analyzing-malware-behavior-with-cuckoo-sandbox
Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral analysis, or automated malware execution.
What this skill does
# Analyzing Malware Behavior with Cuckoo Sandbox

## When to Use

- A suspicious sample passed static analysis triage and requires behavioral observation in a controlled environment
- You need to capture network traffic, file drops, registry modifications, and API calls from a malware execution
- Determining the full infection chain, including second-stage payload downloads and persistence mechanisms
- Generating behavioral signatures and YARA rules based on observed runtime activity
- Automated analysis of bulk malware samples requiring consistent reporting

**Do not use** when the sample is a known ransomware variant that may spread via network shares in a misconfigured sandbox; verify network isolation first.

## Prerequisites

- Cuckoo Sandbox 3.x installed on a dedicated analysis server (Ubuntu 22.04 recommended)
- Guest VMs configured with Windows 10/11 snapshots (Cuckoo agent installed, snapshots taken at a clean state)
- VirtualBox, KVM, or VMware configured as the Cuckoo virtualization backend
- Isolated network with InetSim or FakeNet-NG for simulating internet services
- Suricata or Snort integrated for network-level signature matching during analysis
- Sufficient disk space for PCAP captures and memory dumps (minimum 500 GB recommended)

## Workflow

### Step 1: Submit Sample to Cuckoo

Submit the malware sample for automated analysis:

```bash
# Submit via command line
cuckoo submit /path/to/suspect.exe

# Submit with a specific analysis timeout (300 seconds)
cuckoo submit --timeout 300 /path/to/suspect.exe

# Submit with a specific VM and analysis package
cuckoo submit --machine win10_x64 --package exe --timeout 300 /path/to/suspect.exe

# Submit via REST API (the sample is sent as a multipart file upload)
curl -F "file=@/path/to/suspect.exe" -F "timeout=300" -F "machine=win10_x64" \
  http://localhost:8090/tasks/create/file

# Submit URL for analysis
curl -F "url=http://malicious-site.com/payload" -F "timeout=300" \
  http://localhost:8090/tasks/create/url

# Check task status
curl http://localhost:8090/tasks/view/1 | jq '.task.status'
```

### Step 2: Monitor Execution in Real-Time

Track the analysis progress and observe live behavior:

```bash
# Watch Cuckoo analysis log
tail -f /opt/cuckoo/log/cuckoo.log

# Monitor analysis task status
cuckoo status

# Access Cuckoo web interface for live screenshots and process tree
# Navigate to http://localhost:8080/analysis/<task_id>/
```

Key behavioral events to watch during execution:

- Process creation chain (parent-child relationships)
- Network connection attempts to external IPs
- File drops in temporary directories or system folders
- Registry modifications to Run keys or service entries
- API calls related to encryption (CryptEncrypt), injection (WriteProcessMemory), or evasion

### Step 3: Analyze Process Activity

Review the process tree and API call trace from the Cuckoo report:

```python
# Parse Cuckoo JSON report programmatically
import json

with open("/opt/cuckoo/storage/analyses/1/reports/report.json") as f:
    report = json.load(f)

# Process tree analysis
for process in report["behavior"]["processes"]:
    pid = process["pid"]
    ppid = process["ppid"]
    name = process["process_name"]
    print(f"PID: {pid} PPID: {ppid} Name: {name}")

    # Extract suspicious API calls
    for call in process["calls"]:
        api = call["api"]
        if api in ["CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
                   "NtCreateThreadEx", "RegSetValueExA", "URLDownloadToFileA"]:
            args = {arg["name"]: arg["value"] for arg in call["arguments"]}
            print(f"  [!] {api}({args})")
```

### Step 4: Review Network Activity

Examine network connections, DNS queries, and HTTP requests:

```python
# Network analysis from Cuckoo report
# `report` is the parsed report.json loaded in Step 3
network = report["network"]

# DNS resolutions
print("DNS Queries:")
for dns in network.get("dns", []):
    print(f"  {dns['request']} -> {dns.get('answers', [])}")

# HTTP requests
print("\nHTTP Requests:")
for http in network.get("http", []):
    print(f"  {http['method']} {http['uri']} (Host: {http['host']})")
    if http.get("body"):
        print(f"    Body: {http['body'][:200]}")

# TCP connections
print("\nTCP Connections:")
for tcp in network.get("tcp", []):
    print(f"  {tcp['src']}:{tcp['sport']} -> {tcp['dst']}:{tcp['dport']}")

# Extract PCAP for deeper Wireshark analysis
# PCAP location: /opt/cuckoo/storage/analyses/1/dump.pcap
```

### Step 5: Examine File System and Registry Changes

Document persistence mechanisms and dropped files:

```python
# `report` is the parsed report.json loaded in Step 3

# File operations
print("Files Created/Modified:")
for path in report["behavior"].get("summary", {}).get("files", []):
    print(f"  {path}")

# Dropped files with hashes
print("\nDropped Files:")
for dropped in report.get("dropped", []):
    print(f"  Path: {dropped['filepath']}")
    print(f"  SHA-256: {dropped['sha256']}")
    print(f"  Size: {dropped['size']} bytes")
    print(f"  Type: {dropped['type']}")

# Registry modifications
print("\nRegistry Keys Modified:")
for key in report["behavior"].get("summary", {}).get("keys", []):
    print(f"  {key}")
```

### Step 6: Review Signatures and Scoring

Check Cuckoo's behavioral signatures and threat scoring:

```python
# `report` is the parsed report.json loaded in Step 3

# Behavioral signatures triggered
print("Triggered Signatures:")
for sig in report.get("signatures", []):
    severity = sig["severity"]
    name = sig["name"]
    description = sig["description"]
    marker = "[!]" if severity >= 3 else "[*]"
    print(f"  {marker} [{severity}/5] {name}: {description}")
    for mark in sig.get("marks", []):
        if mark.get("call"):
            print(f"      API: {mark['call']['api']}")
        if mark.get("ioc"):
            print(f"      IOC: {mark['ioc']}")

# Overall score
score = report.get("info", {}).get("score", 0)
print(f"\nOverall Threat Score: {score}/10")
```

### Step 7: Extract Memory Dump Artifacts

Analyze the full memory dump captured during execution:

```bash
# Memory dump is saved at:
# /opt/cuckoo/storage/analyses/1/memory.dmp

# Use Volatility to analyze the memory dump
vol3 -f /opt/cuckoo/storage/analyses/1/memory.dmp windows.pslist
vol3 -f /opt/cuckoo/storage/analyses/1/memory.dmp windows.malfind
vol3 -f /opt/cuckoo/storage/analyses/1/memory.dmp windows.netscan
```

## Key Concepts

| Term | Definition |
|------|------------|
| **Dynamic Analysis** | Executing malware in a controlled environment to observe runtime behavior including system calls, network activity, and file operations |
| **Sandbox Evasion** | Techniques malware uses to detect virtual/sandbox environments and alter behavior to avoid analysis (sleep timers, VM checks, user interaction checks) |
| **API Hooking** | Cuckoo's method of intercepting Windows API calls made by the malware to log function names, parameters, and return values |
| **InetSim** | Internet services simulation tool that responds to malware network requests (HTTP, DNS, SMTP) within the isolated analysis network |
| **Process Injection** | Malware technique of injecting code into legitimate processes; detected by monitoring VirtualAllocEx and WriteProcessMemory API sequences |
| **Behavioral Signature** | Rule-based detection matching specific sequences of API calls, file operations, or network activity to known malware behaviors |
| **Analysis Package** | Cuckoo module defining how to execute a specific file type (exe, dll, pdf, doc) within the guest VM for proper behavioral capture |

## Tools & Systems

- **Cuckoo Sandbox**: Open-source automated malware analysis system providing behavioral reports, network captures, and memory dumps
- **InetSim**: Internet services simulation suite providing fake HTTP, DNS, SMTP, and other services for isolated malware analysis networks
- **FakeNet-NG**: FLARE team's network simulation tool that intercepts and redirects all network traffic for analysis
- **Suricata**: Network IDS/IPS integrated with Cuckoo for real-time signature-based detection of malicious network traffic
- **Volatility**: Memory forensics framework used to analyze m
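As an added example (not code from this page or from the Cuckoo project), the script below combines the Step 3, 5 and 6 checks into one report classifier: it flags the ordered VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence described under Process Injection, detects Run-key persistence, and collects network and dropped-file IOCs. The report field layout follows the Cuckoo 2.x report.json style used in the steps above, and the embedded sample report is constructed, not captured from a real analysis.

```python
# Ordered API sequence that Cuckoo's API hooks log for classic remote-thread injection.
INJECTION_SEQUENCE = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

def detect_injection(process):
    """True only if all three APIs appear, in order, within one process's call trace."""
    idx = 0
    for call in process.get("calls", []):
        if call["api"] == INJECTION_SEQUENCE[idx]:
            idx += 1
            if idx == len(INJECTION_SEQUENCE):
                return True
    return False

def run_key_persistence(report):
    """Registry keys under CurrentVersion\\Run written during execution."""
    keys = report["behavior"].get("summary", {}).get("keys", [])
    return [k for k in keys if "\\currentversion\\run" in k.lower()]

def extract_iocs(report):
    """Deduplicated network and dropped-file indicators for blocking or sharing."""
    net = report.get("network", {})
    return {
        "domains": sorted({d["request"] for d in net.get("dns", [])}),
        "urls": sorted({f"http://{h['host']}{h['uri']}" for h in net.get("http", [])}),
        "sha256": sorted({d["sha256"] for d in report.get("dropped", [])}),
    }

def classify(report):
    """Verdict from injection plus persistence findings, with IOCs attached."""
    injectors = [p["process_name"] for p in report["behavior"]["processes"] if detect_injection(p)]
    keys = run_key_persistence(report)
    verdict = "malicious" if injectors and keys else "suspicious" if injectors or keys else "benign"
    return {"verdict": verdict, "injectors": injectors, "persistence": keys, "iocs": extract_iocs(report)}

# Constructed sample in the Cuckoo 2.x report.json layout (not real data).
SAMPLE_REPORT = {
    "behavior": {
        "processes": [
            {"pid": 1234, "ppid": 1000, "process_name": "suspect.exe",
             "calls": [{"api": a, "arguments": []} for a in INJECTION_SEQUENCE]},
            # A lone WriteProcessMemory without the full ordered sequence must not be flagged.
            {"pid": 1300, "ppid": 1234, "process_name": "explorer.exe",
             "calls": [{"api": "WriteProcessMemory", "arguments": []}]}],
        "summary": {"keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"]}},
    "network": {"dns": [{"request": "c2.example.invalid", "answers": []}],
                "http": [{"method": "GET", "host": "c2.example.invalid", "uri": "/stage2.bin"}]},
    "dropped": [{"filepath": "C:\\Users\\Public\\stage2.dll", "sha256": "a" * 64, "size": 4096, "type": "PE32"}],
}
```

Point `classify()` at a report loaded as in Step 3 to run it against a real analysis; the sequence check is per process, so a partial match spread across two processes is deliberately not counted.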