
step in our analysis an overview of hookah moving some of these features - our and then riddled in through my our samples so really the goal of this talk is to not make you a master malware analysis to give you kind of a few seeds to start thinking about if you want to look at my resume playing sandbox what are some of the ways that you can approach it and what it wouldn't look so that's kind of where I'm gonna go of this and again feel free to ask questions if you have my best you guys know at a time at the end tonight I have a spirit engineers orientations we do a lot of community work around here I do a
lot of Software Assurance work and patient destiny is now also a podcast which is prime security podcast so if you guys hear that anything today - yes this is if you like me have some posts do some introductions to Python how to use that and testable do a lot of open source work and also I love to travel left-fin to Moceri comment right at this point it's one of my hobbies when I'm not staring at computer also you can follow me on Twitter I can get up to 95 followers they have 92 so a lot of times when you think of which is looking at a piece of code on dynamic is basically running the malware or it sense that you
have and see what it does maybe running executable running a PLO opening a document worked out or something like that playing via fiber openings that publish see what goes on in the system you do them but we get too deep into that we do need to talk about static now because that's where they kind of started off and the malware analysis community so static static analysis is analyze the progress they can be in any deposit you run because again power spread by being run in all cases but in every dump it never data TCP dump and then people use debugger to examine a lot of them the information comes from this is through file metadata to a lot of files after
ended to it a lot of information that can give you information about the file and work notes from an instance of legitimate source amount so here you can see examples but don't know how to pronounce that company name but it doesn't look weird legitimate to me and say if you thought the original five languages are ashamed to even look at these certificates every sign application a lot of cases now not where is being signed using for signatures and things like that and it's a good indicator so one of these samples that look at recent its final attempt there's a lot of information on some of the web basically some I took a legitimate sign certificate signed an hour and now it's
rejected it's been with the CR else but for most before long I was considered digit and through your checklist you can look at the development environment where the system information a lot of people who meet these in there especially guys that was trying to like create things uh left and right to get him out of order and even quit when look at the top of this you can see or was developed it was developed in this money for DUI I don't think many legitimate shops more information is that compiled line so the power on this piece I'm looking at for this 1992 the minimum OS version was for which is for those with Windows nets
before and he or was released in 1996 so this this application was developed for your keyboards proper wire used on the operating system Britney Spears is not another thing you can look at with satin awesomeness the different places who press and occupation tools that are in there and career names a lot of times in it especially like the word macros and things like that you'll see people that use these operators to change all their variable names into nonsense and make it harder for the analyst to figure out what's going on and have to like figure out you have backtrack and go in there look at that this is one example smart assembly you just get this by running stratum on this
specific example smart assembly it is a obfuscator it doesn't really hypothetically this is another this is a Word document that had two macros event and all of these variables are just nonsense and a lot of times you have to go back in piecing together to figure out what's going on what's the program actually write so you can read the code you can read a lot of cases the scripts that are in macros and try to back in and figure out what's going on with that is necessarily Tony what's gonna do especially cooking and pulls down worker so what why do you want to do and really what is it so these obfuscation techniques will mask you from static analysis over time
and they don't you know about malware others do not want you to look at the figure out what the new when you find ways to you can run it on your own system up here got some powers and then you can run it on an isolated physical system doing this it and going in with friends exactly some people do it because it's easier but to actually control the environment but it's so what screaming so this is for something like Cooper content it's a matter how the platform you can run all these operating systems XP the newer version to run Linux Android and OSX and it supports a bunch of architecture check on VirtualBox KTM workstation be aware as
in server and you can actually set up their mental license wrong does registry analysis process analysis all this philosophy that's just a lot of cool stuff that you can do with you but what I'm here to do when you consider going back to slices considered common employ your sandbox so everybody likes to go to VM and share their friends right so the problem when you do that if you go to whoo-hoo Nesta p.m. you have a together analysis via and then you inside the heart petrol challenge with something like that is you can only have a 32-bit Ness p.m. so if you got some 64-bit mower or you want to try oxy for the environment yeah so flat Pam's Apple
is 5 you know something where you have a we don't here and I'm here and he has that and you could just kind of scale out it's it's much more scalable but it it's harder to manage it requires a little bit of finagling service counts and all this stuff to actually control it so when you do it on your environment it's it's important to consider what you're setting off or are you just trying to set up a few things and run some samples down and are not familiar with it in that case yeah you don't necessarily care 32-bit patients or not you're setting up or an enterprise or something where you're going to be running hundred
examples through it you probably don't want to do something like a flat architecture out there if sharing a front again so how's the work so this is a very complicated diagram basically go through you submit it or whether they've got their website an API computed has a has both and it goes to the analysis machine where executed this machine listens and monitors the changes in monitor to the network traffic memory once it's completed worse opium den ownerships everything after approving machine and cuckoo processes it who is sitting here and everything like that and he get a nice pretty report at the end so summarize the process for you submit five who presented to be in
direct infusion it performs analysis on of entrepreneur and any different words that humane to make distributions for there is the distribution which is wrong cuckoo sandbox our and then brad specular is actually being a form of 1.2 and made a lot of customizations to it and these are kind of the two main force that people use we talked about got links here I don't know if I mentioned but I did with the slides I want to give up and so who do 1.2 not going to focus on this with too much anymore I think that a new version out its really helpful guys about two weeks ago before as our grantee slides in this brand
person group duty so version 1.2 only sports 32-bit analysis of Windows XP and Windows 7 really good documentation it's got a lot of you know it's from 2015 so there's a lot of community support around it really good signatures they're not they're not updated very much anymore it's very stable what I mean execution trafficking I can't go much into this because nobody does it anymore one of us released about two weeks ago 2.0 at least Canada to has both 32-bit and 64-bit motive support it has Android OS X and Linux support the documentation is very or they kind of figured out yourself which isn't impossible but it's a period work they have added innovated in corn export
reports and updated community signatures it has snort and Sarah Caudill penetration which is really cool if you're doing a lot with traffic network traffic of botnets and things like that you can set your samples to generate with snort rules and things like that and little support for encrypted traffic which is really cool because a lot of these new samples out there they tripped everything that they do so if you can middle that man know that it's really need to look at traffic and then they have matters for export which is terrible use it but sandbox based on an agility is something that I move forward with which is basically you run your sandbox without a sample and then when
you run the sample that is you get the TV Asian team that makes mine bring out its memory only so that they would take a volatility example of that so you don't have anything is of course like registries of Windows processes it's just everybody's already rooted and then develop any sandbox is basically version 1.2 boo boo but they had a 64-bit under support normalized registry names which makes it a lot
what they used something to tool out there or manual proxy it's it uses that to proxy or to to grab the traffic so basically hi police violently that you can too much but I think that's about worth because basically it's gonna grab into traffic so sure for support - yeah
two-pointer actually goes up for support as whole bunch of network options a lot of cases I use and personally I wanna see is trying to make connections out but I actually don't care about the network traffic so I think you have a lot of network especially with this more toward proxy and everything like that so that those features are there so again 1 1 2 to spend their shamrocks normalize registry names very easy to read these whereas before you have really long registry run this kind of cuts it down makes it much easier to process service monitoring much better signatures they're way better way to you can time on hours with your sharing this with the
team again look at so I would say it this ease that was really being there interesting anything do more digging in this better than digging in my sandbox and impact again tools I'm gonna do this a little bit better alright a little bit later but now we're almost trying to detect that they're running in the sandbox a lot so it's it's really beneficial to be able to say hey I want to find ways to obviate the sandbox and evade that detection and it's also very stable very good documentation and they regularly update sandbox a very brief comparison of the two spender does not have and Reuter was actually my export and it does not have face lining and Gugu is
not commenting our company analyzed registry because that's just general comparison if you would have asked me before the to Dino RC 2 version I would have recommend and spend their hands down but now our c2 is a lot more stable so if you're going to play with something you might consider claims that it has a lot more of data features it's a lot bigger team supporting it it's pretty solid but there yeah documentation right there still working so good supports the bunch of analysis packages one here but most of us things you can turn with our executables for documents sometimes Java applications PDFs and things like that and it does a pretty good job when your submitted it automatically
detects it but you can also tell it if you've got a sample that's like not not flagging correctly and say hey this is a
again I'm going to go over some quick pages that that could who has by default you can submit you get a package selection machine selection override the timeout value how long it'll actually execute the samples so you can set a default but if you know the sample takes forever transitive weight system out you said you're gonna overwrite that context option so if you got an out where the only execute song on a certain time it actually set your VM to go to that time in disable video interaction so if a sample pops up a window who automatically tries to click through the windows and say open things to close things a bit next cancel things like
that and then you can enable or disable memory non-secure volatility in Salman's overview page has information you can set up your signatures to work with you who your community based signatures or custom signatures gives information on DNS and other network traffic and then process in registry entity you can see you see will file open without some modified deleted single registry and processes that announced two pages kind of goes over our guests as we talked earlier all those reporting static analysis page you get a lot of information here's an important actual checks on compile times metadata memory information that imports at the kernels APIs these are really important because Santa executable in certain sentence and that way you didn't take what type of
malware will be back and it puts in the virus code when you get information if the sampler you're submitting is actually gonna power the behavior analysis page they're going to show that Santa this towards the end is really cool it's it goes over into the console sample you see it is the Santa we submitted but it also spawned off several applications inside of it so a lot of the times of you execute a sample you want to see like all right I'm spending this but what is expiring offices explore windows spawning off some sort of firewall rule with running Adobe PDF something like that and inside here you can actually see all this and then you
can actually get a process my process breakdown from what the sample is doing and it's filter what's really cool network analysis page has a breakdown of tap type time traffic DNS TCP UDP IRC I see a bunch of stuff and if it's in plain text and I think within a little you can also see this now you can actually look at what traffic's being sent so you have somebody that's running a backdoor you can see the connection and establishes the what and what is special trading through network data and who filter through all that it is really cool one then you can also download the app file whatever filters to that offline availability drive files page if
application so that most of our patients appear in songs I think you're gonna get next its next time it's gonna drop a bunch of stuff you're harder who tracks every single file that is extracted from the file and then you can actually go in and see if it's been analyzed through fires good when you can resubmit the sample or analysis or word is a text file you can read the contents of the text file and then there's a whole bunch of additional pages or recording and comments and things like that which don't really provide too much information but very good let's change gears in now routers are smart they know that that we're trying to figure out
whether going and you know trying to bypass but they're doing create their tools so I asked you guys are so tools that I used to detective so here's a brief list they can check her processed names or you have virtual buffybot sprayed that get see my registry entry all of these if you saw any of these tools they have a whole set of registry users of device names VMs house VirtualBox and vmware all these a standard device net seek you I would see to you ideas that are associated with them the MAC addresses for all of the third default nits are in a certain range same five theaters is a lot of home and it's not a guarantee but
you know they they have a standard set of IP ranges that are associated with those auto start edge rates again your VirtualBox trays start menu icon Wilson date and time it's there's so much an enemy search for and via malware above just not on this handle in a check so they are there's exactly if you guys out there that have developer tools that that actually go ended and hardened females and the way they garden it is they take they spray the system with different things and they'll create different faith processes that they know malware authors are looking for and again it's you know it's security through obscurity yes but you know I think that'll do that
and it's somewhat of it I do not know off the top of my head but I can look them up there they have given up projects that so detection countermeasure is kind of hinted at some of these countermeasures just briefly but remove these be eminently the registry keys change your device names change your MAC addresses don't install to install those the toolbox or the different additions that are companies via happening your dance may not run as optimally as as they should but at same time the goal is to avoid malware and earth to avoid detection convert them you don't have to make their system will use this is actually really important really underrated before you take your
snapshot I booked it didn't compute go browse the Internet at the time so open some applications it's also applications that you don't need on there make sure that you know that what these applications do because if they're making never trainees network connections while you're be analyzing you don't want to have a lot of white noise that's gonna impact your analysis so you want to know what's on your system and know that that's why the certain thing you're having but you do want to make it look used because a lot of being a lot of our said hey look like pianos it got any losers on it doesn't have any models and the Downloads directory and no cutoff
how do i CPU and out more than a gator children being overly used all that round so it's not big deal with an alligator there's to love therefore p.m. book it's really cool I committed some code to this one it's by one of you who Santos authors and basically what it'll do is it spin up in the antiquary room for one of a handful of operating systems you can install case application stack on it and it also applies a handful of configuration items that avoid detection so it's a really cool software stack its automated and is pretty fun takes out a pop of man work that you ever put it use that put in verify denominators so you're anti anti
DN detection counters there is a cool tool up there called PA thirty Armitage you're running through your sandbox and then it'll generate it runs a whole bunch of checks and then generates a report in an intelligent power sandbox did what what has on one fail it doesn't get updated often maybe once or twice a year but it's still pretty good to like get a good start from so one last note on the ends and this is kind of hinted on based on what I've been talking about report now it behaves differently in different departments right so sometimes it executes sometimes it does you need multiple environments and testament of your sanity if you're really trying to
be thorough you know an application gonna run differently on Adobe Acrobat 9 versus 10 winces or 7-zip or any applications out there saying with your mouth especially our work what browsers out there you never try a system with Windows 8 or 9 9 10 Firefox from different software versions because a lot of these things try to find a application that has a known vulnerability and exploit that vulnerability so in fact one abilities able to be exploited on your system that you're going to get a lot more information than if it just starts up does it check and then it shuts down so let's look at peace now so this one is one you started actually and we run it
what is it actually it's a at this piece of Syrian malware that was distributed to target distance in Syria I'm using something called a lot of bending as like the type of network so that information is really interesting on it it is to look at the prompted the legal copyright time is five years before the composite or yet an original environment so one of the things that these smaller doesn't reaches out to his malware site hurt his dynamic DNS site Aliyah analyses very well so but she's like a new Syrian singer so a lot of people would look at this traffic especially if you're in Syria yes and then it's a college okay so much
more advanced multiple startup rushing these are committed and it gets one of the most common things we see and when looking at key loggers is this get a sneaky state would you see this you're almost guaranteed to have a a key logger - it's now the really cool thing is his execution tree so look at it the original name of the cyclone santhu that is used on Etsy and then it spawned itself and inside that spawn you see 332 instances of chrome ds8 again things that should pass a lot of patience that there's sandboxing things if they're if it's looking for an executable but inside that chrome dot exe you see a meditation man you might know that
opening fire so it's opening Fargo for this chrome.exe to go out and do stuff
and application where it's poppin' it's opening it's actually opening in the temporary so I don't know how many chrome WFTV people run from many I see under temporary but I don't know that the safe place for whitelist permits and then it runs all these other services to basically gathering information about the system from here and then if you look at the signatures that are popping on it we have a lot you got a lot this is just with the basic community signatures these are getting updated all the time about community and possibility creation so you can see to the bigger ones very red plucks information as a fingerprint the system against the windows ID problems so again
this is to say thank you for fingerprints and this one's on the Spender sandbox but actually lightly signatures are on both they didn't think there's a few people that try to port the signatures but yeah both versions will pop a dozen signatures on the sample that's one reason I like using this a lot of demos because there's so much information that you can get out actually going back to this thing again if you might want to download the nomicon Syrian not order something like that they had a whole bunch of it's really on site living people people with any weird was it hey next one we have is looter WMC and it's a chimera ransomware it's one of
the big things you see on this one is it spiders almost every single folder on the system you get all your Program Files very British spider all your users are infuser spider and then you notice a lot of interesting things if you modify files in the deleted on so you see a whole bunch of Halloween house in 2005 and but how much is on your system and then progra deleted file there's any file as a doc cryptic station and then you get this nice little box about your files are encrypted not HTML so it's really nice in the hood of your car across those encryption to get ready looking at it this through static IP calls so it
reaches out to a certain IP and I guess the sentence the the encryption key of form up online and then it also tries to go out and identify what your aunty has a certain sum that application together because a lot of these authors are trying to make it make sure that the right person is on walking slow because that's nice you don't think you should be up not lock somebody else's box right and then a lot of crypto balls that you see with ransomware associated here you see these two PLL's and the extensions that are loaded with Krypton or key has working all these injured or Windows systems as Windows service matters that infamous were just using stuff it's on
Windows they'll need to import custom libraries or anything like that and Microsoft provides a great ecosystem to cook all your files another really cool one that i've got here is autohotkey I see I don't know what he not exe means sure somebody had some use word but it's not a petty of ants ransomware and so this one his scans all of your systems for anti artists and shuttle moment and in some cases it'll shut down it doesn't shut down and then ratifies decibel drive here Michael that is your master shredder hit that a little bit so you see some improvement crypto balls to come out five executable that have built potentially call and wrote something
called into DLL and TM rates part aired what this is is an undocumented Windows API that restarts the system so why would you want to start up the system it's really weird well with that mr. Neuberger right so it's a very it includes that reboots the system and then everybody custom kernel that when your system starts up it starts to appear everything for you thanks again encryption is good right one of the cool things and I haven't gotten a chance to try this yet because again it's only my bucks one weeks ago the original has something called analysis preview Island so for now I like this it will try to reboot the system who who tries to survive that and
then continuing the analysis which has began really cool feature that we have so this is just the beginning there's tons of information out there about cuckoo sejoon I really recommend our analysis cookbook the prepper map and practical malware analysis if you're gonna look at the memory houses the art of memory forensics is required guys and do the volatility framework which is what do we use this for memory analysis and then there's a few Twitter people out there this will drive 0 lots and lots of malware and you just go find the samples and run with your families and then to who others into there's B I don't really go that much but again I'm trying to get 95 quality
and the stock and III really good information on malware and I also recommend brevity podcast Primus security dumb men me some of the guys thank you and then we haven't been posting easy got bored there's a guy out there that most a lot of information how to set up certain sandboxes and what I think really really good information check that out so this is me again muffled screaming hear from it laugh or get up nothing's been around for a while and they're always tweaking it and a lot of product samples have you can go into fugu and actually add this file step or make setup click on was it tries to you say oh I see you next one so I know the
text next and I'll click on that a lot of people been adding things for different languages and different herbage just based on those samples that they're submitting to make sure it goes through
it's it's been in Cuckoo for at least two and a half years I haven't try to do that it's probably possible so what I thought I my personal experience is I use it a lot for work so I have a giant Software Assurance partner so we try to detect unwanted behaviors from some samples of software that we know we think are legit so we try to establish baselines and say hey Martina deviating these baselines we don't want this so obviously now where it is that falls within that range but I had done too much memory analysis person so they where you're comfortable was I think when I started off I was running everything with it again at the end
within a vm how I was using VirtualBox virtual box was was their default use virtual environment for a long time right now I'm using ESS because I have rights against Excel and it's really easy to use once you're comfortable with it it's really nice especially if you're submitting a bunch of samples to do it so you just have to have a service account I'll spin those games up and shut down everything like that so it really is look you're comfortable with I don't think any of them have any drawbacks so they don't have a commercial license this it's gplv3 depending on what your uses think it's a problem you can get I know the guys have like some sort of support
thing that they sell to people but it's only support it's not up using application because the application you if you're talking about running examples of it you need to see what it looks for like if it's trying to answer daily files and then if you wanted to keep you play through p.m. believe it and put files in there and see what it does right so it does have a it has network that sorts of network analysis tools in there so you can see it's trying to
so I just want me to find out who developer guys a little bit development but I'm not a developer but so if we go back to one of the slides that so including the behavior on the house I think each of these executables everything that they do inside of it it actually does have a time stamp on it so you can get that information as far as the timeline pills but each individual application everything every kind of does something even though maybe simple spinning off at the exit shutting it down which is harmful us that are associated with that so I don't think there's any way to get a pretty timeline out there but it does have a third thing
is seven prominent associate that if you need to
so you read so if you think you have one sample when you want to run against multiple environments or like a piano as well as seven verses of BMS windows they think that they can have anything that does very hard a lot of those cases are they think developing your own script that would cost against the API so you can specify the name Yardley genes everyone so if you know your my sample that it's going to act differently in different environments it might be smart to just do the whole of a handful of posts that will go to each and every VM and your environment but that's the shooting that's pretty easy it's built
in today