Automated Malware Analysis

Cuckoo 1.0

  • January 09, 2014
  • Claudio Guarnieri

It took a while.

After almost four years of development, ups and downs, more people joining the project and more people using it, we finally reached version 1.0.

We've been procrastinating a lot while trying to get this release done, mainly for the concern of having a mature enough software worthy of the release code, but it's finally completed and ready for download!

There is a number of improvements, bugfixes and new features available in this release. Most importantly Cuckoo is now provided with a full- fledged Django and MongoDB-powered web interface. Similarly to Malwr, you can use it to submit files and URLs, browse through the analyses as well as search across the full dataset.


Other noteworthy additions are support for VMWare ESXi, new modules, more analysis packages and an overall improvement in stability and reliability of the software.


Following is the CHANGELOG for this version:

  • Introduced Auxiliary modules
  • Added option to set sniffing interface for each virtual machine
  • Added option to set snapshot for each virtual machine
  • Added pagination to API
  • Added option to REST API to return compressed archives of files ("all" and "dropped")
  • Added option to set Result Server IP and port for each virtual machine
  • Added processing module for volatility to analyze memory dumps, disabled by default
  • Added new "reported" status for analysis tasks
  • Added automated rescheduling of locked tasks at startup
  • Added tags to machines
  • Added reduced behavioral events
  • Added new Django/Mongo-powered web interface
  • Added Windows analyzer auxiliary module to disguise the analysis environment
  • Added VBS, CPL and RTF analysis package
  • Added generic analysis package to execute samples via cmd.exe
  • Added MAEC 4.0.1 reporting module
  • Added filter for private networks in Network Analysis processing module
  • Added max_analysis_count to cuckoo.conf to automatically shutdown Cuckoo
  • Added check for available disk space
  • Added support for BSON logging format
  • Added option to specify a custom DLL to the analyzer and the analysis packages
  • Added ICMP protocol dissection
  • Added ESX Virtual Machine Manager
  • Slightly improved CuckooMon's stealthiness and stability
  • Refactored processing to improve performances
  • Refactored signature engine, introducing event-based signatures to improve performances
  • Refactored generation of process tree
  • Transitioned network sniffer to auxiliary module
  • Renamed MachineManagers to Machinery modules
  • Renamed Metadata to MMDef reporting module
  • Fixed virtual machine clock, now is updated to current time or specified by user via --clock option
  • Fixed bug in Human auxiliary module, now moving cursor to absolute positions
  • Fixed issue in Human auxiliary module, using SetCursorPos instead of mouse_event
  • Fixed issues with resolving relative filenames in CuckooMon
  • Removed support for GrayLog2
  • Removed pickle reporting module
  • Removed MAEC 1.1 reporting module

Known Issues

At the moment we are only aware of one existing issue when analyzing .NET applications. In most cases you'll have inconsistent results and possibly crashes or sudden termination of the analyzed binary.

We are currently investigating the issue and we'll hopefully have a fix in the near future.


This release represents an important landmark for the maturity of the project. We've made it this far thanks to the support of the community and the outstanding work of our developers and our contributors, committed into providing a valuable open source software to the public and dedicating every bit of time to it.


  • January 09, 2014
  • Claudio Guarnieri

Cuckoo Sandbox 2.0 -