Cuckoo and analyzer comm

1. Dr. Muhammad Abid,
DCIS, PIEAS

2. Cuckoo Sandbox Architecture
Agent

3. Inside the Virtual Machine - Agent
Listening Agent
Accepts a connection
Cuckoo host connects
Cuckoo host sends zip file
Agent unpacks zip file
Analyzer Python code
Configuration files
The sample to analyze
Agent runs the Analyzer

4. Inside the Virtual Machine - Analyzer
Using configuration file “analysis.conf” setup
different parameters, e.g. pipe names, result
server ip and port, analysis package name,
etc.
Create command pipe “self.command_pipe”
and log pipe “self.log_pipe_server”
Command pipe: enables communication b/w
cuckoo monitor & analyzer
Log pipe: enables communication b/w
cuckoo monitor & cuckoo host (real-time)

5. Inside the Virtual Machine - Analyzer
Analysis package: determines the analysis
package for a file sample or URL
For ULR analysis package is “ie”
For PE files analysis package is “exe”
Analysis package runs the ULR or sample
Start Auxiliary modules one by one:

6. Inside the Virtual Machine - Analyzer
Hide the Cuckoo Analyzer & Cuckoo Agent
Initialize zer0m0n with our compiled Yara
rules
Run the analysis package
Inject monitor monitor-x86.dll using inject-x86.exe
Analyzer waits for analysis to complete
Once analysis completed it reports to agent
using POST to http://127.0.0.1:8000/status

7. Cuckoo Monitor Communication with
Analyzer/ Cuckoo Host

8. VM: File being deleted or overwritten
Use pipe("FILE_DEL:%Z", filepath); inside
hook handler
Examples of hook handlers(hooks.c):
BOOL WINAPI New_kernel32_DeleteFileW
BOOL WINAPI
New_kernel32_MoveFileWithProgressW
NTSTATUS WINAPI New_ntdll_NtDeleteFile
Analyzer uploads file to cuckoo host with
process pids who accessed this file
CommandPipeHandler: _handle_file_del

9. VM: Write to a New/Existing File
Use pipe("FILE_NEW:%Z", filepath); inside
hook handler
Examples of hook handlers(hooks.c):
NTSTATUS WINAPI New_ntdll_NtWriteFile
HRESULT WINAPI
New_urlmon_URLDownloadToFileW
Analyzer uploads file to cuckoo host with
process pids who accessed this file. This
happens after analysis completed.
CommandPipeHandler: _handle_file_new

10. VM: Cuckoo Monitor Injection
Use pipe("PROCESS:%d", pid);
Examples of hook handlers(hooks.c):
HANDLE WINAPI
New_kernel32_CreateRemoteThread
NTSTATUS WINAPI
New_ntdll_RtlCreateUserThread
NTSTATUS WINAPI
New_ntdll_NtCreateThreadEx
Analyzer injects cuckoo monitor dll.
CommandPipeHandler: _handle_process

11. VM: File Move
Use pipe("FILE_MOVE:%Z::%Z", input,
output);
Examples of hook handlers(hooks.c):
BOOL WINAPI
New_kernel32_MoveFileWithProgressW
NTSTATUS WINAPI
New_ntdll_NtSetInformationFile
Analyzer replaces old file name with new file
name. Once analysis completed analyzer
uploads file to cuckoo host with process pids
(including old file pids)
CommandPipeHandler: _handle_move_file

12. Other Commands for Command Pipe
pipe("PROCESS2:%d,%d,%d", pid, tid,
HOOK_MODE_ALL);
pipe("KILL:%d", pid);
pipe("INFO:io=NULL");
pipe("DUMPMEM:%d", pid);
pipe("CRITICAL:Handle case where the log
handle is closed "

13. Other Commands for Command Pipe
pipe("DEBUG:Following legitimate IE11
process: %Z!", cmdline);
pipe("DEBUG:Error resolving function
%z!%z.",
pipe("WARNING:StartupInfo is none, this
should never happen.");
pipe("LOADED:%d,%d",
get_current_process_id(), g_monitor_track);

14. Format Specifiers in Command Pipe
z -> (char *) -> zero-terminated ascii string
Z -> (wchar_t *) -> zero-terminated unicode
string
s -> (int, char *) -> ascii string with length
S -> (int, wchar_t *) -> unicode string with
length
o -> (UNICODE_STRING *) -> unicode
string

15. Format Specifiers in Command Pipe
O -> (OBJECT_ATTRIBUTES *) -> wrapper
around unicode string
d -> (int) -> integer
x -> (int) -> hexadecimal integer
X -> (uint64_t) -> 64-bit hexadecimal integer
p -> (void *) -> pointer as hexadecimal