Cuckoo Sandbox plugins for Malware Analysis

Bam, bam, bam - I just shot the malware down

You can try to reinvent things for Cuckoo Sandbox, or you can simply use the awesome community, which provides a massive list of plugins that you can use in your private Cuckoo Sandbox lab.

Cuckoo Sandbox can be used to analyze malware samples. It runs the sample in an isolated environment, which allows Cuckoo Sandbox to record the sample's behavior and its network connections.

Cuckoo Sandbox also lets you collect signatures, which are used in the reports. Once you have the unique signatures a sample triggers, you can search for them on the web to find similar or additional reports on that signature.

Cuckoo Sandbox uses the VirusTotal website to scan the sample for malware. The VirusTotal API then reports back to your own private Cuckoo Sandbox environment, and the report gives insight into the antivirus hit rate.

Searching in Cuckoo Sandbox

The current Cuckoo Sandbox project does allow you to search your database for signatures, but it does not provide a clear overview of the “allowed” search queries that can be made on your private Cuckoo Sandbox environment.

To fix that, I have visited the Malwr.com website, which runs on Cuckoo Sandbox, and I have copied the available search syntaxes which are provided in Cuckoo Sandbox.

Installing the plugins

Now let's get back to the plugins. In the Cuckoo Sandbox folder on your computer you will find a folder called utils. The utils folder contains various scripts which help you manage and update your Cuckoo Sandbox environment.

The script you are interested in is “community.py”. I could give you all the commands to run the script immediately, but that would not be wise, as running it blindly could corrupt your Cuckoo Sandbox environment.

Go ahead, navigate to the utils folder and run the following command:

sudo python community.py --help

This command shows you the available options. The community.py script fetches the shared plugins from the Cuckoo Sandbox community Git repository.

Plugins for Cuckoo Sandbox Malware Analysis

antidbg_devices.py
antidbg_windows.py
antiemu_wine.py
antisandbox_mouse_hook.py
antisandbox_productid.py
antisandbox_unhook.py
antivirus_virustotal.py
antivm_generic_bios.py
antivm_generic_disk.py
antivm_generic_ide.py
antivm_generic_scsi.py
antivm_generic_services.py
antivm_vbox_acpi.py
antivm_vbox_devices.py
antivm_vbox_files.py
antivm_vbox_keys.py
antivm_vbox_libs.py
antivm_vbox_window.py
banker_cridex.py
banker_prinimalka.py
banker_spyeye_mutex.py
banker_zeus_mutex.py
banker_zeus_p2p.py
banker_zeus_url.py
bitcoin_opencl.py
bot_athenahttp.py
bot_dirtjumper.py
bot_drive.py
bot_drive2.py
bot_madness.py
bot_russkill.py
bypass_firewall.py
downloader_cabby.py
exec_crash.py
infostealer_browser.py
infostealer_ftp.py
injection_createremotethread.py
injection_runpe.py
locker_regedit.py
locker_taskmgr.py
network_bind.py
network_http.py
network_icmp.py
network_irc.py
network_smtp.py
network_tor.py
network_tor_service.py
origin_langid.py
packer_entropy.py
packer_upx.py
persistence_ads.py
persistence_autorun.py
rat_beebus_mutex.py
rat_fynloski_mutex.py
rat_pcclient.py
rat_plugx_mutex.py
rat_spynet.py
rat_xtreme_mutex.py
recon_checkip.py
recon_fingerprint.py
recon_systeminfo.py
sniffer_winpcap.py
spreading_autoruninf.py
targeted_flame.py
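To show what the signature modules listed above actually do, here is an added example (it is not code from Cuckoo Sandbox or from the community repository) that mirrors the shape of three of them: antivm_vbox_keys.py, antivm_vbox_files.py and packer_entropy.py. It runs a few signature classes over a constructed behavior summary. The Signature base class, its check_key/check_file helpers, the summary key names, the sample_bytes field and the entropy threshold are assumptions made for this illustration, not Cuckoo's actual API; the VirtualBox registry key and driver file names are the real Guest Additions artifacts.

```python
import math
import re

# Constructed behavior summary (sample input for this example, not a real report).
# The "keys" and "files" sections mirror the shape of a Cuckoo behavior summary,
# but the exact key names used here are an assumption.
SAMPLE_REPORT = {
    "behavior": {
        "summary": {
            "keys": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
            ],
            "files": ["C:\\Windows\\System32\\drivers\\VBoxMouse.sys"],
        }
    },
    # Constructed stand-in for the sample's bytes; a uniform blob scores like a packed PE.
    "sample_bytes": bytes(range(256)) * 4,
}


class Signature:
    """Minimal stand-in for Cuckoo's Signature base class (assumed interface)."""
    name = ""
    description = ""
    severity = 1

    def __init__(self, report):
        self.report = report
        self.summary = report.get("behavior", {}).get("summary", {})
        self.matches = []  # artifacts that triggered this signature

    def _check(self, section, pattern):
        # Case-insensitive regex match over one section of the behavior summary.
        for item in self.summary.get(section, []):
            if re.match(pattern, item, re.IGNORECASE):
                self.matches.append(item)
        return bool(self.matches)

    def check_key(self, pattern):
        return self._check("keys", pattern)

    def check_file(self, pattern):
        return self._check("files", pattern)


class VBoxDetectKeys(Signature):
    name = "antivm_vbox_keys"
    description = "Queries the VirtualBox Guest Additions registry key (VM detection)"
    severity = 3

    def run(self):
        return self.check_key(r".*\\SOFTWARE\\Oracle\\VirtualBox Guest Additions$")


class VBoxDetectFiles(Signature):
    name = "antivm_vbox_files"
    description = "Touches VirtualBox Guest Additions driver files (VM detection)"
    severity = 3

    def run(self):
        return self.check_file(r".*\\VBox(Mouse|Guest|SF|Video)\.sys$")


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


class PackerEntropy(Signature):
    name = "packer_entropy"
    description = "Sample bytes have high entropy, typical of packing or encryption"
    severity = 2
    threshold = 7.0  # assumed cut-off; tune it against your own corpus

    def run(self):
        entropy = shannon_entropy(self.report.get("sample_bytes", b""))
        if entropy >= self.threshold:
            self.matches.append("entropy=%.2f" % entropy)
            return True
        return False


SIGNATURES = [VBoxDetectKeys, VBoxDetectFiles, PackerEntropy]


def run_signatures(report, signatures=SIGNATURES):
    """Run every signature over one report; return {name: (severity, matched artifacts)}."""
    results = {}
    for cls in signatures:
        sig = cls(report)
        if sig.run():
            results[sig.name] = (sig.severity, list(sig.matches))
    return results


if __name__ == "__main__":
    for name, (severity, matches) in sorted(run_signatures(SAMPLE_REPORT).items()):
        print("[severity %d] %s: %s" % (severity, name, ", ".join(matches)))
```

Run as a script it prints one line per matched signature with the artifacts that triggered it. The anti-VM hits are worth reading first: a sample that checks for VirtualBox keys or drivers has probably noticed the sandbox, so the rest of the behavior report may be incomplete and the sample deserves a second run on a hardened guest. The entropy signature is deliberately a heuristic, which is why its severity is lower and its threshold is exposed as a class attribute.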