{"id":8645,"date":"2020-06-27T00:20:00","date_gmt":"2020-06-27T00:20:00","guid":{"rendered":"https:\/\/www.freefixer.com\/b\/?p=8645"},"modified":"2020-06-27T16:00:27","modified_gmt":"2020-06-27T16:00:27","slug":"hello-cuckoo-sandbox","status":"publish","type":"post","link":"https:\/\/www.freefixer.com\/b\/hello-cuckoo-sandbox\/","title":{"rendered":"Say Hi To Cuckoo Sandbox!"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

Cuckoo<\/a> is an open source automated malware analysis tool<\/strong>. Cuckoo can execute files and monitor the behaviour. And if you are running FreeFixer<\/a>, your suspicious files will also be analysed by the sandbox. For free.<\/p>\n\n\n\n

I’ll try to explain what Cuckoo can do more in detail by using examples from the Cuckoo reports on files listed here at freefixer.com:<\/p>\n\n\n\n

One of the most useful features is that Cuckoo can trace API calls<\/strong>. Here’s an example from RunBoosterUpdateTask64.exe<\/a>, where you can see that it calls CreateServiceW<\/code> to register a driver named WinDivert64.sys<\/code>. This is pretty useful if you are trying to find out what a particular file on your system is doing.<\/p>\n\n\n\n

\"call\": {\n  \"category\": \"services\",\n  \"status\": 1,\n  \"stacktrace\": [],\n  \"api\": \"CreateServiceW\",\n  \"return_value\": 4536928,\n  \"arguments\": {\n    \"service_start_name\": \"\",\n    \"start_type\": 2,\n    \"service_handle\": \"0x0000000000453a60\",\n    \"display_name\": \"WinDivert1.2\",\n    \"error_control\": 1,\n    \"service_name\": \"WinDivert1.2\",\n    \"filepath\": \"C:\\\\Windows\\\\System32\\\\drivers\\\\WinDivert64.sys\",\n    \"filepath_r\": \"C:\\\\Windows\\\\system32\\\\drivers\\\\WinDivert64.sys\",\n    \"service_manager_handle\": \"0x0000000000453a00\",\n    \"desired_access\": 983551,\n    \"service_type\": 1,\n    \"password\": \"\"\n  },\n  \"time\": 1576385586.79675,\n  \"tid\": 2436,\n  \"flags\": {}\n}<\/pre>\n\n\n\n
Cuckoo also monitors host resolving<\/strong>. Here’s another example from the log where RunBoosterUpdateTask64.exe<\/a> tries to get the IP address for update.updinfo.xyz<\/strong>:<\/p>\n\n\n\n
\"resolves_host\": [ \"update.updinfo.xyz\" ]<\/pre>\n\n\n\n
And the list goes on. Cuckoo detects anti-virtualisation tactics<\/strong>. For example, Cuckoo will notice if the file under test checks for existence of VMware\/VirtualBox registry keys or files.<\/p>\n\n\n\n
Here’s an example from armsvc.exe<\/a> where Cuckoo notice that the process is trying to detect if it is running in VMware using an instruction:<\/p>\n\n\n\n
{\n  \"markcount\": 1,\n  \"families\": [],\n  \"description\": \"Detects VMWare through the in instruction feature\",\n  \"severity\": 3,\n...<\/pre>\n\n\n\n
Cuckoo will detect potential compressed or encrypted data<\/strong> in the executable files by measuring the entropy in the file. Cuckoo can also step through installation wizards<\/strong> and takes screenshots <\/strong>during the analysis. It will also log UDP and TCP connection.<\/p>\n\n\n\n
I’m impressed by all the features.<\/p>\n\n\n\n
So, I’ve set up a Cuckoo installation that freefixer.com will use to analyse files. The approach is simple. Freefixer.com will upload files to sandbox and after a while the analysis will be displayed on the web site. I’ve decided to display the Summary, Generic, Dropped, Signatures, Yara, and Network sections from the sandbox report. Here’s an example report for armsvc.exe<\/a>:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
I’ve been running Cuckoo for some time now, and it has analysed more that 6000 files. I’m pretty happy with the result so far. Cuckoo just keeps on running, analysing one file after another.<\/p>\n\n\n\n
I’ve identified a number of issues that needs to be addressed:<\/p>\n\n\n\n