Proceedings of the 2nd International Conference on Inventive Communication and Computational Technologies (ICICCT 2018)

IEEE Xplore Compliant - Part Number: CFP18BAC-ART; ISBN:978-1-5386-1974-2

Dynamic Malware analysis Using Cuckoo Sandbox

Sainadh Jamalpur, Yamini Sai Navya, Perla Raja, Gampala Tagore, G.Rama Koteswara Rao
Department of Information Technology
V.R. Siddhartha Engineering College, kanuru, Vijayawada

Abstract—In the rapid use of the Internet the malware authors physical harm to the resources. While running these files in
take the advantage by creating a new type of malwares and sandbox, the sandboxing system can highlight malicious
spreading it through the different ways to affect the millions of activities, such as modification entry in registry, deleting,
users. Malwares are difficult to detect and defensive mechanisms uploading files in a system. Sandbox separate actual machine
are often failed because of the signature based security solutions from virtualized machine and create a separate network with
software’s. In this paper we have shown how to use sandboxing
apart from original network for doing a malware analysis
technology to detect the untrusted code samples of the malware
by performing the two approaches and determine their behavior easier. It is like interrogation happens in a protected manner.
by examiniging the behavior investigation of the malware by Where we can observe the malicious activity of the malware
using the cuckoo sandbox. Cuckoo is a malicious code so that we can understand the behavior of the malware more
investigation tool which examines the malware more detail and practically without damage our existing system.
provides the comprehensive results based on the series of tests The rest of the paper is organized as follows: in Section II we
made by it. study different types of sandbox software tools used for the
malware investigation. In Section III we discuss about the
configurations of a malware executable. In Section IV
Keywords—Attacks, Malware investigation, and Detection,
Security, Cuckoo Sandbox;
conceptualizes the code investigation of malicious code. In
Section V we discuss the experimental results of the behavior
I. INTRODUCTION analysis in cuckoo sandbox. Finally, Section VI conclusions
and future work.
Malware is also known as malicious software. It is a malicious
code developed with the intention of damaging the function of II. DIFFERENT TYPES OF SANDBOXES
a system. Malware has the capacity to disorder the normal
Sandboxes offer a restricted system space to run the untrusted
operation by infecting the system or network. It enters a
suspicious executable files and provide a protected
system either through multiple media or gets Downloaded into
environment to the host system. The malicious files are
the system as a genuine application. Once it gets into the
executed in a jail like environment which doesn’t have a
system, it checks for vulnerabilities and infects the system, if
access to the host machine network resources, file system and
the system is highly vulnerable. Generally, antimalware
cannot damage the host device. It is a good idea to provide a
defensive solutions are signature dependent and run inside the
comprehensive solution for malware investigation by
host machines. They are inadequate to thwart the emerging
providing a tightly controlled environment for doing
advanced malware attacks. Malwares are different and
investigation. Malicious files are meant to be run in this safe
designed to be target vulnerability which is a door for malware
environment so we can analyze and observe the malicious
entering into our organization [15]. This high progression of
behavior of the untrusted file. This type of virtual hosting
malware has given rise to the need for a tough distrustful. how
technology has increasing rapidly to protect actions of
we are being targeted to the attacker. Most of us think like our
untrusted software code. For example, the user browse the
traditional security monitoring solutions can save our
World Wide Web (www) in the web browsers if the user
organizations by preventing them being executed. According
clicks on the unwanted java applets, Iframes or web pages the
to Google there are 30,000 websites were hacked every day,
sandbox prevent the access to the operating system. There is
we cannot believe on the security monitoring solutions like
web browser sandboxing technology which can restrict the
firewalls, IDS, IPS, are unguarded and helpless towards new
malicious access in which user clicks on to the advertisements
exploits. Some high level malwares [14] still capable to
s displaying on the websites while browsing the internet are
discover vulnerable services and software’s in our system
used web browser based plug-ins. Most of the malicious code
because of using outdated software's and services. So we
is spread through the portable documents, office document
should harden our organization [12] systems by installing the
files, so it is good idea to open these types of documents using
daily updates, and security patches released by the software
sandbox. Now we are going to discuss Some of the popular
vendor so that we can reduce the future attacks. Apart from
sandboxes which are more used by the security researchers are
the conventional signature-based systems, defense
Cuckoo [1], Malwr [2], ThreatExpert [18],JoeSandbox, Trend
professionals in organization are also used sandboxing
Micro among others. Rest of this paper we used to investigate
technologies to identify the new type of malwares; Sandbox is
the malware in cuckoo sandbox.
traditional approach in which we can execute files in a self-
governing virtual computerized technology excluding any

978-1-5386-1974-2/18/$31.00 ©2018 IEEE 1056

Authorized licensed use limited to: University of Portsmouth. Downloaded on February 28,2024 at 12:55:05 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the 2nd International Conference on Inventive Communication and Computational Technologies (ICICCT 2018)
IEEE Xplore Compliant - Part Number: CFP18BAC-ART; ISBN:978-1-5386-1974-2

IV. MANUAL MALICIOUS CODE INVISTIGATION

Basically there are two approaches for malware
investigation. One approach is gathering the footprint details
A. Malwr of the malicious code which is called as Manual analysis.
Malwr is a open source online platform which is used to Second approach is behavior investigation; in which we run
perform malicious code investigation, where anyone can the malicious code and observe the how it is behavior like
submit the malware sample for analyzing the malware in a what files are it is downloaded from the internet and uploaded
cuckoo sandbox. Cuckoo can execute and examine malware files to the attacker servers, and what type of modifications it
sample in protected way and give the very detailed report in made in the registry items etc. the combination of these two
html/xml format. approaches enables us to understand more detailed about the
malicious code.
B. JoeSandbox Now we perform the code investigation. We examine the
research.exe piece of malicious software by using the code
Joe sandbox is one of popular fully automated malware analysis tools.
analysis system like Anubis and Malwr. It provides the
features called deep analysis and agile sandbox and unlimited
inputs which supports all type of file formats it can also
analyze the android apps also. It finally generates the report
after successfully analyze the behavior of the malware sample
in XML, JSON,HTML,PDF etc..

C. ThreatExpert Fig.1. Extracting functions using Dependency Walker

ThreatExpert is a online malware analysis system. It provides

a simple user interface where we can analyze the malware We can see the above import functions more detailed
samples by submitting them. After analyze the malware we
can see a detailed report where we can see the time stamp of 1. MapViewOfFile: This function mapping into the
the malware which means when the malware is created the address space of a calling process. Malware can make
what type of packers used by the malware author, what is changes to the actual file once it is mapped.
level of security etc. 2. CreateFileMappingA: Creates or opens a named or
unnamed file mapping object for a specified file.
III. MALICIOUS CODE SAMPLE 3. FindFirstFileA: It searches for a directory or
subdirectory for a file which maps a particular name
Here below Table I depict the malicious code configurations 4. FindNextFileA: It can search for a file from the
as report by VirusTotal [4]. previous call to the FindFirstFile, FindFirstFileEx, or
FindFirstFileTransacted functions.
TABLE I.
5. CopyFileA: create a copy of the file
MALWARE CONFIGURATIONS

Malware Characterization Since that the malware is trying to search for a particular file
S. No
Attribute Value
and attempting to read/write an existing file in the system via
SHA1 Digest 9dce39ac1bd36d877fdb0025ee88fdaff0627
MapViewOfFile. It is also trying to copy/dropping a file to
1 value cdb another location.
2 File size 16 KB (16000bytes )

3 Type of File Win32 EXE

Original File
4 Name m1.exe
PE32 executable for MS Windows (GUI)
5 Magic literal
Intel 80386 32-bit
Disclosure
6 percentage 40/67

Fig.2. Using IDA PRO extracting the import information

978-1-5386-1974-2/18/$31.00 ©2018 IEEE 1057

Authorized licensed use limited to: University of Portsmouth. Downloaded on February 28,2024 at 12:55:05 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the 2nd International Conference on Inventive Communication and Computational Technologies (ICICCT 2018)
IEEE Xplore Compliant - Part Number: CFP18BAC-ART; ISBN:978-1-5386-1974-2

We setup Cuckoo on Linux operating system with

distributed firewall by updating the iptables of Linux system.
We can see the above there is a CopyFileA function which is The main purpose of this to protect the host system. Cuckoo
being called in the exe where Lab01-01.dll is copied to doesn’t work without python programming language. Cuckoo
c:\windows\system32\kerne132.dll notice that ‘1’ instead of required following libraries to work accurately they are
‘l’. Based on the above image the malware copies all the YARA, Voltality, Pydeep etc.
functions of “kernel32.dll” to the export table of “Lab01-
01.dll” and copies into the system32 directory as
“kerne132.dll” which acts as a DLL forwarder. It will forward
the functions to the real “kernel32.dll”.

Fig.3. indicates the warning message

In the above image indicates the warning message which

means if we open malware accidentally we will get infected.
Fig.5. Cuckoo Sandbox Architecture

We use Ubuntu operating system as our cuckoo host and

windows XP, Windows7 operating as a cuckoo guests
operating systems. The guest operating systems are installed
on the virtulbox and their network configure as a host-only
network interface which separate the cuckoo host actual
network from the virtual network. The cuckoo agent act as
communication medium between the cuckoo host and cuckoo
guest.

Fig.4. Copy duplicate file with original file

Fig.6. Process Tree
The malware searches for the string “kernel32.dll” and
replaces it with “kerne132.dll” in the import directory of the In the above figure, we can see as soon as the malware
exe. executed it creates the following process along with the main
executables. Each process has its different task we can see in
the process list that notepad.exe file is opened which means
V. DYNAMIC MALICIOUS CODE INVISTIGATION
that malware is trying to write something message to the user.
Dynamic malicious code investigation performed by using the The malware drops the files in the temp folder when the user
sandboxes. Where untrusted samples are submitted to executes it. And perform the further execution of the malware
sandboxes. Security analysts are used sandboxes to discover
the malicious code of the sample by running them in a jail like
environment.
We chose Cuckoo sandbox for performing dynamic
malware analysis. The primary goal of this, we can able to run
cuckoo supports virtual guests includes the VMware, KVM or
Virtual box. This virtualization software’s are able to run
Windows, Linux and Mac operating systems. Not only binary
files, Cuckoo facilitate us to do the analysis of URLs. After
completing investigation the results are record in a cuckoo
internal database finally it generates the report.

978-1-5386-1974-2/18/$31.00 ©2018 IEEE 1058

Authorized licensed use limited to: University of Portsmouth. Downloaded on February 28,2024 at 12:55:05 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the 2nd International Conference on Inventive Communication and Computational Technologies (ICICCT 2018)
IEEE Xplore Compliant - Part Number: CFP18BAC-ART; ISBN:978-1-5386-1974-2

Fig.10. Modifies the Register Files

Fig.7. Dropped Files
The malware sample will encrypt the files with the following
extensions

. asm .jpg .xml .jpe .txt .db .3ds.xls .dgn

. bmp .vsd .pdf ...tif .1cd .csv .ods .mdb .gbr .v2i
.gif .doc. png ..mdf .sdf . tex .dwg .dxf .gho
.stl .zip .dbf. cry .ma .ppt .acc .vpd .odt
..7z .cpp . tax .pas . bak .rar

Every file in our system is encrypted with their own

extensions and it is impossible to decrypt. After successful
encryption it also deletes the shadows in the client machine.
The shadow files are back up files which can be deleted by the
malware sample

Fig.8. Write message to the notepad

We see earlier in the process tree that malware opens the

notepad write something that indicates that the malware tries
to talk with the users by displaying the following message.

We can see the Attackers use the following E-mail address

Fig.11.Shadow file deleted

The malware uses the Delete Shadows /All /Quiet to delete the
shadows in the system.

After changing the registry keys and deletes the shadow copies
of the system, at last, the malware displays the following
warning message to the user

Fig.9. Email address of the attacker

The malware tries to edit the register files to write something

which is displayed each time when we startup of the system.

978-1-5386-1974-2/18/$31.00 ©2018 IEEE 1059

Authorized licensed use limited to: University of Portsmouth. Downloaded on February 28,2024 at 12:55:05 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the 2nd International Conference on Inventive Communication and Computational Technologies (ICICCT 2018)
IEEE Xplore Compliant - Part Number: CFP18BAC-ART; ISBN:978-1-5386-1974-2

REFERENCES
[1] Cuckoo Sandbox tool https://www.cuckoosandbox.org.
[2] Malwr – Malware Analysis by Cuckoo Sandbox, https://malwr.com.
[3] VirusTotal – Free Online Virus, Malware, and URL Scanner
https://www.virustotal.com.
[4] PE.Explorer – www.heaventools.com/overview.htm.
[5] OleDBg – http://www.ollydbg.de.
[6] Greamo, C., Ghosh, A., Sandboxing and Virtualization: Modern Tools
for Combating Malware, Security & Privacy, IEEE,April 2011,
Volume:9, Issue: 2, pp.79-82.
[7] Dependency walker, http://www.dependencywalker.com/.
[8] IDA PRO, https://www.hex-rays.com/products/ida/.
[9] Immunity Debugger, http://www.immunityinc.com/products/debugger/.
Fig.12. Ransomware Message [10] VirtualBox, https://www.virtualbox.org/.
[11] Cuckoo sandbox book,
VI. CONCLUSION https://media.readthedocs.org/pdf/cuckoo/latest/cuckoo.pdf.
[12] PEview, http://wjradburn.com/software/.
Since the cyber attacks are increasing the day by day
[13] Mourad Hassan; Dr. Leune, Kees; Sleeping Your Way out of the
analyzing the malware samples take more time and it depends Sandbox, SANS Institute, 2015, http://www.sans.org/readingroom/
upon the cost of the analyze malware. We proposed an whitepapers/malicious/sleeping-sandbox-35797.
automated environment which is best suited for every [14] Practical malware analysis, https://www.blackhat.com/presentations/bh-
organization to check the maliciousness of the applications. dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf.
[15] FireEye Malware Analysis, http://www.fireeye.com/products/malware-
analysis.html.
When we are dealing with a malware for analysis we need a
[16] Analysis of Malware: Detecting Behavior & Anti-Reversing
complete protection from the malwares the automated Techniques, http://niiconsulting.com/checkmate/2014/04/analysis-of
behavior analysis using cuckoo sandbox provide a flexible malware-detecting-behaviour-anti-reversing-techniques.
solution for malware analysis, it generates a complete report [17] Anubis - Malware Analysis for Unknown Binaries.
based on the series of test made by it during the execution of https:www.anubis.iseclab.org.
the malicious code sample. [18] Threat Expert, http://www.threatexpert.com.
[19] Ramakoteswara Rao G.et al., “Enhancing The Impregnability of Linux
We also performed a code investigation of the malicious code Servers" International Journal of Network Security & Its Applications
(IJNSA), Vol.6, No.2, March 2014,pp.21-31, DOI :
sample. The behavior analysis takes a significant lesser 10.5121/ijnsa.2014.6202 2.
quantity of duration to complete the investigation. Cuckoo [20] Ganga Rama Koteswara Rao and Dr. R.Satya Prasad "Combating
sandbox provides a very detail report after successful Cross-Site Scripting Assaults Without Proprietary Software",
execution of the malware sample by using this we can International Journal of Applied Engineering Research Vol. 12, No.17,
2017, pp.6788-6796, ISSN:0973-4562.
underestimate the level of the malware it is.

978-1-5386-1974-2/18/$31.00 ©2018 IEEE 1060

Authorized licensed use limited to: University of Portsmouth. Downloaded on February 28,2024 at 12:55:05 UTC from IEEE Xplore. Restrictions apply.