Open source sandbox CuckooSandbox introduction and deployment

1 Introduction

1.1 Application scenarios
  In our work we often need to check whether a program or executable file is malicious. Of course we can use VT (VirusTotal), ThreatBook (微步) and other open platforms for detection, but here we build our own sandbox out of open source components. A sandbox is a security mechanism for isolating running programs. It is usually used to execute untested code, or untrusted programs from third-party vendors or untrusted websites. We run the untrusted program in the isolated environment of the sandbox and collect information about what it did.
  Malware analysis is generally divided into two types: static analysis and dynamic analysis. A sandbox is an application of dynamic analysis: instead of statically analyzing the binary, it executes the malware in real time and monitors it. This lets security analysts learn the details of untrusted software, such as its network behaviour; the static and dynamic analysis results for the untrusted program are produced faster and help us analyze and defend against the malware.
1.2 About Cuckoo
  Cuckoo is an open source automated malware analysis system. With it we can automatically run and analyze files and obtain a comprehensive analysis result.
  Cuckoo can obtain the following types of results:
    1. Traces of the calls performed by all processes spawned by the malware
    2. Files created, deleted and downloaded by the malware during its execution
    3. Memory dumps of the malware processes
    4. Network traffic trace in PCAP format
    5. Screenshots taken during the execution of the malware
    6. Full memory dumps of the analysis machines

1.3 Sample types that the Cuckoo modules can analyze:
    • Generic Windows executables
    • DLL files
    • PDF documents
    • Microsoft Office documents
    • URLs and HTML files
    • PHP scripts
    • CPL files
    • Visual Basic (VB) scripts
    • ZIP files
    • Java JAR
    • Python files
    • Almost anything else

1.4 Architecture 

  Cuckoo Sandbox consists of central management software that handles sample execution and analysis. Each analysis is launched in a separate, isolated physical or virtual machine; the host (running the management software) and a number of guests (virtual or physical machines used for analysis) are Cuckoo's main components.

  The core component runs on the host and manages the whole analysis process; the guests are the isolated environments in which the malware is actually executed and analyzed. The Cuckoo architecture is as follows:


2. Deployment

This article uses a Docker deployment (next time I will test it with a few cloud hosts).

2.1 Environment dependencies

  • blacktop/yara: 3.7
  • blacktop/volatility: 2.6
  • Docker
  • Docker Compose
  • Ubuntu 16 LTS cloud host


2.2 Ubuntu 16 LTS cloud host
Install Homebrew

Start the installation:

  git clone https://github.com/blacktop/docker-cuckoo
  cd docker-cuckoo
  docker-compose up -d

Then check that the Cuckoo API answers. For docker-machine:

  curl $(docker-machine ip):8000/cuckoo/status

For Docker for Mac:

  curl localhost:8000/cuckoo/status
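As an added example (not part of the original post or of the docker-cuckoo project), a small Python script that queries the same /cuckoo/status endpoint the curl step checks and reports whether the sandbox actually has an analysis machine available, since the API answering is not the same as the sandbox being able to run a sample. The URL, the constructed sample reply and the field names follow the Cuckoo REST API status response as I know it and are assumptions.

```python
import json
import urllib.request

# Assumed: the status endpoint of the docker-cuckoo deployment checked above
STATUS_URL = "http://localhost:8000/cuckoo/status"


def parse_status(body):
    """Summarise a /cuckoo/status JSON body: version, machines, task queue."""
    data = json.loads(body)
    machines = data.get("machines", {})
    tasks = data.get("tasks", {})
    summary = {
        "version": data.get("version"),
        "machines_available": int(machines.get("available", 0)),
        "machines_total": int(machines.get("total", 0)),
        "tasks_pending": int(tasks.get("pending", 0)),
        "tasks_running": int(tasks.get("running", 0)),
    }
    # The API can be up while no analysis VM is configured; only count the
    # sandbox as ready when at least one machine can accept a sample.
    summary["ready"] = summary["machines_available"] > 0
    return summary


def fetch_status(url=STATUS_URL, timeout=5):
    """GET the status endpoint; returns the summary, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return parse_status(resp.read().decode("utf-8"))
    except (OSError, ValueError):
        return None


# Constructed sample reply, shaped like the API's /cuckoo/status response
SAMPLE_STATUS = json.dumps({
    "version": "2.0.6",
    "hostname": "cuckoo-host",
    "machines": {"total": 2, "available": 1},
    "tasks": {"total": 10, "pending": 3, "running": 1,
              "completed": 4, "reported": 2},
})

if __name__ == "__main__":
    # Fall back to the constructed sample when no sandbox is running locally
    print(fetch_status() or parse_status(SAMPLE_STATUS))
```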

2.3 Access the web interface
  In the browser, enter http://ip (the address of the Docker host).

3. Notes
  3.1 Before installing a sandbox, we should ask ourselves what goals we want to achieve:
    1. What kinds of files are to be analyzed
    2. How much analysis throughput is expected
    3. Which platforms to combine for analysis; each analysis platform has its own advantages, and combining them gives more comprehensive and accurate results
    4. For the files in question, what kind of information we expect to obtain

4. Use

5. Reference

https://github.com/cuckoosandbox/cuckoo

https://cuckoo.sh/docs/

https://github.com/blacktop/docker-cuckoo#dependencies

https://cuckoo.sh/docs/installation/host/

https://cuckoo.sh/docs/installation/index.html


Source: www.cnblogs.com/Rightsec/p/10263424.html