CuckooSandbox
CuckooSandbox is an advanced, extremely modular, and 100% open source automated malware analysis system with infinite application opportunities.
- Analyze many different malicious files (executables, Office documents, PDF files, emails, etc.) as well as malicious websites under Windows, Linux, macOS, and Android virtualized environments.
- Trace API calls and the general behavior of the file and distill this into high-level information and signatures comprehensible by anyone.
- Dump and analyze network traffic, even when encrypted with SSL/TLS, with native network routing support to drop all traffic or route it through INetSim, a network interface, or a VPN.
- Perform advanced memory analysis of the infected virtualized system through Volatility as well as on a process memory granularity using YARA.
The analyzer comes in two flavours: one analyzes URLs, the other analyzes files with Internet access.
Requirements
You need to have your Cuckoo Sandbox deployed in your infrastructure. You can download it and follow the installation instructions.
The address of the machine must be set as the url parameter, and the corresponding API token as the value of the token parameter.
Depending on your network configuration, configure verifyssl (whether the server certificate is checked at all) and cert_path (the CA bundle used to check it, for instance when the sandbox uses a certificate issued by an internal CA) accordingly.
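As an added illustration that is not part of the Cortex-Analyzers project, the following shows how these four configuration items translate into a TLS-aware client for the Cuckoo REST API (the tasks/create/url endpoint and Bearer token header are those of the Cuckoo 2.x API; the sandbox address and token in SAMPLE_CONFIG are placeholders, and only the url observable is handled here).

```python
"""Added example: mapping url/token/verifyssl/cert_path to a Cuckoo API client."""
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample of the config items Cortex hands to the analyzer
SAMPLE_CONFIG = {
    "url": "https://cuckoo.example.internal:8090",  # placeholder sandbox address
    "token": "REPLACE_WITH_API_TOKEN",              # placeholder API token
    "verifyssl": True,
    "cert_path": None,                              # e.g. "/etc/ssl/internal-ca.pem"
}


def tls_context(config):
    """verifyssl/cert_path decide how the server certificate is checked.
    A private CA bundle (cert_path) wins; otherwise the system trust store is
    used; verifyssl=False disables checking entirely, which is only defensible
    on an isolated lab network because it leaves the token open to interception."""
    cert_path = config.get("cert_path")
    if cert_path:
        return ssl.create_default_context(cafile=cert_path)
    ctx = ssl.create_default_context()
    if not config.get("verifyssl", True):
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(config, url_to_analyze):
    """Build the task-creation request for a url observable. The token travels
    in an Authorization header, never in the query string, so it does not end
    up in proxy or web-server access logs."""
    target = config["url"].rstrip("/") + "/tasks/create/url"
    headers = {}
    if config.get("token"):
        headers["Authorization"] = "Bearer " + config["token"]
    body = urllib.parse.urlencode({"url": url_to_analyze}).encode()
    return urllib.request.Request(target, data=body, headers=headers, method="POST")


def submit(config, url_to_analyze, timeout=30):
    """Send the request under the configured TLS policy and return the task id."""
    req = build_request(config, url_to_analyze)
    with urllib.request.urlopen(req, context=tls_context(config), timeout=timeout) as resp:
        return json.load(resp)["task_id"]
```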
CuckooSandbox_Url_Analysis
Author: Andrea Garavaglia, LDO-CERT
License: AGPL-V3
Version: 1.2
Supported observable types:
- url
Registration required: False
Subscription required: False
Free subscription: False
Third party service: https://cuckoosandbox.org/
Description
Cuckoo Sandbox URL analysis.
Configuration
url | URL |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
token | API token |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | False |
verifyssl | Verify SSL certificate |
---|---|
Default value if not configured | True |
Type of the configuration item | boolean |
The configuration item can contain multiple values | False |
Is required | True |
cert_path | Path to the CA on the system used to check server certificate |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | False |
Template samples for TheHive
CuckooSandbox_File_Analysis_Inet
Author: Andrea Garavaglia, LDO-CERT
License: AGPL-V3
Version: 1.2
Supported observable types:
- file
Registration required: False
Subscription required: False
Free subscription: False
Third party service: https://cuckoosandbox.org/
Description
Cuckoo Sandbox file analysis with Internet access.
Configuration
url | URL |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
token | API token |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | False |
verifyssl | Verify SSL certificate |
---|---|
Default value if not configured | True |
Type of the configuration item | boolean |
The configuration item can contain multiple values | False |
Is required | True |
cert_path | Path to the CA on the system used to check server certificate |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | False |