Cuckoo-sandbox

From aldeid

Description

Cuckoo Sandbox is a tool written by Claudio Guarnieri that started during the Google Summer of Code 2010. Cuckoo is a fully automated system to analyze malware samples in an isolated, virtualized Windows environment. It then returns the following results:

  • Tracing of the relevant Windows API calls of all recursively spawned processes.
  • Network traffic dump generated during malware execution.
  • Files downloaded and deleted during execution.
  • Screenshots taken during the whole analysis process.

Installation

Prerequisites

First install VirtualBox. Also install the following packages:

$ sudo apt-get install python sqlite3 python-magic tcpdump samba

To ensure you will be able to start tcpdump as your standard user, set the SETUID bit as follows:

$ sudo chmod +s /usr/sbin/tcpdump

Cuckoo

$ cd /opt/
$ git clone git://github.com/cuckoobox/cuckoo.git

Prepare your virtual environment

(Screenshot: Cuckoo-virtualbox-shares.png)

Cuckoo needs a Windows virtual machine.

  • Prepare a Windows XP box under VirtualBox.
  • In the machine properties, add the 2 shared folders shown in the screenshot above.
  • Install Python 2.7 on it.
  • Once booted, take a snapshot; Cuckoo will restore the machine to it after every analysis.

Configuration

The configuration is in the /opt/cuckoo/cuckoo.conf file and is straightforward.

Here are the variables to configure:

Section           Variable            Example
Host              interface           interface = vboxnet0
Logging           path                path = cuckoo.log
                  utc                 utc = False
                  debug               debug = False
Analysis          analysis_timeout    analysis_timeout = 180
                  watchdog_timeout    watchdog_timeout = 600
                  results_path        results_path = analysis/
                  postprocessing      postprocessing = postprocessing/processor.py
LocalDatabase     file                file = cuckoo.db
VirtualMachines   engine              engine = VirtualBox
                  enabled             enabled = cuckoo1
                  mode                mode = gui
                  python              python = C:\Python27\python.exe
[cuckoo1]         name                name = cuckoo1
                  username            username = cuckoo
                  password            password = cuckoo
                  share               share = shares/cuckoo1

Usage

cuckoo.py

Start Cuckoo as follows:

/opt/cuckoo$ ./cuckoo.py
                     _                  
    ____ _   _  ____| |  _ ___   ___    
   / ___) | | |/ ___) |_/ ) _ \ / _ \ 
  ( (___| |_| ( (___|  _ ( |_| | |_| |  
   \____)____/ \____)_| \_)___/ \___/ v0.2

 www.cuckoobox.org                                
 Copyright (C) 2010-2011                          
 by Claudio "nex" Guarnieri

[2011-09-20 07:21:52] [Virtual Machine] [Check] Your VirtualBox version is: "4.1.0", good!
[2011-09-20 07:21:52] [Start Up] Populating virtual machines pool...
[2011-09-20 07:21:52] [Virtual Machine] Acquired virtual machine with name "cuckoo1".
[2011-09-20 07:21:52] [Virtual Machine] [Infos] Virtual machine "cuckoo1" informations:
[2011-09-20 07:21:52] 	\_| Name: cuckoo1
[2011-09-20 07:21:52] 	  | ID: df89b9c6-d37e-4889-acd7-bf4d72f810b8
[2011-09-20 07:21:52] 	  | CPU Count: 1 Core/s
[2011-09-20 07:21:52] 	  | Memory Size: 192 MB
[2011-09-20 07:21:52] 	  | VRAM Size: 16 MB
[2011-09-20 07:21:52] 	  | State: Saved
[2011-09-20 07:21:52] 	  | Current Snapshot: "cuckoo_on"
[2011-09-20 07:21:52] 	  | MAC Address: 08:00:27:5A:EE:F7
[2011-09-20 07:21:52] [Start Up] 1 virtual machine/s added to pool.

submit.py

Once cuckoo.py has successfully started, you will be able to add malware samples to the queue as follows:

/opt/cuckoo$ ./submit.py /path/to/some/malware

You can submit samples to the queue one by one, and Cuckoo will analyze them automatically.

Example

Description

In this example, we'll analyze a virus: Virus.Win32.Sality.aa (e4fb6f9043b36c720e676b6fe737f151)

Start Cuckoo

First start Cuckoo as follows:

/opt/cuckoo$ ./cuckoo.py
                     _                  
    ____ _   _  ____| |  _ ___   ___    
   / ___) | | |/ ___) |_/ ) _ \ / _ \ 
  ( (___| |_| ( (___|  _ ( |_| | |_| |  
   \____)____/ \____)_| \_)___/ \___/ v0.2

 www.cuckoobox.org                                
 Copyright (C) 2010-2011                          
 by Claudio "nex" Guarnieri

[2011-09-20 22:47:26] [Virtual Machine] [Check] Your VirtualBox version is: "4.1.0", good!
[2011-09-20 22:47:26] [Start Up] Populating virtual machines pool...
[2011-09-20 22:47:26] [Virtual Machine] Acquired virtual machine with name "cuckoo1".
[2011-09-20 22:47:26] [Virtual Machine] [Infos] Virtual machine "cuckoo1" informations:
[2011-09-20 22:47:26] 	\_| Name: cuckoo1
[2011-09-20 22:47:26] 	  | ID: df89b9c6-d37e-4889-acd7-bf4d72f810b8
[2011-09-20 22:47:26] 	  | CPU Count: 1 Core/s
[2011-09-20 22:47:26] 	  | Memory Size: 192 MB
[2011-09-20 22:47:26] 	  | VRAM Size: 16 MB
[2011-09-20 22:47:26] 	  | State: Saved
[2011-09-20 22:47:26] 	  | Current Snapshot: "cuckoo_on"
[2011-09-20 22:47:26] 	  | MAC Address: 08:00:27:5A:EE:F7
[2011-09-20 22:47:26] [Start Up] 1 virtual machine/s added to pool.
[2011-09-20 22:47:26] [Database] [Init] Generated database "cuckoo.db" which didn't exist before.

Send the virus to the queue

Open another window and send the virus to the queue:

/opt/cuckoo$ ./submit.py /data/exploits/viruses/e4fb6f9043b36c720e676b6fe737f151.exe
Done: Task added to database!

If the same sample has already been submitted, you will get a message like this:

/opt/cuckoo$ ./submit.py /data/exploits/viruses/e4fb6f9043b36c720e676b6fe737f151.exe
WARNING: Seems like a task with the target "/data/exploits/viruses/e4fb6f9043b36c720e676b6fe737f151.exe" already exists in database.
Are you sure you want to add it (yes/no)? yes
Done: Task added to database!

Cuckoo automatically starts VirtualBox and loads the virus:

(Screenshot: Cuckoo-e4fb6f9043b36c720e676b6fe737f151.png)

Analyze the results

First, a look at the Cuckoo output:

[2011-09-20 22:53:04] [Core] [Dispatcher] Acquired analysis task for target "/data/exploits/viruses/e4fb6f9043b36c720e676b6fe737f151.exe".
[2011-09-20 22:53:04] [Database] [Lock] Locked task with id 2.
[2011-09-20 22:53:04] [Analysis] [Generate Config] Config file successfully generated at "shares/cuckoo1/analysis.conf".
[2011-09-20 22:53:04] [Sniffer] [Start] Tcpdump started monitoring 08:00:27:5A:EE:F7.
[2011-09-20 22:53:04] [Virtual Machine] Acquired virtual machine with name "cuckoo1".
tcpdump: listening on vboxnet0, link-type EN10MB (Ethernet), capture size 1515 bytes
[2011-09-20 22:53:05] [Virtual Machine] [Start] Virtual machine "cuckoo1" starting in "gui" mode.
[2011-09-20 22:53:05] [Virtual Machine] [Execute] Cuckoo executing with PID 2616 on virtual machine "cuckoo1".
[2011-09-20 22:56:19] [Virtual Machine] [Execute] Cuckoo exited with code 0 on virtual machine "cuckoo1".
[2011-09-20 22:56:20] [Virtual Machine] [Stop] Virtual machine "cuckoo1" powered off successfully.
[2011-09-20 22:56:25] [Virtual Machine] [Restore] Virtual machine "cuckoo1" successfully restored to current snapshot.
166 packets captured
166 packets received by filter
0 packets dropped by kernel
[2011-09-20 22:56:25] [Sniffer] [Stop] Tcpdump stopped monitoring 08:00:27:5A:EE:F7.
[2011-09-20 22:56:25] [Analysis] [Save Results] Analysis results successfully saved to "analysis/2".
[2011-09-20 22:56:25] [Analysis] [Clean Share] Shared folder "shares/cuckoo1" cleaned successfully.
[2011-09-20 22:56:25] [Database] [Complete] Task with id 2 updated in the database with status "1".
[2011-09-20 22:56:25] [Analysis] [Free VM] Virtual machine "cuckoo1" released.
[2011-09-20 22:56:25] [Analysis] [Core] Postprocessing script started with pid "5553".

In addition, Cuckoo has automatically created a file structure in the analysis/ directory:

analysis/
`-- 1
    |-- analysis.conf
    |-- analysis.log
    |-- e4fb6f9043b36c720e676b6fe737f151.exe
    |-- files
    |-- logs
    |   |-- 3652.csv
    |   `-- 3756.csv
    |-- pcap
    |   `-- dump.pcap
    |-- report.txt
    `-- shots
  • Extract from report.txt:
PROCESS: 3652 - e4fb6f9043b36c720e676b6fe737f151.exe
	CALL: 20110920205318.347, RegOpenKeyW, Status: SUCCESS, Return Value: 0x0012ee10
		ARGUMENT: hKey -> HKEY_LOCAL_MACHINE
		ARGUMENT: lpSubKey -> Software\Microsoft\Windows NT\CurrentVersion\winlogon
	CALL: 20110920205318.347, RegOpenKeyW, Status: SUCCESS, Return Value: 0x0012ee10
		ARGUMENT: hKey -> HKEY_LOCAL_MACHINE
		ARGUMENT: lpSubKey -> Software\Microsoft\Windows NT\CurrentVersion\winlogon
	CALL: 20110920205318.347, RegOpenKeyW, Status: SUCCESS, Return Value: 0x0012ec08
		ARGUMENT: hKey -> HKEY_LOCAL_MACHINE
		ARGUMENT: lpSubKey -> Software\Microsoft\Windows NT\CurrentVersion\winlogon
	CALL: 20110920205318.347, RegOpenKeyW, Status: SUCCESS, Return Value: 0x0012eb20
		ARGUMENT: hKey -> HKEY_LOCAL_MACHINE
		ARGUMENT: lpSubKey -> Software\Microsoft\Windows NT\CurrentVersion\winlogon
	CALL: 20110920205318.347, RegOpenKeyW, Status: FAILURE, Return Value: 
		ARGUMENT: hKey -> HKEY_LOCAL_MACHINE
		ARGUMENT: lpSubKey -> Software\Policies\Microsoft\Windows\System
	CALL: 20110920205318.347, RegOpenKeyW, Status: SUCCESS, Return Value: 0x0012e68c
		ARGUMENT: hKey -> HKEY_LOCAL_MACHINE
		ARGUMENT: lpSubKey -> Software\Microsoft\Windows NT\CurrentVersion\winlogon
	CALL: 20110920205318.347, RegOpenKeyW, Status: FAILURE, Return Value: 
		ARGUMENT: hKey -> HKEY_LOCAL_MACHINE
		ARGUMENT: lpSubKey -> Software\Policies\Microsoft\Windows\System
	CALL: 20110920205318.347, CreateMutexW, Status: SUCCESS, Return Value: 0x0000009c
		ARGUMENT: lpName -> (null)
	CALL: 20110920205318.347, CreateMutexW, Status: SUCCESS, Return Value: 0x000000a4
		ARGUMENT: lpName -> (null)
  • Extract from dump.pcap
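The report.txt format above is plain text, so it is easy to post-process. The following is an added example (the editor's own code, not part of Cuckoo or its postprocessing/processor.py): it parses the PROCESS/CALL/ARGUMENT lines into one record per API call and lists which registry keys the sample tried to open and whether each open succeeded. The embedded sample text is copied from the report.txt extract above.

```python
import re
from collections import Counter

# Constructed input: the opening lines of the report.txt extract shown on this page.
SAMPLE_REPORT = (
    "PROCESS: 3652 - e4fb6f9043b36c720e676b6fe737f151.exe\n"
    "\tCALL: 20110920205318.347, RegOpenKeyW, Status: SUCCESS, Return Value: 0x0012ee10\n"
    "\t\tARGUMENT: hKey -> HKEY_LOCAL_MACHINE\n"
    "\t\tARGUMENT: lpSubKey -> Software\\Microsoft\\Windows NT\\CurrentVersion\\winlogon\n"
    "\tCALL: 20110920205318.347, RegOpenKeyW, Status: FAILURE, Return Value: \n"
    "\t\tARGUMENT: hKey -> HKEY_LOCAL_MACHINE\n"
    "\t\tARGUMENT: lpSubKey -> Software\\Policies\\Microsoft\\Windows\\System\n"
    "\tCALL: 20110920205318.347, CreateMutexW, Status: SUCCESS, Return Value: 0x0000009c\n"
    "\t\tARGUMENT: lpName -> (null)\n"
)

PROCESS_RE = re.compile(r"^PROCESS: (\d+) - (.+)$")
# Return Value may be empty on FAILURE lines, hence the optional space and \S*.
CALL_RE = re.compile(r"^\s*CALL: (\S+), (\w+), Status: (\w+), Return Value: ?(\S*)\s*$")
ARG_RE = re.compile(r"^\s*ARGUMENT: (\w+) -> (.*?)\s*$")


def parse_report(text):
    """Return one dict per CALL line, carrying its owning process and ARGUMENT lines."""
    calls, pid, image = [], None, None
    for line in text.splitlines():
        if m := PROCESS_RE.match(line):
            pid, image = int(m.group(1)), m.group(2)
        elif m := CALL_RE.match(line):
            calls.append({"pid": pid, "image": image, "timestamp": m.group(1),
                          "api": m.group(2), "status": m.group(3),
                          "retval": m.group(4), "args": {}})
        elif m := ARG_RE.match(line):
            if not calls:
                raise ValueError("ARGUMENT line before any CALL: %r" % line)
            calls[-1]["args"][m.group(1)] = m.group(2)
    return calls


def summarize(calls):
    """Count calls per API name and list every registry key the sample tried to open."""
    reg_keys = []
    for c in calls:
        if c["api"].startswith("RegOpenKey") and "lpSubKey" in c["args"]:
            full = c["args"].get("hKey", "?") + "\\" + c["args"]["lpSubKey"]
            reg_keys.append((full, c["status"]))
    return {"api_counts": dict(Counter(c["api"] for c in calls)),
            "registry_keys": reg_keys}


if __name__ == "__main__":
    for key, status in summarize(parse_report(SAMPLE_REPORT))["registry_keys"]:
        print(status, key)
```

Run it against analysis/<id>/report.txt instead of SAMPLE_REPORT to get the same summary for a real analysis; the same loop can be extended to the logs/<pid>.csv files once their column layout is known.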