2014-12-11

Extending Cuckoo Framework

As previously published in Automating Malware Analysis with Cuckoo [1], we demonstrated how to install the Cuckoo Sandbox malware analysis system and covered its basic usage. In short, this framework allows automated analysis of malicious specimens within a controlled environment. In this article we describe some of the advanced features that extend the platform's capabilities and demonstrate how to tie all of this analysis together into a single report.

Introduction

Cuckoo Sandbox is an application that provides a virtual sandbox for the automatic analysis of malware specimens. Originally developed by Claudio Guarnieri for the Google Summer of Code, the project became so popular that it is now a mainstay of the Honeynet Project, a leading international research institution with a special focus on malware. The platform allows for the automatic capture and advanced analysis of dangerous strains of malware in a contained environment [2]. If you haven't installed it previously, or don't have a working copy of Cuckoo, please refer to the reference section to prepare your system [1].

Being written entirely in Python, the framework is extremely powerful and flexible. It can be installed on almost any operating system, and thanks to its open-source roots it can be customized to fit any individual or organizational need. These customizations come in the form of processing modules, signatures and reporting modules.

Processing Modules

Cuckoo’s processing modules are Python scripts that let you define custom ways to analyze the raw results generated by the sandbox and append some information to a global container that will be later used by the signatures and the reporting modules [3].

The currently available default processing modules are:

AnalysisInfo (modules/processing/analysisinfo.py) – generates some basic information on the current analysis, such as timestamps, the version of Cuckoo and so on.

BehaviorAnalysis (modules/processing/behavior.py) – parses the raw behavioral logs and performs some initial transformations and interpretations, including the complete process tracing, a behavioral summary and a process tree.

Debug (modules/processing/debug.py) – includes errors and the analysis.log generated by the analyzer.

Dropped (modules/processing/dropped.py) – includes information on the files dropped by the malware and dumped by Cuckoo.

NetworkAnalysis (modules/processing/network.py) – parses the PCAP file and extracts some network information, such as DNS traffic, domains, IPs, HTTP requests, IRC and SMTP traffic.

StaticAnalysis (modules/processing/static.py) – performs some static analysis of PE32 files.

Strings (modules/processing/static.py) – extracts strings from the analyzed binary.

TargetInfo (modules/processing/targetinfo.py) – includes information on the analyzed file, such as hashes.

VirusTotal (modules/processing/virustotal.py) – looks up VirusTotal.com for AntiVirus signatures of the analyzed file.

Signatures

With Cuckoo you are able to create customized signatures that run against the analysis results in order to identify predefined patterns that might represent a particular malicious behavior or an indicator you're interested in. These signatures are very useful for giving context to the analyses: they simplify the interpretation of the results and automatically identify malware samples of interest [4].

An open repository exists for individual contributors to upload custom signatures that enhance the platform, located on GitHub (https://github.com/cuckoobox/community). Cuckoo provides a mechanism to download new updates submitted to this repository through a script located in "/opt/cuckoo/utils".

The arguments of this script worth noting are "-a", "-f" and "-w", which download everything, force the installation, and rewrite existing files, respectively.



Figure 1 – community.py update script

Writing custom signatures is also supported. Xavier demonstrates this perfectly in a blog post showing how to cross-reference whether your malware specimen communicated with a URL known to malwaredomain.com [5].

To install a custom signature, copy or create the signature file in the "/opt/cuckoo/modules/signatures" directory. A new signature won't be loaded until the framework is restarted.
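To make the two extension points above concrete, here is an added example (not Cuckoo's own code nor from the community repository): a custom processing module that hashes the files Cuckoo dumped for a task and stores them under a new key in the global container, plus a signature in the spirit of Xavier's post that cross-references the resolved domains in the network section against a local blocklist. It assumes the Cuckoo 1.x base classes `Processing` and `Signature` from `lib.cuckoo.common.abstracts` (available when the files live under `modules/processing` and `modules/signatures`); the tiny fallback classes, the `BLOCKLIST` set, and the sample data in `demo()` are constructed here so the logic can run outside a Cuckoo checkout.

```python
import hashlib
import os
import shutil
import tempfile

try:
    # Real base classes when this file lives under a Cuckoo 1.x checkout.
    from lib.cuckoo.common.abstracts import Processing, Signature
except ImportError:
    # Stand-ins so the logic runs outside Cuckoo (assumption: they mirror only
    # the attributes used below, not the full framework API).
    class Processing(object):
        def set_path(self, analysis_path):
            self.analysis_path = analysis_path
            self.dropped_path = os.path.join(analysis_path, "files")

    class Signature(object):
        def __init__(self, results=None):
            self.results = results
            self.data = []


def hash_dropped_files(dropped_path):
    """Return [{name, size, sha256}] for every file Cuckoo dumped, sorted by name."""
    entries = []
    for root, _dirs, names in os.walk(dropped_path):
        for name in names:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            entries.append({"name": name, "size": os.path.getsize(path),
                            "sha256": digest})
    return sorted(entries, key=lambda e: e["name"])


class DroppedHashes(Processing):
    """Processing module: fills results["dropped_hashes"] in the global container."""

    def run(self):
        self.key = "dropped_hashes"  # key under which Cuckoo stores the return value
        return hash_dropped_files(self.dropped_path)


# Constructed blocklist standing in for a downloaded domain feed (assumption).
BLOCKLIST = {"evil.example", "c2.example"}


def contacted_blocked_domains(results, blocklist=BLOCKLIST):
    """Match results["network"]["domains"] (list of {domain, ip}) against a blocklist."""
    hits = []
    for entry in results.get("network", {}).get("domains", []):
        domain = entry.get("domain", "").lower().rstrip(".")
        if domain in blocklist or any(domain.endswith("." + b) for b in blocklist):
            hits.append(entry)
    return hits


class DroppedAndBlockedDomain(Signature):
    """Signature: fires when files were dropped and a blocklisted domain was resolved."""
    name = "dropped_and_blocked_domain"
    description = "Drops files to disk and resolves a blocklisted domain"
    severity = 3
    categories = ["network", "generic"]
    authors = ["example author"]
    minimum = "1.0"

    def run(self):
        dropped = self.results.get("dropped_hashes", [])
        hits = contacted_blocked_domains(self.results)
        if not dropped or not hits:
            return False
        for entry in hits:
            # self.data is shown in the report under the matched signature
            self.data.append({"domain": entry["domain"], "ip": entry.get("ip")})
        return True


def demo():
    """Run module and signature over constructed data; return (entries, matched, data)."""
    workdir = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(workdir, "files"))
        with open(os.path.join(workdir, "files", "payload.dll"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)  # constructed 64-byte stand-in, not a real PE
        results = {"network": {"domains": [
            {"domain": "update.c2.example", "ip": "203.0.113.7"},
            {"domain": "www.example.org", "ip": "203.0.113.8"}]}}
        module = DroppedHashes()
        module.set_path(workdir)
        entries = module.run()
        results[module.key] = entries  # what Cuckoo's processing loop does with run()'s result
        sig = DroppedAndBlockedDomain(results)
        matched = sig.run()
        return entries, matched, sig.data
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Inside Cuckoo the framework calls `set_path()` and `run()` itself and stores the module's return value under `self.key`; the signature then reads that key from `self.results`, which is why the module must run first (processing modules run before signatures, so no ordering tweak is needed). Note that the blocklist match is case-insensitive and covers subdomains, and that the signature deliberately stays silent when nothing was dropped, so a plain DNS lookup of a listed domain does not trigger it on its own.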

Yara

Another powerful feature of Cuckoo is the ability to utilize the YARA framework. YARA is a tool aimed at helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families. Each description consists of a set of strings and a Boolean expression, which determines its logic [6].

Large communities of malware researchers are constantly creating signatures to identify and combat malware strains, and because the framework is open source you can also create your own. A great starting resource for finding YARA signatures is deependresearch.org [7], which contains numerous links to research on this platform. Another good site is AlienVault [8], who created a YARA signature to detect activity from malware communicating with the APT1 domains previously identified by Mandiant [9].

When downloading or creating new YARA signatures, make sure they are placed in the "/opt/cuckoo/data/yara" directory.



Figure 2 – yara signatures

Reporting Modules

After the raw analysis results have been processed and abstracted by the processing modules and the global container has been generated, Cuckoo passes it to all available reporting modules, each of which makes use of it and renders it in a different consumable format [10].
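As an added example of that last step (not Cuckoo's own code), here is a reporting module that reduces the global container to a short plain-text summary, the kind of single report the article sets out to build. It assumes the Cuckoo 1.x `Report` base class and `CuckooReportError` exception (the module would live in `modules/reporting/` and be enabled in `conf/reporting.conf`); the fallback definitions and the container returned by `demo_results()` are constructed here so the rendering can run outside Cuckoo.

```python
import os

try:
    # Real base class and exception when placed under modules/reporting/ in Cuckoo 1.x.
    from lib.cuckoo.common.abstracts import Report
    from lib.cuckoo.common.exceptions import CuckooReportError
except ImportError:
    # Stand-ins for running outside Cuckoo (assumption: only what is used below).
    class Report(object):
        def __init__(self):
            self.reports_path = ""
            self.options = {}

    class CuckooReportError(Exception):
        pass


def render_summary(results):
    """Turn the global container into a short plain-text summary."""
    info = results.get("info", {})
    target = results.get("target", {}).get("file", {})
    lines = [
        "Cuckoo analysis %s" % info.get("id", "?"),
        "Target: %s" % target.get("name", "?"),
        "  md5:    %s" % target.get("md5", "?"),
        "  sha256: %s" % target.get("sha256", "?"),
        "",
    ]
    # Highest severity first so the most interesting matches lead the report.
    sigs = sorted(results.get("signatures", []), key=lambda s: -s.get("severity", 0))
    lines.append("Signatures (%d):" % len(sigs))
    for sig in sigs:
        lines.append("  [%d] %s: %s" % (sig.get("severity", 0),
                                        sig.get("name"), sig.get("description")))
    net = results.get("network", {})
    # Cuckoo 1.x lists hosts as IP strings; later versions use dicts, so accept both.
    hosts = [h.get("ip") if isinstance(h, dict) else h for h in net.get("hosts", [])]
    domains = [d.get("domain") for d in net.get("domains", [])]
    lines.append("")
    lines.append("Hosts contacted: %s" % (", ".join(hosts) or "none"))
    lines.append("Domains resolved: %s" % (", ".join(domains) or "none"))
    lines.append("Dropped files: %d" % len(results.get("dropped", [])))
    return "\n".join(lines) + "\n"


class SummaryReport(Report):
    """Reporting module: writes summary.txt next to Cuckoo's other reports."""

    def run(self, results):
        try:
            with open(os.path.join(self.reports_path, "summary.txt"), "w") as fh:
                fh.write(render_summary(results))
        except (TypeError, IOError) as e:
            raise CuckooReportError("Failed to write summary report: %s" % e)


def demo_results():
    """Constructed global container with the shape the processing modules produce."""
    return {
        "info": {"id": 42, "version": "1.2"},
        "target": {"category": "file", "file": {
            "name": "sample.exe", "md5": "0" * 32, "sha256": "0" * 64}},  # placeholder hashes
        "signatures": [
            {"name": "creates_exe", "description": "Creates a Windows executable",
             "severity": 2, "data": []},
            {"name": "dropped_and_blocked_domain",
             "description": "Drops files and resolves a blocklisted domain",
             "severity": 3, "data": [{"domain": "update.c2.example"}]},
        ],
        "network": {"hosts": ["203.0.113.7"],
                    "domains": [{"domain": "update.c2.example", "ip": "203.0.113.7"}]},
        "dropped": [{"name": "payload.dll"}],
    }


if __name__ == "__main__":
    print(render_summary(demo_results()))
```

Every lookup uses `.get()` with a default because a disabled or failed processing module simply leaves its key out of the container; a reporting module that assumes the key exists would abort the whole reporting stage for that task. Raising `CuckooReportError` on I/O failure is the convention the built-in modules follow, so the error is logged per task rather than crashing the process.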
