Cuckoo – Automated Malware Analysis

Cuckoo is a malware analysis system. Based on the description on the website:

Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.

It’s mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.

But it can do much more…
It’s up to you to discover what and how.

Some of the results that Cuckoo generates are:

  • Trace of performed relevant win32 API calls
  • Dump of network traffic generated during analysis
  • Creation of screenshots taken during analysis
  • Dump of files created, deleted and downloaded by the malware during analysis
  • Trace of assembly instructions executed by malware process

In addition, Cuckoo allows you to:

  • Automate submission of analysis tasks
  • Create analysis packages to define custom operations and procedures for performing an analysis
  • Run multiple virtual machines concurrently
  • Script the process and correlation of analysis results data
  • Script and automate the generation of reports in the format you prefer

Install Cuckoo on OS X

Cuckoo is based on Python, it will therefore run smoothly on OS X despite the fact that it was initially created on Ubuntu. Installation is pretty easy, just follow the documentation. There is however a few common error messages that might be difficult to resolve:

TypeError: ‘NoneType’ object is unsubscriptable

{code}Cuckoo version: v0.3.2
Python version: 2.6.7 (r267:88850, Jul 31 2011, 19:30:54)
[GCC 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00)]
OS: darwin
Command line: processor.py analysis/18
Traceback (most recent call last):
File “processor.py”, line 67, in <module> main()
File “processor.py”, line 61, in main ReportProcessor(analysis_path).report(CuckooDict(analysis_path).process())
File “/Users/cuckoo/Desktop/run_cuckoo/cuckoo/reporting/reporter.py”, line 59, in report self._observable.notify(report)
File “/Users/cuckoo/Desktop/run_cuckoo/cuckoo/reporting/observers.py”, line 68, in notify observer.update(results)
File “/Users/cuckoo/Desktop/run_cuckoo/cuckoo/reporting/tasks/maec.py”, line 42, in update self.addActions()
File “/Users/cuckoo/Desktop/run_cuckoo/cuckoo/reporting/tasks/maec.py”, line 112, in addActions
if len(self.results[‘network’][‘udp’]) > 0:
TypeError: ‘NoneType’ object is unsubscriptable{/code}

The following can be done to resolve this:

  • Network configuration: Ensure to use the full path (e.g. absolute path) when setting the network trace. Don’t use a relative path it won’t work.
  • Shared Folders: Here again use the full path (e.g. absolute path) when defining the two shared folders.
  • Virtual Box SDK: Install the Virtual Box SDX. To do so, download it from Oracle website and type the following command:

{code}sudo VBOX_INSTALL_PATH=/Applications/VirtualBox.app python ./vboxapisetup.py install{/code}

xpcom error

{code}
Cuckoo version: v0.3.2
Python version: 2.7.1 (r271:86832, Jul 31 2011, 19:30:53)
[GCC 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00)]
OS: darwin
Command line: cuckoo.py
Traceback (most recent call last):
File “cuckoo.py”, line 665, in <module>
if not VirtualMachine().check():
File “/Users/sganiere/Downloads/cuckoo/cuckoo_0.3.2/cuckoo/core/virtualbox.py”, line 54, in __init__
vbm = vboxapi.VirtualBoxManager(None, None)
File “/Library/Python/2.7/site-packages/vboxapi/__init__.py”, line 513, in __init__
exec “self.platform = Platform”+style+”(platparams)”
File “<string>”, line 1, in <module>
File “/Library/Python/2.7/site-packages/vboxapi/__init__.py”, line 349, in __init__
import xpcom.vboxxpcom
ImportError: No module named xpcom.vboxxpcom
{/code}

The following can be done to resolve this:

  • Add the following to the Python path in the terminal:

{code}export PYTHONPATH=/Applications/VirtualBox.app/Contents/MacOS/sdk/bindings/xpcom/python{/code}

Use Python 2.6

In some situation you have to force the use of Python 2.6. To do so you can change the config of Cuckoo, check this page of the manual under the Processing section: http://www.cuckoobox.org/doc/0.3.2/html/installation/host/configuration.html

Source:

http://www.zonbi.org/?p=800
http://advancedmalwareprotection.blogspot.sg/2012/03/installing-cuckoo-on-max-os-x-lion.html
http://www.cuckoobox.org/doc/0.3.2/html/index.html
https://public.honeynet.org/mailman/listinfo/cuckoo <– Official mailing list, ensure to read the Archive before posting. You can search the archive via the following link http://tiny.cc/cuckoo_search (Google customized search engine)

0 comments

Leave a Reply