CT5194 – Malware LAB 2

Cuckoo Sandbox
Cuckoo Sandbox is a tool used to launch malware in a secure, isolated environment. The
idea is that the sandbox fools the malware into thinking it has infected a genuine host.
The sandbox records the malware's activity and generates a report on what the malware
attempted to do while running in this controlled environment.

Sandboxes are valuable for security teams and malware analysts because they can be used
to quickly gather IOCs (Indicators of Compromise), which may be required during a security
incident or serve as the starting point for a piece of intelligence. A sandbox gives you
quick and detailed information on how the malware is likely to behave.

In this lab, we will run experiments on an online dashboard provided by Cuckoo
Sandbox. We will be using the same sha256 hashes as used in the previous lab.

Malware sha256
031ed94b13f6292ca38061ac20d5c784c6470d3f52b207a959bedf0ed12c0665
01e45abb29d308bb9402e7a7509bbd39fcf51fae5962fb40fcd13a04b6a87afd
04b7de2bad29f978f2386400dec309fa69a3ddfbed04278d1b96d6f5fb9fe77a
05dc7b24be0359720c2ac68c53966378063e51d23251cb9993be37300b195265

• Open the dashboard
• Click on Search
• Input 031ed94b13f6292ca38061ac20d5c784c6470d3f52b207a959bedf0ed12c0665
• The following analysis will appear
• Now click on Analysis #4136029
• The summary of the analysis will appear and it will show how malicious this file is.

Question 1: Now check the signatures and state how many antivirus engines in IRMA
and VirusTotal reported the file as malicious.

Question 2: Now check the static analysis tab and state whether the section information
is the same as on VirusTotal or whether there is a difference.

✓ Now click on the behavioural analysis tab. This gives a quick view of which APIs are
called during the execution of the malicious code. Look under the different tabs, e.g. file,
process, network, etc.

• Time & API shows the timestamp and the API name
• Arguments shows the arguments passed to the API
• Status 1 shows that the API has been called
• Return value shows the value returned after the API was called
• Repeat shows whether the API has been called repeatedly

Under the Dropped file tab you can see the image files dropped by the malicious code.

✓ Now under the export analysis tab, uncheck all files except the report, and download
it. The file will be in JSON format.

Task: Download the JSON reports for all of the provided hashes and save them under
the cuckoo-Malware directory. You already have the VirusTotal JSON for the same hashes
from the previous lab activity. We will require both sets of reports in later lab
sessions.

Question 3: Now analyse the two reports (static and dynamic) for the same malware sample
and describe any two differences in detail, keeping the distinction between static and
dynamic analysis in mind. Hint: check imports, API calls, and signature details.

Question 4: You are given a directory named "cuckoo" containing Cuckoo JSON files, each
representing a report for a malware sample (assume each file is saved as <sha256>.json).
Additionally, there is an Excel file named "mal.xlsx" that contains only a list of sha256
hashes. Your task is to update this Excel file with API information extracted from the
JSON files.

Write Python code to accomplish the following:

1. Loop through each JSON file in the "cuckoo" directory.
2. Extract the sha256 value from the filename (without the extension).
3. Open and read each JSON file to extract the information under the "behavior" key,
specifically under the "apistats" sub-key.
4. Flatten the nested dictionary obtained from "apistats" and store it as a flattened
dictionary.
5. Check whether the "mal.xlsx" Excel file already contains a column for each apistats
function. If not, add the missing columns.
6. Update the Excel file with the apistats information extracted from each JSON file,
ensuring that each sha256 value corresponds to its respective row in the Excel file.
7. Save the updated Excel file as "API.xlsx".

Sample Code:

import pandas as pd
import json
import os

# Read the existing Excel file; the first column (sha256) becomes the index
df = pd.read_excel("mal.xlsx", index_col=0)

# Loop through the JSON reports and take the sha256 from each filename
for filename in os.listdir("cuckoo"):
    if not filename.endswith(".json"):
        continue
    sha256 = filename.split(".")[0]
    print(f"Opening JSON file for {sha256}...")
    with open(os.path.join("cuckoo", filename), "r") as f:
        report = json.load(f)

    # Check if the JSON report has the expected keys
    if "behavior" not in report or "apistats" not in report["behavior"]:
        print(f"JSON report for {sha256} does not have the expected keys")
        continue

    # Extract the apistats from the JSON report (a dict keyed by process id)
    apistats = report["behavior"]["apistats"]
    apistats_dict = {}

    # Flatten the nested dictionary; the same API may appear under several
    # processes, so the counts are added rather than overwritten
    for key, value in apistats.items():
        for k, v in value.items():
            apistats_dict[k] = apistats_dict.get(k, 0) + v

    # Add new columns for any apistats functions that don't exist in the
    # dataframe
    for func_name in apistats_dict:
        if func_name not in df.columns:
            df[func_name] = 0

    # Update the row for this sha256 (created if it is not in mal.xlsx yet)
    df.loc[sha256] = 0
    for col in df.columns:
        if col in apistats_dict:
            df.at[sha256, col] = apistats_dict[col]
        else:
            df.at[sha256, col] = 0

# Save the updated dataframe to the Excel file required by the task
with pd.ExcelWriter("API.xlsx") as writer:
    df.to_excel(writer, sheet_name="apistats")

This will generate a separate Excel file containing the API names and their call counts.

Question 5: Based on the provided code, your task is to extend it to extract Portable
Executable (PE) imports from the Cuckoo JSON files and store them in the Excel file in a
structured format.
Note that the code currently reads JSON files from a directory, extracts specific
information (e.g., "apistats"), and updates an Excel file with this information.

1. Analyze the structure of the Cuckoo JSON files to identify the section containing
pe_imports.
2. Understand that PE imports do not have count values and need to be processed
differently compared to apistats.
3. For each PE import found in a JSON file, add its name as a new column in the Excel
file.
4. If a PE import exists for a SHA256 hash, mark the corresponding cell with a value of
1; otherwise, mark it with a value of 0.
5. Submit the revised code along with a brief explanation of the changes made and how
the PE import extraction was implemented. Also, submit the generated Excel file.
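The two extraction steps described in Questions 4 and 5, shown here as an added example that is not part of the lab handout: API counts are summed across all processes in "apistats", and PE imports become presence flags. The report below is a constructed, cut-down fragment, and the path static.pe_imports with its dll/imports layout is assumed from the Cuckoo 2.x report format rather than taken from the handout.

```python
import json

# Constructed, cut-down Cuckoo-style report used as sample input (not a real sample).
SAMPLE_REPORT = json.loads("""
{"behavior": {"apistats": {
    "2104": {"LdrLoadDll": 3, "NtCreateFile": 2},
    "2188": {"NtCreateFile": 1, "CreateProcessInternalW": 1}}},
 "static": {"pe_imports": [
    {"dll": "KERNEL32.dll", "imports": [
        {"address": "0x402000", "name": "GetProcAddress"},
        {"address": "0x402004", "name": "VirtualAlloc"},
        {"address": "0x402008", "name": null}]},
    {"dll": "ADVAPI32.dll", "imports": [
        {"address": "0x402010", "name": "RegSetValueExW"}]}]}}
""")


def flatten_apistats(report):
    """Sum per-process API call counts into {api_name: total_calls}.

    apistats is keyed by PID, and the same API often appears under several
    PIDs; the counts are added so no process's calls are silently dropped.
    """
    totals = {}
    for _pid, calls in report.get("behavior", {}).get("apistats", {}).items():
        for api, count in calls.items():
            totals[api] = totals.get(api, 0) + int(count)
    return totals


def flatten_pe_imports(report):
    """Return {function_name: 1} for every named PE import (a presence flag, no count).

    Assumes the Cuckoo 2.x layout static.pe_imports = [{"dll": ..., "imports": [{"name": ...}]}].
    """
    present = {}
    for entry in report.get("static", {}).get("pe_imports", []):
        for imp in entry.get("imports", []):
            if imp.get("name"):  # imports by ordinal carry no name; skip them
                present[imp["name"]] = 1
    return present


def build_table(rows):
    """Turn {sha256: flat_row} into (column list, {sha256: values}), filling 0
    where a sample lacks a column: the same shape the Excel update produces."""
    columns = sorted({col for row in rows.values() for col in row})
    return columns, {sha: [row.get(col, 0) for col in columns] for sha, row in rows.items()}
```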
