HITB2012AMS Day 1 – One Flew Over The Cuckoos Nest

One Flew Over The Cuckoos Nest – Automated Malware Analysis

Claudio Guarnieri is a senior researcher at iSight Partner and part of the Shadowserver Foundation and the HoneyPot project. He works with malware on a daily basis and is the maintainer and main developer of the Cuckoo Sandbox, which is also the main topic of his talk.

Claudio explains that other people are involved in the Cuckoo sandbox development as well, and he wants to make sure they receive proper credit for their work, even if they are not in the room. Big thumbs up to Dario Fernandes and Alessandro Tanasi.

Manual analysis of malware takes a lot of time. You might have to deal with unpacking routines, polymorphic code, and all kinds of other time-consuming tasks. Multiply that by the number of malware samples to analyze, and it's clear that automation is needed.

Claudio explains that he wanted to write his own tools because the available commercial tools were expensive and don't necessarily do what he wants them to do. Automation has some cons too: some parts of the malware code might not get reached, it might be hard to detect the environment, and so on.

To prepare for an automated malware analysis, you'll need to set your expectations right. The analysis environment needs to be designed properly and you need a good way to gather data, Claudio explains. You need to ask yourself if you need a sandbox in the first place. What do you expect to achieve? What info is going to be most relevant, and who is going to use the results? What do you want to analyze? File formats? What version? What app? Browsers? Do you want it to communicate with the outside or not? There are plenty of questions you should ask yourself in order to perform a good analysis.

Based on those questions and requirements, Claudio decided to write the Cuckoo sandbox. It uses virtualization, is open source, started as a Google Summer of Code project (in 2010) and is heavily based on Python code. Recently, it won the first round of the Rapid7 Magnificent7 contest.

It generates Win32 function call traces, dropped files, screenshots, network traffic dumps and comprehensive reports. Claudio continues by explaining some of the major components of the Cuckoo sandbox: the scheduler, the analyzer and how APIs get hooked.


The scheduler:

  • Main component
  • Dispatches pending tasks
  • 100% Python

The analyzer:

  • Instruments the guest
  • Runs the malware
  • 100% Python

API hooking:

  • DLL using chook to install hooks in APIs (used to replace Windows Detours, because that was easily detected by malware).

Images say more than words, so Claudio decides to use a series of demos to showcase how Cuckoo works, what type of analysis you can perform and what the analysis output contains (network dumps, dropped files, reports, etc).

Because Cuckoo is really based on Python code, you can write your own specific scripts … the sky is the limit. By default, Cuckoo uses VirtualBox, but you can easily change it to use VMware or other tools. All of the VM management is implemented in Python classes, so you can simply write your own.

Cuckoo also includes "signatures", implemented as Python classes. You can use them to look for patterns or specific events and to assign a description and severity level; they give context to the reports (to make them readable by non-malware experts). They can also be used to receive alerts. He showed 2 examples: one that monitors the execution of an exe file, and a second one that tries to detect if a PDF file is trying to load embedded Flash content.
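To make the signature idea concrete, here is a small self-contained sketch, added for this write-up and not taken from the talk or from Cuckoo's code base. The report layout, the class and function names, the 1-3 severity scale and the Flash module list are all assumptions chosen for illustration.

```python
# Added illustration: report layout and names are assumed, not Cuckoo's API.
class Signature:
    name, description, severity = "", "", 1  # severity scale 1-3 is assumed

    def run(self, report):
        """Return evidence strings; an empty list means no match."""
        raise NotImplementedError

def call_paths(report, api_prefix):
    """Yield lower-cased 'path' arguments of calls whose API name matches."""
    for call in report["calls"]:
        if call["api"].startswith(api_prefix):
            yield call["args"].get("path", "").lower()

class ExecutesDroppedExe(Signature):
    name = "executes_dropped_exe"
    description = "Sample started an executable that it wrote to disk"
    severity = 3

    def run(self, report):
        dropped = {p.lower() for p in report["dropped"] if p.lower().endswith(".exe")}
        return [p for p in call_paths(report, "CreateProcess") if p in dropped]

class PdfLoadsFlash(Signature):
    name = "pdf_loads_flash"
    description = "Reader loaded a Flash module while opening a PDF"
    severity = 2
    flash_modules = {"authplay.dll"}  # assumed module list

    def run(self, report):
        if not report["target"].lower().endswith(".pdf"):
            return []
        return [p for p in call_paths(report, "LoadLibrary")
                if p.rsplit("\\", 1)[-1] in self.flash_modules]

def evaluate(report, signatures):
    """Run each signature and return its hits, highest severity first."""
    hits = [(s, s.run(report)) for s in signatures]
    return sorted(({"name": s.name, "severity": s.severity,
                    "description": s.description, "evidence": ev}
                   for s, ev in hits if ev), key=lambda h: -h["severity"])

# Constructed sample report (not output of a real analysis run).
SAMPLE = {
    "target": "invoice.pdf",
    "dropped": ["C:\\Temp\\a.exe", "C:\\Temp\\log.txt"],
    "calls": [
        {"api": "LoadLibraryA", "args": {"path": "C:\\Reader\\authplay.dll"}},
        {"api": "CreateProcessInternalW", "args": {"path": "c:\\temp\\a.exe"}},
        {"api": "CreateProcessInternalW", "args": {"path": "C:\\Windows\\notepad.exe"}},
    ],
}
```

Calling `evaluate(SAMPLE, [PdfLoadsFlash(), ExecutesDroppedExe()])` returns both hits with the dropped-executable match first, which is the kind of ordered, described output that makes a report readable to a non-specialist.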

The possibilities are massive and I bet he can go on for hours showing what you can do with the framework. So, if you haven't played with it, grab a copy and try it out. All you need is a box running VirtualBox and a Windows guest machine, and you can start analyzing malware with ease.

Finally, Claudio explains that they plan on making it easier for people to contribute, and reaches out to the community to help out. Future plans for the Cuckoo Sandbox include a web-based interface, improved Windows analysis, support for other OSes (Mac OS X?), and support for native machines. He also mentioned they have plans to allow people to submit malware analysis results to and use it as a community resource.

Impressive stuff.



© 2012 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
