Cuckoo Sandbox 2.0.7

  • June 19, 2019
  • Ricardo van Zutphen

Time flies, as it has been more than a year since the 2.0.6 release. We thought it was time to release a new version that includes lots of things we have been working on. This release mostly consists of small code changes meant to increase the stability of Cuckoo. Please find the changes below.

Python 3

A word about Python 3 support. First, apologies for not being clear enough on this. We certainly have not forgotten about Python 3 and we are working on it. Thanks to all contributors that are working on making our dependencies Python 3 compatible, we are very grateful!

Vulnerability warnings

Libraries or other software components sometimes contain vulnerabilities. Recently, multiple VirtualBox vulnerabilities were patched by Oracle. Since Cuckoo uses VirtualBox by default, we want to warn our users when such a vulnerability exists. When Cuckoo starts, it checks if it has the latest version. This check now includes the ability to tell a Cuckoo setup that an installed VirtualBox or Python dependency version contains vulnerabilities. Cuckoo will abort startup and warn the user if one of these versions is installed and used.

If you prefer not to see this warning, you can disable the check entirely by setting ignore_vulnerabilities = yes under the [cuckoo] section of $CWD/conf/cuckoo.conf.

A new result server

The result server is the Cuckoo component that accepts collected results such as dropped files and behavioral logs from the analyzer. A completely rewritten and less CPU-intensive result server has been designed, resulting in fewer memory & performance issues when running Cuckoo for an extended period or while performing a large number of analyses.

Whitelisting

Cuckoo already has a whitelisting feature, but this feature has been polished a bit more. Cuckoo now allows for the whitelisting of IPs and domains, which enables you to, for example, filter out HTTP requests to a specific IP. There are also separate whitelists for the MISP reporting module, allowing you to keep the results in the reports, but not report them to MISP.

The whitelist files can be found at $CWD/whitelist/*.

Signature TTPs

Support for adding TTP identifiers to signatures has been added. These identifiers are linked to specific descriptions that will be included in the full Cuckoo report. They are not displayed on the web interface (yet). Multiple Cuckoo signatures have been updated to include TTPs. This is a signature example.
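To show how TTP identifiers travel from a signature into the report, here is an added example that is not code from the Cuckoo project or from this post. It assumes (as labelled in the comments) that the real base class cuckoo.common.abstracts.Signature exposes filter_apinames, on_call(), on_complete(), mark_call() and has_marks(), that 2.0.7's addition is a ttp list attribute on the signature, and that the engine resolves each identifier to a description when it builds the full report; the signature name, the TTP description table and the behavioral-log records are constructed for the example.

```python
"""Added example, not from the Cuckoo project: a 2.0.7-style signature that
carries TTP identifiers, plus a tiny stand-in for the signature engine so the
block runs offline without a Cuckoo installation."""


class Signature(object):
    """Stand-in for cuckoo.common.abstracts.Signature (assumed API subset)."""
    name = ""
    description = ""
    severity = 1
    categories = []
    authors = []
    minimum = "2.0"
    ttp = []                # assumed 2.0.7 attribute: TTP identifiers for this signature
    filter_apinames = set()  # the engine only delivers these APIs to on_call()

    def __init__(self):
        self.marks = []

    def mark_call(self, **kwargs):
        self.marks.append({"type": "call", "call": kwargs})

    def has_marks(self):
        return bool(self.marks)

    def on_call(self, call, process):
        return None

    def on_complete(self):
        return self.has_marks()


class InjectionRemoteThread(Signature):
    name = "injection_remote_thread"   # hypothetical signature name
    description = "Creates a thread in a remote process (possible code injection)"
    severity = 3
    categories = ["injection"]
    authors = ["example"]
    minimum = "2.0"
    ttp = ["T1055"]                    # ATT&CK T1055 is Process Injection
    filter_apinames = set(["CreateRemoteThread", "NtCreateThreadEx"])

    def on_call(self, call, process):
        # Every call that reaches us already matched filter_apinames.
        self.mark_call(api=call["api"], pid=process["pid"])

    def on_complete(self):
        return self.has_marks()


# Constructed description table; the real mapping ships with Cuckoo.
TTP_DESCRIPTIONS = {
    "T1055": "Process Injection",
}


def run_signatures(signatures, processes):
    """Feed each process's calls to every signature and build the report part
    that lists matched signatures together with their TTP descriptions."""
    report = {"signatures": [], "ttps": {}}
    for sig in signatures:
        for proc in processes:
            for call in proc["calls"]:
                if sig.filter_apinames and call["api"] not in sig.filter_apinames:
                    continue
                sig.on_call(call, proc)
        if sig.on_complete():
            report["signatures"].append({
                "name": sig.name,
                "severity": sig.severity,
                "ttp": list(sig.ttp),
                "marks": sig.marks,
            })
            for ttp_id in sig.ttp:
                report["ttps"][ttp_id] = TTP_DESCRIPTIONS.get(ttp_id, "unknown TTP")
    return report


# Constructed behavioral-log sample, not real analyzer output.
SAMPLE_PROCESSES = [
    {"pid": 1234, "calls": [{"api": "NtOpenProcess"}, {"api": "CreateRemoteThread"}]},
    {"pid": 5678, "calls": [{"api": "RegOpenKeyExW"}]},
]

if __name__ == "__main__":
    print(run_signatures([InjectionRemoteThread()], SAMPLE_PROCESSES))
```

Running the block matches the signature against the first process only and emits a report whose ttps section maps T1055 to its description, which is the information the post says is written to the full report but not yet shown in the web interface.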

General improvements and conclusion

Cuckoo and its supporting processes should now clean up more reliably when they are stopped. There have been heaps of smaller unmentioned changes, all aimed at cleaning up the code base, improving stability and reducing unexpected behavior, as well as adding support for VirtualBox 6.

Among those changes, the following community contributions were merged:

#2713, #2706, #2726, #2679, #2176, #2426, #2365, #2001, #2738, #2741, and #2617.

Thanks to the contributors!

There still are plenty of things on our to-do list, including macOS and Android support as part of Google Summer of Code, many of which we are working on.

Thanks to our great community for using and helping us develop Cuckoo Sandbox!
