Denis Kalitviansky

Cuckoo Sandbox - fight malware

Blog Post created by Denis Kalitviansky Employee on May 4, 2016

Lately I've worked with some "sandboxing" products, and wanted to see if there is any competition in open-source field. And I found Cuckoo Sandbox. This is amazing and you should defently try this one!
Cuckoo is a sandboxing platform. that can help you get trail on malware in your company. I will try to explain how it works, and why it is important for forensic investigations. I highly recommend to visit official Cuckoo website, grab latest version, and try to install it and see it for your self. Developers did amazing work, and this product must receive more popularity.

So in basic words, in our Cuckoo architecture we have:

1. Cuckoo server (engine), that is responsible for receiving "bad" files, analyzing them, generation report, and sending it back to you.
2. Host\s - it can be XP, 7, 2008, etc OS's (currently I worked only with Windows). Every OS can be customized for your needs: Office can be installed, PDF Reader, and other systems, that you have in your company, to see how malware will behave. E.g. you are building the same end-points with same set of programs, like in your company, to simulate the attack.
3. Agent - agent is your communication between host & engine.


How it works?

You are creating isolated VLAN for the hosts (can be one host or many). Afterwards Cuckoo engine is installed on Linux environment (I used Ubuntu), with Virtual box (VMware also can be used). The hosts is installed on the virtualization tool, and connected to the engine thru isolated VLAN. On every host you have "clean" snapshot with clean system in it(before putting malware for analysis). Every "suspicious" file that you want to check, sent from the server thru the agent to "host", and agent do various manipulations with the file: open it, execute, copy, etc. After this, agent is recording every piece of action that our malware want to do: ping master outside the network, modify registry, clone it self, delete files, etc. All this is logged to report, generated, screenshots taken every few secods, and sent to you. Now, you get the full picture of what that malware was, where it go, what it did.

Sample report output:


I also highly recommend to see this explanation of one of the authors, Juriaan Bremer:



I suggest to take a look @ this product, install it, and support development :).


This article is my own opinion, and does not necessarily represent my past or current employer's positions, strategies or opinions. The materials in this article are provided "as is"and the author will not be liable for any direct, indirect or incidental damages arising out or relating to any use or distribution of them.