Automated Malware Analysis

Cuckoo Sandbox 2.0 Release Candidate 2

  • November 16, 2016
  • Claudio Guarnieri

Today we are thrilled to announce the release of Cuckoo Sandbox 2.0 Release Candidate 2. This version features many bug fixes and improvements to the instrumentation components, analysis accuracy, and usability.

Following is a short list of the key changes:

  • Import & Export analysis functionality to simplify sharing reports and debugging user issues
  • Lots of stability improvements for the Cuckoo Monitor
  • Initial integration with MISP and IRMA
  • Introduction of ability for analysis to survive reboot (still work in progress)
  • Office Word / Adobe PDF instrumentation for analysis of embedded Javascript and VBA scripts
  • Extraction of in-memory PE files from process memory dumps
  • ElasticSearch integration for global search capabilities
  • Support for Ubuntu 16.04
  • And much more...

As may be concluded from the short summary our main focus has been around improving the user experience, adding instrumentation for malicious document-based targets, and improving overall stability.

As many new features and possibilities are introduced, some of them have remained underdocumented, resulting in few people taking advantage of them. We plan to remedy that, and to complement better documentation with more blog posts. For example, did you know that you can now do per-analysis network routing?

And now, on to what is coming up in the near future...

Upcoming: Cuckoo Package

More than six years have passed since Cuckoo Sandbox started. Since then some attempts have been made at simplifying the installation process of Cuckoo, but various problems have so far not been properly resolved. E.g., when updating your local Cuckoo instance to the latest development version you first have to back up your Cuckoo configuration, as otherwise Git refuses to pull the new code because doing so would overwrite your configuration files (which are tracked in the Git repository).

Cuckoo Sandbox 2.0-RC2 will be the last "legacy" release in which users will be able to use the system as they have been using it for the past years. Our next release will be solely based on the Cuckoo package, which can be installed simply by running pip install cuckoo and updated through pip install -U cuckoo. Running Cuckoo or any of its subcommands will be possible through the cuckoo command, thereby combining all of the Cuckoo utilities into one generic command.

This is just a heads-up for our future release(s); for now you can read more about the Cuckoo Package at Pull Request #863 on our GitHub or in the new and comprehensive documentation for the package branch. We are very excited about these steps forward as they will not only improve the user experience but also simplify the release process, which has so far been very demanding and time consuming.

Upcoming: Improved Web Interface

A lot of effort is currently being spent in refreshing our web interface, and extending it with many features that have been long overdue. This includes performance improvements, theme selection, expanded submission options, and more. More on this to follow, so stay tuned on our blog and social media.

Upcoming: Spoofing anti-analysis tricks by malicious documents

Those of you who often deal with malicious documents attached to spam emails will especially like our upcoming developments. Take for example the following writeup by PhishMe. It explains how the malicious document reaches out to the internet to perform a GeoIP lookup in order to decide whether it is being analyzed.

Now, spoofing the response for this HTTP request may seem like a trivial thing to do, but a proper and clean implementation involves a lot of moving parts:

  • Often the email attachments are distributed in an archive. Each of the files from this archive should be submitted as an analysis task separately. This is where the new Web Interface comes in.
  • One can't just unpack malicious archives. This process requires its very own sandbox to avoid arbitrary file overwrite exploits and potential exploits for a variety of RCE vulnerabilities. Read more at the Github page for ZipJail.
  • We're going to run mitmproxy in transparent mode. Some traffic we'll want to spoof ourselves (e.g., the HTTP response of the GeoIP request), but most of it we'll want to let through to the configured network route (we support several: no routing, drop routing, the dirty line, InetSim, Tor, or one of multiple configured VPNs). There are multiple ways to go about this, but the cleanest is using fully transparent proxy mode, so we helped out on that part as well.
  • We'd like our solution to be easy to extend later on an as-needed basis, and as such we're going to have to develop some mitmproxy plugin scripts that may be enabled on a per-analysis basis.
  • It is extremely useful to get high-level behavioral information such as which VBA methods or Javascript functions are called. We did similar work for Internet Explorer 8 in our 2.0-RC1 release. As such we have been adding instrumentation for specific version(s) of Microsoft Office 2007 as well as Adobe PDF Reader 9 (this is already part of the 2.0-RC2 release).
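The "arbitrary file overwrite" problem from the archive-unpacking item above is, at its simplest, an archive member whose name contains "../", an absolute path, or a symlink that a later member writes through. The following is an added example, not ZipJail's code and not part of Cuckoo (ZipJail's approach is to sandbox the unpacker itself; this is only the path-containment check a submission pipeline should run before trusting any member name). The sample archive is constructed in memory; no real attachment is involved.

```python
"""Reject archive members that would land outside the extraction directory.

Added example, not ZipJail's or Cuckoo's code. The hostile archive below is
constructed in memory purely to exercise the check.
"""
import io
import os
import zipfile


def is_contained(member_name, dest_dir):
    """True if member_name, resolved against dest_dir, stays inside dest_dir."""
    # Zip names use '/', but hostile archives also carry '\' and drive letters.
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False  # absolute POSIX path or Windows drive path
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    return target == root or target.startswith(root + os.sep)


def classify_members(zf, dest_dir):
    """Return [(name, reason)] for every member that must not be extracted."""
    bad = []
    for info in zf.infolist():
        # Unix file type lives in the high 16 bits of external_attr.
        if (info.external_attr >> 16) & 0o170000 == 0o120000:
            # A symlink extracted first lets a later, "contained" member
            # write wherever the link points, so refuse it outright.
            bad.append((info.filename, "symlink"))
        elif not is_contained(info.filename, dest_dir):
            bad.append((info.filename, "escapes destination"))
    return bad


def build_hostile_zip():
    """Constructed sample: one benign member and three hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"benign content")
        zf.writestr("../../etc/cron.d/backdoor", b"* * * * * root /tmp/x")
        zf.writestr("/Windows/System32/drivers/etc/hosts", b"0.0.0.0 av-vendor")
        link = zipfile.ZipInfo("tmp")
        link.external_attr = 0o120777 << 16  # mark the member as a symlink
        zf.writestr(link, b"/etc")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    for name, reason in classify_members(build_hostile_zip(), "/tmp/cuckoo-extract"):
        print(f"refusing {name!r}: {reason}")
```

The check deliberately resolves symlinks in the destination itself and refuses symlink members rather than trying to validate their targets; the remaining risks (decompression bombs, parser bugs in the unpacking library) are exactly why the post argues for running the unpacker in its own sandbox.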

And this is just a short summary of what has to be done, or has been done already, to get such a seemingly simple feature to work. There are many small changes here and there that you wouldn't even think about but that are just as necessary as the bigger ones. Let's just say it keeps us busy and excited.
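The mitmproxy item in the list above is what a per-analysis spoofing script looks like in practice: intercept only the GeoIP request and let everything else continue to the configured route. The block below is an added example written for this page, not a Cuckoo plugin script. It assumes a recent mitmproxy (http.Response.make, available since mitmproxy 6; older releases used HTTPResponse.make), and the GeoIP host names, the JSON field names and the "residential US user" answer are constructed for illustration, since the post does not name the service the document contacts. The decision and response-building logic is kept in plain functions so it can be tested without mitmproxy installed.

```python
"""mitmproxy addon that answers a GeoIP lookup locally and passes everything
else through to the analysis network route.

Added example, not Cuckoo's code. Assumes mitmproxy >= 6 for
http.Response.make; host names and the spoofed body are invented.
"""
import json

try:
    from mitmproxy import http  # only needed when loaded by mitmdump
except ImportError:  # lets the pure functions below run without mitmproxy
    http = None

# Hypothetical GeoIP endpoints a macro might query. A real deployment would
# take this list from the per-analysis configuration.
DEFAULT_GEOIP_HOSTS = {"geoip.example.com", "ipinfo.example.net"}

# Constructed answer: looks like a home user on residential broadband.
# Field names are invented; adapt them to the service being spoofed.
SPOOFED_BODY = {
    "ip": "203.0.113.7",          # TEST-NET-3 address (RFC 5737), never routed
    "country_code": "US",
    "org": "Residential Broadband ISP",
    "hosting": False,
}


def should_spoof(host, hosts=DEFAULT_GEOIP_HOSTS):
    """True for requests to a configured GeoIP host (port stripped, case-folded)."""
    return host.split(":")[0].lower() in hosts


def build_spoofed_response(body=SPOOFED_BODY):
    """Status, headers and encoded JSON body handed back instead of the real answer."""
    raw = json.dumps(body).encode()
    headers = {
        "Content-Type": "application/json",
        "Content-Length": str(len(raw)),
        "Cache-Control": "no-store",
    }
    return 200, headers, raw


class GeoIPSpoof:
    """Addon: short-circuit matching requests; leave all other flows untouched
    so they follow the analysis route (InetSim, dirty line, VPN, ...)."""

    def __init__(self, hosts=DEFAULT_GEOIP_HOSTS):
        self.hosts = {h.lower() for h in hosts}
        self.spoofed = 0  # counter worth surfacing in the analysis report

    def request(self, flow):
        if not should_spoof(flow.request.pretty_host, self.hosts):
            return  # not a GeoIP lookup: proxy it upstream as-is
        status, headers, raw = build_spoofed_response()
        # Assigning flow.response here makes mitmproxy skip the upstream request.
        flow.response = http.Response.make(status, raw, headers)
        self.spoofed += 1


addons = [GeoIPSpoof()]
```

Loaded with something like mitmdump --mode transparent -s geoip_spoof.py, with the analysis VM's traffic redirected to the proxy port by the host firewall, the addon fakes only the GeoIP answer; the document's later download of its second stage still traverses the real route and shows up in the capture.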

Conclusions

We'd like to thank our users once again for using Cuckoo Sandbox. If you have any feedback please do not hesitate to reach out and let us know.

We hope you appreciate this latest release, and stay tuned for the stable 2.0 to come out in the future. In the meantime, follow us on social media and GitHub, and learn more about our consultancy services.

