Automated Malware Analysis

VxCage 2.0

  • December 27, 2012
  • Claudio Guarnieri

Christmas days are just behind us and you're probably stuffed, heavy and sleepy. Likely still a little bit drunk too. Meanwhile your sensors kept collecting data and you kept unconsciously downloading samples to your desktop, too lazy and tired to sort them properly. Your samples are stacked up, just like the pile of dirty dishes in your sink. Now clean up your Python interpreter, wake up your Apache server, it's time to get your sh*t together.

A month and a half ago we released a small tool that I put together quickly with the help of jekil to properly organize my samples, which were constantly getting lost in the oblivion of my terrible memory and chaotic filesystem. That was VxCage. Just last week we released Cuckoo Sandbox 0.5 and today, rolling with the coding spree of the last few weeks, we bring you VxCage 0.2.

As usual, you can grab it from GitHub and it's released under the BSD 2-Clause license for your convenience.

This is a quick and easy release, but one that you might still find enjoyable. We fixed a couple of bugs and slightly refactored the way the API reports errors (it now uses HTTP status codes instead of custom messages), but most notably we introduced a console interface that you can use to communicate and interact with your VxCage server more easily.

You can see an example interaction here:

$ python vxcage.py --host yourserver.com --port 443 --ssl --auth

You will be prompted with:

  `o   O o   O .oOo  .oOoO' .oOoO .oOo.
   O   o  OoO  O     O   o  o   O OooO'
   o  O   o o  o     o   O  O   o O
   `o'   O   O `OoO' `OoO'o `OoOo `OoO'
                                O
                             OoO'  by nex

Username: nex
Password:
vxcage>

vxcage> help
Available commands:
  help        Show this help
  tags        Retrieve list of tags
  find        Find a file by md5, sha256, ssdeep, tag or date
  get         Retrieve a file by sha256
  add         Upload a file to the server

vxcage> tags
+------------------------+
| tag                    |
+------------------------+
| banker                 |
| bot                    |
| carberp                |
| citadel                |
| zeus                   |
+------------------------+
Total: 5

vxcage> find tag carberp
+----------------------------------+------------------------------------------------------------------+--------------+---------------------------------------------------+-----------+
| md5                              | sha256                                                           | file_name    | file_type                                         | file_size |
+----------------------------------+------------------------------------------------------------------+--------------+---------------------------------------------------+-----------+
| 719354b4b7b182b30e1de8ce7b417d2f | 689a35928f71848fab346b50811c6c0aab95da01b9293c60d74c7be1357dc029 | carberp1.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 132096    |
| 63d8fd55ebe6e2fa6cc9523df942a9a5 | a6d77a5ba2b5b46a0ad85fe7f7f01063fe7267344c0cecec47985cd1e46fa7a4 | carberp2.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 192512    |
| ccf43cdc957d09ea2c60c6f57e4600f0 | b998233b85af152596f5087e64c2cadb1466e4f6da62f416ac3126f87c364276 | carberp3.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 186880    |
+----------------------------------+------------------------------------------------------------------+--------------+---------------------------------------------------+-----------+
Total: 3

vxcage> find md5 719354b4b7b182b30e1de8ce7b417d2f
sha1: 091fcf7378bfc4baec61bc5708e9a64128c5c7e4
tags: banker,carberp
file_type: PE32 executable (GUI) Intel 80386, for MS Windows
file_name: carberp1.exe
created_at: 2012-12-25 00:37:16
file_size: 132096
crc32: 05AF53DC
ssdeep: 3072:fQAsBL+tnecg1OS+x/+SSQSBX8MxaQhJwox:fQAsBoecg1UM3c
sha256: 689a35928f71848fab346b50811c6c0aab95da01b9293c60d74c7be1357dc029
sha512: 844e0010e23571e2bc6a44405a012bca4f01955348db26320d6a95e54e6afc85a81bef574ee65de9d67cdf6e2cf80fd4d1b2c559902596943b1e4ebeb5641650
id: 41
md5: 719354b4b7b182b30e1de8ce7b417d2f

vxcage> get 689a35928f71848fab346b50811c6c0aab95da01b9293c60d74c7be1357dc029 /tmp
Download: 100% |:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::| Time: 00:00:00 223.63 K/s
File downloaded at path: /tmp/689a35928f71848fab346b50811c6c0aab95da01b9293c60d74c7be1357dc029

vxcage> add /tmp/malware.exe windows,trojan,something
File uploaded successfully

As you can see, it's now very easy to use VxCage even if you are not familiar with the implementation of a REST API client. For additional details, refer to the README file. Bear with me, at some point I'll write some proper documentation.
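The console is only a thin wrapper over the REST API, and a client of your own is a few dozen lines. The Python below is an added example, not VxCage's own code: the endpoint paths (`/tags/list`, `/malware/find`, `/malware/get/<sha256>`), the JSON response shapes and the use of HTTP basic auth are assumptions to check against the README, and `fake_transport` is a constructed stand-in for the server so the example runs offline. It shows the one API change in this release, errors reported as HTTP status codes, handled in a single place, and adds the check a practitioner wants on `get`: the downloaded bytes are hashed and refused if the digest does not match the SHA-256 that was requested.

```python
"""Minimal client for a VxCage-style REST API (added example, not the project's
own code). Endpoint paths, response shapes and basic auth are assumptions."""
import base64
import hashlib
import json
import os
import tempfile
import urllib.error
import urllib.parse
import urllib.request


class VxCageError(Exception):
    """Raised when the server answers with an HTTP error status."""
    def __init__(self, status, reason):
        super().__init__(f"HTTP {status}: {reason}")
        self.status = status


def urllib_transport(method, url, headers, body):
    # Real transport: returns (status, body bytes); HTTP errors become a status.
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class VxCageClient:
    TAGS = "/tags/list"        # assumed endpoint layout (hypothetical)
    FIND = "/malware/find"
    GET = "/malware/get/"

    def __init__(self, host, port=8080, ssl=False, auth=None, transport=urllib_transport):
        self.base = f"{'https' if ssl else 'http'}://{host}:{port}"
        self.headers = {}
        if auth:  # (username, password) sent as HTTP basic auth
            token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
            self.headers["Authorization"] = "Basic " + token
        self._send = transport

    def _call(self, method, path, form=None):
        body = urllib.parse.urlencode(form).encode() if form else None
        headers = dict(self.headers)
        if body is not None:
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        status, data = self._send(method, self.base + path, headers, body)
        if status >= 400:  # errors arrive as HTTP status codes, not custom messages
            raise VxCageError(status, data.decode(errors="replace"))
        return data

    def tags(self):
        return json.loads(self._call("GET", self.TAGS))

    def find(self, **criteria):  # find(tag="carberp"), find(md5="...")
        return json.loads(self._call("POST", self.FIND, criteria))

    def get(self, sha256, dest_dir):
        """Download a sample, verify its digest, store it under its SHA-256."""
        data = self._call("GET", self.GET + sha256)
        digest = hashlib.sha256(data).hexdigest()
        if digest != sha256.lower():
            raise VxCageError(0, f"digest mismatch: wanted {sha256}, got {digest}")
        path = os.path.join(dest_dir, digest)
        with open(path, "wb") as fh:
            fh.write(data)
        return path


# Constructed stand-in for the server so the example runs offline.
SAMPLE = b"MZ constructed placeholder bytes, not a real executable"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def fake_transport(method, url, headers, body):
    path = urllib.parse.urlsplit(url).path
    if "Authorization" not in headers:
        return 401, b"Unauthorized"
    if path == VxCageClient.TAGS:
        return 200, json.dumps(["banker", "carberp"]).encode()
    if path == VxCageClient.FIND:
        form = urllib.parse.parse_qs((body or b"").decode())
        hits = [{"sha256": SAMPLE_SHA256, "file_name": "sample1.exe"}]
        return 200, json.dumps(hits if form.get("tag") == ["carberp"] else []).encode()
    if path == VxCageClient.GET + SAMPLE_SHA256:
        return 200, SAMPLE
    return 404, b"File not found"


def demo(dest_dir=None):
    """Replays the console session above against the fake server."""
    client = VxCageClient("yourserver.com", 443, ssl=True,
                          auth=("nex", "secret"), transport=fake_transport)
    dest_dir = dest_dir or tempfile.mkdtemp()
    path = client.get(SAMPLE_SHA256, dest_dir)
    try:
        client.get("0" * 64, dest_dir)
        missing = None
    except VxCageError as err:
        missing = err.status
    return {"tags": client.tags(), "carberp": client.find(tag="carberp"),
            "path": path, "missing_status": missing}
```

Swap `fake_transport` for the default `urllib_transport` to talk to a real server. With `ssl=True` the certificate is checked by urllib's defaults, so a self-signed VxCage certificate belongs in the trust store rather than having verification switched off.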

Enjoy.
