Cuckoo Sandbox - University of Delawarecavazos/cisc850-spring2017/...CISC 850 : Cyber Analytics...
Transcript of Cuckoo Sandbox - University of Delawarecavazos/cisc850-spring2017/...CISC 850 : Cyber Analytics...
CISC 850 : Cyber Analytics
Leonardo De La RosaInstitute for Financial Services Analytics
University of Delaware
Cuckoo Sandbox
CISC 850 : Cyber Analytics
Cuckoo Sandbox• Automated malware analysis system.
• Uses virtualization and supports Bare-metal environments.
• Analyzes different malicious files.
• Python based. Easy to customize.
CISC 850 : Cyber Analytics
• Trace API calls.
• Generate Behavioral profile and signatures.
• Dump and analyze Network Traffic.
• Capture file dumps.
• Take screenshots during execution of the analysis.
What Cuckoo can do
CISC 850 : Cyber Analytics
Cuckoo’s Architecture
Cuckoo host
Analysis Guests
Bare-metal System
Virtual Environment
CISC 850 : Cyber Analytics
Execution Flow
Submit a Task
Launch Virtual
MachineExecute Malware
Log Results
Generate Reports
CISC 850 : Cyber Analytics
Drawbacks• Malware checks for virtualization software:
Ø Registry keys.Ø Devices (CD-ROM, HDD).Ø Background processes.Ø IP addresses.
• Evasive techniques:
Ø Time triggers.Ø Extended sleep.Ø User interaction.