[Emerging-Sigs] Useful Tool: Cuckoo CAPE Sandbox

Kevin Ross kevross33 at googlemail.com
Thu Apr 11 23:26:43 HDT 2019


Hi,

Just to make those who may not know of this, but deal with malware, aware:
there is a fork of cuckoo-modified called CAPE which is maintained at
https://github.com/ctxis/CAPE - have a read of the description for this as,
while not exhaustive, it covers some of what it can do. There is a public
version of an older version running here for online analysis:
https://cape.contextis.com/.

I have been contributing a lot of signatures to it over the last year
onwards, which is why I thought it would be interesting to put it out there,
as many of us deal with a lot of malicious code.

- Its key benefit is that it can extract and identify malware code. This
includes binaries, code injection techniques (doppelganging, thread
injection etc.), shellcode and configurations. So for instance if you run
Emotet or Trickbot you get its configuration with all the CnC servers and,
for some malware, other settings too, making it easier to extract CnCs rather
than execute and hope you get them to run, short of finding networking code
in a debugger. It covers a lot of prolific malware, RATs and some other things.

- It is fully maintained and heavily developed on from the original and
excellent cuckoo-modified branch.

- It now has a new loader for handling malware, and even a debugger has been
introduced, which you can select to use with various options.

- Like cuckoo-modified, I find it follows and executes Windows malware very
well, so I find it is more reliable at this than Cuckoo 2 currently, such as
following code injection and other actions that are otherwise not followed.

- It supports Suricata too, for running PCAPs against it during analysis
(which cuckoo-modified did and the Cuckoo 2 main branch does also).

- It supports static analysis of many file types with appropriate tools
available to it, such as JAR decompiling, some PDF stuff and Office
documents with the oletools suite.

- While not present yet, once the debugger work has been finished there is
hopeful talk of adding further exploit detection in the future. While it,
like cuckoo-modified, already had stack pivot detection and anomalies
(process martians, payloads etc.), the aim would be to add more techniques
linked to the new debugger. Examples of these techniques that could be
possible would be using research and implementations such as from Cisco's
Pyrebox (excellent if you haven't had a look, as it has a lot of malware
analysis capabilities)
https://github.com/Cisco-Talos/pyrebox/tree/master/exploit_detect and
maybe Endgame's Maxwell
https://www.endgame.com/blog/technical-blog/hunting-exploit-kits. Pyrebox
is excellent as an interactive tool if you haven't seen it, and there is
some talk of it in this article, along with some other tools, for analysing
an Equation Editor exploit here:
https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html

So for those interested, have a look. I hope you come to try it if you
haven't already, and spread the word of it as being a useful tool to have in
your arsenal.


Kind Regards.
Kevin Ross