A Cuckoo Sandbox is an open-source tool that can be used to automatically analyze malware.
Imagine, it’s 2 am in the Security Operations Center (SOC) and an alert has triggered on a key server within the organization, the alert is rather vague but is reporting that the file is potentially malware. The hash of the file isn’t on VirusTotal and the SOC analyst cannot find any information on the Internet to determine if the file is malicious or not.
SOC analysts have a broad knowledge of cybersecurity matters and may not have the skills to perform ad-hoc malware analysis on the file. Because this alert fired in the early hours of the morning, the analyst may also be reluctant to call out the Computer Emergency Response Team (CERT) to perform malware analysis with the limited information available to them at this point.
This is where a Cuckoo Sandbox can help. By submitting the file to the sandbox, the malware is run and any relevant Indicators of Compromise (IOCs) are pulled out, such as network connections, use of suspicious Application Programming Interface (API) calls, and files created on disk. The SOC can then use these to determine whether the file warrants raising a security incident or can be confidently closed as a false positive.
This article will cover what a Cuckoo Sandbox is, how it works, and explain the value of the output that is generated from the automated analysis.
This article will cover the following topics:
- What is a Cuckoo Sandbox?
- The basic structure of Cuckoo
- Why you should use a Cuckoo Sandbox
- Outline what is generated within a Cuckoo Report
What is a Cuckoo Sandbox?
A Cuckoo Sandbox is a tool that is used to launch malware in a secure and isolated environment; the idea is that the sandbox fools the malware into thinking it has infected a genuine host.
The sandbox will then record the activity of the malware and then generate a report on what the malware has attempted to do while in this secure environment.
These are great for security teams and malware analysts as they can be used to quickly gather IOCs, which may be required for a security incident or serve as a starting point for a piece of intel. Cuckoo gives you quick and detailed information on how the malware is likely to behave.
Most commercial malware sandboxes are expensive, such as McAfee’s enterprise version called Artemis. However Cuckoo is open source and free to download, and from my experience, the resulting output is almost identical.
Even though Cuckoo is free to download, it can be quite complicated and time-consuming to set up for the first time, because Cuckoo requires a number of dependencies. However, once in place, it is an incredibly useful tool.
Once set up, Cuckoo is able to analyze many different malicious files (executables, office documents, pdf files, emails, malicious scripts) as well as malicious websites.
Basic Structure of Cuckoo
A Cuckoo sandbox is made up of 2 devices: primarily a Linux Ubuntu host, which then contains a nested Windows 7 machine.
The Ubuntu host has the main Cuckoo package installed on it, which is Python based, along with a number of dependencies that are configured to make use of Cuckoo's modular features.
On the Ubuntu host, VirtualBox is installed and a Windows 7 guest is built. The Windows 7 machine has a Cuckoo agent installed on it which allows the two machines to talk to each other.
On the host machine, a piece of malware can then be submitted to the guest machine using either the Linux command line or the Cuckoo web-based GUI. Once submitted, the Windows guest detonates the malware and the malware runs on this machine. During this time the activity of the malware is captured; once the analysis is complete, this data is fed back to the Ubuntu host and a detailed report is generated.
When building the Windows guest I have always used VirtualBox, however, the developers have also made Cuckoo compatible with KVM, VMware Workstation, and XenServer.
The Cuckoo backend is run via the Linux command line. I tend to use Terminator as my terminal emulator for Cuckoo as this allows me to split the display into four separate screens.
The above image shows the four displays used to run Cuckoo, each window is used for a different purpose.
- Top Left – This is used to run the command ‘sudo cuckoo rooter’. The ‘rooter’ command allows Cuckoo to run a limited number of commands with ‘root’ privileges.
- Top Right – This is used to run the command ‘cuckoo’, this starts the Cuckoo sandbox.
- Bottom Left – This is used to run the command ‘cuckoo web runserver’, this starts the Cuckoo web GUI.
- Bottom Right – This is used to run the command ‘cuckoo submit <filename>’, this is used to submit files to the Cuckoo sandbox for analysis.
Once the webserver has been started, the Cuckoo dashboard can be accessed by opening up a web browser and navigating to localhost:8000.
The above image shows the Cuckoo dashboard that can be accessed using the web server functionality.
This dashboard provides the following information:
- Cuckoo Installation – Version details of installed Cuckoo instance and any available updates.
- Usage Statistics – Number of samples submitted to the sandbox and their current status.
- File Submission – The dashboard can also be used as an alternative to the Linux command line for submitting samples, hashes, and URLs to the sandbox.
- System Info – Information such as free disk space, CPU load, and memory usage is displayed along with a graphical representation.
- Recent Analyses – Scrolling down the dashboard, the image below shows some basic information regarding recently submitted files such as submission number, date, filename, and score given to the sample by Cuckoo.
Clicking on one of the analyzed files listed above then brings up a detailed report for that file.
Why Should I Use Cuckoo Sandbox?
Quite simply, it’s an easy way to triage malware! If you work in security and are dealing with a malware incident, use a Cuckoo sandbox to quickly pull out IOCs and feed these back to the SOC and Incident Management.
Your organization may not yet have experienced malware analysts in place who know the latest tools and techniques for analyzing malware.
If you work in incident response then you know the importance of quickly gathering evidence that can be used to identify compromised hosts and put blocks in place. Cuckoo is a great weapon to have in your blue team arsenal.
If you’re making your first steps into analyzing malware then Cuckoo will help you identify malicious artifacts and level up your knowledge of malware.
As a malware researcher, Cuckoo is great to use alongside your own analysis. If the malware isn’t running in your malware lab, then maybe the malware has detected that it is running within a VM. Running the malware in Cuckoo and checking the API calls can help you identify what checks the malware is performing as part of its anti-analysis routine.
Example Cuckoo Report
Using the dashboard it is possible to open individual reports on malware that have been submitted to Cuckoo. In the example below I will cover some of the sections of the report and the information that is included.
In the image below, the Summary page is displayed. This contains information that would usually be identified from performing static analysis such as file sizes and hashes.
On the right-hand side is a score that has been assigned to the file based on how malicious it is deemed from the sandbox analysis. This ranges from zero, meaning the file is benign, increasing to ten the more malicious the file is.
Cuckoo also provides details of when the analysis was conducted, how long it took, and what type of routing was used. In the image below you can see that my sandbox is configured to route traffic via TOR. This has been done so that the source IP of my sandbox isn’t revealed when it communicates with the bad guys’ infrastructure.
This is something I would highly recommend. Also, if you are dealing with a piece of malware that you feel may have been created to target your organization, then I strongly suggest disabling network connectivity. The last thing you want is the bad guys being tipped off that you have found their malware and evidence that you are on to them.
The signatures are color-coded either blue, yellow, or red. Blue indicates the signature could be potentially benign, yellow is medium risk and the red signatures are where Cuckoo has identified strong evidence of malicious activity such as IP addresses and keylogging activity.
At the foot of the summary page, Cuckoo provides a list of screenshots taken from the Guest device that was infected with malware, this may be useful for analyzing a piece of Ransomware as Ransom messages will often be displayed.
Cuckoo then lists any domains and IP addresses that have been identified, this is really useful information as the IPs in the image below could be used to identify other compromised hosts within an organization. Proactive blocks can also be put in place to prevent any other hosts from communicating with these malicious IP addresses.
The Static Analysis page of the report pulls out information that is often identified using tools such as PEStudio, this includes information such as the sections of the executable and any identified resources.
A list of DLLs and the APIs imported by the malware are also recorded. This is useful if a piece of malware has been unpacked and is being reverse engineered using a tool such as x64dbg. A malware analyst will often check the imports to see if any are being used for malicious purposes; for example, the presence of the API ‘CryptEncrypt’ may indicate that the malware is encrypting data on the device or perhaps decrypting some data. This API can then be used as a starting point for investigating that activity in x64dbg or IDA.
The Behavioural Analysis page records information from when the malware was running on the Guest device. The image below shows the processes that have been created by the malware; in this example, the malware has created a child process of itself. This is a common technique used by malware to unpack itself, known as ‘process injection’, where the newly created process is hollowed out and the unpacked malware is then ‘injected’ into the empty process.
By clicking on the different processes Cuckoo will list what API has been run by the malware. Being able to check what imported functionality is being used and see if any information is being returned is especially useful.
The Network Analysis tab provides different sub-tabs to filter on various network traffic protocols. In the image below the report lists the IP addresses that were provided on the summary page. However, the sub-tabs on the page allow the user to filter on DNS, TCP, UDP, HTTP, ICMP, and IRC traffic if it has been generated by the malware. Cuckoo also allows the analyst to download the PCAP from this page.
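Added example (not part of the original article or of the Cuckoo project): a Python script that reduces a Cuckoo report to the SOC-facing facts covered in the sections above, namely the score, the red-coded signatures, the IPs and domains to block, and imports such as ‘CryptEncrypt’ worth chasing in a debugger. The report layout (the info/signatures/network/static keys of a Cuckoo 2.x report.json), the severity-to-colour mapping, the import watchlist and the escalation threshold are assumptions, and the sample report is constructed.

```python
import json

# Severity-to-colour mapping the Cuckoo 2.x web UI uses for signatures (assumption).
SEVERITY_COLOUR = {1: "blue", 2: "yellow", 3: "red"}
# Hypothetical watchlist of imports worth a second look in x64dbg/IDA.
SUSPICIOUS_IMPORTS = {"CryptEncrypt", "CryptDecrypt", "WriteProcessMemory",
                      "CreateRemoteThread", "SetWindowsHookExA"}
ESCALATE_SCORE = 5.0  # hypothetical threshold on Cuckoo's 0-10 score

# Constructed sample that mimics the layout of a Cuckoo 2.x report.json (assumption).
SAMPLE_REPORT = json.loads("""{
  "info": {"score": 8.2, "route": "tor", "duration": 121},
  "target": {"file": {"name": "invoice.exe", "sha256": "<placeholder-sha256>"}},
  "signatures": [
    {"name": "antivm_generic_disk", "severity": 2, "description": "Queries disk information"},
    {"name": "injection_runpe", "severity": 3, "description": "Hollows out a child process"},
    {"name": "pe_features", "severity": 1, "description": "PE file has resources"}
  ],
  "network": {
    "hosts": ["203.0.113.10", "198.51.100.7"],
    "domains": [{"domain": "c2.example.invalid", "ip": "203.0.113.10"}]
  },
  "static": {"pe_imports": [
    {"dll": "ADVAPI32.dll", "imports": [{"name": "CryptEncrypt"}, {"name": "RegOpenKeyA"}]},
    {"dll": "KERNEL32.dll", "imports": [{"name": "WriteProcessMemory"}, {"name": "Sleep"}]}
  ]}
}""")


def triage(report):
    """Reduce a Cuckoo report to the facts a SOC needs: verdict, blocks, red flags."""
    info, net, static = (report.get(k, {}) for k in ("info", "network", "static"))
    score = float(info.get("score", 0.0))
    # Colour each signature the way the dashboard does and keep only the red ones.
    red = [s["name"] for s in report.get("signatures", [])
           if SEVERITY_COLOUR.get(s.get("severity", 1), "blue") == "red"]
    # Network IOCs: contacted hosts plus resolved domains, ready for a blocklist.
    hosts = set(net.get("hosts", [])) | {d["ip"] for d in net.get("domains", []) if d.get("ip")}
    domains = {d["domain"] for d in net.get("domains", [])}
    # Imports on the watchlist, keyed by DLL so they are easy to locate in a debugger.
    flagged = sorted(f"{m['dll']}!{i['name']}" for m in static.get("pe_imports", [])
                     for i in m.get("imports", []) if i.get("name") in SUSPICIOUS_IMPORTS)
    return {
        "verdict": "escalate" if score >= ESCALATE_SCORE or red else "review",
        "score": score, "route": info.get("route", "none"),
        "red_signatures": red, "block_hosts": sorted(hosts),
        "block_domains": sorted(domains), "flagged_imports": flagged,
    }
```

Run `print(json.dumps(triage(SAMPLE_REPORT), indent=2))` to see the summary; point the same function at a real report.json to produce a blocklist for the SOC.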
This article should hopefully have given you a good understanding of what a Cuckoo Sandbox is and how useful it can be when responding to a malware-related security incident or to assist with a piece of research relating to malware.