Automated Malware Analysis

Cuckoo Sandbox 1.1

  • April 07, 2014
  • Claudio Guarnieri

This release should have come a lot earlier; instead it took three months. Initially we meant to push out a quick hotfix that would resolve some bugs affecting Cuckoo 1.0.

As we procrastinated, more features and contributions quickly came in. Several new features have been added along with the anticipated bug fixes, making for a decent 1.1 release.

Several improvements have been made to the Django web interface, which has taken priority over all the other reporting modules. Among them are search by URL and by imphash, and the possibility to queue one task to all available analysis machines at once.

In addition, thanks to an initial contribution from SpoonBoy, it is now possible to filter the API calls in the behavioral analysis section by category by clicking on the corresponding colored badge. For example, in the picture below, clicking on the synchronization badge resulted in only an NtCreateMutant call being displayed:

/assets/images/blog/11/G9Kbled.png

Clicking on the default badge will remove the filter.
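The badge filter is easy to reproduce outside the web interface, which is handy when you want the same view over a report.json you pulled from the API. The following is an added example, not code from the Cuckoo web interface: it walks the report layout Cuckoo writes (a "calls" list under each entry of behavior.processes, each call carrying "category" and "api" fields), counts calls per category (the badge numbers) and returns the calls for one category, treating "default" as "no filter" just like the badge. The report fragment is constructed for the example and is not from a real analysis.

```python
"""Filter the API calls of a Cuckoo behavioral log by category.

Added example, not part of Cuckoo's own code. Field names follow the
layout of Cuckoo's JSON report (behavior.processes[].calls[] with
"category" and "api" keys); the category names are the ones CuckooMon
assigns to its hooks, e.g. "synchronization" for NtCreateMutant.
"""

# Constructed report fragment (not taken from a real analysis).
REPORT = {
    "behavior": {
        "processes": [
            {
                "process_id": 1234,
                "process_name": "sample.exe",
                "calls": [
                    {"category": "filesystem", "api": "NtCreateFile",
                     "arguments": [{"name": "FileName",
                                    "value": "C:\\Users\\user\\AppData\\Local\\Temp\\x.tmp"}]},
                    {"category": "synchronization", "api": "NtCreateMutant",
                     "arguments": [{"name": "MutexName", "value": "Global\\MyMutex"}]},
                    {"category": "registry", "api": "RegOpenKeyExA",
                     "arguments": [{"name": "Registry", "value": "HKEY_CURRENT_USER"}]},
                    {"category": "filesystem", "api": "NtWriteFile", "arguments": []},
                ],
            },
            {
                "process_id": 1300,
                "process_name": "cmd.exe",
                "calls": [
                    {"category": "process", "api": "CreateProcessInternalW",
                     "arguments": []},
                ],
            },
        ]
    }
}


def category_counts(report):
    """Count calls per category across all processes (the badge numbers)."""
    counts = {}
    for proc in report["behavior"]["processes"]:
        for call in proc["calls"]:
            counts[call["category"]] = counts.get(call["category"], 0) + 1
    return counts


def filter_calls(report, category="default"):
    """Return (process_name, api) pairs for every call in the given category.

    "default" clears the filter and returns every call, as the default
    badge does in the web interface.
    """
    selected = []
    for proc in report["behavior"]["processes"]:
        for call in proc["calls"]:
            if category == "default" or call["category"] == category:
                selected.append((proc["process_name"], call["api"]))
    return selected


if __name__ == "__main__":
    print(category_counts(REPORT))
    print(filter_calls(REPORT, "synchronization"))
    print(filter_calls(REPORT, "default"))
```

Run against a real report.json, the same two functions work unchanged; only the constructed REPORT dict needs to be replaced with the parsed file.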

Another important addition is a database migration utility by jekil. Multiple users complained about the incompatibility across versions that prevented them from importing their old datasets into newer versions of Cuckoo. The underlying problem was generally an incompatible database schema that needed to be migrated. Now we have a utility for it, which you'll find explained in our documentation.

Several bug fixes are included in this release, most importantly two in our DLL, CuckooMon. One caused Internet Explorer and Firefox to crash while being analyzed. The other mistakenly tried to resolve mutex names as file paths, which is why in your recent analyses you observed a weird "C:" prefixing the mutex names; sorry about that.

Changelog

Following is the CHANGELOG for this version:

  • Added imphash to static PE analysis
  • Added search for URLs in the web interface
  • Added search for PE Imphash in the web interface
  • Added possibility in web interface to queue to all machines
  • Added filtering by behavior category in Django web interface
  • Added analyzer log to Django web interface
  • Added REST API to retrieve screenshots associated with a task
  • Added REST API to retrieve the PCAP associated with a task
  • Added database migration utility
  • Added remote submission to submit.py utility
  • Added small stats utility (utils/stats.py)
  • Added analysis package for PowerShell scripts
  • Added overlay configuration for signatures (data/signatures_overlay.json)
  • Fixed bug in MAEC report
  • Fixed package selection for Office documents and CPL scripts
  • Fixed issue with tcpdump filters
  • Fixed unhandled exception when uploading files to the analysis machines
  • Fixed issues in CuckooMon that resulted in Internet Explorer crashes
  • Fixed bug in CuckooMon that caused mutexes to be resolved as file paths
  • Fixed bug in behavior processing module that resulted in a trailing backslash in summary's registry keys
  • Multiple minor bug fixes
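The imphash that the static PE analysis and the web interface search now expose is the Mandiant import hash: each imported function is written as "<dll without extension>.<function>" in lowercase, the entries are joined with commas in import-table order, and the result is MD5-hashed. The block below is an added example, not Cuckoo's own implementation; it takes the import table as a list of (dll, [function names or ordinals]) pairs, an input format assumed here so the example runs without parsing a real PE, and includes only a small excerpt of the ws2_32/oleaut32 ordinal tables that a complete implementation resolves ordinal imports against. The sample import table is constructed and does not come from any real binary.

```python
"""Compute the import hash (imphash) of a PE import table.

Added example, not code from the Cuckoo project. The normalization
rules (lowercase, strip .dll/.ocx/.sys, "lib.func" entries joined by
commas, MD5) are the imphash scheme; the ordinal tables below are an
excerpt only (assumption: a real tool ships the full export lists of
ws2_32.dll and oleaut32.dll).
"""
import hashlib

# Partial ordinal-to-name tables, keyed by the full DLL name in lowercase.
ORDINAL_NAMES = {
    "ws2_32.dll": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   23: "socket", 115: "WSAStartup"},
    "oleaut32.dll": {2: "SysAllocString", 6: "SysFreeString", 8: "VariantInit"},
}


def _lib_key(dll):
    """Lowercase the DLL name and drop a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return name


def _func_name(dll, imp):
    """Resolve one import to a function name.

    Named imports are used as given; imports by ordinal are looked up in
    the table for that DLL and fall back to "ordN" when the ordinal is
    unknown, so the hash stays stable even without a complete table.
    """
    if isinstance(imp, int):
        return ORDINAL_NAMES.get(dll.lower(), {}).get(imp, "ord%d" % imp)
    return imp


def imphash_string(imports):
    """Return the normalized, comma-joined import list that gets hashed.

    imports: list of (dll_name, [function_name_or_ordinal, ...]) pairs in
    import-table order. Order matters: the hash is meant to fingerprint
    the linker's layout, not the set of imports.
    """
    entries = []
    for dll, funcs in imports:
        lib = _lib_key(dll)
        for imp in funcs:
            entries.append("%s.%s" % (lib, _func_name(dll, imp).lower()))
    return ",".join(entries)


def imphash(imports):
    """Return the imphash as a 32-character hex MD5 digest."""
    return hashlib.md5(imphash_string(imports).encode("utf-8")).hexdigest()


# Constructed sample import table (not taken from a real binary).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileA", "WriteFile", "GetProcAddress"]),
    ("WS2_32.dll", [23, 4, 115]),   # socket, connect, WSAStartup by ordinal
    ("oleaut32.dll", [2, 500]),     # SysAllocString, plus an unknown ordinal
]


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two samples that import the same functions in a different order therefore get different imphashes, while renaming a DLL from KERNEL32.dll to kernel32.DLL, or changing the case of a function name, does not change the hash; that is exactly what makes the value useful as a search key for related builds of the same tool.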

Known Issues

The issue with analyzing .NET applications still remains.

Conclusions

Due to the multiple fixes and additions introduced, we urge everybody to upgrade their Cuckoo setup to this latest version and to get back to us with feedback and bug reports.

As a side note, all the development is now moved to the master branch on our GitHub repository and the issue tracking has also been permanently moved to the same platform.

Enjoy.
