How to Analyze Malware Dynamically Using Cuckoo

Sonu Mandal
Apr 8, 2020

Nowadays it is tough to detect malware, whether we do it manually or automatically. Today we will see how to analyze malware dynamically using Cuckoo, a free and open-source tool.

Disclaimer: “For the most part I will try to explain how to automate malware analysis with open-source tools, so that beginners can understand how a piece of malware (a virus) gets executed and damages a computer. I will try not to use too much technical jargon, so that a layman can follow.”

What is Cuckoo Sandbox

Before we get into Cuckoo, we have to understand what malware (a virus) is. I know that when the so-called virus term is used we get scared, but it is just a piece of code that gets executed accidentally or by various methods. This malware can have various purposes, but the basic and initial purpose of this piece of code is to damage your computer.

For the purpose of this demonstration I will download a piece of malware and we will try to understand the malware’s behavior using this awesome software, Cuckoo.

Now, let’s try to understand what Cuckoo Sandbox is.

It is fascinating to think: what if we could run a piece of malware (a virus) in a completely controlled and isolated environment before it ever reaches the host machine? Nowadays most endpoint security products use this kind of technology to decide whether a piece of code is malware or not. They create mini virtual machines, run the piece of code inside them, and with the help of system logs and other software they generate a dynamic report. This is something the FireEye MVX engine also does; learn more about it here.

Cuckoo Sandbox Architecture

Cuckoo uses many open-source tools for its dynamic analysis.

Technology used by Cuckoo Sandbox (you can Google the keywords for detailed information)

Now the fun part begins. I will run a dangerous piece of malware in my sandboxed environment and we will try to analyze its dynamic behavior. The malware we will analyze is WannaCry 2.0, which I downloaded from here. I want you to have fun with live malware, but detonate it only in a safe environment. If you don’t know what you are doing, please remember that these are live and dangerous malware samples and can cause harm to your data and even to people.

Now to the analysis part

You might be wondering why I chose the WannaCry ransomware. Well, it caused over 100 million worth of damage, and it will be interesting to learn how these malware authors were thinking. But before we jump into it, let’s try to understand what kinds of analysis are usually performed to determine whether something is malware or not. Basically the first is static analysis and the second is dynamic analysis. You might ask which one is better; both take different approaches in different situations. If you are in a fast production environment where time is money you might go for static, as dynamic analysis can take quite some time. We are going to take a look at both.

Understanding Basic Malware Behavior

This is how a typical malware author designs his malware.

When we were kids we always felt terrified of viruses and malware. Malware analysis is a highly technical job, but I want you to understand that malware is just computer instructions written in the form of a program. By the end of this you should not feel phobic about computer viruses.

Now, what I have done here is the very base level of the whole malware analysis game. Feel free to dig deeper by checking out the malware’s assembly code, opening it in a debugger, extracting strings, checking out the libraries it uses with PEStudio, and much more.

My purpose today is to see what results we can get by fully automating the process.

This is Cuckoo’s dashboard

Once I submitted the malware, Cuckoo immediately used all its dependencies to start the analysis and showed us the result.

It shows us a summary: what type of file it is (we can see it is an executable file; in Windows you might be familiar with the .exe extension, and yes, that’s what it is here). Besides that we can see some sections named MD5, SHA1, etc. with a random-looking string attached to each. That is a hash. A hash is the output of a one-way function and can be generated by any program: it is effectively unique to its input, easy to compute, but extremely difficult to reverse. This is how your Facebook password is stored securely on the internet. So what can we do with it? We will see that as well.

Cuckoo’s results are divided into 3 basic parts, color coded blue, yellow and red, where blue is the least malicious event and red the most.

First, as we can see, Cuckoo generated this blue section. In the first event the ransomware wants to know your computer name (maybe the author is single and heartbroken). It also checks whether any process is being debugged by a debugger, and it checks how much RAM you have in your system. Why, you ask? WOW! This malware author is really smart: he doesn’t want to execute the malware if it is in a virtualized environment, as a mini virtual environment can run with a small amount of RAM, which ours does. But I tricked the malware into thinking it is on a host machine simply by increasing the amount of RAM and generating multiple DNS queries with some tools. This malware also crashes some of the Windows processes, which is interesting.

Earlier we studied basic malware behavior and learned that malware always wants to connect to its command and control server. WannaCry does that too: in the first event we can see it wants to listen to 12 servers. I wanted to find out where these command and control destination IPs are with the help of tcpdump (a tool for network analysis) and a proxy tool, but this malware spreads through the network by using the EternalBlue exploit and I didn’t want to create another virtual machine; I get it, I didn’t want to create a snapshot either, I am lazy. Back to the topic. Look at the 12th and 13th events: this malware author desperately wants to know whether his code is being analyzed and tries to identify the sandbox so it can evade it. How did I bypass those, you may ask? That’s another topic for another day.

Now these are fun. At first WannaCry wants to auto-run itself at Windows startup; Cuckoo identifies this event as far too malicious for a normal computer. It also wants to configure your boot files, which is bad stuff. If you take a look at the 5th event from the top, it started encrypting your files one by one, and in the 6th event it even starts deleting files (which files, you might wonder: maybe your antivirus program or something else). If you see the 8th event, it also removes any backup that was present in your system; this malware is way too brutal. The 12th event is also interesting, as it installs Tor (learn more about Tor here) on the machine, which further encrypts the hacker’s command and control network traffic so that people won’t be able to find out where the hacker is located. OK, so this is how most hackers maintain their anonymity nowadays. At last we can see it encrypts your data and replaces the files with a new file extension.

At last I copied that hash and pasted it into www.virustotal.com, and here are the results: 67/71 antivirus engines said it is malicious.

67 antivirus companies found this malicious
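As an added illustration (not the post’s own code), the Python below does the two things the report walkthrough above describes: it computes the MD5/SHA1/SHA256 values a sandbox lists for a submitted file (the hash you then look up on VirusTotal), and it triages a report in the shape of Cuckoo’s report.json by mapping signature severity 1 to 3 onto the blue/yellow/red sections. The sample bytes and the report excerpt are constructed, and the signature names are assumed for illustration rather than taken from Cuckoo’s signature set.

```python
import hashlib
import json

# Constructed stand-in for a submitted file; not a real binary or malware.
SAMPLE_BYTES = b"MZ\x90\x00 constructed sample bytes, not a real executable"

# Constructed excerpt in the shape of a Cuckoo report.json: each matched
# signature carries a severity 1-3, shown in the web UI as blue/yellow/red.
SAMPLE_REPORT = json.dumps({
    "target": {"file": {"name": "sample.exe", "type": "PE32 executable"}},
    "signatures": [
        {"name": "antidebug_debugger_check", "severity": 1,
         "description": "Checks whether the process is being debugged"},
        {"name": "antivm_memory_available", "severity": 1,
         "description": "Checks the amount of RAM (possible sandbox check)"},
        {"name": "network_dns_many", "severity": 2,
         "description": "Generates a large number of DNS queries"},
        {"name": "persistence_autorun", "severity": 3,
         "description": "Installs itself for autorun at Windows startup"},
        {"name": "ransomware_file_encrypt", "severity": 3,
         "description": "Encrypts files and renames them with a new extension"},
        {"name": "deletes_backups", "severity": 3,
         "description": "Removes backups present on the system"},
    ],
})

COLOR = {1: "blue", 2: "yellow", 3: "red"}
# Assumed signature-name prefixes mapped to the behaviour classes the post walks through.
BEHAVIOUR = {"antidebug": "evasion", "antivm": "evasion", "persistence": "persistence",
             "ransomware": "destructive", "deletes": "destructive"}


def file_hashes(data: bytes) -> dict:
    """Digests a sandbox lists for a submission; any of them can be looked up on VirusTotal."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage(report_json: str) -> dict:
    """Bucket signatures by colour, tag behaviour classes and derive a verdict."""
    report = json.loads(report_json)
    groups = {"blue": [], "yellow": [], "red": []}
    behaviours = set()
    for sig in report.get("signatures", []):
        groups[COLOR.get(sig.get("severity", 1), "blue")].append(sig["name"])
        prefix = sig["name"].split("_", 1)[0]
        if prefix in BEHAVIOUR:
            behaviours.add(BEHAVIOUR[prefix])
    # A single red (severity 3) hit is enough to call the sample malicious.
    verdict = "malicious" if groups["red"] else ("suspicious" if groups["yellow"] else "low")
    return {"file": report["target"]["file"]["name"], "groups": groups,
            "behaviours": sorted(behaviours), "verdict": verdict}
```

Running `triage(SAMPLE_REPORT)` puts the two anti-analysis checks in the blue bucket, the DNS burst in yellow, and the autorun, encryption and backup-deletion signatures in red, which is what drives the malicious verdict.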

Phew! Today we learned a lot about malware, and now we can consider ourselves free from virus phobia, haha. Thank you if you came this far. I am including the full zip file to look at if you are interested in further investigation; download it from here. Make sure to open this zip file in a virtual machine.

By the way, if you learned something new today, consider sharing it. As Rumi said, “A candle loses none of its light by lighting another.”

Sonu Mandal

Hi 🙂 I write articles about information security, where I want you to believe that security is Easy AF.