
Malware is a contraction of malicious software: any piece of software written with the intent of doing harm to data, devices or people. Viruses, worms, Trojans, botnets and ransomware are some examples of malicious software. There are various methods to prevent malware, to detect it, and to respond when it is found on a system; if you see a suspicious file or program on your system, you run scans to detect it. Malware is difficult to detect, and defensive mechanisms often fail because signature-based security products only recognize samples whose signatures are already known. Malware analysis is the set of techniques and tools used to learn how a sample functions and what repercussions it could have. Its results are used in academic and industry research and provide vital input for building malware detection and prevention systems. This report discusses in detail an automated malware analysis tool called Cuckoo Sandbox.
Cuckoo Sandbox describes itself as the leading open source automated malware analysis system; it automates the task of analyzing any suspicious file under Windows, macOS, Linux and Android guests.
Cuckoo Sandbox is an advanced, extremely modular, open source automated malware analysis system. Development started in 2010 with a core team of just four developers, and Cuckoo has grown popular over the years with researchers and cyber security experts, mostly because the whole analysis process is automated: you submit a suspicious file, Cuckoo runs it on a configured guest VM, and it produces a complete, detailed report within minutes. It has also been popular for academic use because it is easy to use and understand once the setup and initial configuration are done carefully. Cuckoo Sandbox can be expensive if dedicated hardware is used to analyze large volumes of samples.
Working

Cuckoo Sandbox has two components. The first is the core component, the Cuckoo daemon, which runs on the host machine (Ubuntu 16.04 in this case). It is responsible for managing the guest virtual machines, scheduling analysis tasks, collecting results and keeping everything on track. The second component is the analyzer. It runs inside the guest machine, emulates human actions on the guest VM, and sets up the sandboxed environment in which the sample is executed while its behaviour is monitored. When a sample is submitted through the web interface (or the command line) on the host, the daemon restores the guest to a clean snapshot, starts it, and invokes the analyzer, which executes the sample. When the analysis finishes, the results are sent back to the host, the guest is powered off, and the host processes the results into a report. Because the guest is restored from the same snapshot for every task, each sample runs in a pristine environment and nothing from a previous run carries over.
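To make the host-side flow concrete, here is an added Python example (not code from this report or from the Cuckoo project) that drives the same submission through Cuckoo's REST API (started on the host with `cuckoo api`, which listens on http://127.0.0.1:8090 by default) instead of the web form. It assumes the Cuckoo 2.x endpoints POST /tasks/create/file, GET /tasks/view/<id> and GET /tasks/report/<id>/json, and an optional bearer token if api_token is set in cuckoo.conf; the HTTP transport and the sleep function are injectable so the submit-and-poll logic can be exercised without a running Cuckoo host.

```python
"""Submit a sample to Cuckoo over its REST API and wait for the report.

Added example, not code from the page or from the Cuckoo project. Assumed:
`cuckoo api` is listening at http://127.0.0.1:8090 (the default) and exposes
POST /tasks/create/file, GET /tasks/view/<id> and GET /tasks/report/<id>/json.
The HTTP transport (`opener`) and the sleep function are injectable so the
submit-and-poll logic can be exercised without a live Cuckoo host.
"""
import json
import sys
import time
import urllib.request
import uuid

# States the daemon leaves a task in when something went wrong; anything
# other than these and "reported" is still in flight.
TERMINAL_FAILURES = ("failed_analysis", "failed_processing", "failed_reporting")


def encode_multipart(fields, filename, data):
    """Build a multipart/form-data body with the sample in the `file` part."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
             f'\r\n\r\n{value}\r\n').encode()
        )
    parts.append(
        (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
         f'filename="{filename}"\r\nContent-Type: application/octet-stream'
         f'\r\n\r\n').encode()
        + data + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


class CuckooClient:
    def __init__(self, base_url="http://127.0.0.1:8090", token=None,
                 opener=None, sleep=time.sleep):
        self.base_url = base_url.rstrip("/")
        self.token = token          # api_token from cuckoo.conf, if one is set
        self._open = opener or self._urllib_open
        self._sleep = sleep

    def _urllib_open(self, method, path, body=None, content_type=None):
        headers = {}
        if content_type:
            headers["Content-Type"] = content_type
        if self.token:
            headers["Authorization"] = f"Bearer {self.token}"
        req = urllib.request.Request(self.base_url + path, data=body,
                                     method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.read()

    def submit_file(self, filename, data, timeout=120, package=None, machine=None):
        """POST the sample; returns the task id the daemon assigned."""
        fields = {"timeout": str(timeout)}
        if package:                 # e.g. "exe", "doc", "pdf"; Cuckoo guesses otherwise
            fields["package"] = package
        if machine:                 # pin the analysis to one configured guest
            fields["machine"] = machine
        body, ctype = encode_multipart(fields, filename, data)
        reply = json.loads(self._open("POST", "/tasks/create/file", body, ctype))
        return int(reply["task_id"])

    def task_status(self, task_id):
        reply = json.loads(self._open("GET", f"/tasks/view/{task_id}"))
        return reply["task"]["status"]

    def wait_for_report(self, task_id, poll_interval=5, max_polls=120):
        """Poll until the host has processed the results, then fetch the JSON report."""
        for _ in range(max_polls):
            status = self.task_status(task_id)
            if status == "reported":
                return json.loads(self._open("GET", f"/tasks/report/{task_id}/json"))
            if status in TERMINAL_FAILURES:
                raise RuntimeError(f"task {task_id} ended in state {status}")
            self._sleep(poll_interval)
        raise TimeoutError(f"task {task_id} not reported after {max_polls} polls")


if __name__ == "__main__":
    path = sys.argv[1]
    with open(path, "rb") as fh:
        sample = fh.read()
    client = CuckooClient()
    tid = client.submit_file(path.rsplit("/", 1)[-1], sample)
    rep = client.wait_for_report(tid)
    print(f"task {tid}: score {rep.get('info', {}).get('score')}")
```

The status sequence pending, running, completed, reported mirrors what the web interface shows while the daemon starts the guest, the analyzer runs the sample, and the host processes the results. A task that lands in failed_analysis usually means the host could not reach the analyzer in the guest at all (wrong guest IP, wrong snapshot, or the agent not running), which is worth checking before blaming the sample.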

The goal of this project was to understand the concept of sandboxing and the working of Cuckoo as an automated malware analysis tool in a sandboxed environment. Milestones included reading through research papers, correctly configuring and installing Cuckoo on the host as well as the guest machine, and finally being able to analyze sample malware using the setup. I was able to find various research papers based on Cuckoo, both academic and industry based, and those papers and the documentation helped me understand the initial concept and working.
During the installation, I hit a bump while configuring the host machine and with the storage in the VM. Since Cuckoo Sandbox works with a snapshot of the guest VM, and each time a snapshot was created it was added instead of replacing the previous one, it kept making new ones and in turn hogging memory space.
The major challenge I encountered while working on Cuckoo Sandbox is that configuring the host machine is a little challenging because it needs to work with a lot of repositories. After configuring the host machine, each time I ran a malware test the host machine spun up a guest VM from a snapshot and created a new one too, which ultimately crashed my setup because it was out of memory.
For future work, I would like to have dedicated memory space for the setup and enough time to understand the concept in more depth. Cuckoo Sandbox is a powerful tool that a lot of organizations use with dedicated hardware to analyze hundreds of suspicious files and malware samples on a daily basis.
This is a sample report as seen on the web interface.
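The web interface renders the same data that Cuckoo writes to report.json in the task's storage directory, and a practitioner usually wants to pull the few fields that decide a verdict out of it rather than read the whole page. The following is an added Python example, not code from this report or from Cuckoo, that triages such a report. The key names (info.score, signatures[].severity, behavior.summary.regkey_written, network.domains and network.hosts, dropped[]) follow the Cuckoo 2.x JSON report layout; SAMPLE_REPORT is a constructed, abbreviated report rather than output from a real analysis, and the 5.0 score threshold and the autorun-key pattern are the example's own assumptions.

```python
"""Triage a Cuckoo report.json the way an analyst reads the web-interface report.

Added example; not part of the original report or of Cuckoo itself. The key
names follow the Cuckoo 2.x JSON report layout. SAMPLE_REPORT is a constructed,
abbreviated report, not output from a real analysis. The score threshold and
the autorun-key regex are assumptions of this example.
"""
import json
import re
import sys

# Registry locations that make a program start with Windows (assumed list).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\b", re.IGNORECASE)
SUSPICIOUS_SCORE = 5.0   # assumed threshold; tune it to your own signature set

# Constructed sample report. Hashes are placeholders; 198.51.100.0/24 and
# example.net are reserved for documentation, so nothing here resolves to
# real infrastructure.
SAMPLE_REPORT = {
    "info": {"id": 7, "score": 6.8, "category": "file", "machine": {"name": "win7x64"}},
    "target": {"category": "file",
               "file": {"name": "invoice.exe", "size": 43008, "sha256": "0" * 64}},
    "signatures": [
        {"name": "antivm_generic_disk", "severity": 1,
         "description": "Queries the disk drive (often used to detect virtual machines)"},
        {"name": "persistence_autorun", "severity": 3,
         "description": "Installs itself for autorun at Windows startup"},
        {"name": "allocates_rwx", "severity": 2,
         "description": "Allocates read-write-execute memory (usually to unpack itself)"},
    ],
    "behavior": {"summary": {
        "file_created": ["C:\\Users\\user\\AppData\\Roaming\\svchost.exe"],
        "regkey_written": [
            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData",
        ],
        "mutex": ["Global\\Updater-3f2a"],
    }},
    "network": {
        "hosts": ["198.51.100.23"],
        "domains": [{"domain": "update.example.net", "ip": "198.51.100.23"}],
        "http": [{"method": "GET", "host": "update.example.net", "uri": "/gate.php"}],
    },
    "dropped": [{"name": "svchost.exe", "sha256": "1" * 64}],
}


def severe_signatures(report, min_severity=2):
    """Signatures at or above the severity floor, most severe first."""
    sigs = [s for s in report.get("signatures", []) if s.get("severity", 0) >= min_severity]
    return sorted(sigs, key=lambda s: s["severity"], reverse=True)


def autorun_entries(report):
    """Registry keys written under a Run/RunOnce location: persistence evidence."""
    summary = report.get("behavior", {}).get("summary", {})
    return [k for k in summary.get("regkey_written", []) if AUTORUN_KEY.search(k)]


def contacted_hosts(report):
    """Domains resolved and IPs contacted during the run (candidate IOCs)."""
    net = report.get("network", {})
    domains = [d["domain"] for d in net.get("domains", []) if "domain" in d]
    return {"domains": domains, "ips": list(net.get("hosts", []))}


def triage(report):
    """Condense a report into the fields an analyst checks first."""
    info = report.get("info", {})
    target = report.get("target", {}).get("file", {})
    score = float(info.get("score", 0.0))
    return {
        "task_id": info.get("id"),
        "sample": target.get("name"),
        "sha256": target.get("sha256"),
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "low",
        "signatures": [(s["name"], s["severity"]) for s in severe_signatures(report)],
        "autorun": autorun_entries(report),
        "network": contacted_hosts(report),
        "dropped": [(d.get("name"), d.get("sha256")) for d in report.get("dropped", [])],
    }


def load_report(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    rep = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(json.dumps(triage(rep), indent=2))
```

Run it with the path to a task's report.json (under storage/analyses/<task id>/reports/ in a default install) or with no argument to triage the constructed sample. The score alone is a weak signal, since it is just a weighted sum of the signatures that fired; the persistence key, the dropped copy of the sample and the contacted domain are what you would actually turn into detections or blocklist entries.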

