
Cuckoo Malware Analysis

Title: Cuckoo Malware Analysis
Type: E-Book
Language: English
Author: Digit Oktavianto

Description:

What this book covers

Chapter 1, Getting Started with Automated Malware Analysis using Cuckoo Sandbox, gets you started with the basic installation of Cuckoo Sandbox and teaches you the basic theory in Sandboxing, how to prepare a safe environment lab for malware analysis, and how to troubleshoot some problems after installing Cuckoo Sandbox.

Chapter 2, Using Cuckoo Sandbox to Analyze a Sample Malware, teaches you how to use Cuckoo Sandbox and its features, how to analyze sample malicious PDF files or malicious URLs, and also covers some basics of memory forensic analysis with Cuckoo Sandbox and Volatility.

Chapter 3, Analyzing Output of Cuckoo Sandbox, will help you analyze the results from Cuckoo Sandbox, demonstrate the ability to analyze a memory dump in a forensic process, and simulate an analysis of a sample APT attack in collaboration with other tools such as Volatility, Yara, Wireshark, Radare, and Bokken. This chapter will also help users analyze the output from Cuckoo Sandbox more easily and clearly.

Chapter 4, Reporting with Cuckoo Sandbox, will teach you how to create a malware analysis report using Cuckoo Sandbox reporting tools and export the output data report to another format for advanced report analysis. It will start with human-readable formats (TXT and HTML), the MAEC format (MITRE standard format), and the ability to export a data report to the most useful format in the world (PDF).

Chapter 5, Tips and Tricks for Cuckoo Sandbox, provides you with some tips and tricks for enhancing Cuckoo's analyzing abilities during the malware analysis process. Some people from the community created interesting plugins or modules that help users perform new experiments using Cuckoo Sandbox, such as automating e-mail attachment scanning with CuckooMX, and integrating Cuckoo Sandbox with the Maltego project using cuckooforcanari. You will also learn how to harden your VM environment for malware analysis.
What you need for this book

Ubuntu 12.04 LTS or newer, VirtualBox 4.2.16 or newer, some malware samples, and an Internet connection.

Who this book is for

This book is great for someone who wants to start learning malware analysis easily without requiring much technical skill. Readers will pick up some basic knowledge of programming, networking, disassembling, forensics, and virtualization along with malware analysis.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user inputs, and Twitter handles are shown as follows: "Nevertheless, we will try to compile the cuckoomon.dll source code with the file we had changed before (hook.reg.c)."

Any command-line input or output is written as follows:

    $ sudo apt-get install radare radare2 bokken pyew

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "According to the Installation tutorial in the README file, it will work with a Postfix MTA."
Preface

Chapter 1: Getting Started with Automated Malware Analysis using Cuckoo Sandbox
  - Malware analysis methodologies
  - Basic theory in Sandboxing
  - Malware analysis lab
  - Cuckoo Sandbox
  - Installing Cuckoo Sandbox
    - Hardware requirements
    - Preparing the host OS
      - Requirements
      - Install Python in Ubuntu
      - Setting up Cuckoo Sandbox in the Host OS
    - Preparing the Guest OS
      - Configuring the network
      - Setting up a shared folder between Host OS and Guest OS
      - Creating a user
    - Installing Cuckoo Sandbox
      - cuckoo.conf
      - .conf
      - processing.conf
      - reporting.conf

Chapter 2: Using Cuckoo Sandbox to Analyze a Sample Malware
  - Starting Cuckoo
  - Submitting malware samples to Cuckoo Sandbox
    - Submitting a malware Word document
    - Submitting a malware PDF document – aleppo_plan_cercs.pdf
    - Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls
    - Submitting a malicious URL – http://youtibe.com
    - Submitting a malicious URL – http://ziti.cndesign.com/biaozi/fdc/page_07.htm
    - Submitting a binary file – Sality.G.exe
  - Memory forensic using Cuckoo Sandbox – using memory dump features
  - Additional memory forensic using Volatility
    - Using Volatility

Chapter 3: Analyzing the Output of Cuckoo Sandbox
  - The processing module
  - Analyzing an APT attack using Cuckoo Sandbox, Volatility, and Yara

Chapter 4: Reporting with Cuckoo Sandbox
  - Creating a built-in report in HTML format
  - Creating a MAEC Report
  - Exporting data report analysis from Cuckoo to another format

Chapter 5: Tips and Tricks for Cuckoo Sandbox
  - Hardening Cuckoo Sandbox against VM detection
  - Cuckooforcanari – integrating Cuckoo Sandbox with the Maltego project
    - Installing Maltego
  - Automating e-mail attachments with Cuckoo MX

Publish time
2018-06-11 08:30:00
Publisher: Digital.Spirit