Skip to content

CuckooSandbox#

README

CuckooSandbox#

CuckooSandbox is an advanced, extremely modular, and 100% open source automated malware analysis system with infinite application opportunities.

  • Analyze many different malicious files (executables, office documents, pdf files, emails, etc) as well as malicious websites under Windows, Linux, macOS, and Android virtualized environments.
  • Trace API calls and general behavior of the file and distill this into high level information and signatures comprehensible by anyone.
  • Dump and analyze network traffic, even when encrypted with SSL/TLS. With native network routing support to drop all traffic or route it through InetSIM, a network interface, or a VPN.
  • Perform advanced memory analysis of the infected virtualized system through Volatility as well as on a process memory granularity using YARA.

The analyzer comes in two different flavour to analzye url or file with internet access.

Requirements#

You need to have your cuckoosandox deployed in your infrastructure. You can download it and follow installation instructions.

The address of the machine must be se as url parameter and relative token as the value for the token parameter. Depending on your network configuration you can configure verifyssl and cert_path accordingly.

CuckooSandbox_File_Analysis_Inet#

Author: Andrea Garavaglia, LDO-CERT
License: AGPL-V3
Version: 1.2
Supported observables types:
- file
Registration required: False
Subscription required: False
Free subscription: False
Third party service: https://cuckoosandbox.org/

Description#

Cuckoo Sandbox file analysis with Internet access.

Configuration#

url URL
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
token API token
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required False
verifyssl Verify SSL certificate
Default value if not configured True
Type of the configuration item boolean
The configuration item can contain multiple values False
Is required True
cert_path Path to the CA on the system used to check server certificate
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required False

Templates samples for TheHive#

CuckooSandbox: Long report template

CuckooSandbox_Url_Analysis#

Author: Andrea Garavaglia, LDO-CERT
License: AGPL-V3
Version: 1.2
Supported observables types:
- url
Registration required: False
Subscription required: False
Free subscription: False
Third party service: https://cuckoosandbox.org/

Description#

Cuckoo Sandbox URL analysis.

Configuration#

url URL
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
token API token
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required False
verifyssl Verify SSL certificate
Default value if not configured True
Type of the configuration item boolean
The configuration item can contain multiple values False
Is required True
cert_path Path to the CA on the system used to check server certificate
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required False

Templates samples for TheHive#

CuckooSandbox: Long report template