Cuckoo Sandbox Research Articles

Detection of malicious software by analyzing the behavioral artifacts using machine learning algorithms

Malicious software deliberately affects the computer systems. Malware are analyzed using static or dynamic analysis techniques. Using these techniques, unique patterns are extracted to detect malware correctly. In this paper, a behavior-based malware detection technique is proposed. Various runtime features are extracted by setting up a dynamic analysis environment using the Cuckoo sandbox. Three primary features are processed for developing malware classifier. Firstly, printable strings are processed word by word using text mining techniques which produced a very high dimension matrix of the string features. Then we apply the singular value decomposition technique for reducing dimensions of string features. Secondly, Shannon entropy is computed over the printable strings and API calls to consider the randomness of API and PSI features. In addition to these features, behavioral features regarding file operations, registry key modification and network activities are used in malware detection. Finally, all features are integrated in the training feature set to develop the malware classifiers using the machine learning algorithms. The proposed technique is validated with 16489 malware and 8422 benign files. Our experimental results show the accuracy of 99.54% in malware detection using ensemble machine learning algorithms. Moreover, it aims to develop a behavior-based malware detection technique of high accuracy by processing the runtime features in a new way.

Building malware classificators usable by State security agencies

Sandboxing has been used regularly to analyze software samples and determine if these contain suspicious properties or behaviors. Even if sandboxing is a powerful technique to perform malware analysis, it requires that a malware analyst performs a rigorous analysis of the results to determine the nature of the sample: goodware or malware. This paper proposes two machine learning models able to classify samples based on signatures and permissions obtained through Cuckoo sandbox, Androguard and VirusTotal. The developed models are also tested obtaining an acceptable percentage of correctly classified samples, being in this way useful tools for a malware analyst. A proposal of architecture for an IoT sentinel that uses one of the developed machine learning model is also showed. Finally, different approaches, perspectives, and challenges about the use of sandboxing and machine learning by security teams in State security agencies are also shared.

Windows malware detection system based on LSVC recommended hybrid features

To combat exponentially evolved modern malware, an effective Malware Detection System and precise malware classification is highly essential. In this paper, the Linear Support Vector Classification (LSVC) recommended Hybrid Features based Malware Detection System (HF-MDS) has been proposed. It uses a combination of the static and dynamic features of the Portable Executable (PE) files as hybrid features to identify unknown malware. The application program interface calls invoked by the PE files during their execution along with their correspondent category are collected and considered as dynamic features from the PE file behavioural report produced by the Cuckoo Sandbox. The PE files’ header details such as optional header, disk operating system header, and file header are treated as static features. The LSVC is used as a feature selector to choose prominent static and dynamic features from their respective Original Feature Space. The features recommended by the LSVC are highly discriminative and used as final features for the classification process. Different sets of experiments were conducted using real-world malware samples to verify the combination of static and dynamic features, which encourage the classifier to attain high accuracy. The tenfold cross-validation experimental results demonstrate that the proposed HF-MDS is proficient in precisely detecting malware and benign PE files by attaining detection accuracy of 99.743% with sequential minimal optimization classifier consisting of hybrid features.

On the viability of data collection using Google Rapid Response for enterprise-level malware research

With the increasing number of attacks on enterprises, which often involves the deployment of some form of malware, an automated method for performing large-scale triage has become essential to the timely resolution of an incident. The purpose of this project is to combine the data collection capabilities of Google Rapid Response (GRR) with the flexible automation of Cuckoo Sandbox, to collect data for training machine learning models that perform triage on enterprise machines. To evaluate the viability of this approach, we investigate the artifacts that can be collected using GRR and whether they provide salient features for triage automation. Furthermore, we consider the speed of data collection and the consistency of the collected data when scaling the analysis environment to include more machines. Moreover, we develop multiple simulations of benign computer usage for both generating the benign dataset and as real-world background activities when injecting malware samples. Examples of the simulations include surfing the web, using a word editor, and python coding using an IDE. We investigated a total of 39 Windows artifacts that can be remotely collected using GRR's StartFlowAndWait API. StartFlowAndWait blocks execution until the artifacts are collected or until an error message is received. Collecting all 39 artifacts required over 1 h on a dedicated network connection between the analysis VM and the GRR server. However, handpicking only 11 artifacts reduces the average data collection time to 4 min. We also found that increasing the number of analysis machines caused less artifacts to be successfully collected. This drop in reliability is due to network congestion and the waste of other computing resources from the blocking mechanism of StartFlowAndWait. Although GRR is designed for large-scale deployment, we found that the default configuration of GRR is not sufficient for malware research data collection when using StartFlowAndWait instead of StartFlow.

International Network Performance and Security Testing Based on Distributed Abyss Storage Cluster and Draft of Data Lake Framework

The megatrends and Industry 4.0 in ICT (Information Communication & Technology) are concentrated in IoT (Internet of Things), BigData, CPS (Cyber Physical System), and AI (Artificial Intelligence). These megatrends do not operate independently, and mass storage technology is essential as large computing technology is needed in the background to support them. In order to evaluate the performance of high-capacity storage based on open source Ceph, we carry out the network performance test of Abyss storage with domestic and overseas sites using KOREN (Korea Advanced Research Network). And storage media and network bonding are tested to evaluate the performance of the storage itself. Additionally, the security test is demonstrated by Cuckoo sandbox and Yara malware detection among Abyss storage cluster and oversea sites. Lastly, we have proposed the draft design of Data Lake framework in order to solve garbage dump problem.

Insights gained from constructing a large scale dynamic analysis platform

As the number of malware samples found increases exponentially each year, there is a need for systems that can dynamically analyze thousands of malware samples per day. These systems should be reliable, scalable, and simple to use by other systems and malware analysts. When handling thousands of malware, reprocessing a small percentage of the malware due to errors can be devastating; a reliable system avoids wasting resources by reducing the number of errors.In this paper, we describe our scalable dynamic analysis platform, perform experiments on the platform, and provide lessons we have learned through the process. The platform uses Cuckoo sandbox for dynamic analysis and is improved to process malware as quickly as possible without losing valuable information. Experiments were performed to improve the configuration of the system's components and help improve the accuracy of the dynamic analysis. Lessons learned presented in the paper may aid others in the development of similar dynamic analysis systems.

Anatomy of ransomware malware: detection, analysis and reporting

Rapidly increasing malware samples pose a serious threat to cyber security especially when they are not getting detected by security tools and techniques. Malware writers obfuscate the malware samples to conceal malicious code inside a legitimate executable to evade antivirus solutions and tamper it without changing its genuine structure to exploit target machines and remain fully undetected (FUD). Thus, it is a major challenge before Cyber Clean operations run by various government agencies to monitor malicious activities in their official network. Ransomware is a malware that encrypts documents to breach information on victim machine and asks for ransom to provide the decryption key. This paper presents the results of static and dynamic analysis of nine prominent variants of ransomware samples obtained from renowned malware repositories. A test bed is prepared to analyse these samples in Cuckoo's sandbox environment to monitor altered files/directories, tampered registry keys, Command and Control (C&C) and accessed application programming interfaces (APIs). At the end of this paper, we present the observations from our experimental analysis and provide remedial measures to deal with these samples, which would more likely impact the future analysis of ransomware.

Anatomy of ransomware malware: detection, analysis and reporting

Rapidly increasing malware samples pose a serious threat to cyber security especially when they are not getting detected by security tools and techniques. Malware writers obfuscate the malware samples to conceal malicious code inside a legitimate executable to evade antivirus solutions and tamper it without changing its genuine structure to exploit target machines and remain fully undetected (FUD). Thus, it is a major challenge before Cyber Clean operations run by various government agencies to monitor malicious activities in their official network. Ransomware is a malware that encrypts documents to breach information on victim machine and asks for ransom to provide the decryption key. This paper presents the results of static and dynamic analysis of nine prominent variants of ransomware samples obtained from renowned malware repositories. A test bed is prepared to analyse these samples in Cuckoo's sandbox environment to monitor altered files/directories, tampered registry keys, Command and Control (C&C) and accessed application programming interfaces (APIs). At the end of this paper, we present the observations from our experimental analysis and provide remedial measures to deal with these samples, which would more likely impact the future analysis of ransomware.

Enhanced Intrusion Tolerant System for Mobile Payment

Objectives: To prevent malicious software and hacking in near field communication-based mobile payments, this paper suggests a new intrusion tolerant system. Methods/Statistical analysis: As Cuckoo Sandbox restricts the access to the system resources of the applet transmitted through the network, this new intrusion tolerant system adopted Cuckoo Sandbox for the intrusion detection and the safe normal service of the operation system from various malicious attacks. To enhance the intrusion tolerant level, the scalable intrusion-tolerant architecture for distributed service is adopted to analyze the status of the system and the risk in the current environment through the intrusion detection, which optimizes the security level of a system. Findings: The intrusion tolerant system suggested in this paper may cover various malicious applications such as network attacks to the weak service, data driven attack to applications, privilege escalation or intruder login, main file access from intruders, and host-based attacks. This system prevents the access to the server cluster and blocks direct attacks by forming a barrier layer with a firewall and the proxy. It can detect various attacks through checking the file integrity by the operation of challenge/response protocol. This system also finds the infected server by checking the responses from each server. In addition, this system has much more active corresponding level than the existing scalable intrusion-tolerant architecture. In this intrusion detection system, both the data analysis and detection proceed simultaneously through the migration of the system, which maintains the operation of the system as it was. This virtualization technique is good for the implementation of the intrusion tolerance system and the migration of the mobile payment system in active state to another system. Especially, the live migration method is very effective to minimize the loss of time and data. Application/Improvements: Especially, this intrusion tolerant system makes the operating system safe from mobile payments intrusion and malicious software.

A Complete Dynamic Malware Analysis

Now a days thousands of malware samples are received by anti-malware companies on daily basis. And these large numbers are send for analysis by a number of automated analysis tools. These tool automatically execute a program in a controlled environment and generate a report describing the program’s behaviour. This research paper is a contribution towards the Dynamic Malware analysis. The aim is to provide the general malware features found in recent malware by performing dynamic malware analysis using cuckoo sandbox executed on Windows XP (SP3). This paper also discusses the detailed information about techniques & tools used in dynamic malware analysis.

Accurate mobile malware detection and classification in the cloud.

As the dominator of the Smartphone operating system market, consequently android has attracted the attention of s malware authors and researcher alike. The number of types of android malware is increasing rapidly regardless of the considerable number of proposed malware analysis systems. In this paper, by taking advantages of low false-positive rate of misuse detection and the ability of anomaly detection to detect zero-day malware, we propose a novel hybrid detection system based on a new open-source framework CuckooDroid, which enables the use of Cuckoo Sandbox’s features to analyze Android malware through dynamic and static analysis. Our proposed system mainly consists of two parts: anomaly detection engine performing abnormal apps detection through dynamic analysis; signature detection engine performing known malware detection and classification with the combination of static and dynamic analysis. We evaluate our system using 5560 malware samples and 6000 benign samples. Experiments show that our anomaly detection engine with dynamic analysis is capable of detecting zero-day malware with a low false negative rate (1.16 %) and acceptable false positive rate (1.30 %); it is worth noting that our signature detection engine with hybrid analysis can accurately classify malware samples with an average positive rate 98.94 %. Considering the intensive computing resources required by the static and dynamic analysis, our proposed detection system should be deployed off-device, such as in the Cloud. The app store markets and the ordinary users can access our detection system for malware detection through cloud service.

How to detect the Cuckoo Sandbox and to Strengthen it?

Nowadays a lot of malware are analyzed with virtual machines. The Cuckoo sandbox (Cuckoo DevTeam: Cuckoo sandbox. http://www.cuckoosandbox.org , 2013) offers the possibility to log every actions performed by the malware on the virtual machine. To protect themselves and to evande detection, malware need to detect whether they are in an emulated environment or in a real one. With a few modifications and tricks on Cuckoo and the virtual machine we can try to prevent malware to detect that they are under analyze, or at least make it harder. It is not necessary to apply all the modifications, because it may produce a significant overhead and if malware checks his execution time, it may detect an anomaly and consider that it is running in a virtual machine. The present paper will show how a malware can detect the Cuckoo sandbox and how we can counter that.

Differential malware forensics

In this paper we present a malware forensics framework for assessing and reporting on the modus operandi of a malware within a specific organizational context. The proposed framework addresses the limitations existing dynamic malware analysis approaches exhibit. More specifically we extended the functionality of the cuckoo sandbox malware analysis tool in order to automate the process of correlating and investigating the analysis results that multiple executions of a suspect binary on distinct and specific system configurations can produce. In contrast to standard malware analysis methods that assess the potential damage a malware may cause in general, this approach enables the analyst to identify contingent behavioral changes when the malware is executed and answer questions relating to the malware's activities within a specific environment. By doing this, the analyst is in the position to report on the actual rather theoretical actions a malware has performed, allowing the stakeholders to make informed recovery decisions. In this context, we identify the necessary forensic readiness prerequisites which are critical for the successful application and adoption of the proposed framework.