CuckooAutoInstall - Auto Installer Script for Cuckoo Sandbox

What is Cuckoo Sandbox?
In three words, Cuckoo Sandbox is a malware analysis system.

What does that mean?
It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

CuckooAutoInstall was created to avoid wasting time installing Cuckoo Sandbox in Debian Stable.

Usage

• Execute the script: sh cuckooautoinstall.sh
• Add a password for the user 'cuckoo' created by the script. Use: passwd cuckoo command.
• Create the virtual machines http://docs.cuckoosandbox.org/en/latest/installation/guest/ or import virtual machines using VBoxManage import virtual_machine.ova
• Add to the virtual machines with HostOnly option using vboxnet0: vboxmanage modifyvm “virtual_machine" --hostonlyadapter1 vboxnet0 (use this command to list the VMs: VBoxManage list vms)
• Configure cuckoo: cuckoo/conf/cuckoo.conf, cuckoo/conf/auxiliary.conf & cuckoo/conf/virtualbox.conf
• Execute cuckoo (check the image output): cd cuckoo && python cuckoo.py
• Execute also webpy (default port 8080): cd cuckoo/utils && python web.py
• Execute also django using port 6969: cd cuckoo/web && python manage.py runserver 0.0.0.0:6969

Script features 
It installs by default Cuckoo sandbox with the ALL optional stuff: yara, ssdeep, django ...
It installs the last versions of: ssdeep, yara, pydeep-master & jansson.
It tries to solve common problems during the installation: ldconfigs, autoreconfs...
It installs by default virtualbox and creates the hostonlyif.
It creates the iptables rules and the ip forward to enable internet in the cuckoo virtual machines:

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1

It enables run tcpdump from nonroot user:

sudo apt-get -y install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

It creates the 'cuckoo' user in the system and it is also added this user to vboxusers group.
It enables mongodb in conf/reporting.conf
It fix the "TEMPLATE_DIRS setting must be a tuple" error when running python manage.py from the DJANGO version >= 1.6. Replacing in web/web/settings.py:

    TEMPLATE_DIRS = (
    "templates"
    )
For:
    TEMPLATE_DIRS = (
    ("templates"),
    )

Download CuckooAutoInstall

Read More

Viper - A binary management and analysis framework dedicated to malware and exploit researchers

Viper is a binary analysis and management framework. Its fundamental objective is to provide a solution to easily organize your collection of malware and exploit samples as well as your collection of scripts you created or found over the time to facilitate your daily research. Think of it as a Metasploit for malware researchers: it provides a terminal interface that you can use to store, search and analyze arbitraty files with and a framework to easily create plugins of any sort.

Download Viper

Read More

CrowdInspect - Scan of your running processes on Windows with Virus Total, WOT & MHR

CrowdInspect is a free professional grade tool for Microsoft Windows systems from CrowdStrike aimed to help alert you to the presence of malware that communicates over the network that may exist on your computer. It is a host-based real-time monitoring and recording tool utilizing multiple sources of information to detect untrusted or malicious network-active processes.

The tool runs on both 32 bit and 64 bit versions of Windows from XP and above.

Beyond simple network connections, CrowdInspect associates the connection entry with the process that is responsible for that activity. It can display the process name as a simple file name or as as an optional full file path.

In addition to the process name, the entry's process ID number, local port, local IP address, remote port, remote IP address and reverse resolved DNS name of the remote IP address is shown. The tool accommodates both IPv4 and IPv6 addresses.

CrowdInspect records details of any entry that is associated with a remote IP address and maintains a chronological list of these accessed by clicking the "Live/History" toolbar button to switch between the regular live netstat window and the history list window.

Perhaps the most useful aspect of CrowdInspect though is its ability to utilize several sources of information that can be used to determine the reputation of the process using the network connection and the reputation of the domain it is connecting to. This is achieved through the use of the following technologies and services:

Thread Injection Detection

Detection of code injection using custom proprietary code

Many pieces of malware achieve part of their goal by manipulating already running applications and injecting themselves into those processes. Regular antivirus products that only act upon the actual physical file contents would not identify this behavior. CrowdInspect features experimental detection of such behavior and the results of this test on each process can be seen in the “Inject” column.

● --  (o Gray icon)

○ Not applicable/not available. No process is not able to be tested.

● ??  (o Gray icon)

○ The process did not allow us to test for code injection.

● OK  (o Green)

○ The process did not appear to have any evidence of thread injection.

● !!  (o Red icon)

○ The entry appeared to have had a thread injected into its process. This is generally not a good thing or something usually encountered. Note though that there may be some classes of specialized software that does exhibit this behavior. The process/application should be investigated further.

VirusTotal

Multiple antivirus engine analysis results queried by SHA256 file hash

<http://www.virustotal.com>

Shown in the "VT" column of the tool are the basic summary results of querying the VirusTotal service against the file in question (actually the SHA256 hash of the file contents). VirusTotal utilizes multiple antivirus engines to analyze submitted files and we query its database to see if the file hash is in the database and if so, how the antivirus engines rated it. The value here can be one of the following:

● --  (o Gray icon)

○ Not applicable/not available. No connection to the VirusTotal database was made or the process is not associated with a file.

● ??  (o Gray icon)

○ The entry does not exist in the VirusTotal database. This is probably good!

● 0% ... 100%  (o Green ... o Red icons)

○ The file is known to the VirusTotal database. This is the virus score. 0% means no antivirus vendor reported an issue with the process (very good). 100% means every antivirus vendor reported the process as problematic (very bad!)

More extensive details for the particular selected entry in the list can be seen by either clicking the "AV Results" toolbar button or selecting "View AV Test Results" from the right-click context menu for the selected item.

Note that it may take a short while before the results appear for each entry in the list due to rate throttling of connections to the service.

Team Cymru - Malware Hash Repository

Repository of known malware queried by MD5 file hash

<http://www.teamcymru.com>

Shown in the "MHR" column, Team Cymru maintains a repository of known malware that can be queried given an MD5 hash of the file contents. In this case we are simply querying for a yes/no answer so the results can be one of the following:

● --  (o Gray icon)

○ Not applicable/not available. No response was received from the Team Cymru service or the process is not associated with a file.

● ??  (o Gray icon)

○ The entry does not exist in the MHR database. This is probably good, although the absence of a positive response doesn't necessarily mean the process is not malware.

● !!  (o Red icon)

○ The entry DOES exist in the MHR database. The process is known to be malware. This is bad!

Web of Trust

Crowd-sourced domain name reputation system

<http://www.mywot.com>

Shown in the "WOT" column column of the tool are the basic summary results of querying the Web of Trust service against the reverse resolved domain name associated with the remote IP address of the connection's entry. The value here can be one of the following:

● --  (o Gray icon)

○ Not applicable/not available. No connection to the WoT database was made or the entry's remote IP address does not have a usable valid domain name associated with it.

● ??  (o Gray icon)

○ The entry does not exist in the WoT database.

● 0% ... 100%  (o Red ... o Green icons)

○ The WoT reputation score. 0% means that everybody who has rated this domain thinks it is untrustworthy. 100% means that everybody who has rated this domain thinks it is reputable and can be trusted.

To avoid unnecessary querying of the above services all results are cached such that no unique process or domain is ever queried more than once for the duration the tool is running.

Download CrowdInspect

Read More

[Malheur v0.5.4] Malware Analyzer

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Analysis of malware behavior?

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.

Malheur can be applied to recorded behavior of various format, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox

.

Download Malheur

Read More