Cuckoo Assignment

CS658: Topics in Malware Analysis &

Intrusion Detection

Group 9

Homework 5: Cuckoo Sandbox Assignment

Fall Semester 2024

Ankit Kaushik 220158
Mohsin Khan 241110612
Naman Kumar Jaiswal 220687
Sumit Rojaria 221104

CS658: Cuckoo Sandbox Assignment Group 9

Implementation Details
The goal of this project was to set up and utilize the Cuckoo Sandbox for dynamic malware
analysis. The implementation involved multiple steps, including system configuration,
dependency installation, and manual adjustments for a functional environment.

Implementation Steps
1. Initial Setup Challenges
We attempted to use nested virtualization to set up the sandbox. However, after multiple
failures, we concluded that our hardware did not support nested virtualization effectively.

2. Environment Setup
To overcome these issues, we dual-booted the system with Ubuntu 22.04. The major
dependencies for Cuckoo Sandbox were installed in this environment.

3. Manual Installation
The final stages of the installation, including configuring VirtualBox and the Cuckoo
environment, were performed manually to resolve automation issues.

Execution
File Submission
Files were submitted to the sandbox using the following command:
cuckoo submit /path/to/sample

Running Cuckoo
The sandbox environment was initialized and managed using:
cuckoo
These steps generated detailed reports for malware and benign samples.

Conclusion
Despite initial challenges, the implementation was successfully completed. Cuckoo Sandbox
is now operational for dynamic malware analysis, providing detailed insights for each
submitted file.


Question-Answers:
From the reports on the malware – do you see one or more malware trying to
detect that it is being executed on a virtual machine? What are the indications
you are finding – which makes you believe it (they) is (are) trying to detect
whether it is running on a VM?
Yes, we saw multiple files trying to detect that they were being executed on a virtual machine.
These were primarily malware files. We identified them by searching the JSON reports for the
keywords 'GetSystemMetrics' and 'GetSystemInfo'.

Count the number of files created by each malware and add them up as count1.
Count the number of files created by the benign applications, and add them
up as count2. Do you see any marked difference between count1 and count2?
Explain.
For the Benign Files, the number of files created by each sample is as follows:
1: 1, 2: 1, 3: 0, 4: 0, 5: 1, 7: 0, 9: 5, 10: 0, 19: 2
This makes the total count2 = 10. Note that File 3 recreated 2 files but, as per the Cuckoo
report, did not create any new files.

For the Malware Files, the number of files created by each sample is as follows:
VirusShare 0b109c1cb3f6ae1eb5c8d415e9643c07: 0,
VirusShare 0b109c1cb3f6ae1eb5c8d415e9643c07: 14,
VirusShare 4c2fdd9f819d6b551df945c6bf5faec7: 4,
VirusShare d8ecc13aba2945c22e6a6f92a26d7e01: 0,
VirusShare 085de2518f08f8541d71b5e7fead31b4: 4,
VirusShare 3d2ec4d503e282cc0db13d662b92c5e8: 0,
VirusShare 65b23015f3b67ec35381c0fff4209b21: 11,
VirusShare 0a426257e0f45255f4a7366c6e0a309e: 11,
VirusShare 427a1136e5e470964ec6aa3a7bd991f8: 4,
VirusShare 8acf123b9576b7e76c930637ab67f43b: 0
This makes the total count1 = 48.

The malware files clearly created far more files than the benign ones, as the counts above show.

Count the number of files deleted by each malware and add them up as count3.
Count the number of files deleted by the benign applications, and add them up
as count4. Do you see any marked difference between count3 and count4?
Explain.
For the Benign Files, the files deleted are as follows:
This makes the total count4 = 6.

For the Malware Files, the files deleted are as follows:
This makes the total count3 = 10.


The malware files clearly deleted more files than the benign ones, as the counts above show.

Count the number of files written to by each malware and add them up as count5.
Count the number of files written to by the benign applications, and add them
up as count6. Do you see any marked difference? Explain.
For the Benign Files, the files written to are as follows:
This makes the total count6 = 8.
For the Malware Files, the files written to are as follows:
This makes the total count5 = 36.

The malware files clearly wrote to far more files than the benign ones, as the counts above show.

Which category of files (malware or benign) are creating more directories?
Malware files are creating a lot more directories as compared to Benign Files. The difference
is quite large – more than 3 times.

Which category of files (malware or benign) opened more registry keys?
Malware files opened far more registry keys than Benign Files. The difference is quite
large – more than 4 times. Benign Files opened 469 registry keys while 2251 were opened
by malware.

Are any of the files trying to resolve any URL names to IP addresses? If so,
which category (malware or benign) are they?
None. As per the reports that Cuckoo generated for the 19 files, none of them showed an
attempt to resolve URL names to IP addresses: the dns entries under the network section
were empty in all of the JSON files.

Which category of files on average imported more DLLs? What APIs are being
imported and exported (make two lists – one combined list for all DLLs and
imported functions by malware files, and another combined list of all DLLs and
imported functions by benign files)?
Malware files imported more DLLs than benign ones. Benign files loaded 112 DLLs in total,
while malware loaded 465. The lists of imported DLLs and functions were built with a Python
script. After removing duplicates, the two lists were mostly distinct: although several APIs
were common to both lists, most of them appeared in only one.
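One way to derive the file counts, the VM-detection keyword hits and the combined DLL/import lists from Cuckoo report.json files. This is an added example, not the group's own script; the key names (behavior.summary.*, static.pe_imports, network.dns) are assumed from the Cuckoo 2.x report layout, and the sample reports are constructed.

```python
from collections import Counter

COUNT_KEYS = ("file_created", "file_deleted", "file_written",
              "directory_created", "regkey_opened", "dll_loaded")
VM_CHECK_APIS = {"GetSystemMetrics", "GetSystemInfo"}  # keywords searched for above

def summary_counts(report):
    """Length of each behavior.summary list; a missing key counts as 0."""
    summary = report.get("behavior", {}).get("summary", {})
    return Counter({k: len(summary.get(k, [])) for k in COUNT_KEYS})

def category_totals(reports):
    """Per-category sums, e.g. count1 = category_totals(malware)['file_created']."""
    return sum((summary_counts(r) for r in reports), Counter())

def dll_imports(reports):
    """Combined, de-duplicated {dll: {function, ...}} from static.pe_imports."""
    combined = {}
    for r in reports:
        for entry in r.get("static", {}).get("pe_imports", []):
            names = {i["name"] for i in entry.get("imports", []) if i.get("name")}
            combined.setdefault(entry["dll"].lower(), set()).update(names)
    return combined

def vm_check_indicators(report):
    """Imported functions matching the VM-detection keywords, sorted."""
    return sorted(f for fs in dll_imports([report]).values() for f in fs & VM_CHECK_APIS)

def resolves_dns(report):
    """True when network.dns records at least one lookup."""
    return bool(report.get("network", {}).get("dns"))

# Constructed sample reports in the assumed Cuckoo 2.x layout (not real sandbox output).
BENIGN = [
    {"behavior": {"summary": {"file_created": ["C:\\a.tmp"], "regkey_opened": ["HKLM\\X"]}},
     "static": {"pe_imports": [{"dll": "KERNEL32.dll", "imports": [{"name": "CreateFileW"}]}]}},
    {"behavior": {"summary": {"file_created": [], "file_deleted": ["C:\\old.log"]}},
     "static": {"pe_imports": [{"dll": "KERNEL32.dll", "imports": [{"name": "GetSystemInfo"}]}]}},
]
MALWARE = [
    {"behavior": {"summary": {"file_created": ["C:\\x.exe", "C:\\y.dll"], "file_written": ["C:\\x.exe"],
                              "directory_created": ["C:\\d1", "C:\\d2"], "regkey_opened": ["HKLM\\A", "HKLM\\B"]}},
     "static": {"pe_imports": [{"dll": "USER32.dll", "imports": [{"name": "GetSystemMetrics"}]},
                               {"dll": "KERNEL32.dll", "imports": [{"name": "GetSystemInfo"}, {"name": "WriteFile"}]}]},
     "network": {"dns": [{"request": "sample.invalid", "type": "A"}]}},
]
```

On real data, load each report.json with json.load, group the resulting dicts by category, and pass the two lists to category_totals and dll_imports; the DLLs unique to one category are the set difference of the two dll_imports keys.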
