zer0m0n & ReactOS Build Environment

Posted on Wed 14 September 2016 in zer0m0n by Jurriaan Bremer

Many of you will know zer0m0n, a kernel driver developed for Cuckoo Sandbox by Nicolas Correia, Adrien Chevalier, and Cyril Moreau. In particular, zer0m0n has been developed to improve the analysis capabilities of Cuckoo as well as to further hide its presence.

After almost three years of part-time development by the French guys, the time has come for the Cuckoo team to mainstream its integration and usage. However, as most if not all Cuckoo developers (and users) run Linux-based operating systems, it is preferable that we find a way to develop 32-bit and 64-bit Windows kernel drivers on Linux-based systems.

After reaching out to Alex Ionescu, the Windows kernel guru himself, I was informed that ReactOS has an entire ReactOS Build Environment (aka RosBE from now on). This was all pretty easy to get started with and I had built my own ReactOS kernel within the hour, or so. Unfortunately though, based on the limited resources available on this topic, currently it’s not possible to build a 64-bit ReactOS kernel on non-Windows based systems. Naturally this needs to be investigated, as ReactOS provides everything else that you will be needing for building Windows kernel drivers (API definitions, header files ...

Continue reading

Analysis of nested archives with Cuckoo Sandbox: SFlock 0.1 release

Posted on Sat 10 September 2016 in sflock by Jurriaan Bremer and Sander Ferdinand

It has been almost six years since Cuckoo Sandbox started out. Ever since then, it’s had the same, basic file submission capabilities. With the release of the first version of the SFlock library and Cuckoo’s new and upcoming Web Interface (still to be announced) this is about to change.

Those analyzing malicious documents attached to incoming emails with Cuckoo may have noticed the lack of proper .zip support, let alone other popular archive formats such as .rar, .7z, and .ace (an ancient archive format that’s been getting a lot of attention in spamruns in recent months).

Although we are still actively working on the new Web Interface, which has not yet been finished off, we can already show some screenshots regarding the new submission page that represent the functionality the sflock library exposes to Cuckoo Sandbox.

Following we have submitted a couple of files. Namely the following three:

  • eml_nested_eml.eml, an email with another email as attachment containing a Microsoft Office Word document as well as a cuckoo.png image, based on a sample by @edwincheese.
  • msg_invoice.msg, an email with an embedded Microsoft Outlook Macro object containing a Firefox 43.0.1 installer executable, based on ...

Continue reading

VMCloak 0.4.1 release

Posted on Sat 27 August 2016 in vmcloak by Jurriaan Bremer and Rasmus Männa

Recently we, Rasmus Männa and myself, released the latest version for VMCloak, an Automated Virtual Machine Generation and Cloaking utility tailored to be used with Cuckoo Sandbox. This release brings a couple of really neat features and enhancements:

  • 32-bit and 64-bit Windows 8.1 and Windows 10 support.
  • Improved command-line interface.
  • Start on basic unittesting.
  • ISO mode installation (for non-VirtualBox targets).
  • VirtualBox 5.0 and 5.1 support.
  • Many more dependencies and versions.
  • Securely download dependencies over https.

Other recent changes (from version 0.3.13 and earlier) include the following changes:

  • 32-bit and 64-bit IE9, IE10, and IE11.
  • Windows 7 upgrade to Windows 7 SP1.
  • Changing the desktop wallpaper (which defaults to doge).
  • Office 2010 support alongside the Office 2007 support.

A partial list of supported dependencies (packages that may be installed in the VM) goes as follows:

  • Adobe PDF Reader 9.0.0 (default), 9.1.0, 9.2.0, 9.3.0, 9.3.3, 9.3.4, 9.4.0, 9.5.0, 10.1.4, 11.0.2, 11.0.3, 11.0.4, 11.0.6, 11.0.7, 11.0.8, 11.0.9, and 11.0.10.
  • Chrome
  • CuteFTP 9.0.5 ...

Continue reading