Automated Malware Analysis

To the end of the World!

  • December 20, 2012
  • Claudio Guarnieri

Today brings good and bad news.

The bad news is that we're all gonna die tomorrow. The good news is that you can wait for the end with a new, fresh, apocalyptic version of Cuckoo Sandbox.

That's right, Cuckoo Sandbox 0.5 "To The End Of The World" is here, and it's so good that you're gonna beg the Valkyries for one more day to play with it. It's so good that, if it turns out the Maya were completely wrong, you're not gonna regret having spent the last hours of your life running Cuckoo, just as we won't regret having spent the last hours of our lives coding it.

Without any doubt, this is the best release we've done so far, in terms of stability, quality and new features alike. Some of the highlights of 0.5 are native URL analysis, a REST API, support for Windows 7 and overall far more solid, higher-quality analysis. Execution is much more stable and reliable compared to previous versions and a lot of bugs have been fixed (and likely a lot more have been introduced ;).

While there are a lot of details to be discussed, we'll reserve some juice for some follow-up blog posts. You can now go ahead and download it and read the documentation to get started.

We wish you all a Merry Christmas and a Happy New Year. We'll see you in Valhalla, keepin' on bringing you open source freshness since 2010.

Lastly, we leave you with the complete CHANGELOG:

  • Added native support for URL analysis
  • Added full memory dump of the virtual machine
  • Added base class for libvirt machine managers
  • Added auxiliary modules for Windows analyzer
  • Added Jar analysis package
  • Added Java Applet analysis package
  • Added Zip analysis package
  • Added option to enforce full timeout execution
  • Added support for Graylog2 logging
  • Transitioned internal database to SQLAlchemy
  • Added logging of analysis errors into the database
  • Added logging of guest executions into the database
  • Added logging of active analysis machines into the database
  • Added logging of details of submitted samples into the database
  • Added functionality for automatic version lookup to get notified of available updates
  • Added possibility to order processing and reporting modules
  • Added extraction of strings from analyzed binaries
  • Added Yara signature with indicators of possible virtualization-aware samples
  • Added dissection of intercepted SMTP traffic
  • Added a REST API server to interact with Cuckoo
  • Added user interaction emulation (clicking dialog buttons and mouse movements)
  • Added support for Windows 7 execution
  • Added support for dumping queried and modified registry data
  • Added more functions to be hooked and logged
  • Added simple functionality to omit injection into Cuckoo processes
  • Added support for dumping files with relative paths
  • Added shared VirusTotal API key
  • Introduced fairly smart way of skipping Sleep calls
  • Unified utility for results processing and reports generation
  • Improved analysis process logic
  • Improved automatic analysis package selection
  • Improved process injection and process following
  • Improved dumping of modified files
  • Improved logging to reduce the amount of useless entries
  • Improved unicode support
  • Improved management of analysis machines parallel execution
  • Improved internal management of plugins and modules
  • Improved dissection of intercepted DNS traffic
  • Fixed bugs in connection with the agent
  • Fixed some issues in dumping dropped files
  • Fixed bug in termination of tcpdump processes
  • Fixed bugs in MongoDB reporting module
  • Fixed issues with internal DNS resolution

End Of Transmission.