This presentation is an introduction to Cuckoo Sandbox, an automated malware analysis system, and to using this tool for cyber security intelligence, given at the Department of Scientific Criminal Investigation, SungKyunKwan University, Korea.
2. AMA and Cyber Security Intelligence: Introduce myself
Name: 최우석
Affiliation
• Team leader, f-NGS Lab, Korea Information Security Education Center (한국정보보호교육센터)
• 3rd cohort, Department of Scientific Criminal Investigation, SungKyunKwan University Graduate School
Main job
Cyber security research
Writing
Coming soon with 에이콘 (Acorn Publishing)
Other
• Consulting (security assessment)
▪ Web site assessment
▪ Attack-scenario-based consulting
• Lectures
▪ Malware field
▪ NISA, Financial Security Institute (금보원), SKT, Nexon, Money Today, 쿠시스, Ministry of Trade, Industry and Energy, Convergence Security Support Center, etc.
• Talks
▪ CodeEngn, 신한시큐어, KIISC (한국정보보호학회), KISA, FIOS, etc.
• Community activities
▪ Forensic Insight, S2M
3. AMA and Cyber Security Intelligence: History & Overview
Development & production
Distribution & infection
Investigation & analysis
Recovery & response
Prevention & management
Goals of my life
Playing
7. Cuckoo Sandbox Environment: Types of malware analysis methods
Initial analysis
• Basic static analysis: AV test, calculating hash, detecting packer/obfuscation, extracting strings
• Basic dynamic analysis: process monitoring, network monitoring, analyzing file system, analyzing registry
Detail analysis
• Advanced static analysis: analyzing file format, analyzing implicitly linked DLLs, disassembling, decompiling
• Advanced dynamic analysis: debugging, analyzing explicitly linked DLLs, analyzing memory, analyzing hidden functions
8. Cuckoo Sandbox Environment: Types of malware analysis methods in Cuckoo Sandbox
The same matrix as slide 7, with each method marked on the slide as implemented or unimplemented in Cuckoo Sandbox (the marking is colour-coded and is not recoverable from the slide text).
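As an added example (not code from the slides or from the Cuckoo project), the basic static analysis steps from the initial-analysis column above, hashing, string extraction and an entropy heuristic for packer/obfuscation detection, in Python. The SAMPLE buffer is constructed (a fake MZ header, a few readable strings, then pseudo-random bytes imitating a packed section); the API watchlist and the entropy threshold are assumptions for illustration, and the AV test step is not shown because it needs external engines.

```python
"""Basic static analysis of a sample: hashes, printable strings and an
entropy-based packer/obfuscation heuristic.

Added example, not code from the slides or from the Cuckoo project.
SAMPLE is constructed; API_WATCHLIST and the 7.0 threshold are assumptions.
"""
import hashlib
import math
import random
import re
from collections import Counter

_rng = random.Random(1)  # fixed seed: the constructed sample is reproducible
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://example.invalid/update.php\x00"
    + bytes(_rng.getrandbits(8) for _ in range(4096))  # imitates a packed section
)

# Constructed watchlist: API names an analyst wants flagged in the strings output.
API_WATCHLIST = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 for cross-referencing the sample in AV and sandbox databases."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_chunk_entropy(data: bytes, chunk: int = 1024) -> float:
    """Highest entropy over fixed-size windows, so one packed section stands out in a large file."""
    if not data:
        return 0.0
    return max(shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk))


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: a window above the threshold suggests compression or encryption."""
    return max_chunk_entropy(data) > threshold


def analyze(data: bytes) -> dict:
    """Bundle the basic static checks the way an initial triage report would."""
    strings = extract_strings(data)
    return {
        "hashes": hashes(data),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "packed": looks_packed(data),
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
        "apis": sorted(s for s in strings if s in API_WATCHLIST),
        "string_count": len(strings),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The per-window entropy matters more than the whole-file figure: a large installer with one small encrypted blob can have unremarkable overall entropy while a 1 KB window reads close to 8 bits per byte. The random tail of SAMPLE will also produce a handful of junk printable runs, which is realistic; filtering strings against a watchlist is how the noise is kept out of the report.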
9. Cuckoo Sandbox Environment: Open Source License
2016 Open Source License Top 5
• GNU GPL 2.0 & 3.0: 34%
• MIT: 25%
• Apache 2.0: 15%
• BSD 3: 6%
• GNU LGPL 2.1: 6%
• Other: 14%
Source: https://resources.whitesourcesoftware.com/blog-whitesource/top-10-open-source-software-licenses-of-2016-and-key-trends
10. Cuckoo Sandbox Environment: Open Source License Comparison
License   | Link  | Distribute     | Modify         | Patent | Using Private | Re-License     | Brand
GNU GPL   | Self  | Non-commercial | Non-commercial | O      | O             | Non-commercial | O
MIT       | O     | O              | O              | X      | O             | O              | X
Apache    | O     | O              | O              | O      | O             | O              | X
BSD       | O     | O              | O              | X      | O             | O              | X
GNU LGPL  | Limit | Non-commercial | Non-commercial | O      | O             | Non-commercial | O
(O = allowed, X = not allowed)
Source: http://www.bloter.net/archives/209318
11. Cuckoo Sandbox Environment: Sandbox
A sandbox is a mechanism for separating execution regions in cyber security
• Controlled by hardware or software resources
• Sandboxes mainly use virtualization
Virtualization
• CPU-dependent
• Hypervisor
• Virtual machines
12. Cuckoo Sandbox Environment: Hypervisor
Types of hypervisor
• Type 1 - VT-d support in CPU
• Type 2 - VT-x support in CPU
Layering (from the slide diagram)
• Type 1: Hardware → Type 1 Hypervisor → OS
• Type 2: Hardware → Host OS → Type 2 Hypervisor → Guest OS
13. Cuckoo Sandbox Environment: Hypervisor in Cuckoo Sandbox
Purchasing a computer for each operating system is a waste
• Hardware cost, OS cost, electricity cost, wasted computer resources
Malware analysis
• An isolated environment is required
In Cuckoo Sandbox
• If the host OS is Ubuntu, it is uncomfortable to use
• For this reason, use nested virtualization
• Nested virtualization is supported in VMware Workstation (Type 2)
Layering (from the slide diagram)
• Hardware → Host OS (Windows 10) → Type 2 Hypervisor (VMware Workstation) → Guest OS (Ubuntu Server / Ubuntu Desktop) → Type 2 Hypervisor (VirtualBox) → Sandboxes
14. Cuckoo Sandbox Environment: Honeypot Project
Requirements
• Easily exposed to attackers
▪ Intentionally set to be vulnerable
▪ Configured for a variety of situations
• Monitoring everything that accesses the system
Types of honeypot project
• Honeynet
▪ Built at the infrastructure level
▪ Early honeypot project
• Client honeypot
▪ Also called HoneyClient
▪ Runs at the client level
▪ Mainly Internet security
15. Cuckoo Sandbox Environment: Types of Client Honeypot
High-interaction client honeypot
• Similar to the real environment
• Pros
▪ Ability to detect new attacks
• Cons
▪ High performance deviation, high costs, a lot of time wasted
Low-interaction client honeypot
• Simulation
• Pros
▪ Low performance deviation, low cost, fast detection
• Cons
▪ No new attack detection
Hybrid client honeypot
• First detection uses a low-interaction honeypot, second detection uses a high-interaction honeypot
16. Section outline: Introduction to Cuckoo Sandbox
History of Cuckoo Sandbox
Analyzable file types
Operating principle
Pros and cons
Technology
Functionalities
Demonstration
17. Introduction Cuckoo Sandbox: History of Cuckoo Sandbox
Releases by year (reconstructed from the slide timeline)
• 2010: Google Summer of Code project within the Honeynet Project
• 2011: Feb v0.1, Nov v0.2, Dec v0.3
• 2012: Feb v0.32, Jul v0.4, Aug v0.41, Sep v0.42, Dec v0.5
• 2013: Apr v0.6
• 2014: Jan v1.0, Apr v1.1, Oct v1.1.1
• 2015: Mar v1.2
• 2016 and 2017: Jan v2.0 RC1, Jan v2.0 RC2, Jan v2.0
Other milestones on the timeline: Rapid7's Magnificent7, Malwr, Open Cuckoo Foundation, Blackhat 2013, Brucon 2013, consultancy service, Malwr reload, new website
19. Introduction Cuckoo Sandbox: Operating principle
Flow from the slide diagram: Submit malware → Web Service → Core → Sandbox → Analyzed data → Report
20. Introduction Cuckoo Sandbox: Pros and Cons (1/2)
Pros
• Open source code
• Written in Python
• Provides both CLI and GUI modes
• Provides a REST API
▪ Controlled over the HTTP protocol
▪ System connectivity
• Continuous bug patches and version upgrades
▪ User community & feedback from researchers
• Multiple sandboxes can be configured
▪ If system resources remain...
• Feedback on the latest malware issues
▪ e.g. added DDE analysis function
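The REST API point above, as an added example that is not the project's own client: a standard-library Python client that submits a file to POST /tasks/create/file, polls /tasks/view/<id> and fetches /tasks/report/<id>/json from a Cuckoo 2.x `cuckoo api` server (default port 8090). The endpoint paths and task status strings are those of the Cuckoo 2.x API; the base URL, file name and sample bytes are constructed placeholders, and the multipart encoder is written by hand so nothing outside the standard library is needed.

```python
"""Minimal client for the Cuckoo Sandbox 2.x REST API.

Added example, not code from the slides or from the Cuckoo project.
BASE_URL, the file name and the sample bytes are constructed placeholders.
"""
import json
import time
import urllib.request
import uuid


def build_multipart(fields: dict, file_field: str, filename: str, data: bytes,
                    boundary: str = None):
    """Encode form fields plus one file upload as multipart/form-data."""
    boundary = boundary or "----cuckoo-example-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", str(value).encode()]
    parts += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode(),
              b"Content-Type: application/octet-stream", b"", data]
    parts += [f"--{boundary}--".encode(), b""]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(parts)


def make_submit_request(base_url: str, filename: str, data: bytes,
                        options: dict = None) -> urllib.request.Request:
    """POST /tasks/create/file: the sample goes in the 'file' field, and options
    such as timeout, priority or machine travel as ordinary form fields."""
    content_type, body = build_multipart(options or {}, "file", filename, data)
    req = urllib.request.Request(base_url.rstrip("/") + "/tasks/create/file", data=body)
    req.add_header("Content-Type", content_type)
    return req


def submit_file(base_url: str, filename: str, data: bytes, options: dict = None) -> int:
    """Submit a sample and return the task id reported by the API."""
    with urllib.request.urlopen(make_submit_request(base_url, filename, data, options)) as resp:
        return json.load(resp)["task_id"]


def task_status(base_url: str, task_id: int) -> str:
    """GET /tasks/view/<id>: pending, running, completed, reported or a failed_* state."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/tasks/view/{task_id}") as resp:
        return json.load(resp)["task"]["status"]


def wait_for_report(base_url: str, task_id: int, poll_seconds: int = 10,
                    max_wait: int = 1800) -> dict:
    """Poll until the task reaches 'reported', then fetch the JSON report."""
    deadline = time.time() + max_wait
    while time.time() < deadline:
        status = task_status(base_url, task_id)
        if status == "reported":
            url = f"{base_url.rstrip('/')}/tasks/report/{task_id}/json"
            with urllib.request.urlopen(url) as resp:
                return json.load(resp)
        if status in ("failed_analysis", "failed_processing", "failed_reporting"):
            raise RuntimeError(f"task {task_id} ended with status {status}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"task {task_id} not reported within {max_wait}s")


if __name__ == "__main__":
    # Constructed placeholder: point BASE_URL at a real `cuckoo api` instance to run end to end.
    BASE_URL = "http://127.0.0.1:8090"
    task_id = submit_file(BASE_URL, "sample.bin", b"MZ\x90\x00placeholder", {"timeout": 120})
    report = wait_for_report(BASE_URL, task_id)
    print(task_id, report["info"]["score"])
```

The client treats the three failed_* states as terminal rather than polling until the deadline, which is the case a batch pipeline most often gets wrong; a sandbox that times out on an anti-VM sample otherwise ties up the submitter for the full max_wait.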
21. Introduction Cuckoo Sandbox: Pros and Cons (2/2)
Cons
• Core functionality is documented well, but documentation of additional functionality is insufficient
• If you encounter problems, report an issue or fix the source code yourself
▪ Issue solving is optional
• Functionalities may be removed without prior notice
• Releases progress even if unfinished
▪ Improved by participants
▪ May affect business operations
• Not all malware is analyzed well
▪ Environment configuration is very important
▪ Weakness against anti-analysis techniques (anti-debugging, anti-virtualization, ...)
• Limitation of detail analysis
▪ Cannot analyze functions according to specific commands
22. Introduction Cuckoo Sandbox: Environment
Cuckoo Core Server
• Ubuntu 16.04 LTS Desktop 64 bit
• CPU 4 cores, memory 16 GB
Sandbox x 5
• Win7 SP1 64 bit
• CPU 1 core, memory 1024 MB
Cuckoo Sandbox Application
• 2.0.5.3
23. Introduction Cuckoo Sandbox: Infrastructure
Layering (from the slide diagram): Host OS → Type 2 Hypervisor → Cuckoo Core Service (Ubuntu 16.04 Desktop, with a nested Type 2 Hypervisor) and Other Service (Ubuntu 16.04 Server)
24. Introduction Cuckoo Sandbox: Technology (1/3)
Database
• Scheduling - RDBMS (SQLite, PostgreSQL, MariaDB)
• Web - NoSQL (MongoDB)
• Search - NoSQL (Elasticsearch)
Supported types of hypervisor
• Type 1 - XenServer, VMware (ESX, vSphere), KVM, QEMU
• Type 2 - VMware (Workstation), VirtualBox
• Physical sandbox - FOG Project
• Android emulation - AVD
Memory
• Volatility (with baseline analysis)
25. Introduction Cuckoo Sandbox: Technology (2/3)
Pattern and signature
• Network pattern - Snort, Suricata
• Static binary pattern - YARA
• Behavior log pattern - only usable in Cuckoo Sandbox, with Python coding
Network
• Types of network line - proxy, VPN, Tor network
• Analyzing - Moloch, mitmproxy
Server
• Main web service - Django
• Distributed and API service - Werkzeug
• Change server type - Nginx + uWSGI
▪ Increases stability
26. Introduction Cuckoo Sandbox: Technology (3/3)
Behavior analysis
• The agent communicates with Cuckoo Core using the XML-RPC protocol
Types of reports
• HTML, PDF, JSON, web service
Intelligence
• MISP
System management
• Icinga, Supervisord
Supporting Android analysis
• Google Play, Droidmon, ApkInfo
Etc.
• VirusTotal, certificate pinning at PE
27. Introduction Cuckoo Sandbox: Functionalities (1/5)
Hashes for malware
• ssdeep, imphash
Support for archive-type malware
• E-mail, OLE, ZIP
Analyzing lateral movement
• Announced for 2.0-RC1, but not implemented
Network routing
• No routing, drop routing, dirty line, InetSim, Tor, VPN
TLS/HTTPS capturing and decrypting
• mitmproxy, HTTPReplay
▪ But, it has some problems
▪ HTTPReplay does not implement certificate pinning
28. Introduction Cuckoo Sandbox: Functionalities (2/5)
Baseline analysis in memory analysis
• It is not documented!!
• Only in the JSON report (not shown in the web report)
Extracting URLs from process memory
• When I tested with a memory DNS malware, this function did not extract the URL.
Static binary pattern and behavior log pattern
• Static binary pattern uses YARA
• Behavior log pattern should use Cuckoo's dependent functions
▪ Requires Python programming
• YARA 3.7.1 can use the Cuckoo Sandbox dependency function.
▪ But, Cuckoo Sandbox 2.0.5.3 does not support YARA 3.7.1
29. Introduction Cuckoo Sandbox: Functionalities (3/5)
Maliciousness score
• Uses the behavior log pattern
• Maximum is 10, but values over 10 are possible
Comparing malware
• Uses API call order
• It is well implemented in the 1.x version, but in the 2.x version
Implementing a distributed system
• It is not documented!!
• Implemented using the REST API service
• Provides dedicated web services
• Gevent for asynchronous systems, Greenlet for coroutines
• Not enough
▪ No support for an integrated database, only analyzing a file type
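The behavior log pattern (slide 28) and the maliciousness score and API-call-order comparison (slide 29), as one added example that is not code from the slides or from the Cuckoo project (Cuckoo's own signatures are Python classes run inside the framework). The two reports are constructed in the shape of a 2.x report.json ("behavior" → "processes" → "calls", each call with an "api" name and an "arguments" dict); the signature list, the severity sum used as the raw score and the 10-point display cap are illustrative assumptions, and the comparison uses a Jaccard similarity over API-order bigrams, which is one possible reading of "comparing malware by API call order", not Cuckoo's own algorithm.

```python
"""Behavior-log pattern matching and API-call-order comparison over Cuckoo-style reports.

Added example, not code from the slides or from the Cuckoo project. Both reports,
the SIGNATURES list, the severity-sum score and the display cap are constructed
or assumed for illustration.
"""
from itertools import chain


def _calls(process_name, apis, extra=None):
    """Build a constructed process entry; extra maps an API name to its arguments."""
    extra = extra or {}
    return {"process_name": process_name,
            "calls": [{"api": api, "arguments": extra.get(api, {})} for api in apis]}


MALICIOUS_REPORT = {"behavior": {"processes": [_calls(
    "dropper.exe",
    ["NtCreateFile", "NtWriteFile", "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
     "CreateRemoteThread", "RegOpenKeyExW", "RegSetValueExW", "InternetOpenUrlA", "NtClose"],
    {"RegSetValueExW": {
        "regkey": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updater",
        "value": r"C:\Users\user\AppData\Roaming\updater.exe"}},
)]}}

BENIGN_REPORT = {"behavior": {"processes": [_calls(
    "notepad.exe",
    ["NtCreateFile", "NtWriteFile", "RegOpenKeyExW", "RegQueryValueExW", "NtClose"],
)]}}

# Constructed signatures. "sequence": APIs that must appear in this order within one
# process (not necessarily adjacent); "where": optional predicate on a call's arguments.
SIGNATURES = [
    {"name": "process_injection", "severity": 3,
     "sequence": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]},
    {"name": "run_key_persistence", "severity": 2, "sequence": ["RegSetValueExW"],
     "where": lambda args: "\\currentversion\\run" in args.get("regkey", "").lower()},
    {"name": "network_http", "severity": 1, "sequence": ["InternetOpenUrlA"]},
]


def process_matches(calls, signature) -> bool:
    """Walk the call log once, advancing through the signature's API sequence."""
    sequence = signature["sequence"]
    where = signature.get("where", lambda args: True)
    idx = 0
    for call in calls:
        if call["api"] == sequence[idx] and where(call["arguments"]):
            idx += 1
            if idx == len(sequence):
                return True
    return False


def run_signatures(report, signatures=SIGNATURES) -> dict:
    """Return matched signature names, the raw severity sum and the capped display score."""
    matched = [sig["name"] for sig in signatures
               if any(process_matches(p["calls"], sig) for p in report["behavior"]["processes"])]
    raw = sum(sig["severity"] for sig in signatures if sig["name"] in matched)
    return {"matched": matched, "score": raw, "display_score": min(raw, 10)}


def api_ngrams(report, n=2) -> set:
    """Set of API-name n-grams in call order, concatenated across processes."""
    apis = list(chain.from_iterable(
        [c["api"] for c in p["calls"]] for p in report["behavior"]["processes"]))
    return {tuple(apis[i:i + n]) for i in range(len(apis) - n + 1)}


def api_order_similarity(report_a, report_b, n=2) -> float:
    """Jaccard similarity of call-order n-grams: 1.0 for identical order, 0.0 for disjoint."""
    a, b = api_ngrams(report_a, n), api_ngrams(report_b, n)
    return len(a & b) / len(a | b) if (a | b) else 1.0


if __name__ == "__main__":
    print(run_signatures(MALICIOUS_REPORT))
    print(run_signatures(BENIGN_REPORT))
    print(round(api_order_similarity(MALICIOUS_REPORT, BENIGN_REPORT), 3))
```

Keeping the raw severity sum next to the capped value is what lets a report say "10" while an analyst can still rank two samples that both hit the cap, which is the point behind "maximum is 10 but values over 10 are possible". Ordered-subsequence matching, rather than an unordered set of API names, is what separates an injection chain from a process that merely happens to call OpenProcess and CreateRemoteThread in unrelated places.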
31. Introduction Cuckoo Sandbox: Functionalities (5/5)
Mass analysis
• Ability to separate functions
Flow with a single core (analyzing and reporting), from the slide flowchart:
• Start → Submit → Start analyzing → End analyzing → Generate report → Other malware? (Yes: back to Submit; No: End)
Flow with separated cores, from the slide flowchart:
• Core (analyzing): Start → Submit → Start analyzing → End analyzing → Other malware? (Yes: back to Submit; No: End)
• Sub core (reporting): Generate report → Other report? (Yes: back to Generate report; No: End)
33. Introduction Cuckoo Sandbox: Other automated malware analysis tools (1/3)
JoeSandbox Cloud - https://joesecurity.org/joe-security-products
• BASIC version - (online only) Windows + Android
• PRO version - (standalone) + macOS + iOS + API + Cookbook (virtual and physical support) + ...
Report sample (screenshot on the slide)
34. Introduction Cuckoo Sandbox: Other automated malware analysis tools (2/3)
Hybrid-analysis - https://www.hybrid-analysis.com/
• Free service - only Win7, only files, analysis submit limit 30, sample download
• Private cloud - Win 10, IoC, YARA, URL, various reports
• Full standalone - SIEM system integration (CEF syslog), custom signature test, memory dump
Report sample (screenshot on the slide)
35. Introduction Cuckoo Sandbox: Other automated malware analysis tools (3/3)
any.run - https://any.run/
• Semi-automated cloud malware analysis tool
▪ Free
▪ Live access to the virtual machines
Report sample (screenshot on the slide)
36. Section outline: Cyber Security Intelligence
Other automated malware analysis tools
Cyber Security Intelligence
Used by many intelligence analysts
Binary intelligence & limitations
37. Cyber Security Intelligence: Cyber Security Intelligence
Purpose
• Identify the attacker
• Predict the future through the past
▪ Incident response (establish preventive policy)
Tactics, Techniques and Procedures
https://en.wikipedia.org/wiki/PLA_Unit_61398
http://detect-respond.blogspot.kr/2013/03/the-pyramid-of-pain.html
38. Cyber Security Intelligence: Automated malware analysis and Cyber Security Intelligence
Purpose
• Automatically analyze numerous malware samples and accumulate analytical data
Used by many intelligence analysts
• VirusTotal used Cuckoo Sandbox
39. Cyber Security Intelligence: Used by many intelligence analysts in cyber security
https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Open-Source-Threat-Intelligence-Kyle-Maxwell.pdf
40. Cyber Security Intelligence: Used by many intelligence analysts in cyber security
https://www.rsaconference.com/writable/presentations/file_upload/anf-t10_implementing-an-automated-incident-response-architecture.pdf
41. Cyber Security Intelligence: Used by many intelligence analysts in cyber security
https://sector.ca/wp-content/uploads/presentations16/simmons%20Open%20Source%20Malware%20Lab%20SecTor.pdf
43. Cyber Security Intelligence: Binary intelligence & limitations
Binary intelligence
• Roughly the same as client-side intelligence, but not strictly
• Statistics of the various attack types used by binaries
• If a lot of malware is collected, associations can be analyzed
Limitations of binary intelligence
• Counter-intelligence
▪ Vulnerability of the evidence
• More data is needed to overcome this
▪ Need server-side intelligence
▪ But, no ownership and no investigation
46. Conclusion: with Digital Forensics
Include the digital forensics process in incident response
• Importance of DFIR
▪ But, availability vs. integrity
So many questions (Can ~ be evidence?)
• Can information gathered from the Internet be evidence?
• Can malware analysis information be evidence?
• Can data without a chain of custody be evidence?
• Can data collected from untrusted tools be evidence?
• ...
• No!
Digital evidence is in a very regrettable state in Korea
• And, too difficult to keep up with the speed of rapid development
• The singularity is approaching rapidly!!
Information collected by intelligence activities cannot be evidence