Cuckoo Sandbox is a malware analyses system used in the iTES-Project. It represents a weightful factor in the direction of automated malware testing in a secured environment.We use the Cuckoo-Sandbox to tests out sensors on malware samples. To achieve this goal, we had to modify Cuckoo-Sandbox. At first we had to create a system that gives us the possibility to use Cuckoo-Sandbox on different servers while maintaining one pool of jobs and on a result database.
For this purpose we developed the Hermes Analysis System. Cuckoo-Sandbox was also modified for the use of sensors and we evaluated a concept for rebooting the Virtual Machines (VM).
Cuckoo-Reboot:
We extended the Cuckoo-Sandbox with a reboot function. This is important for analysis of modern malware, because they work in different steps. At first they produce some payload by downloading compontns and change the windows registry to evade AntiVirus-Scanner. The malware starts its malicious behavior after the reboot of the system. For a full analalysis of the malware, we need to trigger a system reboot and exclude false positives and false negatives.
The Cuckoo-Sandbox has no build-in reboot feature, so we have to implement some changes. There are two possible concepts for a reboot-mechanism. First of all, we could extend the Cuckoo-Sandbox on the host system. This includes many changes which could bear the risk to generate bugs in Cuckoo-Sandbox itself, so we decided to trigger the reboot from the guest system. An auxiliary module copies a small reboot-agent in the Windows-Startup directory, which continues the analysis after reboot. When the sample is finished, the system gets the command to reboot by the command-line interpreter. The system is rebooting and the malware starts it's malicious behavior which we can now log with the Cuckoo-Monitor and a reboot-analyzer. This second way to realise a reboot needs less changes on the Cuckoo and the Windows-Virtual Machine.
In summary we developed a new auxiliary module called prereboot, a small reboot-agent which is copied in the Windows-Startup directory and an reboot-analyzer.