Cuckoo clock? no, Cuckoo box!
[ 2022, Jan 14th ] - Easily Analyze Viruses, spam, and more!
0x00: Intro
Any old antivirus will tell you IF a file is suspicious, but they usually stop there. No report on what the suspicious program in question was doing, what actually triggered the alert, or a rundown on why the file was ever suspicious in the first place.
For the most part, that's for the best: users want their computers to be secure, and don't really care about the nitty-gritty details of how it gets there. Plus, spending time generating reports that most of those users cannot easily read or interpret is time that could be spent ensuring that the file did not cause further damage, or, at the very least, disk space that could be saved.
As for those of us who want to know what exactly was so dubious about that "free-game-crack-100%-works" download, there's Cuckoo.
As their site states, you effectively give Cuckoo malware, it analyzes it, and it hands you a rather detailed report, all completely free of charge.
In other words, it's the easiest way to see all the juicy details of what a malicious file is up to, without putting your own hardware at risk.
0x01: How do I get Started?
The first step is to install Cuckoo on a virtual machine, where we'll scan all the viruses. I mean, we ARE going to be running (albeit sandboxed) viruses on this thing, so there's no such thing as being "too careful."
Personally, I'll be setting up Cuckoo inside a fresh "Ubuntu" virtual machine. Although setting up Cuckoo can be quite a bear, we do have a few options.
Option 1: Find a VM for download with Cuckoo already set up in it. This is the easiest route, but not the most secure. It also means downloading a ~30GB file, which could take days depending on where you live. Since I don't exactly have a way to host a 30GB file for you all, we're going with...
Option 2: we set up our own!
Worry not, I've found an excellent guide from James G., aka "Utopian Cyber Knight", here. Yes, there are a LOT of steps, but 90% of this *should* be as easy as copy-paste.
Some of my personal notes for the guide:
- When working with iptables, make sure to use the adapter name from YOUR "ifconfig -a". It might not be the same as the author's!
- Step 16: you will likely need to run curl against a newer version of get-pip, as the URL has changed.
- You'll probably want to increase the max size of the report file (in cuckoo.conf) to around a gigabyte. The default is 128 MB, which is not a lot. Keep in mind that the conf file takes file sizes in bytes.
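Two small helpers for the notes above, as an added example (not from the guide or from Cuckoo itself). It assumes Cuckoo 2.x's cuckoo.conf, where the result-size cap is the `analysis_size_limit` key in the `[cuckoo]` section; confirm the key name against your own file before relying on it.

```shell
#!/bin/sh
# Added example: avoid the two easy mistakes from the notes (wrong adapter
# name in iptables rules, and a size typed in MB where bytes are expected).
# Assumes Cuckoo 2.x's cuckoo.conf, with analysis_size_limit under [cuckoo].

# Convert megabytes to the byte count cuckoo.conf expects.
mb_to_bytes() {
    case "$1" in
        ''|*[!0-9]*) echo "mb_to_bytes: '$1' is not a whole number of MB" >&2; return 1 ;;
    esac
    echo $(( $1 * 1024 * 1024 ))
}

# Rewrite the limit in place and verify it; refuse rather than append a second key.
set_analysis_size_limit() {
    conf=$1
    bytes=$(mb_to_bytes "$2") || return 1
    grep -q '^analysis_size_limit[[:space:]]*=' "$conf" || {
        echo "analysis_size_limit not found in $conf" >&2; return 1; }
    sed -i "s/^analysis_size_limit[[:space:]]*=.*/analysis_size_limit = $bytes/" "$conf"
    grep -q "^analysis_size_limit = $bytes\$" "$conf"
}

# The adapter name you put into the iptables rules must exist on this box.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Usage, e.g.: set_analysis_size_limit ~/.cuckoo/conf/cuckoo.conf 1024
#              iface_exists eth0 || echo "use the name from 'ifconfig -a' instead"
```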
Now that we're all set up, it's time to analyze some viruses! ...
But wait, where do we actually get malware?! What madman would actually host such things?!
Enter "Das Malwerk", a website created by malware analyst Robert Svensson specifically for hosting up-to-date, password-zipped malware files for other curious researchers to take apart!
Warning: these are REAL trojans that can and WILL do damage to your PC if improperly handled. Do NOT unzip them on your main PC. Only download these in your VM!
0x02: Scanning The Malware
Now that we've chosen and unzipped a malware file in the VM, it's time to start up Cuckoo and have it take a look!
I've submitted a file for analysis, which CAN be expected to take a while, often more than 10 minutes.
At the bottom, in blue, you can see how much space is free in several categories, which is quite useful.
Once the report is actually done, you can view the results in the "Recent" tab, or at the bottom of the dashboard page.
This will bring you to the Summary page, where you get a nice overview of everything about the scanned file.
Note that malware is auto-magically given a score from 1-10! (Somehow this one was so evil it got a 25.)
The Summary is also nice because it lists all the sneaky stuff the virus got up to. Some of the malicious activity in my file was hair-raising indeed: trying to wait around to avoid scans? Checking for a debugger?? Starting a listening server 11 times? Checking for human activity?! No wonder this thing got a 25/10!
However, to get to the super juicy information in this report, we'll take a look at the sidebar, which you can see on the left of the previous picture.
As you can see, there are quite a few fields to dig through to find useful information.
The "Network" tab tells us about any connections, incoming or outgoing, that were involved with the file; super useful for identifying Command-and-Control (C2) servers that could be used to control the virus, update it, or perform other malicious remote activities.
"Extracted artifacts" lets you see any files that could be pulled out of the program itself.
"Dropped files" cleanly shows all of the files the program created on the emulated PC. This section has some serious potential to get large, as viruses try to hide their intentions in a crowd of information. It can definitely be one of the most interesting fields, though.
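The same score, signature, Network and Dropped files information also lives in the report.json Cuckoo writes for each task, which is handy when you have more reports than you want to click through. The script below is an added example, not code from this post or from Cuckoo; the field names it reads (info.score, signatures[].severity and markcount, network.hosts/dns/tcp, dropped[].sha256 and type) follow the Cuckoo 2.x report layout as I know it, and the sample report is constructed, so check both against a real report from your own install.

```python
import json
from collections import Counter

# Constructed sample report.json, trimmed to the fields the triage pass reads.
SAMPLE_REPORT = json.dumps({
    "info": {"id": 7, "score": 25.0},
    "signatures": [
        {"name": "antisandbox_sleep", "severity": 2, "markcount": 3},
        {"name": "checks_debugger", "severity": 3, "markcount": 1},
        {"name": "network_bind", "severity": 2, "markcount": 11},
    ],
    "network": {
        "hosts": [{"ip": "203.0.113.5", "hostname": "c2.example.invalid"}, "198.51.100.9"],
        "dns": [{"request": "c2.example.invalid", "answers": [{"data": "203.0.113.5"}]}],
        "tcp": [{"dst": "203.0.113.5", "dport": 443}, {"dst": "203.0.113.5", "dport": 443},
                {"dst": "198.51.100.9", "dport": 8080}],
    },
    "dropped": [
        {"name": "upd.exe", "size": 204800, "sha256": "0" * 64, "type": "PE32 executable"},
        {"name": "noise.tmp", "size": 12, "sha256": "1" * 64, "type": "data"},
    ],
})


def summarize(report_json):
    """Pull out what the Summary, Network and Dropped files tabs show, as a plain dict."""
    r = json.loads(report_json)
    net = r.get("network", {})
    # Cuckoo 2.x lists hosts as dicts; older reports used bare IP strings, so accept both.
    hosts = [h["ip"] if isinstance(h, dict) else h for h in net.get("hosts", [])]
    # Most severe signatures first, so the hair-raising behaviour is read before the noise.
    sigs = sorted(r.get("signatures", []), key=lambda s: -s.get("severity", 0))
    return {
        "score": r["info"]["score"],
        "signatures": [(s["name"], s.get("severity", 0), s.get("markcount", 0)) for s in sigs],
        "hosts": hosts,
        "dns": {d["request"]: [a["data"] for a in d.get("answers", [])] for d in net.get("dns", [])},
        # Repeated connections to one destination:port are the usual shape of a C2 beacon.
        "tcp_targets": dict(Counter(f"{c['dst']}:{c['dport']}" for c in net.get("tcp", []))),
        # Executables among dropped files deserve the first look; the rest is often filler.
        "dropped_executables": [d["sha256"] for d in r.get("dropped", [])
                                if "executable" in d.get("type", "").lower()],
        "dropped_count": len(r.get("dropped", [])),
    }


def flag_for_review(summary, min_score=5.0):
    """Triage rule: high score, any severity-3 signature, or any outbound TCP at all."""
    high_sev = any(sev >= 3 for _, sev, _ in summary["signatures"])
    return summary["score"] >= min_score or high_sev or bool(summary["tcp_targets"])
```

Point `summarize` at the contents of `storage/analyses/<task id>/reports/report.json` under your Cuckoo working directory and it gives you the same first-glance picture as the dashboard, only greppable.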
0x03: Conclusions
Cuckoo is a wonderful tool that can save us a lot of time compared to going through a virus manually. It gives a wonderfully detailed report, does hash generation and VirusTotal checks for us, and even takes care of a lot of the tedium of memory dumps and network capturing automatically.
While nothing beats taking a look yourself, I think Cuckoo and tools of its kind are likely to stick around, as the sheer amount of malware on the 'net increases exponentially. And seeing that Cuckoo is in the process of an entire rework at the time of this writing, I can't wait to see what comes next!