Cuckoo Sandbox approaching 1.0

Blog Post created by nex on Jun 21, 2013

Somewhere around one year ago Cuckoo Sandbox was named one of the winners of the first round of sponsorship through the Magnificent7 program. Since then the project has progressed and grown up quickly: when we started the program we were somewhere around release 0.3, and as of now we are developing what will hopefully become version 1.0!

The improvements are too many to count. We heavily restructured the project for version 0.4 and expanded our development team along the way, considerably increasing the number of features incorporated in the following 0.5 and the most recent 0.6.

Following are some numbers to sum up our work:

  • In the last year we published 6 releases.
  • We grew the core development team to 4 members, plus a growing number of active contributors.
  • We are counting somewhere around 60000 lines of code and 2000 commits.
  • In the last 8 months Cuckoo was downloaded more than 12000 times.


Now that our participation in the Magnificent7 program is coming to a conclusion, I'm glad to confirm that we met all our milestones! Cuckoo Sandbox largely exceeded my expectations, both in terms of the features implemented and in the growth and participation of a loving community of malware analysts, forensic investigators, security professionals and students. I couldn't be prouder to see it grow into one of the tools of choice for malware analysis.

Before proceeding to showcase some of the upcoming features, let me thank my co-developers Alessandro Tanasi, Jurriaan Bremer and Mark Schloesser, all our contributors, and the whole community hanging out on the mailing list and IRC channel.

Let's get to the juice now.


If you are already a Cuckoo Sandbox user, you might be familiar with our web.py utility, which provides a very hacky webserver that lets you browse through the HTML reports. That utility was originally conceived as a temporary solution to fill the gap while waiting for a proper web interface to complement the sandbox.

One of the milestones that we set for Magnificent7 was to develop such a web interface, and I'm happy to announce that it's finally happening!

We started the development of this interface quite a long time ago, but it has been constantly delayed as we prioritized other features that we considered more significant. However, the time has come and we're ready to preview some screenshots of what Cuckoo's web interface is going to look like:

[Screenshot: submit.png]

This is the page where you can easily submit either files or URLs and specify all options supported by Cuckoo that you would normally provide either through the submit.py utility or the API server.


[Screenshot: behavior.png]

When an analysis task is completed you will be presented with a report. In the screenshot above you can see the page containing the details of the Behavioral Analysis performed on the malware, in this case a PoisonIvy sample.

If you're familiar with Malwr.com, a public online Cuckoo Sandbox setup, you can see some clear resemblance: Malwr is in fact a variant of the interface that will soon be available to the public! Open source, obviously.


Let's face it: malware analysis has become so profitable that there's a lack of consistent, long-running open source solutions, at least compared to other branches of IT security. We like to believe that we're helping to change this, and that luckily we're not alone!

One of the strongholds of the digital forensics community is the popular Volatility Project, the reigning king of memory analysis tools. Volatility is developed by some of the most respected forensics experts in the community and is an absolute must in the arsenal of a malware analyst.

We love it: it's easy to use, written in Python and open source!


Thanks to the work of our contributor Thorsten Sick, the upcoming release will be able to automatically analyze the memory image by leveraging the great library provided by Volatility, obtaining:

  • List of processes.
  • List of services.
  • List of kernel modules.
  • Hidden and injected code.
  • List of handles.
  • List of DLLs.
  • Many other sweet things provided by Volatility.


While it's not complete yet, we're incorporating the results of this additional analysis in the web interface as well:

[Screenshot: memory.png]

There is also more great news!
We'll be participating in BlackHat US 2013, where we will be giving a two-hour workshop on using, customizing and hacking on Cuckoo Sandbox! Mark, Jurriaan and I will be there and hopefully provide good content for both novice and experienced Cuckoo users. As we believe that Cuckoo Sandbox is the result not just of our work, but of contributions from the whole community, we also want to showcase the most impressive modules, customizations and integrations that you have created! If you want us to bring your contribution to Las Vegas, get in contact with us.

[Image: blackhat.jpg]

Look out for the updated schedule on BlackHat's website to find the slot allocated to our session, or alternatively look for us at the Rapid7 booth in the exhibition area!