, it covers operations such as decompression, decryption, hashing, PE parsing, structure parsing, and disassembly.

Unicode filename support

We've already addressed this issue in earlier Cuckoo releases (namely, 2.0.0 and 2.0.4); however, the Cuckoo Analyzer would still crash when documents (e.g., PDF or Office documents) with Unicode filenames were submitted. This has now been resolved by patching Python 2.7 to use the Windows API CreateProcessW instead of CreateProcessA internally.

Improved 64-bit Windows support

We've improved Cuckoo support for 64-bit Windows on both the Host and the Guest.

On the Host we had issues with the magic(5) library not working under 64-bit Windows, i.e., sflock wasn't able to determine the file type of submitted files, which crippled the package selection logic.

On the Guest we had issues with some native Win32 API calls, resulting in crashes. Both issues have now been resolved, and 64-bit Windows support is now covered by our extensive unit tests, which are run on AppVeyor CI after each Git push.

Startup time improvements

By no longer automatically loading a number of libraries, the various Cuckoo commands now start almost a second faster than before, noticeably improving the user experience.

New feedback form

This version features a shiny new design for the feedback form which allows users to provide the Cuckoo Sandbox team with feedback. These new UI elements should pave the way for future UI styling options in the Cuckoo Web Interface.

Conclusions

That's it for today's release. We hope you enjoy it, and we'll try to include some more screenshots next time! As always we’d love to hear your feedback and are working hard on further shaping Cuckoo Sandbox.
