Automated Malware Analysis

Cuckoo Sandbox 2.0.0

  • March 30, 2017
  • Jurriaan Bremer

Today represents a big day for Cuckoo Sandbox (the leading open source automated malware analysis sandbox). After a years worth of work we're finally releasing a first version of the Cuckoo Package (codename "package"). As with most of our releases this version introduces many improvements, new concepts, stability tweaks, and so much more that we won't be able to go into every detail in this post.


The Cuckoo Package shapes a new future when it comes to deployment, maintenance, user interaction & experience, and the development cycle of Cuckoo Sandbox itself. It's our biggest improvement on usability & UX so far since our early days in 2010 and as such defines the start of a new era for both the development team as well as our users.

We'll go through the various different improvements by splitting 'em up into three different categories: usability & UX, stability improvements, and misc changes.

Usability & UX

By far the most important step forward of this release is a first start on our goal of simplifying the initial setup for our users. It has been known that installing Cuckoo Sandbox may take up to three days for a novice user. This release is the first in a series of releases that will reduce the setup time to one hour (and in the future this will be including setting up VMs).

From now on, one may install Cuckoo by running $ pip install -U cuckoo. Of course there are still more steps to the installation, but assuming these have been met, installing and upgrading Cuckoo is as simple as running this one command.

We have put a lot of effort in an attempt to reduce exactly those problems that have been reported by hundreds of our users. By doing so we hope to largely mitigate the following and many more previously common errors:

  • critical timeout has been hit errors
  • issues with Virtual Machines and/or missing snapshots
  • setup issues due to missing Python packages
  • incompatible Python package version numbers
  • incorrectly filled out configuration.

This release features a lot of updates to the Cuckoo Web Interface and represents a start towards a simplified user experience allowing novice as well as advanced users to get the most out of it. Among many other updates we'd like to highlight the following improvements:

  • Fully featured submission page with support for nested archives and global & per-analysis advanced options.
  • Night & Cyborg themes for those of us that also work at night.
  • Lazy loading and filtering in the recent analysis page.
  • New dashboard, analysis summary, and network traffic pages.

With regards to usability we can inform you on the following topics:

  • Official Windows & Mac OS X host support.
  • Introduction of cuckoo apps, a wrapper around all of the functionality present in Cuckoo. E.g., guess what running cuckoo -d, cuckoo api, cuckoo web, and cuckoo process do.
  • A supervisor-based configuration file for semi-automatically running Cuckoo.
  • Unicode file name & large file support (e.g., files up to 1 GB have been tested successfully).
  • Ability to pass attachments from your email inbox straight to Cuckoo (using the nested archive support) to get realtime information on their maliciousness.
  • Tor & InetSim network routing support.
  • Quick deployment of several servers using our Cuckoo module for SaltStack.

Stability Improvements

This release contains a terrific amount of work on stability tweaks and unit testing. In particular, it features over 600 unit tests which combined perform unit tests over more than 50% of our code base. In addition to that there are also nearly 100 functional tests. This is a great step forward from our previous unit testing, which was practically none. This unit testing will ensure us that future changes won't brick compatibility with older versions of Cuckoo, proof that new features actually work, and allow us to develop and release new features more quickly & consistently.

Naturally this new version isn't just more stable - it also comes with improved (and optional) user support integrated. If an analysis doesn't work as you'd expect it to, simply click on the feedback button and fill out the form as per your concerns. We'll get a copy of the analysis (to the extent that you wish to share it with us) with your message and based on that we're able to relatively quickly investigate the problem, come up with a fix or ETA on when it will be resolved, and stay in contact per email with you to ensure a sound fix on your Cuckoo setup and, by including any bug fixes to the upcoming release, ensure this bug will not happen anymore in the future.

Misc changes

If you have an older setup of Cuckoo Sandbox laying around that contains all of your configuration and analyses then we've got good news for you: in the new version you'll be able to import an existing Cuckoo setup. Cuckoo will apply database migrations as well as configuration migrations (there are, e.g., several changes to cuckoo.conf as well as to the other configuration files) and prepare the new Cuckoo environment with all of your existing analyses. Upgrading your existing setup has never been this easy. Do keep in mind that any code changes that were applied to your local setup are not taken into account during this upgrade. These will have to be applied manually. Please reach out to our team for help on this matter.

There are many, many other smaller and bigger misc improvements part of this release. In all fairness, what else do you expect after a year of development? We're going to quickly list some of these changes for your and our reference:

  • JSON logging (for integration with, e.g., Splunk)
  • Newly updated report.html & its report.pdf counterpart
  • Submission of sample hashes if a proper VirusTotal key has been configured
  • Correlation of Yara rules with Cuckoo Signatures to simplify creating such pairs (extremely useful for identifying something with Yara and using a Cuckoo Signature to extract the related information)
  • Proper extraction of SMTP traffic
  • IE11 support in our Cuckoo Monitor
  • "Trigger" support in Cuckoo Monitor, i.e., only start logging API calls from, e.g., Office Word once the actual document is being accessed (and therefore reducing on some junk API calls)
  • Improved PowerShell support in Cuckoo Monitor


This release brings many new features & functionality to our users. We hope that with the simplified setup & usage patterns a wider user base may be formed due to our project being more accessible & more easily integrated in any current environments.

For feedback & questions, please do not hesitate to seek contact with us on IRC (#cuckoosandbox on, our Github repository, or per email.

Did you know?

Some facts that one may have missed:

  • We provide consultancy services for those organizations that need this. Think help with setup, bug fixes, new features, custom integration, trainings, and everything else in and around Cuckoo!
  • Cuckoo may be integrated with local email solutions and IDS systems to identify ransomware and other potentially maliciousness before your coworkers open said files, preventing potential breaches and data loss.
  • We're once again participating in Google Summer of Code and are still looking for students.

All of this wouldn't have been possible without our great users & sponsors. Thanks to everyone for using and supporting Cuckoo Sandbox - you know who you are.

  • March 30, 2017
  • Jurriaan Bremer

Cuckoo Sandbox 2.0 -