Cuckoo is an automated dynamic malware analysis platform which allows for the analysis of submitted artefacts within a range of custom configured guest operating systems.
Analysis environments may be created for Windows, Linux, MacOS and Android, with all manner of filetypes able to be analyzed through the Cuckoo platform. Including, executables, office documents, pdf files, emails, and even hands-on execution of malware with network connections able to be routed through Tor.
The Cuckoo platform allows for the capture of memory (using Volatility), and even captures API executions through the guest virtual machine. The resultant capture is then analyzed through Cuckoo’s utilities, with summarized reports generated in addition to detail reporting.
Cuckoo operates as a virtual machine within the Cuckoo host operating system. The host operates on a Linux OS, with the analysis VMs being segregated from the host using VirtualBox and network profiles assigned which control how network connectivity is presented to the analysis VM.
Ordinarily, the analysis is presented a virtual network interface (vboxnet0) with routes added to provide connectivity between the vboxnet0 subnet and the external interface to the Internet. However this can also be adapted to only allow connection through a Tor circuit (further obfuscating the source of network traffic and potentially not disclosing the operation of the Cuckoo platform).
There are however other things which can disclose the operation of a sandbox, and these are referred to as traces by the developers of Cuckoo. These traces should be reduced so far a possible to reduce the likelihood of a piece of sandbox-evading malware from detecting the environment and preventing analysis of the sample.
Some malware is also able to detect the absence of normal usage within the Analysis VM, which may also give away the presence of an analysis environment. There are strategies in configuring your environment which can assist in reducing the likelihood of this causing a detection by the malware.
What can Cuckoo achieve?
Dynamic malware analysis is the analyses of artefacts for malicious content by executing said artefact within a controlled environment. Telemetry is captured within that controlled environment for processing and analysis and then conversion into an intelligence report.
Functions performed by Cuckoo include capturing of trace calls performed by processes, file captures and activity, memory dumps, and network captures.
Traces of calls performed by all processes spawned by a sample
Traces generated by a sample are captured within Cuckoo, with behavioral analysis applied post-execution to determine if the sample is performing an action which could be considered suspicious or malicious.
Files being created, deleted, modified, and downloaded by a sample
Files which the sample touches within the Analysis VM are captured and extracted to the Cuckoo host and further analyzed by a selection of utilities (including Yara). These results are incorporated into the detailed report generated at the end of the Cuckoo analysis task.
Memory dumps of a sample
Memory generated by processes are captured within the analysis VM and then presented to the Cuckoo analysis platform. Volatility is then run over these memory dumps to find interesting items within the sample for incorporation into the detailed report.
Network traffic captured in PCAP format
Network traffic generated within the Analysis VM is captured with TCP Dump and then presented to Cuckoo for further analysis, and lookups to configured external services (e.g. VirusTotal and MISP) for threat detection.
Screenshots of the Analysis VM during analysis
Screenshots from within the Analysis VM are captured wherever significant activity occurs within the Analysis VM, and are timestamped within the technical analysis. This creates a type of timeline within the execution time of the analysis and records what visual changes occur through an analysis.
Complete memory dumps of the Analysis VM
Lastly, a complete memory dump is captured by the Cuckoo platform of the Analysis VM for complete analysis and reporting. This memory dump can take some time to capture and analyze, so system resources for this analysis need to be considered.