Automated Malware Analysis

Cuckoo Sandbox 1.2

  • March 04, 2015
  • Claudio Guarnieri

A number of new tools, forks, services and products emulating our efforts have been appearing, casting some shadows and doubts over the future of our project. Fear not: we are as committed as ever to producing one of the best free software resources for the malware research community.

We're here to stay, and here's the proof of that. Cuckoo Sandbox 1.2 is now available for download! Visit the Download page, get your copy, read the documentation, and fire it up.

This release's changelog is one of the longest so far, and it includes numerous new features that our users have been requesting for a long time, for example support for bare-metal and XenServer analysis, contributed respectively by MITRE and Adam Meily. In Cuckoo Sandbox 1.2 we also support Volatility 2.4 and have improved the results generated by the integration of the two tools. We see in Cuckoo and Volatility two irreplaceable tools in a malware analyst's arsenal, and we invite you all to research additional ways to enhance their integration.

Many improvements were made to the Django-based web interface, which has most certainly become the primary and most recommended way to consume the results of Cuckoo Sandbox analyses.

Network Streams View

Cuckoo's network analysis is still far from perfect and we are working to improve it. Version 1.2 already includes some interesting improvements, including for example the ability to collect all TCP and UDP streams and inspect the full hex dump of their content:
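As an added illustration of what the streams view does (this is example code, not Cuckoo's own implementation), the snippet below groups packets into bidirectional TCP and UDP streams and renders each one as a hex dump. The packets are constructed sample data passed in as tuples; a real tool would take them from the analysis PCAP.

```python
# Added example, not Cuckoo Sandbox code: reassemble constructed packets
# into bidirectional TCP/UDP streams and render each stream as a hex dump.
from collections import OrderedDict


def flow_key(proto, src, sport, dst, dport):
    """Canonical key so both directions of a conversation share one stream."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def collect_streams(packets):
    """packets: iterable of (proto, src, sport, dst, dport, payload).

    Returns an ordered mapping flow_key -> list of (direction, payload),
    skipping non-TCP/UDP packets and empty segments (pure ACKs).
    """
    streams = OrderedDict()
    for proto, src, sport, dst, dport, payload in packets:
        if proto not in ("tcp", "udp") or not payload:
            continue
        key = flow_key(proto, src, sport, dst, dport)
        # "->" means the packet travels from the key's first endpoint.
        direction = "->" if (src, sport) == key[1:3] else "<-"
        streams.setdefault(key, []).append((direction, payload))
    return streams


def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (off, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)


def render_stream(key, chunks):
    """Human-readable view of one stream: header plus per-direction dumps."""
    proto, src, sport, dst, dport = key
    out = ["%s %s:%d <-> %s:%d (%d chunks)" % (proto, src, sport, dst, dport, len(chunks))]
    for direction, payload in chunks:
        out.append(direction)
        out.append(hexdump(payload))
    return "\n".join(out)


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    ("tcp", "192.168.56.101", 49152, "203.0.113.10", 80,
     b"GET /update.bin HTTP/1.1\r\nHost: update.invalid\r\n\r\n"),
    ("tcp", "203.0.113.10", 80, "192.168.56.101", 49152,
     b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nMZ\x90\x00"),
    ("tcp", "192.168.56.101", 49152, "203.0.113.10", 80, b""),  # pure ACK
    ("udp", "192.168.56.101", 53012, "192.168.56.1", 53,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]


def main():
    for key, chunks in collect_streams(SAMPLE_PACKETS).items():
        print(render_stream(key, chunks))
        print()


if __name__ == "__main__":
    main()
```

Keying the stream on the sorted endpoint pair is what lets the view show both request and response of one conversation together; the empty ACK segment is dropped so it does not produce an empty chunk in the dump.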


Comparative Analysis

As malware analysts we often need to compare the execution of different malware samples to estimate their degree of similarity. Similarly, it is sometimes useful to compare analyses of the same sample on different systems, for example Windows XP and Windows 7, to verify whether it takes different execution paths.

We have wanted this capability in Cuckoo Sandbox for a long time, and in one of our latest additions we laid the foundation for what we refer to as comparative analysis. Starting from an analysis report, you are now able to select other analyses of the same file, or analyses of different files, and initiate a comparison:


Currently the content of the comparative analysis is limited and it just portrays a graphical representation of the category of events executed by the malware in the two analyses:


While this is useful to get a high-level idea of how similar the two analyses are, we want to see the comparative analysis grow into a sophisticated and irreplaceable tool that helps malware analysts in their work and makes better use of Cuckoo Sandbox reports.
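To make concrete what a category-level comparison can and cannot tell you, here is an added example (not Cuckoo's comparative analysis code) that builds a per-category event profile for two analyses, scores their similarity, and then goes one step beyond the page by also comparing the actual API names, which is where the two runs differ. The two call logs are constructed sample data, shaped loosely like the category/api pairs in Cuckoo's behaviour logs.

```python
# Added example, not Cuckoo Sandbox code: compare two analyses first by
# category of events (as the 1.2 skeleton does) and then by API name.
import math
from collections import Counter


def category_profile(calls):
    """Number of events per category (filesystem, registry, network, ...)."""
    return Counter(call["category"] for call in calls)


def cosine_similarity(p, q):
    """Cosine similarity between two category-count vectors (0.0 .. 1.0)."""
    cats = set(p) | set(q)
    dot = sum(p.get(c, 0) * q.get(c, 0) for c in cats)
    norm_p = math.sqrt(sum(v * v for v in p.values()))
    norm_q = math.sqrt(sum(v * v for v in q.values()))
    return dot / (norm_p * norm_q) if norm_p and norm_q else 0.0


def api_jaccard(calls_a, calls_b):
    """Jaccard overlap of the distinct API names seen in each analysis."""
    apis_a = {c["api"] for c in calls_a}
    apis_b = {c["api"] for c in calls_b}
    union = apis_a | apis_b
    return len(apis_a & apis_b) / len(union) if union else 1.0


def compare(calls_a, calls_b):
    """Side-by-side category table plus similarity scores for two analyses."""
    pa, pb = category_profile(calls_a), category_profile(calls_b)
    cats = sorted(set(pa) | set(pb))
    return {
        "categories": [(c, pa.get(c, 0), pb.get(c, 0)) for c in cats],
        "only_in_a": sorted(set(pa) - set(pb)),
        "only_in_b": sorted(set(pb) - set(pa)),
        "category_similarity": round(cosine_similarity(pa, pb), 3),
        "api_similarity": round(api_jaccard(calls_a, calls_b), 3),
    }


# Constructed sample logs: the same sample on XP and on Windows 7, where the
# Windows 7 run never reaches the network stage (a different execution path).
ANALYSIS_XP = [
    {"category": "filesystem", "api": "NtCreateFile"},
    {"category": "filesystem", "api": "NtWriteFile"},
    {"category": "registry", "api": "RegSetValueExA"},
    {"category": "network", "api": "InternetOpenUrlA"},
    {"category": "process", "api": "CreateProcessInternalW"},
]
ANALYSIS_WIN7 = [
    {"category": "filesystem", "api": "NtCreateFile"},
    {"category": "filesystem", "api": "NtWriteFile"},
    {"category": "registry", "api": "RegSetValueExA"},
    {"category": "process", "api": "NtTerminateProcess"},
]


def main():
    result = compare(ANALYSIS_XP, ANALYSIS_WIN7)
    print("%-12s %6s %6s" % ("category", "A", "B"))
    for cat, a, b in result["categories"]:
        print("%-12s %6d %6d" % (cat, a, b))
    print("only in A:", result["only_in_a"])
    print("only in B:", result["only_in_b"])
    print("category similarity:", result["category_similarity"])
    print("API-name similarity:", result["api_similarity"])


if __name__ == "__main__":
    main()
```

The category vectors of the two runs score above 0.9 even though one run never touched the network and the process-handling calls differ entirely; the API-level overlap is only 0.5. That gap is the reason a category chart is a starting point for comparison rather than a verdict.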

If you have ideas on how to expand this, please send us feedback, suggestions and code.


Following is the full CHANGELOG for this version:

  • Added support for baremetal analysis (physical machinery module)
  • Added XenServer machinery module
  • Added process memory processing module
  • Added support for Volatility 2.4 and additional modules
  • Added more memory analysis information to web interface
  • Added memory dump to VMWare workstation module
  • Added machine information in reports
  • Added skeleton for comparative analysis of two reports
  • Added TCP and UDP streams hexdump view
  • Added possibility to delete analysis from web interface
  • Added search by string to web interface
  • Added dynamic search of API call logs to web interface
  • Added display of PE compilation time to web interface
  • Added memory dump download to web interface
  • Refactored analysis packages and simplified syntax
  • Added analysis package for Microsoft PowerPoint
  • Added analysis package for MSI (Windows installer package)
  • Added analysis package for Python scripts
  • Added loader option to DLL analysis package (fake parent process)
  • Added additional signatures helper functions
  • Added terminate_processes option to terminate processes before virtual machine shutdown
  • Added option to skip an area when comparing screenshots, avoiding duplicates
  • Added automatic generation of Yara rules indexes
  • Added support for Pillow (PIL fork)
  • Added machine utility to automatically update machinery configuration
  • Added utility to distribute analysis across Cuckoo instances
  • Added un-hook detection (if malware removes Cuckoo's hooks)
  • Added Microsoft Crypto API hooks
  • Added optional aggressive sleep skipping mode
  • Allow Auxiliary modules to run a callback at the very end of an analysis
  • Replaced ./utils/ with ./ --clean
  • Replaced diStorm3 disassembler with Capstone disassembler
  • Fixed to use delete_original and delete_bin_copy when used in auto mode
  • Fixed analysis of HTML pages without a proper extension
  • Fixed logic bug in mouse activity emulator
  • Fixed bug in the sleep skipping mechanism
  • Fixed memory leak if using an old version of python-magic
  • Fixed out of memory exceptions when calculating hash of big files
  • Fixed BPF filter to skip agent traffic from PCAP
  • Fixed a variety of bugs in Windows analyzer
  • Fixed a number of anti-sandbox tricks
  • Fixed locking issues with SQLite database
  • Removed hpfeeds reporting module

