Vault7: CIA Hacking Tools Revealed
Navigation: » Directory » EDG Tools of the Trade » EDG Tools of the Trade Home
Owner: User #2064619
Cuckoo Sandbox
Overview
Cuckoo is an open source automated malware analysis system.
It’s used to automatically run and analyze files and collect comprehensive analysis results that outline what the malware does while running inside an isolated Windows operating system.
It can retrieve the following type of results:
- Traces of win32 APIApplication Programming Interface calls performed by all processes spawned by the malware.
- Files being created, deleted and downloaded by the malware during its execution.
- Memory dumps of the malware processes.
- Network traffic trace in PCAPPacket capture format format.
- Screenshots of Windows desktop taken during the execution of the malware.
- Full memory dumps of the machines (including automatic running of Volatility).
For answers to general questions see: cuckoo.pdf
Instance
An in-work instance is at http://10.3.2.118:8080/. The instance has a 32-bit Windows XPWindows operating system (Version) SP3 sandbox and a 32-bit Windows 7 SP1 sandbox. Both sandboxes are limited to "host-only" networking and will not be able to resolve external network resources on DEVLAN (see TODO).
TODO
ID | Status | Task | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | incomplete | 64-bit: Test out 64-bit support – no mention of limitation to 32-bit windows for cuckoo. |
|||||||||||||||
2 | incomplete | DEVLAN Infrastructure:
|
|||||||||||||||
6 | incomplete | ICE analysis package: Add support for ICEIn-memory Code Execution FireAndCollect and FireAndInteract modules. | |||||||||||||||
7 | incomplete | Dirty word scanner |
|||||||||||||||
8 | incomplete | Cross-correlation: Explore search and database features – can we have it generate reports with "similar" samples? |
Comments:
-
2014-11-12 09:11 [User #524297]:
fantastic