Cuckoo Assignment
Intrusion Detection
Group 9
CS658: Cuckoo Sandbox Assignment Group 9
Implementation Details
The goal of this project was to set up and use the Cuckoo Sandbox for dynamic malware analysis. The implementation involved several steps: system configuration, dependency installation, and manual adjustments to obtain a working environment.
Implementation Steps
1. Initial Setup Challenges
We attempted to use nested virtualization to set up the sandbox. However, after multiple
failures, we concluded that our hardware did not support nested virtualization effectively.
2. Environment Setup
To overcome these issues, we dual-booted the system with Ubuntu 22.04. The major dependencies for Cuckoo Sandbox were installed in this environment.
3. Manual Installation
The final stages of the installation, including configuring VirtualBox and the Cuckoo environment, were performed manually to resolve automation issues.
Execution
File Submission
Files were submitted to the sandbox using the following command:
cuckoo submit /path/to/sample
cuckoo submit also accepts a directory, in which case every file in it is queued as a separate task, and --timeout N bounds the analysis time of each task in seconds.
Running Cuckoo
The sandbox environment was initialized and managed using:
cuckoo
(Running cuckoo -d prints debug output, which is useful when a task never leaves the pending state.) Each completed task leaves its JSON report at storage/analyses/<task_id>/reports/report.json under the Cuckoo working directory, which defaults to ~/.cuckoo.
These steps generated detailed reports for the malware and benign samples.
Conclusion
Despite initial challenges, the implementation was successfully completed. Cuckoo Sandbox is now operational for dynamic malware analysis, providing detailed insights for each submitted file.
Question-Answers:
From the reports on the malware – do you see one or more malware trying to
detect that it is being executed on a virtual machine? What are the indications
you are finding – which makes you believe it (they) is (are) trying to detect
whether it is running on a VM?
Yes. Several samples, primarily from the malware set, show indications of checking whether they are running inside a virtual machine. We searched the JSON reports for the API names GetSystemMetrics and GetSystemInfo, which appear in the per-process API call counts under behavior.apistats. Both are common VM-detection probes: GetSystemInfo exposes the processor count and GetSystemMetrics the screen dimensions, and evasive samples compare these against thresholds that a typical analysis VM falls below. Benign software also calls these APIs, so a hit alone is an indicator rather than proof; matches on Cuckoo's community signatures whose names begin with antivm_ (installed with cuckoo community) are the more direct evidence.
Count the number of files created by each malware and add them up as count1.
Count the number of files created by the benign applications, and add them up as count2. Do you see any marked difference between count1 and count2? Explain.
For the benign files, the number of files created per task is as follows:
task 1: 1, task 2: 1, task 3: 0, task 4: 0, task 5: 1, task 7: 0, task 9: 5, task 10: 0, task 19: 2
This makes the total count2 = 10. Note that task 3 re-created 2 existing files (listed under file_recreated in the report) but did not create any new files according to the Cuckoo report, so it contributes 0.
The malware samples created more files than the benign ones, which is visible in the per-file counts.
Count the number of files deleted by each malware and add them up as count3.
Count the number of files deleted by the benign applications, and add them up as count4. Do you see any marked difference between count3 and count4? Explain.
For the benign files, the number of files deleted per task is as follows:
This makes the total count4 = 6.
The malware samples deleted more files than the benign ones, which is visible in the per-file counts.
Count the number of files written to by each malware and add them up as count5.
Count the number of files written to by the benign applications, and add them up as count6. Do you see any marked difference? Explain.
For the benign files, the number of files written to per task is as follows:
This makes the total count6 = 8.
For the malware files, the number of files written to per task is as follows:
This makes count5 = 36.
The malware samples wrote to far more files (36) than the benign ones (8), as the counts show.
Are any of the files trying to resolve any URL names to IP addresses? If so,
which category (malware or benign) are they?
None. According to the reports generated by Cuckoo for the 19 files, none of the samples tried to resolve URL names to IP addresses: the dns_servers field under network was empty in every JSON report. A resolution attempt would also be listed in the dns and domains lists under network, which are the more direct indicators. Note that an empty dns_servers list only means that no DNS traffic was captured during the analysis window, so this result depends on the analysis VM having network access enabled.
Which category of files on average imported more DLLs? What APIs are being
imported and exported (make two lists – one combined list for all DLLs and
imported functions by malware files, and another combined list of all DLLs and
imported functions by benign files)?
The malware files imported more DLLs than the benign ones: the benign set loaded 112 DLLs in total, the malware set 465. The combined lists of DLLs and imported functions for each category were produced with a Python script over the JSON reports (in Cuckoo's report.json the static import table is under static.pe_imports and the DLLs loaded at runtime under behavior.summary.dll_loaded). After removing duplicates, the two lists overlap only partly: a number of APIs are common to both categories, but most entries appear in only one of them.
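The following script is added here as a worked example of the tallying described in the answers above (per-category file counts, the GetSystemInfo/GetSystemMetrics and antivm_* indicators, the DNS check, and the import lists); it is not part of the group's submission. It assumes the Cuckoo 2.x report.json layout (behavior.summary, behavior.apistats, network.dns, network.domains, static.pe_imports, signatures); the function names, the label map and the two mini-reports at the bottom are constructed for illustration and are not real analyses.

```python
"""Tally Cuckoo 2.x report.json files per category (malware vs benign).

Added example; field names follow the Cuckoo 2.x report.json layout. The
two mini-reports at the bottom are constructed, not real analyses.
"""
import json
from collections import Counter, defaultdict
from pathlib import Path

# APIs the report searched for. GetSystemInfo exposes the processor count and
# GetSystemMetrics the screen size; evasive samples compare both against
# thresholds that a small analysis VM falls below. Benign code calls them too,
# so a hit is an indicator, not proof.
VM_PROBE_APIS = {"GetSystemInfo", "GetSystemMetrics"}
SUMMARY_KEYS = {"created": "file_created", "deleted": "file_deleted", "written": "file_written"}


def load_reports(analyses_dir):
    """Yield (task_id, report) for <analyses_dir>/<id>/reports/report.json (default ~/.cuckoo/storage/analyses)."""
    for path in sorted(Path(analyses_dir).glob("*/reports/report.json")):
        with open(path) as fh:
            yield path.parent.parent.name, json.load(fh)


def file_counts(report):
    """Distinct paths per behaviour key, i.e. one sample's share of count1..count6."""
    summary = report.get("behavior", {}).get("summary", {})
    return {label: len(set(summary.get(key, []))) for label, key in SUMMARY_KEYS.items()}


def vm_probe_indicators(report):
    """Calls to VM_PROBE_APIS summed over all processes, plus matched antivm_* signatures."""
    calls = Counter()
    for per_process in report.get("behavior", {}).get("apistats", {}).values():
        for api, n in per_process.items():
            if api in VM_PROBE_APIS:
                calls[api] += n
    sigs = [s["name"] for s in report.get("signatures", []) if s.get("name", "").startswith("antivm")]
    return dict(calls), sigs


def resolved_domains(report):
    """Domain names the guest tried to resolve (network.dns requests and network.domains)."""
    net = report.get("network", {})
    names = {q["request"] for q in net.get("dns", [])}
    names |= {d["domain"] for d in net.get("domains", [])}
    return names


def pe_imports(report):
    """(dll names, 'dll!function' strings) taken from the static import table."""
    dlls, funcs = set(), set()
    for entry in report.get("static", {}).get("pe_imports", []):
        dll = entry["dll"].lower()
        dlls.add(dll)
        funcs.update(f"{dll}!{imp['name']}" for imp in entry.get("imports", []))
    return dlls, funcs


def tally(reports, category_of):
    """Aggregate per category; category_of(task_id, report) returns 'malware' or 'benign'."""
    def fresh():
        return {"created": 0, "deleted": 0, "written": 0, "vm_hits": [], "dns": set(), "dlls": set(), "funcs": set()}
    out = defaultdict(fresh)
    for task_id, report in reports:
        agg = out[category_of(task_id, report)]
        for label, n in file_counts(report).items():
            agg[label] += n
        calls, sigs = vm_probe_indicators(report)
        if calls or sigs:
            agg["vm_hits"].append((task_id, calls, sigs))
        agg["dns"] |= resolved_domains(report)
        dlls, funcs = pe_imports(report)
        agg["dlls"] |= dlls
        agg["funcs"] |= funcs
    return out


# Constructed mini-reports (hypothetical task ids 1 and 2) and a hypothetical label map.
LABELS = {"editor.exe": "benign", "dropper.exe": "malware"}
SAMPLE_REPORTS = [
    ("1", {"target": {"file": {"name": "editor.exe"}},
           "behavior": {"summary": {"file_created": ["C:\\Users\\u\\notes.txt"],
                                    "file_written": ["C:\\Users\\u\\notes.txt"]},
                        "apistats": {"2004": {"CreateFileW": 3, "NtWriteFile": 1}}},
           "network": {"dns": [], "domains": [], "dns_servers": []}, "signatures": [],
           "static": {"pe_imports": [{"dll": "KERNEL32.dll", "imports": [{"name": "CreateFileW"}]}]}}),
    ("2", {"target": {"file": {"name": "dropper.exe"}},
           "behavior": {"summary": {"file_created": ["C:\\Windows\\Temp\\a.dll", "C:\\Windows\\Temp\\b.exe", "C:\\Users\\u\\run.bat"],
                                    "file_deleted": ["C:\\Users\\u\\run.bat"],
                                    "file_written": ["C:\\Windows\\Temp\\a.dll", "C:\\Windows\\Temp\\b.exe"]},
                        "apistats": {"1560": {"GetSystemInfo": 2, "GetSystemMetrics": 5, "CreateFileW": 4}}},
           "network": {"dns": [{"request": "c2.example.com", "type": "A", "answers": []}],
                       "domains": [{"domain": "c2.example.com", "ip": ""}], "dns_servers": ["10.0.2.3"]},
           "signatures": [{"name": "antivm_generic_cpu", "severity": 3}],
           "static": {"pe_imports": [{"dll": "KERNEL32.dll", "imports": [{"name": "GetSystemInfo"}, {"name": "CreateFileW"}]},
                                     {"dll": "USER32.dll", "imports": [{"name": "GetSystemMetrics"}]}]}}),
]


def tally_samples():
    """Run the tally over the constructed reports; label each task by its target file name."""
    return tally(SAMPLE_REPORTS, lambda _tid, rep: LABELS[rep["target"]["file"]["name"]])


if __name__ == "__main__":
    for category, agg in sorted(tally_samples().items()):
        print(category, {k: agg[k] for k in ("created", "deleted", "written")},
              "vm_hits:", agg["vm_hits"], "dns:", sorted(agg["dns"]), "dlls:", sorted(agg["dlls"]))
```

For real reports, replace SAMPLE_REPORTS with load_reports("~/.cuckoo/storage/analyses") expanded to a full path and supply a category_of that maps each task id to the sample list used for the assignment; the counts reported under "created", "deleted" and "written" then correspond to count1/count2, count3/count4 and count5/count6 for each category.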