Customizing “Cuckoo Sandbox”

(Please note this post was originally published in the Spanish version of Security Art Work last 19th Nov 2012)

As many of our readers will already know Cuckoo Sandbox is an application for the automatic analysis of malware. The installation process in the current version of the sandbox is quite simple and has been described by other blogs in a very detailed manner. Once we have already installed sandbox, it will give us reports, such as the ones found in the malware analysis service hosted on Malwr, about the behavior of the malware, on the imported APIs, the results from virustotal, packer used, etc.

In this post I would like to emphasize the “real power”, from my humble point of view, of this sandbox, power that lies in the modular design that have made its developers and in the simplicity to develop modules for the automatic analysis of malware, making it a highly customizable Sandbox.

The design includes the following types of modules:

  • Machine Managers: modules to interact with the virtualization software, mainly vmware and virtualbox.
  • Analysis Packages: modules to deal with the different types of packages (packages: exe, bin, pdf, etc.).
  • Process Modules: modules that define the actions that are launched on the results (pcap, etc.) collected during the phase of analysis and execution of the malware.
  • Signature Modules: modules to define signatures to be applied on the final results (“Process Modules“) of the previous phases.
  • Reporting Modules: modules to display results.

As we can see, the range of actions is very broad; we can add support for a new hypervisor (for example, we could add support to simulate Android) or to define how we want the information be displayed in our control panel with the design of a reporting module.

As I see it, the application design allows fast and easy writing of modules (at least signatures that has been what I have tried). Below I show two examples created quickly that have been added to the project (you can download all the signatures of the community with the “utils/” utility):

  • CreateRemoteThread: detects code injections with CreateRemoteThread.
  • BOT Ruskill Mutex: detects a mutex of the bot Ruskill by what we have seen in different samples executed in the Sandbox.

As you can see the power of customization it is very high and if Cuckoo roots in the community, will be a very serious alternative for automatic analysis of malware.