Automated Malware Analysis

VxCage

  • November 06, 2012
  • Claudio Guarnieri
/assets/images/blog/vxcage-20/FNnNH.jpg

You know it, our mission is to facilitate and simplify your daily malware research activities. We've been doing this for the last couple of years and as we gave up on sleeping and on our social lives, we are starting producing more code than ever. Open source, free, spaghetti and supposedly working.

Our latest addition to our knife set is VxCage.

When bothering us to tidy up our rooms, our moms were unintentionally preparing us for this moment. If your malware repository is the digital reflection of chaos, if after a delta time of 30 minutes you completely forgot what those binaries were and if you don't know how to find that critical sample back... don't panic, we got the medicine.

VxCage is a REST API-based malware repository released under the 2-Clause BSD license. You can run it as a WSGI app on your favourite webserver and it provides a set of easy-to-use API functions that you can use to upload, tag, search and retrieve malware samples from your remote repository.

The functionalities are extensively documented in the README file, but just to give you a taste, following are some usage examples.

Upload a file:

nex@cuckoo:~$ curl -F file=@sample -F tags="windows banker prinimalka" http://vxcage/malware/add

Retrieve the list of tags:

nex@cuckoo:~$ curl http://vxcage/tags/list
[
  "banker",
  "prinimalka",
  "windows"
]

Search for files matching the given tag:

nex@cuckoo:~$ curl -F tag=banker http://vxcage/malware/find
[
  {
      "tags": [
          "windows",
          "banker",
          "prinimalka"
      ],
      "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
      "file_name": "sample",
      "file_size": 99840,
      "crc32": "E5F9BFFB",
      "ssdeep": "1536:NNISTIPQHHLjGFY4thx07TFIQ7F580Es0HffHBY6q:N6qHLjGF7tP0pIY580Es0Hni6q",
      "id": 208,
      "md5": "ca54385bb345f20454ec0cd1f01ca9f9",
      "sha1": "a27da9699b1bcf06e32bebf2356b09b48b5b95f5",
      "sha256": "16ecc542804fa2b337e6d8186ba1d700309705623420e682ed13d34c8db10c20",
      "sha512": "f79fbce257e943c9ef33ec8142945c4515c4f95e53689ee7d0d64c22c31dbf0c7726c1e7cd0630eada3145c2c399740b1f6f184513b9cd2bfc46b9db66ecbfde"
  },
  ...
]

Download a file by its SHA256 hash:

nex@cuckoo:~$ curl http://vxcage/malware/get/16ecc542804fa2b337e6d8186ba1d700309705623420e682ed13d34c8db10c20 > sample.exe

Enjoy.

  • November 06, 2012
  • Claudio Guarnieri

Cuckoo Sandbox 2.0 -