├── data ├── yara │ ├── memory │ │ ├── .gitignore │ │ └── index_memory.yar │ ├── urls │ │ └── .gitignore │ └── binaries │ │ ├── shellcodes.yar │ │ └── embedded.yar ├── src │ └── binpackage │ │ ├── Makefile │ │ └── execsc.c ├── peutils │ └── UserDB.TXT ├── html │ ├── img │ │ ├── glyphicons-halflings.png │ │ └── glyphicons-halflings-white.png │ ├── sections │ │ ├── errors.html │ │ ├── screenshots.html │ │ ├── javascript_hooks.html │ │ ├── signatures.html │ │ ├── shellcode_detect.html │ │ ├── info.html │ │ └── url.html │ ├── error.html │ ├── success.html │ ├── js │ │ └── functions.js │ ├── report.html │ └── pagination-rpp.html ├── signature_overlay.json └── test-internet.vbs ├── web ├── dashboard │ ├── __init__.py │ ├── urls.py │ └── views.py ├── static │ ├── img │ │ ├── next.png │ │ ├── prev.png │ │ ├── close.png │ │ └── loading.gif │ ├── graphic │ │ ├── cuckoo.png │ │ └── background.png │ └── fonts │ │ ├── glyphicons-halflings-regular.eot │ │ ├── glyphicons-halflings-regular.ttf │ │ ├── glyphicons-halflings-regular.woff │ │ └── glyphicons-halflings-regular.woff2 ├── templates │ ├── standalone_error.html │ ├── analysis │ │ ├── behavior │ │ │ ├── index.html │ │ │ ├── _tree.html │ │ │ ├── _tree_process.html │ │ │ ├── _chunk.html │ │ │ ├── _search.html │ │ │ ├── _api_call.html │ │ │ └── _search_results.html │ │ ├── static │ │ │ ├── _strings.html │ │ │ ├── index.html │ │ │ └── _antivirus.html │ │ ├── overview │ │ │ ├── _url.html │ │ │ ├── _screenshots.html │ │ │ ├── index.html │ │ │ ├── _summary.html │ │ │ └── _file.html │ │ ├── memory │ │ │ ├── _yarascan.html │ │ │ ├── _callbacks.html │ │ │ ├── _malfind.html │ │ │ ├── _apihooks.html │ │ │ ├── _idt.html │ │ │ ├── _modscan.html │ │ │ ├── _timers.html │ │ │ ├── _devicetree.html │ │ │ ├── _ssdt.html │ │ │ ├── _gdt.html │ │ │ ├── _messagehooks.html │ │ │ ├── _pslist.html │ │ │ └── _svcscan.html │ │ ├── network │ │ │ ├── _http.html │ │ │ ├── _hosts.html │ │ │ ├── _irc.html │ │ │ ├── _icmp.html │ │ │ ├── _dns.html │ │ │ ├── _udp.html │ │ │ └── index.html │ │ ├── procmemory │ │ │ └── index.html │ │ ├── admin │ │ │ └── index.html │ │ ├── pending.html │ │ └── report.html │ ├── error.html │ ├── success.html │ ├── base.html │ ├── submission │ │ ├── complete.html │ │ └── status.html │ ├── footer.html │ ├── compare │ │ ├── _info.html │ │ ├── _summary_table.html │ │ ├── hash.html │ │ └── left.html │ ├── dashboard │ │ └── index.html │ └── header.html ├── compare │ ├── __init__.py │ └── urls.py ├── web │ ├── __init__.py │ ├── urls.py │ ├── headers.py │ ├── wsgi.py │ └── local_settings.py ├── analysis │ ├── __init__.py │ ├── templatetags │ │ ├── __init__.py │ │ └── analysis_tags.py │ ├── forms.py │ └── urls.py ├── submission │ ├── __init__.py │ └── urls.py └── manage.py ├── analyzer └── windows │ ├── lib │ ├── jsh │ │ ├── .rnd │ │ ├── run.bat │ │ ├── add_javascript_hook_new.py │ │ ├── extract_chrome_log.py │ │ └── server.py │ ├── __init__.py │ ├── api │ │ └── __init__.py │ ├── core │ │ ├── __init__.py │ │ ├── startup.py │ │ ├── packages.py │ │ └── config.py │ └── common │ │ ├── __init__.py │ │ ├── exceptions.py │ │ ├── rand.py │ │ ├── hashing.py │ │ └── constants.py │ ├── bin │ └── execsc.exe │ ├── dll │ ├── cuckoomon.dll │ ├── cuckoomon_bson.dll │ └── cuckoomon_netlog.dll │ └── modules │ ├── __init__.py │ ├── auxiliary │ ├── __init__.py │ ├── runningProcesses.py │ ├── disguise.py │ └── screenshots.py │ └── packages │ ├── __init__.py │ ├── exe.py │ ├── cpl.py │ ├── ie.py │ ├── msi.py │ ├── vbs.py │ ├── bin.py │ ├── pdf.py │ ├── xls.py │ ├── ps1.py │ ├── ppt.py │ ├── doc.py │ ├── python.py │ ├── generic.py │ ├── applet.py │ ├── html.py │ ├── dll.py │ └── ie_jsh.py ├── requirements.txt ├── docs ├── book │ └── src │ │ ├── _images │ │ ├── logo │ │ │ └── cuckoo.png │ │ ├── schemas │ │ │ └── architecture-main.png │ │ └── screenshots │ │ │ ├── shared_folders.png │ │ │ ├── windows_network.png │ │ │ ├── fog_scheduled_job.png │ │ │ ├── windows_registry.png │ │ │ ├── windows_security.png │ │ │ ├── fog_host_management.png │ │ │ └── fog_image_management.png │ │ ├── development │ │ ├── index.rst │ │ └── development_notes.rst │ │ ├── usage │ │ ├── index.rst │ │ ├── clean.rst │ │ ├── start.rst │ │ └── results.rst │ │ ├── introduction │ │ ├── index.rst │ │ └── license.rst │ │ ├── customization │ │ ├── index.rst │ │ └── auxiliary.rst │ │ ├── installation │ │ ├── host │ │ │ ├── index.rst │ │ │ └── installation.rst │ │ ├── guest │ │ │ ├── index.rst │ │ │ ├── cloning.rst │ │ │ ├── agent.rst │ │ │ ├── creation.rst │ │ │ └── requirements.rst │ │ ├── index.rst │ │ └── guest_physical │ │ │ ├── index.rst │ │ │ ├── creation.rst │ │ │ └── requirements.rst │ │ └── index.rst ├── README └── AUTHORS ├── lib ├── __init__.py ├── cuckoo │ ├── __init__.py │ ├── core │ │ └── __init__.py │ └── common │ │ ├── __init__.py │ │ ├── defines.py │ │ ├── constants.py │ │ ├── colors.py │ │ ├── exceptions.py │ │ └── config.py └── maec │ └── __init__.py ├── modules ├── __init__.py ├── auxiliary │ └── __init__.py ├── machinery │ ├── __init__.py │ ├── kvm.py │ └── esx.py ├── processing │ ├── __init__.py │ ├── dropped.py │ ├── jsh.py │ ├── runningprocessessnapshot.py │ ├── procmemory.py │ ├── strings.py │ ├── targetinfo.py │ ├── debug.py │ ├── captipper.py │ └── analysisinfo.py ├── reporting │ ├── __init__.py │ └── jsondump.py └── signatures │ ├── __init__.py │ ├── DetectShellcode.py │ ├── DetectsNewProcess.py │ ├── creates_exe.py │ ├── DetectDEPBypass.py │ ├── DetectStackPivot.py │ ├── DetectWerProcess.py │ ├── generic_metrics.py │ ├── DetectBufferShellcode.py │ └── DetectDEPInHeap.py ├── tests ├── sniffer_tests.py ├── colors_tests.py ├── reporter_tests.py ├── processor_tests.py ├── database_tests.py ├── abstracts_tests.py └── config_tests.py ├── conf ├── auxiliary.conf ├── reporting.conf ├── physical.conf └── processing.conf └── utils ├── db_migration ├── script.py.mako ├── alembic.ini └── env.py ├── clean.sh └── stats.py /data/yara/memory/.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /data/yara/urls/.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /web/dashboard/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /data/src/binpackage/Makefile: -------------------------------------------------------------------------------- 1 | execsc.exe: execsc.c 2 | i586-mingw32msvc-cc -Wall -o $@ $< 3 | 4 | -------------------------------------------------------------------------------- /data/peutils/UserDB.TXT: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/data/peutils/UserDB.TXT -------------------------------------------------------------------------------- /web/static/img/next.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/img/next.png -------------------------------------------------------------------------------- /web/static/img/prev.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/img/prev.png -------------------------------------------------------------------------------- /web/static/img/close.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/img/close.png -------------------------------------------------------------------------------- /web/static/img/loading.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/img/loading.gif -------------------------------------------------------------------------------- /web/templates/standalone_error.html: -------------------------------------------------------------------------------- 1 |
ERROR :-(
{{error}}
2 | -------------------------------------------------------------------------------- /analyzer/windows/lib/jsh/.rnd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/analyzer/windows/lib/jsh/.rnd -------------------------------------------------------------------------------- /web/static/graphic/cuckoo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/graphic/cuckoo.png -------------------------------------------------------------------------------- /analyzer/windows/bin/execsc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/analyzer/windows/bin/execsc.exe -------------------------------------------------------------------------------- /web/static/graphic/background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/graphic/background.png -------------------------------------------------------------------------------- /analyzer/windows/dll/cuckoomon.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/analyzer/windows/dll/cuckoomon.dll -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | sqlalchemy 2 | bson 3 | jinja2 4 | pymongo 5 | bottle 6 | pefile 7 | django 8 | chardet 9 | nose 10 | -------------------------------------------------------------------------------- /data/html/img/glyphicons-halflings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/data/html/img/glyphicons-halflings.png -------------------------------------------------------------------------------- /docs/book/src/_images/logo/cuckoo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/docs/book/src/_images/logo/cuckoo.png -------------------------------------------------------------------------------- /analyzer/windows/dll/cuckoomon_bson.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/analyzer/windows/dll/cuckoomon_bson.dll -------------------------------------------------------------------------------- /analyzer/windows/dll/cuckoomon_netlog.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/analyzer/windows/dll/cuckoomon_netlog.dll -------------------------------------------------------------------------------- /data/html/img/glyphicons-halflings-white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/data/html/img/glyphicons-halflings-white.png -------------------------------------------------------------------------------- /web/templates/analysis/behavior/index.html: -------------------------------------------------------------------------------- 1 | {% include "analysis/behavior/_tree.html" %} 2 |
3 | {% include "analysis/behavior/_processes.html" %} -------------------------------------------------------------------------------- /data/signature_overlay.json: -------------------------------------------------------------------------------- 1 | { 2 | "creates_exe": { 3 | "severity": 2, 4 | "alert": false, 5 | "custom_attribute": "machete" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /web/static/fonts/glyphicons-halflings-regular.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/fonts/glyphicons-halflings-regular.eot -------------------------------------------------------------------------------- /web/static/fonts/glyphicons-halflings-regular.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/fonts/glyphicons-halflings-regular.ttf -------------------------------------------------------------------------------- /web/static/fonts/glyphicons-halflings-regular.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/fonts/glyphicons-halflings-regular.woff -------------------------------------------------------------------------------- /docs/book/src/_images/schemas/architecture-main.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/docs/book/src/_images/schemas/architecture-main.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/shared_folders.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/docs/book/src/_images/screenshots/shared_folders.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/windows_network.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/docs/book/src/_images/screenshots/windows_network.png -------------------------------------------------------------------------------- /web/static/fonts/glyphicons-halflings-regular.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/web/static/fonts/glyphicons-halflings-regular.woff2 -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/fog_scheduled_job.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/docs/book/src/_images/screenshots/fog_scheduled_job.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/windows_registry.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/docs/book/src/_images/screenshots/windows_registry.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/windows_security.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/docs/book/src/_images/screenshots/windows_security.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/fog_host_management.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/docs/book/src/_images/screenshots/fog_host_management.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/fog_image_management.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/CuckooSploit/master/docs/book/src/_images/screenshots/fog_image_management.png -------------------------------------------------------------------------------- /lib/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /web/compare/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file "docs/LICENSE" for copying permission. -------------------------------------------------------------------------------- /web/web/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. -------------------------------------------------------------------------------- /lib/cuckoo/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /lib/maec/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /web/analysis/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. -------------------------------------------------------------------------------- /web/submission/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. -------------------------------------------------------------------------------- /lib/cuckoo/core/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /analyzer/windows/lib/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /lib/cuckoo/common/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/auxiliary/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/machinery/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/processing/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/reporting/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/signatures/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /web/analysis/templatetags/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. -------------------------------------------------------------------------------- /analyzer/windows/lib/api/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /analyzer/windows/lib/core/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /analyzer/windows/modules/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /analyzer/windows/lib/common/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /web/templates/analysis/behavior/_tree.html: -------------------------------------------------------------------------------- 1 |

Process Tree

2 | 7 | -------------------------------------------------------------------------------- /analyzer/windows/modules/auxiliary/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /tests/sniffer_tests.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from nose.tools import assert_equals 6 | -------------------------------------------------------------------------------- /web/templates/error.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |

4 |
ERROR :-(
{{error}}
5 | {% endblock %} -------------------------------------------------------------------------------- /web/templates/success.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |

4 |
Great! :-)
{{message}}
5 | {% endblock %} -------------------------------------------------------------------------------- /web/templates/base.html: -------------------------------------------------------------------------------- 1 | {%include "header.html" %} 2 |
3 | {% autoescape on %} 4 | {% block content %}{% endblock %} 5 | {% endautoescape %} 6 |
7 | {%include "footer.html" %} 8 | -------------------------------------------------------------------------------- /analyzer/windows/lib/jsh/run.bat: -------------------------------------------------------------------------------- 1 | @echo [+] Running Server 2 | @echo off 3 | start python server.py 8889 4 | 5 | @echo [+] Running MITMproxy 6 | @echo off 7 | start python "C:\Python27\scripts\mitmdump" -q -p 8888 -s "%cd%\add_javascript_hook.py" --anticache 8 | -------------------------------------------------------------------------------- /web/templates/analysis/static/_strings.html: -------------------------------------------------------------------------------- 1 |
2 |
3 | {% for string in analysis.strings %} 4 |
{{string}}
5 | {% endfor %} 6 |
7 |
-------------------------------------------------------------------------------- /docs/book/src/development/index.rst: -------------------------------------------------------------------------------- 1 | .. Development chapter frontpage 2 | 3 | Development 4 | =========== 5 | 6 | This chapter explains how to write Cuckoo's code and how to contribute. 7 | 8 | .. toctree:: 9 | 10 | development_notes 11 | code_style 12 | -------------------------------------------------------------------------------- /docs/book/src/usage/index.rst: -------------------------------------------------------------------------------- 1 | .. Usage chapter frontpage 2 | 3 | Usage 4 | ===== 5 | 6 | This chapter explains how to use Cuckoo. 7 | 8 | .. toctree:: 9 | 10 | start 11 | submit 12 | web 13 | api 14 | dist 15 | packages 16 | results 17 | clean 18 | utilities 19 | -------------------------------------------------------------------------------- /analyzer/windows/lib/common/exceptions.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | class CuckooError(Exception): 6 | pass 7 | 8 | class CuckooPackageError(Exception): 9 | pass -------------------------------------------------------------------------------- /data/yara/memory/index_memory.yar: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2010-2014 Cuckoo Foundation. 2 | // This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | // See the file 'docs/LICENSE' for copying permission. 4 | 5 | // The contents of this file are Yara rules processed by procmemory.py processing 6 | // module. Add your signatures here. -------------------------------------------------------------------------------- /data/html/sections/errors.html: -------------------------------------------------------------------------------- 1 | {% if results.debug.errors %} 2 |
3 |

Errors

4 |
5 |
6 | 11 |
12 | {% endif %} -------------------------------------------------------------------------------- /web/dashboard/urls.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file "docs/LICENSE" for copying permission. 4 | 5 | from django.conf.urls import patterns, url 6 | 7 | urlpatterns = patterns("", 8 | url(r"^$", "dashboard.views.index"), 9 | ) 10 | -------------------------------------------------------------------------------- /docs/book/src/introduction/index.rst: -------------------------------------------------------------------------------- 1 | .. Introduction chapter frontpage 2 | 3 | Introduction 4 | ============ 5 | 6 | This is an introductory chapter to Cuckoo Sandbox. 7 | It explains some basic malware analysis concepts, what's Cuckoo and how it can fit 8 | in malware analysis. 9 | 10 | .. toctree:: 11 | 12 | sandboxing 13 | what 14 | license 15 | 16 | -------------------------------------------------------------------------------- /data/html/error.html: -------------------------------------------------------------------------------- 1 | {% extends "base-web.html" %} 2 | {% block content %} 3 |
4 |

Ouch! KaBoom!

5 |
6 |
7 |
8 | Error: {{error}} 9 |
10 |
11 | {% endblock %} -------------------------------------------------------------------------------- /web/submission/urls.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from django.conf.urls import patterns, url 6 | 7 | urlpatterns = patterns("", 8 | url(r"^$", "submission.views.index"), 9 | url(r"status/(?P\d+)/$", "submission.views.status"), 10 | ) 11 | -------------------------------------------------------------------------------- /tests/colors_tests.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from nose.tools import assert_equals 6 | 7 | from lib.cuckoo.common.colors import color 8 | 9 | 10 | def test_return_text(): 11 | """Test colorized text contains the input string.""" 12 | assert "foo" in color("foo", 11) -------------------------------------------------------------------------------- /docs/book/src/customization/index.rst: -------------------------------------------------------------------------------- 1 | .. Customization chapter frontpage 2 | 3 | Customization 4 | ============= 5 | 6 | This chapter explains how to customize Cuckoo. 7 | Cuckoo is written in a modular architecture built to be as customizable as it can, 8 | to fit the needs of all users. 9 | 10 | .. toctree:: 11 | 12 | auxiliary 13 | machinery 14 | packages 15 | processing 16 | signatures 17 | reporting 18 | -------------------------------------------------------------------------------- /lib/cuckoo/common/defines.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | REG_NONE = 0 6 | REG_SZ = 1 7 | REG_EXPAND_SZ = 2 8 | REG_BINARY = 3 9 | REG_DWORD_LITTLE_ENDIAN = 4 10 | REG_DWORD = 4 11 | REG_DWORD_BIG_ENDIAN = 5 12 | -------------------------------------------------------------------------------- /modules/machinery/kvm.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.cuckoo.common.abstracts import LibVirtMachinery 6 | 7 | class KVM(LibVirtMachinery): 8 | """Virtualization layer for KVM based on python-libvirt.""" 9 | 10 | # Set KVM connection string. 11 | dsn = "qemu:///system" 12 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/exe.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | class Exe(Package): 8 | """EXE analysis package.""" 9 | 10 | def start(self, path): 11 | args = self.options.get("arguments") 12 | return self.execute(path, args) 13 | -------------------------------------------------------------------------------- /analyzer/windows/lib/common/rand.py: -------------------------------------------------------------------------------- 1 | import random 2 | import string 3 | 4 | def random_string(minimum, maximum=None): 5 | if maximum is None: 6 | maximum = minimum 7 | 8 | count = random.randint(minimum, maximum) 9 | return "".join(random.choice(string.ascii_letters) for x in xrange(count)) 10 | 11 | def random_integer(digits): 12 | start = 10 ** (digits - 1) 13 | end = (10 ** digits) - 1 14 | return random.randint(start, end) 15 | -------------------------------------------------------------------------------- /data/html/success.html: -------------------------------------------------------------------------------- 1 | {% extends "base-web.html" %} 2 | {% block content %} 3 |
4 |

New Analysis

5 |
6 |
7 |
8 | GOOD! File {{submitfile}} was submitted for analysis with Task ID {{taskid}}. 9 |
10 |
11 | {% endblock %} -------------------------------------------------------------------------------- /docs/book/src/installation/host/index.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | Preparing the Host 3 | ================== 4 | 5 | Even though it's reported to run on other operating systems too, Cuckoo is 6 | originally supposed to run on a *GNU/Linux* native system. 7 | For the purpose of this documentation, we chose **latest Ubuntu LTS** as 8 | reference system for the commands examples. 9 | 10 | .. toctree:: 11 | 12 | requirements 13 | installation 14 | configuration 15 | -------------------------------------------------------------------------------- /web/manage.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (C) 2010-2015 Cuckoo Foundation. 3 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 4 | # See the file 'docs/LICENSE' for copying permission. 5 | 6 | import os 7 | import sys 8 | 9 | if __name__ == "__main__": 10 | os.environ.setdefault("DJANGO_SETTINGS_MODULE", "web.settings") 11 | 12 | from django.core.management import execute_from_command_line 13 | 14 | execute_from_command_line(sys.argv) 15 | -------------------------------------------------------------------------------- /data/src/binpackage/execsc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main (int argc, char ** argv) { 6 | int fd; 7 | char buf[2048] = {0}; 8 | 9 | if (argc < 2) return 1; 10 | 11 | // read in shellcode from analysis target file 12 | fd = open(argv[1], 0); 13 | read(fd, buf, 2048); 14 | close(fd); 15 | 16 | // jump into shellcode 17 | int (*func)(); 18 | func = (int (*)()) buf; 19 | (int)(*func)(); 20 | 21 | return 0; 22 | } 23 | 24 | -------------------------------------------------------------------------------- /data/html/js/functions.js: -------------------------------------------------------------------------------- 1 | function showHide(id, lbl) { 2 | var e = document.getElementById(id); 3 | 4 | if (lbl !== "undefined") 5 | var l = document.getElementById(lbl); 6 | 7 | if(e.style.display == "none") { 8 | e.style.display = "block"; 9 | if (l) { 10 | l.innerHTML = "Collapse"; 11 | } 12 | } 13 | else { 14 | e.style.display = "none"; 15 | if (l) 16 | l.innerHTML = "Expand"; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /conf/auxiliary.conf: -------------------------------------------------------------------------------- 1 | [sniffer] 2 | # Enable or disable the use of an external sniffer (tcpdump) [yes/no]. 3 | enabled = yes 4 | 5 | # Specify the path to your local installation of tcpdump. Make sure this 6 | # path is correct. 7 | tcpdump = /usr/sbin/tcpdump 8 | 9 | # Specify the network interface name on which tcpdump should monitor the 10 | # traffic. Make sure the interface is active. 11 | interface = vboxnet0 12 | 13 | # Specify a Berkeley packet filter to pass to tcpdump. 14 | # bpf = not arp 15 | -------------------------------------------------------------------------------- /web/compare/urls.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file "docs/LICENSE" for copying permission. 4 | 5 | from django.conf.urls import patterns, url 6 | 7 | urlpatterns = patterns("", 8 | url(r"^(?P\d+)/$", "compare.views.left"), 9 | url(r"^(?P\d+)/(?P\d+)/$", "compare.views.both"), 10 | url(r"^(?P\d+)/(?P\w+)/$", "compare.views.hash"), 11 | ) 12 | -------------------------------------------------------------------------------- /web/templates/submission/complete.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |

4 |

Submission complete!

5 | The following tasks were added successfully: 6 | {% for task in tasks %} 7 | {{task}} 8 | {% endfor %}. 9 | Click on the links to monitor the status of the submission. 10 |
11 | {% endblock %} 12 | -------------------------------------------------------------------------------- /data/html/sections/screenshots.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |

Screenshots

4 |
5 | {% if results.screenshots %} 6 | {% for shot in results.screenshots %} 7 | 8 | {% endfor %} 9 | {% else %} 10 | No screenshots available. 11 | {% endif %} 12 |
13 | -------------------------------------------------------------------------------- /web/analysis/forms.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from django import forms 6 | 7 | from submission.models import Comment, Tag 8 | 9 | class CommentForm(forms.ModelForm): 10 | class Meta: 11 | model = Comment 12 | fields = ["message"] 13 | 14 | class TagForm(forms.ModelForm): 15 | class Meta: 16 | model = Tag 17 | fields = ["name"] 18 | -------------------------------------------------------------------------------- /web/templates/analysis/behavior/_tree_process.html: -------------------------------------------------------------------------------- 1 |
  • 2 | {{process.name}} {{process.pid}} 3 | {% if process.children %} 4 |
      5 | {% for child in process.children %} 6 | {% with process=child template_name="analysis/behavior/_tree_process.html" %} 7 | {% include template_name %} 8 | {% endwith %} 9 | {% endfor %} 10 |
    11 | {% endif %} 12 |
    • 13 | -------------------------------------------------------------------------------- /docs/book/src/installation/guest/index.rst: -------------------------------------------------------------------------------- 1 | =================== 2 | Preparing the Guest 3 | =================== 4 | 5 | At this point you should have configured the Cuckoo host component and you 6 | should have designed and defined the number and the names of the virtual 7 | machines you are going to use for malware execution. 8 | 9 | Now it's time to create such machines and to configure them properly. 10 | 11 | .. toctree:: 12 | 13 | creation 14 | requirements 15 | network 16 | agent 17 | saving 18 | cloning 19 | 20 | -------------------------------------------------------------------------------- /web/templates/analysis/overview/_url.html: -------------------------------------------------------------------------------- 1 |
    2 |

    URL Details

    3 |
    4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
    URL
    {{analysis.target.url}}
    16 |
    17 |
    -------------------------------------------------------------------------------- /data/html/sections/javascript_hooks.html: -------------------------------------------------------------------------------- 1 |
    2 |
    3 |

    JavaScript Hooks

    4 |
    5 | {% if results.jsh and results.jsh.has_jsh_log %} 6 | 7 | {% for res in results.jsh.output %} 8 | 9 | 10 | 11 | {% endfor %} 12 |
    {{ res }}
    13 | {% else %} 14 | Nothing to display. 15 | {% endif %} 16 |
    17 | -------------------------------------------------------------------------------- /docs/book/src/installation/index.rst: -------------------------------------------------------------------------------- 1 | .. Installation chapter frontpage 2 | 3 | Installation 4 | ============ 5 | 6 | This chapter explains how to install Cuckoo. 7 | 8 | .. note:: 9 | 10 | This documentation refers to *Host* as the underlying operating systems on 11 | which you are running Cuckoo (generally being a GNU/Linux distribution) and 12 | to *Guest* as the Windows virtual machine used to run the isolated analysis. 13 | 14 | .. toctree:: 15 | 16 | host/index 17 | guest/index 18 | guest_physical/index 19 | upgrade 20 | 21 | -------------------------------------------------------------------------------- /lib/cuckoo/common/constants.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | 7 | _current_dir = os.path.abspath(os.path.dirname(__file__)) 8 | CUCKOO_ROOT = os.path.normpath(os.path.join(_current_dir, "..", "..", "..")) 9 | 10 | CUCKOO_VERSION = "1.2" 11 | CUCKOO_GUEST_PORT = 8000 12 | CUCKOO_GUEST_INIT = 0x001 13 | CUCKOO_GUEST_RUNNING = 0x002 14 | CUCKOO_GUEST_COMPLETED = 0x003 15 | CUCKOO_GUEST_FAILED = 0x004 16 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/cpl.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | class CPL(Package): 8 | """Control Panel Applet analysis package.""" 9 | PATHS = [ 10 | ("SystemRoot", "system32", "control.exe"), 11 | ] 12 | 13 | def start(self, path): 14 | control = self.get_path("control.exe") 15 | return self.execute(control, "\"%s\"" % path) 16 | -------------------------------------------------------------------------------- /web/templates/analysis/overview/_screenshots.html: -------------------------------------------------------------------------------- 1 |
    2 |

    Screenshots

    3 | {% if analysis.shots %} 4 |
    5 | {% for shot in analysis.shots %} 6 | 7 | 8 | 9 | {% endfor %} 10 |
    11 | {% else %} 12 | No screenshots available. 13 | {% endif %} 14 |
    -------------------------------------------------------------------------------- /web/templates/analysis/memory/_yarascan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | {% for x in analysis.memory.yarascan.data %} 11 | 12 | 13 | 14 | 15 | 16 | {% endfor %} 17 | 18 |
    OwnerRuleHexdump
    {{x.owner}}{{x.rule}}
    {{x.hexdump}}
    19 | -------------------------------------------------------------------------------- /web/templates/analysis/network/_http.html: -------------------------------------------------------------------------------- 1 |

    HTTP Requests

    2 | {% if analysis.network.http %} 3 | 4 | 5 | 6 | 7 | 8 | {% for request in analysis.network.http %} 9 | 10 | 11 | 12 | 13 | {% endfor %} 14 |
    URIData
    {{request.uri}}
    {{request.data}}
    15 | {% else %} 16 |

    No HTTP requests performed.

    17 | {% endif %} -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/ie.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | class IE(Package): 8 | """Internet Explorer analysis package.""" 9 | PATHS = [ 10 | ("ProgramFiles", "Internet Explorer", "iexplore.exe"), 11 | ] 12 | 13 | def start(self, url): 14 | iexplore = self.get_path("Internet Explorer") 15 | return self.execute(iexplore, "\"%s\"" % url) 16 | -------------------------------------------------------------------------------- /docs/book/src/installation/guest_physical/index.rst: -------------------------------------------------------------------------------- 1 | ====================================== 2 | Preparing the Guest (Physical Machine) 3 | ====================================== 4 | 5 | At this point you should have configured the Cuckoo host component and you 6 | should have designed and defined the number and the names of the physical 7 | machines you are going to use for malware execution. 8 | 9 | Now it's time to create such machines and to configure them properly. 10 | 11 | .. toctree:: 12 | 13 | creation 14 | requirements 15 | network 16 | ../guest/agent 17 | saving -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/msi.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | class Msi(Package): 8 | """MSI analysis package.""" 9 | 10 | PATHS = [ 11 | ("SystemRoot", "system32", "msiexec.exe"), 12 | ] 13 | 14 | def start(self, path): 15 | msi_path = self.get_path("msiexec.exe") 16 | msi_args = "/I \"{0}\"".format(path) 17 | return self.execute(msi_path, msi_args) 18 | -------------------------------------------------------------------------------- /docs/book/src/installation/guest/cloning.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | Cloning the Virtual Machine 3 | =========================== 4 | 5 | In case you planned to use more than one virtual machine, there's no need to 6 | repeat all the steps done so far: you can clone it. In this way you'll have 7 | a copy of the original virtualized Windows with all requirements already 8 | installed. 9 | 10 | The new virtual machine will also contain all the settings of the original one, 11 | which is not good. Now you need to proceed repeating the steps explained in 12 | :doc:`network`, :doc:`agent` and :doc:`saving` for this new machine. 13 | -------------------------------------------------------------------------------- /tests/reporter_tests.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import tempfile 7 | from nose.tools import assert_equals 8 | 9 | from lib.cuckoo.common.abstracts import Report 10 | from lib.cuckoo.common.config import Config 11 | 12 | 13 | class ReportMock(Report): 14 | def run(self, data): 15 | return 16 | 17 | class ReportAlterMock(Report): 18 | """Corrupts results dict.""" 19 | def run(self, data): 20 | data['foo'] = 'notbar' 21 | return 22 | -------------------------------------------------------------------------------- /web/templates/analysis/network/_hosts.html: -------------------------------------------------------------------------------- 1 |
    2 |

    Hosts

    3 | {% if analysis.network.hosts %} 4 | 5 | 6 | 7 | 8 | {% for host in analysis.network.hosts %} 9 | 10 | {% if host|slice:":7" != "192.168" %} 11 | 12 | {% endif %} 13 | 14 | {% endfor %} 15 |
    IP
    {{host}}
    16 | {% else %} 17 |

    No hosts contacted.

    18 | {% endif %} 19 |
    20 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_callbacks.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | {% for x in analysis.memory.callbacks.data %} 12 | 13 | 14 | 15 | 16 | 17 | 18 | {% endfor %} 19 | 20 |
    TypeCallbackModuleDetails
    {{x.type}}{{x.callback}}{{x.module}}{{x.details}}
    21 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/vbs.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | # Originally proposed by kidrek: 8 | # https://github.com/cuckoobox/cuckoo/pull/136 9 | 10 | class VBS(Package): 11 | """VBS analysis package.""" 12 | PATHS = [ 13 | ("SystemRoot", "system32", "wscript.exe"), 14 | ] 15 | 16 | def start(self, path): 17 | wscript = self.get_path("WScript") 18 | return self.execute(wscript, "\"%s\"" % path) 19 | -------------------------------------------------------------------------------- /web/templates/analysis/network/_irc.html: -------------------------------------------------------------------------------- 1 |

    IRC traffic

    2 | {% if analysis.network.irc %} 3 | 4 | 5 | 6 | 7 | 8 | 9 | {% for irc in analysis.network.irc %} 10 | 11 | 12 | 13 | 14 | 15 | {% endfor %} 16 |
    CommandParamsType
    {{irc.command}}{{irc.params}}{{irc.type}}
    17 | {% else %} 18 |

    No IRC requests performed.

    19 | {% endif %} -------------------------------------------------------------------------------- /web/templates/analysis/memory/_malfind.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | {% for mal in analysis.memory.malfind.data %} 12 | 13 | 14 | 15 | 16 | 17 | 18 | {% endfor %} 19 | 20 |
    PIDProcess NameStartTag
    {{mal.process_id}}{{mal.process_name}}{{mal.vad_start}}{{mal.vad_tag}}
    21 | -------------------------------------------------------------------------------- /web/analysis/templatetags/analysis_tags.py: -------------------------------------------------------------------------------- 1 | from django.template.defaultfilters import register 2 | 3 | @register.filter("mongo_id") 4 | def mongo_id(value): 5 | """Retrieve _id value. 6 | @todo: it will be removed in future. 7 | """ 8 | if isinstance(value, dict): 9 | if value.has_key("_id"): 10 | value = value["_id"] 11 | 12 | # Return value 13 | return unicode(value) 14 | 15 | @register.filter("is_dict") 16 | def is_dict(value): 17 | """Checks if value is an instance of dict""" 18 | return isinstance(value, dict) 19 | 20 | @register.filter 21 | def get_item(dictionary, key): 22 | return dictionary.get(key, "") 23 | -------------------------------------------------------------------------------- /analyzer/windows/lib/common/hashing.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | BUFSIZE = 1024*1024 6 | 7 | 8 | def hash_file(method, path): 9 | """Calculates an hash on a file by path. 10 | @param method: callable hashing method 11 | @param path: file path 12 | @return: computed hash string 13 | """ 14 | f = open(path, "rb") 15 | h = method() 16 | while True: 17 | buf = f.read(BUFSIZE) 18 | if not buf: 19 | break 20 | h.update(buf) 21 | return h.hexdigest() 22 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/bin.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | from lib.api.process import Process 7 | 8 | class Shellcode(Package): 9 | """Shellcode (any x86 executable code) analysis package.""" 10 | 11 | def start(self, path): 12 | p = Process() 13 | dll = self.options.get("dll") 14 | p.execute(path="bin/execsc.exe", args=path, suspended=True) 15 | p.inject(dll) 16 | p.resume() 17 | p.wait() 18 | return p.pid 19 | -------------------------------------------------------------------------------- /docs/README: -------------------------------------------------------------------------------- 1 | README 2 | 3 | The documentation for installing, using and customizing Cuckoo Sandbox is 4 | available under different forms and formats. 5 | 6 | Under "docs/book/" you can find the complete Cuckoo Sandbox Book in three 7 | different formats: 8 | * HTML 9 | * PDF 10 | * Text 11 | 12 | Under "docs/books/src" you'll find the Sphinx sources used to build the book. 13 | 14 | Under "epydoc/" you'll find the Python documentation of Cuckoo's libs and apis 15 | generated by Epydoc. This directory contains two sub-directories: "host" and 16 | "guest", containing references for Cuckoo's Host and Guest components 17 | respectively. 18 | -------------------------------------------------------------------------------- /web/templates/analysis/behavior/_chunk.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for call in chunk.calls %} 14 | 15 | {% include "analysis/behavior/_api_call.html" %} 16 | 17 | {% endfor %} 18 | 19 |
    TimeAPIArgumentsStatusReturnRepeated
    20 | -------------------------------------------------------------------------------- /web/templates/analysis/procmemory/index.html: -------------------------------------------------------------------------------- 1 | {% if analysis.procmemory %} 2 |
      3 | {% for proc in analysis.procmemory %} 4 |
    • {{proc.pid}} ({{proc.file}}) 5 | {% if proc.procmem_id %} 6 | Download 7 | {% endif %} 8 | {% for match in proc.yara %} 9 |

      Match: {{match.name}} 10 |

        11 | {% for string in match.strings %} 12 |
      • {{string}}
        • 13 | {% endfor %} 14 |

      15 | {% endfor %} 16 |
      • 17 | {% endfor %} 18 | {% endif %} 19 | -------------------------------------------------------------------------------- /web/templates/analysis/admin/index.html: -------------------------------------------------------------------------------- 1 | {% load analysis_tags %} 2 |
      3 | 4 | 5 | 6 | 8 | 9 | 10 | 12 | 13 | 14 | 16 | 17 | 18 | 20 |
      Task ID{{analysis.info.id}} 7 |
      Mongo ID{{analysis|mongo_id}} 11 |
      Cuckoo release{{analysis.info.version}} 15 |
      Delete 19 |
      21 |
      -------------------------------------------------------------------------------- /web/templates/footer.html: -------------------------------------------------------------------------------- 1 | 3 | 8 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /utils/db_migration/script.py.mako: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | """${message} 6 | 7 | Revision ID: ${up_revision} 8 | Revises: ${down_revision} 9 | Create Date: ${create_date} 10 | 11 | """ 12 | 13 | # revision identifiers, used by Alembic. 14 | revision = ${repr(up_revision)} 15 | down_revision = ${repr(down_revision)} 16 | 17 | from alembic import op 18 | import sqlalchemy as sa 19 | ${imports if imports else ""} 20 | 21 | def upgrade(): 22 | ${upgrades if upgrades else "pass"} 23 | 24 | 25 | def downgrade(): 26 | ${downgrades if downgrades else "pass"} 27 | -------------------------------------------------------------------------------- /web/web/urls.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from django.conf.urls import patterns, include, url 6 | 7 | urlpatterns = patterns("", 8 | url(r"^$", "dashboard.views.index"), 9 | url(r"^analysis/", include("analysis.urls")), 10 | url(r"^compare/", include("compare.urls")), 11 | url(r"^submit/", include("submission.urls")), 12 | url(r"^file/(?P\w+)/(?P\w+)/$", "analysis.views.file"), 13 | url(r"^full_memory/(?P\w+)/$", "analysis.views.full_memory_dump_file"), 14 | url(r"^dashboard/", include("dashboard.urls")), 15 | ) -------------------------------------------------------------------------------- /web/templates/analysis/overview/index.html: -------------------------------------------------------------------------------- 1 | {% include "analysis/overview/_info.html" %} 2 |
      3 | {% if analysis.info.category == "file" and analysis.target %} 4 | {% include "analysis/overview/_file.html" %} 5 | {% elif analysis.info.category == "url" %} 6 | {% include "analysis/overview/_url.html" %} 7 | {% endif %} 8 |
      9 | {% include "analysis/overview/_signatures.html" %} 10 |
      11 | {% include "analysis/overview/_screenshots.html" %} 12 |
      13 |
      14 |
      {% include "analysis/network/_hosts.html" %}
      15 |
      {% include "analysis/network/_dns.html" %}
      16 |
      17 |
      18 | {% include "analysis/overview/_summary.html" %} 19 | -------------------------------------------------------------------------------- /utils/clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright (C) 2010-2015 Cuckoo Foundation. 3 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 4 | # See the file 'docs/LICENSE' for copying permission. 5 | 6 | echo "$PWD/clean.sh has been deprecated!" >&2 7 | echo "Please start using ./cuckoo.py --clean which also drops database tables." 8 | 9 | # I'm sure this can be done easier, but I'm not very familiar with bash 10 | # scripting.. So, here we go. Also, this only works from "./cuckoo" and 11 | # "./cuckoo/utils" directory, but it's still better than before. 12 | if [[ "$PWD/" = */utils/ ]]; then 13 | export PWD="${PWD:0:${#PWD}-6}" 14 | fi 15 | 16 | rm -rf "$PWD/db/" "$PWD/log/" "$PWD/storage/" 17 | find "$PWD/" -name '*.pyc' -exec rm {} \; 18 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_apihooks.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | {% for hook in analysis.memory.apihooks.data %} 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | {% endfor %} 21 | 22 |
      PIDProcess NameVictim FunctionHook TypeHooking Module
      {{hook.process_id}}{{hook.process_name}}{{hook.victim_function}}{{hook.hook_type}}{{hook.hooking_module}}
      23 | -------------------------------------------------------------------------------- /modules/signatures/DetectShellcode.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | from lib.cuckoo.common.abstracts import Signature 4 | from subprocess import Popen, PIPE 5 | 6 | class DetectShellcode(Signature): 7 | name = "detect_shellcode" 8 | description = "Shellcode detected using engine_cli" 9 | severity = 3 10 | categories = ["exploit", "rop"] 11 | authors = ["Ilana Marcus"] 12 | minimum = "1.2" 13 | evented = True 14 | enabled = True 15 | def __init__(self, caller): 16 | Signature.__init__(self, caller) 17 | filter_categories = set(["process"]) 18 | 19 | def on_complete(self): 20 | if self.get_results("scd", {})["has_shellcode"]: 21 | return True 22 | return None 23 | 24 | 25 | -------------------------------------------------------------------------------- /web/templates/analysis/network/_icmp.html: -------------------------------------------------------------------------------- 1 |

      ICMP traffic

      2 | {% if analysis.network.icmp %} 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | {% for packet in analysis.network.icmp %} 11 | 12 | 13 | 14 | 15 | 16 | 17 | {% endfor %} 18 |
      SourceDestinationICMP TypeData
      {{packet.src}}{{packet.dst}}{{packet.type}}{{packet.data}}
      19 | {% else %} 20 |

      No ICMP traffic performed.

      21 | {% endif %} -------------------------------------------------------------------------------- /analyzer/windows/lib/common/constants.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | from lib.common.rand import random_string 7 | 8 | 9 | ROOT = os.path.join(os.getenv("SystemDrive"), "\\", random_string(6, 10)) 10 | 11 | PATHS = {"root" : ROOT, 12 | "logs" : os.path.join(ROOT, "logs"), 13 | "files" : os.path.join(ROOT, "files"), 14 | "shots" : os.path.join(ROOT, "shots"), 15 | "memory" : os.path.join(ROOT, "memory"), 16 | "drop" : os.path.join(ROOT, "drop")} 17 | 18 | PIPE = "\\\\.\\PIPE\\" + random_string(6, 10) 19 | SHUTDOWN_MUTEX = "Global\\" + random_string(6, 10) 20 | -------------------------------------------------------------------------------- /data/yara/binaries/shellcodes.yar: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2010-2014 Cuckoo Foundation. 2 | // This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | // See the file 'docs/LICENSE' for copying permission. 4 | 5 | rule shellcode 6 | { 7 | meta: 8 | author = "nex" 9 | description = "Matched shellcode byte patterns" 10 | 11 | strings: 12 | $mz = { 4d 5a } 13 | $shell1 = { 64 8b 64 } 14 | $shell2 = { 64 a1 30 } 15 | $shell3 = { 64 8b 15 30 } 16 | $shell4 = { 64 8b 35 30 } 17 | $shell5 = { 55 8b ec 83 c4 } 18 | $shell6 = { 55 8b ec 81 ec } 19 | $shell7 = { 55 8b ec e8 } 20 | $shell8 = { 55 8b ec e9 } 21 | condition: 22 | not ($mz at 0) and 23 | any of ($shell*) 24 | } 25 | -------------------------------------------------------------------------------- /conf/reporting.conf: -------------------------------------------------------------------------------- 1 | # Enable or disable the available reporting modules [on/off]. 2 | # If you add a custom reporting module to your Cuckoo setup, you have to add 3 | # a dedicated entry in this file, or it won't be executed. 4 | # You can also add additional options under the section of your module and 5 | # they will be available in your Python class. 6 | 7 | [jsondump] 8 | enabled = yes 9 | indent = 4 10 | encoding = latin-1 11 | 12 | [reporthtml] 13 | enabled = yes 14 | 15 | [mmdef] 16 | enabled = no 17 | 18 | [maec40] 19 | enabled = no 20 | mode = overview 21 | processtree = true 22 | output_handles = false 23 | static = true 24 | strings = true 25 | virustotal = true 26 | 27 | [mongodb] 28 | enabled = no 29 | host = 127.0.0.1 30 | port = 27017 31 | db = cuckoo 32 | store_memdump = yes -------------------------------------------------------------------------------- /web/templates/analysis/memory/_idt.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for x in analysis.memory.idt.data %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
      CPUIndexSelectorAddressModuleSection
      {{x.cpu_number}}{{x.index}}{{x.selector}}{{x.address}}{{x.module}}{{x.section}}
      25 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_modscan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | {% for mod in analysis.memory.modscan.data %} 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | {% endfor %} 21 | 22 |
      Base AddressOffsetNameFileSize
      {{mod.kernel_module_base}}{{mod.kernel_module_offset}}{{mod.kernel_module_name}}{{mod.kernel_module_file}}{{mod.kernel_module_size}}
      23 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/pdf.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | class PDF(Package): 8 | """PDF analysis package.""" 9 | PATHS = [ 10 | ("ProgramFiles", "Adobe", "Reader 8.0", "Reader", "AcroRd32.exe"), 11 | ("ProgramFiles", "Adobe", "Reader 9.0", "Reader", "AcroRd32.exe"), 12 | ("ProgramFiles", "Adobe", "Reader 10.0", "Reader", "AcroRd32.exe"), 13 | ("ProgramFiles", "Adobe", "Reader 11.0", "Reader", "AcroRd32.exe"), 14 | ] 15 | 16 | def start(self, path): 17 | reader = self.get_path("Adobe Reader") 18 | return self.execute(reader, "\"%s\"" % path) 19 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_timers.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for x in analysis.memory.timers.data %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
      OffsetDue TimePeriodSignaledRoutineModule
      {{x.offset}}{{x.due_time}}{{x.period}}{{x.signaled}}{{x.routine}}{{x.module}}
      25 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_devicetree.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | {% for service in analysis.memory.devicetree.data %} 11 | 12 | 13 | 14 | 21 | 22 | {% endfor %} 23 | 24 |
      Driver NameDriver OffsetDevices
      {{service.driver_name}}{{service.driver_offset}} 15 | {% for device in service.devices %} 16 | {% if device.device_name %} 17 | {{device.device_name}}, 18 | {% endif %} 19 | {% endfor %} 20 |
      25 | -------------------------------------------------------------------------------- /data/html/sections/signatures.html: -------------------------------------------------------------------------------- 1 |
      2 |
      3 |

      Signatures

      4 |
      5 | {% if results.signatures %} 6 | {% for sign in results.signatures %} 7 | {% if sign.severity == 1 %} 8 |
      9 | {% elif sign.severity == 2 %} 10 |
      11 | {% elif sign.severity >= 3 %} 12 |
      13 | {% else %} 14 |
      15 | {% endif %} 16 | {{sign.description}} 17 |
      18 | {% endfor %} 19 | {% else %} 20 | No signatures matched 21 | {% endif %} 22 |
      23 | -------------------------------------------------------------------------------- /conf/physical.conf: -------------------------------------------------------------------------------- 1 | [physical] 2 | # Specify a comma-separated list of available machines to be used. For each 3 | # specified ID you have to define a dedicated section containing the details 4 | # on the respective machine. (E.g. physical1,physical2,physical3) 5 | machines = physical1 6 | 7 | # Credentials to access the machine 8 | user = username 9 | password = password 10 | 11 | [physical1] 12 | # Specify the label name of the current machine as specified in your 13 | # physical machine configuration. 14 | label = physical1 15 | 16 | # Specify the operating system platform used by current machine 17 | # [windows/darwin/linux]. 18 | platform = windows 19 | 20 | # Specify the IP address of the current machine. Make sure that the IP address 21 | # is valid and that the host machine is able to reach it. If not, the analysis 22 | # will fail. 23 | ip = 192.168.56.101 24 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/xls.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | 8 | class XLS(Package): 9 | """Excel analysis package.""" 10 | PATHS = [ 11 | ("ProgramFiles", "Microsoft Office", "EXCEL.EXE"), 12 | ("ProgramFiles", "Microsoft Office", "Office11", "EXCEL.EXE"), 13 | ("ProgramFiles", "Microsoft Office", "Office12", "EXCEL.EXE"), 14 | ("ProgramFiles", "Microsoft Office", "Office14", "EXCEL.EXE"), 15 | ("ProgramFiles", "Microsoft Office", "Office15", "EXCEL.EXE"), 16 | ] 17 | 18 | def start(self, path): 19 | excel = self.get_path("Microsoft Office Excel") 20 | return self.execute(excel, "\"%s\"" % path) 21 | -------------------------------------------------------------------------------- /analyzer/windows/lib/jsh/add_javascript_hook_new.py: -------------------------------------------------------------------------------- 1 | from bs4 import BeautifulSoup 2 | from libmproxy.protocol.http import decoded 3 | import os; 4 | 5 | def start(context, argv): 6 | curdir = os.path.dirname(os.path.realpath('__file__')) 7 | with open(curdir + "\\JavaScriptHooks_new_arch.js", "r") as f: 8 | js = f.read() 9 | context.js = js 10 | 11 | def response(context, flow): 12 | with decoded(flow.response): # Remove content encoding (gzip, ...) 13 | html = BeautifulSoup(flow.response.content) 14 | if html.body: 15 | #print "This is the js:\n" + context.js 16 | javascript = html.new_tag("script") 17 | javascript.string = context.js 18 | html.body.insert(0, javascript) 19 | flow.response.content = str(html) 20 | context.log("Hooked JavaScript Functions.") -------------------------------------------------------------------------------- /web/templates/compare/_info.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 |
      IDCategoryNameMD5MachineCompleted OnDuration
      {{record.info.id}}{{record.info.category|upper}}{{record.target.file.name}}{{record.target.file.md5}}{{record.info.machine.name}}{{record.info.ended}}{{record.info.duration}} seconds
      25 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/ps1.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | # Originally proposed by David Maciejak. 8 | 9 | class PS1(Package): 10 | """PowerShell analysis package.""" 11 | PATHS = [ 12 | ("SystemRoot", "system32", "WindowsPowerShell", "v1.0", "powershell.exe"), 13 | ("SystemRoot", "system32", "WindowsPowerShell", "v2.0", "powershell.exe"), 14 | ("SystemRoot", "system32", "WindowsPowerShell", "v3.0", "powershell.exe"), 15 | ] 16 | 17 | def start(self, path): 18 | powershell = self.get_path("PowerShell") 19 | args = "-NoProfile -ExecutionPolicy unrestricted -File \"{0}\"".format(path) 20 | return self.execute(powershell, args) 21 | -------------------------------------------------------------------------------- /data/html/report.html: -------------------------------------------------------------------------------- 1 | {% extends "base-report.html" %} 2 | {% block content %} 3 | {% include "sections/info.html" %} 4 | {% include "sections/errors.html" %} 5 | {% if results.info.category == "file" %} 6 | {% include "sections/file.html" %} 7 | {% elif results.info.category == "url" %} 8 | {% include "sections/url.html" %} 9 | {% endif %} 10 | {% include "sections/signatures.html" %} 11 | {% include "sections/screenshots.html" %} 12 | {% if results.info.category == "file" %} 13 | {% include "sections/static.html" %} 14 | {% endif %} 15 | {% include "sections/dropped.html" %} 16 | {% include "sections/network.html" %} 17 | {% include "sections/behavior.html" %} 18 | {% include "sections/volatility.html" %} 19 | {% include "sections/shellcode_detect.html" %} 20 | {% include "sections/javascript_hooks.html" %} 21 | {% endblock %} -------------------------------------------------------------------------------- /data/html/sections/shellcode_detect.html: -------------------------------------------------------------------------------- 1 |
      2 |
      3 |

      Shellcode Detection

      4 |
      5 | {% if results.scd and results.scd.has_shellcode %} 6 | 7 | 8 | {% for res in results.scd.outputs %} 9 | 10 | 11 | 12 | 13 | 14 | 15 | {% endfor %} 16 |
      File NameEngine Cli OutputEngine Cli After JesusEngine Cli Hex Data
      {{ res.file_name }}{{ res.engine_cli_output }}{{ res.engine_cli_after_jesus_output }}{{ res.engine_cli_hexdata }}
      17 | {% else %} 18 | Nothing to display. 19 | {% endif %} 20 |
      21 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/ppt.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | class PPT(Package): 8 | """PowerPoint analysis package.""" 9 | PATHS = [ 10 | ("ProgramFiles", "Microsoft Office", "POWERPNT.EXE"), 11 | ("ProgramFiles", "Microsoft Office", "Office11", "POWERPNT.EXE"), 12 | ("ProgramFiles", "Microsoft Office", "Office12", "POWERPNT.EXE"), 13 | ("ProgramFiles", "Microsoft Office", "Office14", "POWERPNT.EXE"), 14 | ("ProgramFiles", "Microsoft Office", "Office15", "POWERPNT.EXE"), 15 | ] 16 | 17 | def start(self, path): 18 | powerpoint = self.get_path("Microsoft Office PowerPoint") 19 | return self.execute(powerpoint, "\"%s\"" % path) 20 | -------------------------------------------------------------------------------- /web/templates/compare/_summary_table.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for record in records %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
      IDNameMachineCompleted OnDurationSelect
      {{record.info.id}}{{record.target.file.name}}{{record.info.machine.name}}{{record.info.ended}}{{record.info.duration}} secondsSelect
      -------------------------------------------------------------------------------- /web/templates/analysis/memory/_ssdt.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | {% for x in analysis.memory.ssdt.data %} 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | {% endfor %} 25 | 26 |
      IndexTableEntrySyscall NameSyscall AddrSyscall ModnameHook?
      {{x.index}}{{x.table}}{{x.entry}}{{x.syscall_name}}{{x.syscall_addr}}{{x.syscall_modname}}{{x.hook_dest_addr}}: {{x.hook_name}}
      27 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/doc.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | class DOC(Package): 8 | """Word analysis package.""" 9 | PATHS = [ 10 | ("ProgramFiles", "Microsoft Office", "WINWORD.EXE"), 11 | ("ProgramFiles", "Microsoft Office", "Office11", "WINWORD.EXE"), 12 | ("ProgramFiles", "Microsoft Office", "Office12", "WINWORD.EXE"), 13 | ("ProgramFiles", "Microsoft Office", "Office14", "WINWORD.EXE"), 14 | ("ProgramFiles", "Microsoft Office", "Office15", "WINWORD.EXE"), 15 | ("ProgramFiles", "Microsoft Office", "WORDVIEW.EXE"), 16 | ] 17 | 18 | def start(self, path): 19 | word = self.get_path("Microsoft Office Word") 20 | return self.execute(word, "\"%s\"" % path) 21 | -------------------------------------------------------------------------------- /web/analysis/urls.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file "docs/LICENSE" for copying permission. 4 | 5 | from django.conf.urls import patterns, url 6 | 7 | urlpatterns = patterns("", 8 | url(r"^$", "analysis.views.index"), 9 | url(r"^(?P\d+)/$", "analysis.views.report"), 10 | url(r"^remove/(?P\d+)/$", "analysis.views.remove"), 11 | url(r"^chunk/(?P\d+)/(?P\d+)/(?P\d+)/$", "analysis.views.chunk"), 12 | url(r"^filtered/(?P\d+)/(?P\d+)/(?P\w+)/$", "analysis.views.filtered_chunk"), 13 | url(r"^search/(?P\d+)/$", "analysis.views.search_behavior"), 14 | url(r"^search/$", "analysis.views.search"), 15 | url(r"^pending/$", "analysis.views.pending"), 16 | url(r"^(?P\d+)/pcapstream/(?P[.,\w]+)/$", "analysis.views.pcapstream"), 17 | ) 18 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/python.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | 7 | class Python(Package): 8 | """Python analysis package.""" 9 | 10 | PATHS = [ 11 | ("HomeDrive", "Python24", "python.exe"), 12 | ("HomeDrive", "Python25", "python.exe"), 13 | ("HomeDrive", "Python26", "python.exe"), 14 | ("HomeDrive", "Python27", "python.exe"), 15 | ("HomeDrive", "Python32", "python.exe"), 16 | ("HomeDrive", "Python33", "python.exe"), 17 | ("HomeDrive", "Python34", "python.exe"), 18 | ] 19 | 20 | def start(self, path): 21 | python = self.get_path("Python") 22 | arguments = self.options.get("arguments", "") 23 | return self.execute(python, "%s %s" % (path, arguments)) 24 | -------------------------------------------------------------------------------- /web/web/headers.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import sys 6 | 7 | from django.conf import settings 8 | 9 | sys.path.append(settings.CUCKOO_PATH) 10 | 11 | from lib.cuckoo.common.constants import CUCKOO_VERSION 12 | 13 | class CuckooHeaders(object): 14 | """Set Cuckoo custom response headers.""" 15 | 16 | def process_response(self, request, response): 17 | response["Server"] = "Machete Server" 18 | response["X-Cuckoo-Version"] = CUCKOO_VERSION 19 | response["X-Content-Type-Options"] = "nosniff" 20 | response["X-Frame-Options"] = "DENY" 21 | response["X-XSS-Protection"] = "1; mode=block" 22 | response["Pragma"] = "no-cache" 23 | response["Cache-Control"] = "no-cache" 24 | response["Expires"] = "0" 25 | 26 | return response -------------------------------------------------------------------------------- /modules/processing/dropped.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | 7 | from lib.cuckoo.common.abstracts import Processing 8 | from lib.cuckoo.common.objects import File 9 | 10 | class Dropped(Processing): 11 | """Dropped files analysis.""" 12 | 13 | def run(self): 14 | """Run analysis. 15 | @return: list of dropped files with related information. 16 | """ 17 | self.key = "dropped" 18 | dropped_files = [] 19 | 20 | for dir_name, dir_names, file_names in os.walk(self.dropped_path): 21 | for file_name in file_names: 22 | file_path = os.path.join(dir_name, file_name) 23 | file_info = File(file_path=file_path).get_all() 24 | dropped_files.append(file_info) 25 | 26 | return dropped_files 27 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_gdt.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | {% for x in analysis.memory.gdt.data %} 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | {% endfor %} 27 | 28 |
      CPUSelectorBaseLimitTypeDplGranularityPresent
      {{x.cpu_number}}{{x.selector}}{{x.base}}{{x.limit}}{{x.type}}{{x.dpl}}{{x.granularity}}{{x.present}}
      29 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_messagehooks.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | {% for x in analysis.memory.messagehooks.data %} 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | {% endfor %} 27 | 28 |
      OffsetSessionDesktopThreadFilterFlagsFunctionModule
      {{x.offset}}{{x.session}}{{x.desktop}}{{x.thread}}{{x.filter}}{{x.flags}}{{x.function}}{{x.module}}
      29 | -------------------------------------------------------------------------------- /web/templates/analysis/network/_dns.html: -------------------------------------------------------------------------------- 1 |
      2 |

      DNS

      3 | {% if analysis.network.dns %} 4 | 5 | 6 | 7 | 8 | 9 | 10 | {% for p in analysis.network.dns %} 11 | 12 | 13 | 18 | 19 | 20 | {% endfor %} 21 |
      NameResponsePost-Analysis Lookup
      {{p.request}} 14 | {% for a in p.answers %} 15 | {{a.type}} {{a.data|linebreaksbr}}{% if not forloop.last %}
      {% endif %} 16 | {% endfor %} 17 |       		{{ domainlookups|get_item:p.request }}
      22 | {% else %} 23 |

      No domains contacted.

      24 | {% endif %} 25 |
      26 | -------------------------------------------------------------------------------- /web/templates/compare/hash.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |

      4 | 5 |
      6 |
      7 |

      Analysis 1

      8 | 9 | {% include "compare/_info.html" with record=left %} 10 |
      11 |
      12 |

      Analysis 2

      13 | 14 |

      You need to select the second analysis.

      15 | {% if records.count > 0 %} 16 |

      Following are all the analyses of the file with provided MD5 {{hash}}:

      17 | {% include "compare/_summary_table.html" %} 18 | {% else %} 19 |

      There is no analysis for the specified file or you selected the same selected analysis.

      20 | {% endif %} 21 |
      22 |
      23 | {% endblock %} 24 | -------------------------------------------------------------------------------- /web/templates/submission/status.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |

      4 | {% if completed %} 5 |

      Good news! :-)

      The analysis is completed, you can view it here.
      6 | {% else %} 7 | 8 |
      9 |

      Hang on...

      10 |

      The analysis is not completed yet, it's still {{status}}. This page will refresh every 30 seconds.

      11 |
      12 |
      13 |
      14 |
      15 | {% endif %} 16 | {% endblock %} 17 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_pslist.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | {% for process in analysis.memory.pslist.data %} 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | {% endfor %} 27 | 28 |
      Parent PIDPIDNameCreate TimeExit Time# Threads# HandlesSession ID
      {{process.parent_id}}{{process.process_id}}{{process.process_name}}{{process.create_time}}{{process.exit_time}}{{process.num_threads}}{{process.num_handles}}{{process.session_id}}
      29 | -------------------------------------------------------------------------------- /web/templates/analysis/behavior/_search.html: -------------------------------------------------------------------------------- 1 | 15 | 16 | 29 | -------------------------------------------------------------------------------- /docs/book/src/index.rst: -------------------------------------------------------------------------------- 1 | 2 | .. _index: 3 | 4 | =================== 5 | Cuckoo Sandbox Book 6 | =================== 7 | 8 | Cuckoo Sandbox is an *Open Source* software for automating analysis of suspicious files. 9 | To do so it makes use of custom components that monitor the behavior of the malicious 10 | processes while running in an isolated environment. 11 | 12 | This guide will explain how to set up Cuckoo, use it and customize it. 13 | 14 | Having troubles? 15 | ================ 16 | 17 | If you're having troubles you might want to check out the :doc:`FAQ ` 18 | as it may already have the answers to your questions. 19 | 20 | .. toctree:: 21 | 22 | faq/index 23 | 24 | Otherwise you can ask the developers and/or other Cuckoo users, see 25 | :doc:`Join the discussion `. 26 | 27 | Contents 28 | ======== 29 | 30 | .. toctree:: 31 | 32 | introduction/index 33 | installation/index 34 | usage/index 35 | customization/index 36 | development/index 37 | finalremarks/index 38 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_svcscan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | {% for service in analysis.memory.svcscan.data %} 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | {% endfor %} 27 | 28 |
      NameDisplay NameBinary PathPIDTypeOrderOffsetState
      {{service.service_name}}{{service.service_display_name}}{{service.service_binary_path}}{{service.pricess_id}}{{service.service_type}}{{service.service_order}}{{service.service_offset}}{{service.service_state}}
      29 | -------------------------------------------------------------------------------- /docs/book/src/installation/guest_physical/creation.rst: -------------------------------------------------------------------------------- 1 | ================================ 2 | Creation of the Physical Machine 3 | ================================ 4 | 5 | Once you have :doc:`properly installed <../host/requirements>` your imaging 6 | software, you can proceed on creating all the physical machines you need. 7 | 8 | Using and configuring your imaging software is out of the scope of this 9 | guide, so please refer to the official documentation. 10 | 11 | .. note:: 12 | 13 | You can find some hints and considerations on how to design and create 14 | your virtualized environment in the :doc:`../../introduction/sandboxing` 15 | chapter. 16 | 17 | .. note:: 18 | For analysis purposes you are recommended to use Windows XP Service Pack 19 | 3, but Cuckoo Sandbox also proved to work with Windows 7 with User 20 | Access Control disabled. 21 | 22 | 23 | When creating the physical machine, Cuckoo doesn't require any specific 24 | configuration. You can choose the options that best fit your needs. -------------------------------------------------------------------------------- /modules/processing/jsh.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2014 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import subprocess 7 | import re 8 | 9 | from lib.cuckoo.common.abstracts import Processing 10 | from lib.cuckoo.common.objects import File 11 | from subprocess import Popen, PIPE 12 | 13 | 14 | class jsh(Processing): 15 | 16 | order = 2 17 | 18 | def run(self): 19 | """Run analysis. 20 | @return: list of files with results. 21 | """ 22 | self.key = "jsh" 23 | results = {} 24 | results['has_jsh_log'] = True 25 | results['output'] = [] 26 | if os.path.exists(os.path.join(self.dropped_path, 'proxyLog.log')): 27 | with open(os.path.join(self.dropped_path, 'proxyLog.log'), 'r+') as f: 28 | data = f.readlines(); 29 | 30 | for line in data: 31 | results['output'].append(line) 32 | 33 | return results; 34 | -------------------------------------------------------------------------------- /analyzer/windows/lib/core/startup.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import logging 7 | 8 | from lib.common.constants import PATHS 9 | from lib.common.results import NetlogHandler 10 | 11 | log = logging.getLogger() 12 | 13 | def create_folders(): 14 | """Create folders in PATHS.""" 15 | for name, folder in PATHS.items(): 16 | if os.path.exists(folder): 17 | continue 18 | 19 | try: 20 | os.makedirs(folder) 21 | except OSError: 22 | pass 23 | 24 | def init_logging(): 25 | """Initialize logger.""" 26 | formatter = logging.Formatter("%(asctime)s [%(name)s] %(levelname)s: %(message)s") 27 | sh = logging.StreamHandler() 28 | sh.setFormatter(formatter) 29 | log.addHandler(sh) 30 | 31 | nh = NetlogHandler() 32 | nh.setFormatter(formatter) 33 | log.addHandler(nh) 34 | 35 | log.setLevel(logging.DEBUG) 36 | -------------------------------------------------------------------------------- /modules/signatures/DetectsNewProcess.py: -------------------------------------------------------------------------------- 1 | import re 2 | from lib.cuckoo.common.abstracts import Signature 3 | 4 | class CreatesProc(Signature): 5 | name = "creates_process" 6 | description = "Created processes: {0}" 7 | severity = 3 8 | categories = ["execution"] 9 | authors = ["Omri Herscovici", "Ilana Marcus"] 10 | minimum = "1.2" 11 | 12 | evented = True 13 | enabled = True 14 | 15 | def __init__(self, caller): 16 | Signature.__init__(self, caller) 17 | self.proc=[] 18 | 19 | def on_call(self, call, pid): 20 | if (call["api"] != "CreateProcessInternalW"): 21 | return 22 | 23 | if re.search("iexplore", self.get_argument(call, "CommandLine"), re.IGNORECASE): 24 | return 25 | 26 | prc_name = self.get_argument(call, "CommandLine") 27 | self.proc.append(prc_name) 28 | 29 | 30 | def on_complete(self): 31 | if self.proc: 32 | self.description = self.description.format(', '.join(self.proc)) 33 | return True 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /web/templates/analysis/static/index.html: -------------------------------------------------------------------------------- 1 |
      2 | 7 |
      8 |
      9 | {% if "PE32" in analysis.target.file.type %} 10 | {% include "analysis/static/_pe32.html" %} 11 | {% else %} 12 | No static analysis available. 13 | {% endif %} 14 |
      15 |
      16 | {% include "analysis/static/_strings.html" %} 17 |
      18 |
      19 | {% include "analysis/static/_antivirus.html" %} 20 |
      21 |
      22 |
      -------------------------------------------------------------------------------- /data/html/pagination-rpp.html: -------------------------------------------------------------------------------- 1 | 4 |
      5 | 16 |
      17 | -------------------------------------------------------------------------------- /conf/processing.conf: -------------------------------------------------------------------------------- 1 | # Enable or disable the available processing modules [on/off]. 2 | # If you add a custom processing module to your Cuckoo setup, you have to add 3 | # a dedicated entry in this file, or it won't be executed. 4 | # You can also add additional options under the section of your module and 5 | # they will be available in your Python class. 6 | 7 | [analysisinfo] 8 | enabled = yes 9 | 10 | [behavior] 11 | enabled = yes 12 | 13 | [debug] 14 | enabled = yes 15 | 16 | [dropped] 17 | enabled = yes 18 | 19 | [memory] 20 | enabled = no 21 | 22 | [network] 23 | enabled = yes 24 | 25 | [procmemory] 26 | enabled = yes 27 | 28 | [static] 29 | enabled = yes 30 | 31 | [strings] 32 | enabled = yes 33 | 34 | [targetinfo] 35 | enabled = yes 36 | 37 | [virustotal] 38 | enabled = yes 39 | timeout = 60 40 | # Add your VirusTotal API key here. The default API key, kindly provided 41 | # by the VirusTotal team, should enable you with a sufficient throughput 42 | # and while being shared with all our users, it shouldn't affect your use. 43 | key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088 44 | -------------------------------------------------------------------------------- /docs/book/src/introduction/license.rst: -------------------------------------------------------------------------------- 1 | ======= 2 | License 3 | ======= 4 | 5 | Cuckoo Sandbox license is shipped with Cuckoo and contained in the "LICENSE" 6 | file inside the "docs" folder. 7 | 8 | ========== 9 | Disclaimer 10 | ========== 11 | 12 | Cuckoo is distributed as it is, in the hope that it will be useful, but without 13 | any warranty neither the implied merchantability or fitness for a particular 14 | purpose. 15 | 16 | Whatever you do with this tool is uniquely your own responsibility. 17 | 18 | ================= 19 | Cuckoo Foundation 20 | ================= 21 | 22 | The `Cuckoo Foundation`_ is a non-profit organization incorporated as a 23 | Stichting in the Netherlands and it's mainly dedicated to support of the 24 | development and growth of Cuckoo Sandbox, an open source malware analysis 25 | system, and the surrounding projects and initiatives. 26 | 27 | The Foundation operates to secure financial and infrastructure support to our 28 | software projects and coordinates the development and contributions from the 29 | community. 30 | 31 | .. _`Cuckoo Foundation`: http://www.cuckoofoundation.org 32 | -------------------------------------------------------------------------------- /modules/processing/runningprocessessnapshot.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os.path 6 | import logging 7 | from lib.cuckoo.common.abstracts import Processing 8 | from lib.cuckoo.common.objects import File 9 | import json 10 | 11 | log = logging.getLogger(__name__) 12 | 13 | class RunningProcessesSnapshot(Processing): 14 | """General information about a file.""" 15 | 16 | def run(self): 17 | """Run file information gathering. 18 | @return: information dict. 19 | """ 20 | self.key = "running_processes" 21 | 22 | running_processes = [] 23 | 24 | p_log = os.path.join(self.logs_path, "running_processes.log") 25 | try: 26 | with open(p_log, 'r') as file: 27 | running_processes = json.load(file) 28 | except Exception as e: 29 | log.warning("Error in RunningProcessesSnapshot module: %s", e) 30 | return running_processes -------------------------------------------------------------------------------- /modules/signatures/creates_exe.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.cuckoo.common.abstracts import Signature 6 | 7 | class CreatesExe(Signature): 8 | name = "creates_exe" 9 | description = "Creates a Windows executable on the filesystem" 10 | severity = 2 11 | categories = ["generic"] 12 | authors = ["Cuckoo Developers"] 13 | minimum = "0.5" 14 | 15 | # This is a signature template. It should be used as a skeleton for 16 | # creating custom signatures, therefore is disabled by default. 17 | # It doesn't verify whether a .exe is actually being created, but 18 | # it matches files being opened with any access type, including 19 | # read and attributes lookup. 20 | enabled = False 21 | 22 | def run(self): 23 | match = self.check_file(pattern=".*\\.exe$", 24 | regex=True) 25 | if match: 26 | self.data.append({"file": match}) 27 | return True 28 | 29 | return False 30 | -------------------------------------------------------------------------------- /docs/book/src/usage/clean.rst: -------------------------------------------------------------------------------- 1 | .. _cuckoo-clean: 2 | 3 | =========================== 4 | Clean all Tasks and Samples 5 | =========================== 6 | 7 | Since Cuckoo 1.2 a built-in **--clean** feature has been added which does not 8 | only have the same functionality as the now-deprecated :ref:`./utils/clean.sh 9 | utility `, but also drops all associated information of the 10 | tasks and samples in the database. If you submit a task after running 11 | **--clean** then you'll start with ``Task #1`` again. 12 | 13 | To clean your setup, run:: 14 | 15 | $ ./cuckoo.py --clean 16 | 17 | To sum up, this command does the following: 18 | 19 | * Delete analysis results. 20 | * Delete submitted binaries. 21 | * Delete all associated information of the tasks and samples in the configured database. 22 | * Delete all data in the configured MongoDB (if configured and enabled in reporting.conf). 23 | 24 | .. warning:: 25 | If you use this command you will delete permanently all data stored by Cuckoo in all 26 | storages: file system, SQL database and MongoDB database. Use it only if you are sure 27 | you would clean up all the data. -------------------------------------------------------------------------------- /docs/book/src/installation/guest/agent.rst: -------------------------------------------------------------------------------- 1 | ==================== 2 | Installing the Agent 3 | ==================== 4 | 5 | From release 0.4 Cuckoo adopts a custom agent that runs inside the Guest and 6 | that handles the communication and the exchange of data with the Host. 7 | This agent is designed to be cross-platform, therefore you should be able 8 | to use it on Windows as well as on Linux and OS X. 9 | In order to make Cuckoo work properly, you'll have to install and start this 10 | agent. 11 | 12 | It's very simple. 13 | 14 | In the *agent/* directory you will find and *agent.py* file, just copy it 15 | to the Guest operating system (in whatever way you want, perhaps a temporary 16 | shared folder or by downloading it from a Host webserver) and run it. 17 | This will launch the XMLRPC server which will be listening for connections. 18 | 19 | On Windows simply launching the script will also spawn a Python window, if 20 | you want to hide it you can rename the file from *agent.py* to **agent.pyw** 21 | which will prevent the window from spawning. 22 | 23 | If you want the script to be launched at Windows' boot, just place the file in 24 | the `Startup` folder. 25 | -------------------------------------------------------------------------------- /docs/book/src/customization/auxiliary.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | Auxiliary Modules 3 | ================= 4 | 5 | **Auxiliary** modules define some procedures that need to be executed in parallel 6 | to every single analysis process. 7 | All auxiliary modules should be placed under the *modules/auxiliary/* directory. 8 | 9 | The skeleton of a module would look something like this: 10 | 11 | .. code-block:: python 12 | :linenos: 13 | 14 | from lib.cuckoo.common.abstracts import Auxiliary 15 | 16 | class MyAuxiliary(Auxiliary): 17 | 18 | def start(self): 19 | # Do something. 20 | 21 | def stop(self): 22 | # Stop the execution. 23 | 24 | The function ``start()`` will be executed before starting the analysis machine and effectively 25 | executing the submitted malicious file, while the ``stop()`` function will be launched at the 26 | very end of the analysis process, before launching the processing and reporting procedures. 27 | 28 | For example, an auxiliary module provided by default in Cuckoo is called *sniffer.py* and 29 | takes care of executing **tcpdump** in order to dump the generated network traffic. 30 | -------------------------------------------------------------------------------- /analyzer/windows/modules/auxiliary/runningProcesses.py: -------------------------------------------------------------------------------- 1 | from lib.common.abstracts import Auxiliary 2 | from lib.common.results import NetlogFile 3 | import subprocess 4 | import json 5 | 6 | class Running_Processes(Auxiliary): 7 | def start(self): 8 | self.cmd = 'WMIC PROCESS get Caption,ProcessId,CommandLine /VALUE' 9 | 10 | def stop(self): 11 | all_running = [] 12 | proc = subprocess.Popen(self.cmd, shell=True, stdout=subprocess.PIPE) 13 | 14 | processes = proc.stdout.read().split("\r\r\n\r\r\n") 15 | 16 | for p in processes: 17 | p = p.strip() 18 | parts = p.split("\r\r\n") 19 | 20 | proc_dict = {} 21 | for kv_pair in parts: 22 | try: 23 | kv = kv_pair.split('=') 24 | proc_dict[kv[0]] = kv[1] 25 | all_running.append(proc_dict) 26 | except: 27 | continue 28 | proc.terminate() 29 | 30 | nf = NetlogFile("logs/running_processes.log") 31 | nf.sock.sendall(json.dumps(all_running)) 32 | nf.close() 33 | -------------------------------------------------------------------------------- /modules/reporting/jsondump.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import json 7 | import codecs 8 | 9 | from lib.cuckoo.common.abstracts import Report 10 | from lib.cuckoo.common.exceptions import CuckooReportError 11 | 12 | class JsonDump(Report): 13 | """Saves analysis results in JSON format.""" 14 | 15 | def run(self, results): 16 | """Writes report. 17 | @param results: Cuckoo results dict. 18 | @raise CuckooReportError: if fails to write report. 19 | """ 20 | indent = self.options.get("indent", 4) 21 | encoding = self.options.get("encoding", "utf-8") 22 | 23 | try: 24 | path = os.path.join(self.reports_path, "report.json") 25 | with codecs.open(path, "w", "utf-8") as report: 26 | json.dump(results, report, sort_keys=False, 27 | indent=int(indent), encoding=encoding) 28 | except (UnicodeError, TypeError, IOError) as e: 29 | raise CuckooReportError("Failed to generate JSON report: %s" % e) 30 | -------------------------------------------------------------------------------- /tests/processor_tests.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import tempfile 7 | from nose.tools import assert_equals 8 | 9 | from lib.cuckoo.common.constants import CUCKOO_VERSION 10 | from lib.cuckoo.common.abstracts import Processing, Signature 11 | 12 | 13 | class ProcessingMock(Processing): 14 | def run(self): 15 | self.key = "foo" 16 | foo = { 17 | "bar" : "taz" 18 | } 19 | return foo 20 | 21 | class SignatureMock(Signature): 22 | name = "mock" 23 | minimum = CUCKOO_VERSION.split("-")[0] 24 | maximum = CUCKOO_VERSION.split("-")[0] 25 | 26 | def run(self, results): 27 | if "foo" in results: 28 | return True 29 | else: 30 | return False 31 | 32 | class SignatureAlterMock(SignatureMock): 33 | def run(self, results): 34 | results = None 35 | 36 | class SignatureDisabledMock(SignatureMock): 37 | enabled = False 38 | 39 | class SignatureWrongVersionMock(SignatureMock): 40 | minimum = "0.0..-abc" 41 | maximum = "0.0..-abc" 42 | 43 | -------------------------------------------------------------------------------- /docs/book/src/installation/guest/creation.rst: -------------------------------------------------------------------------------- 1 | =============================== 2 | Creation of the Virtual Machine 3 | =============================== 4 | 5 | Once you have :doc:`properly installed <../host/requirements>` your virtualization 6 | software, you can proceed on creating all the virtual machines you need. 7 | 8 | Using and configuring your virtualization software is out of the scope of this 9 | guide, so please refer to the official documentation. 10 | 11 | .. note:: 12 | 13 | You can find some hints and considerations on how to design and create 14 | your virtualized environment in the :doc:`../../introduction/sandboxing` 15 | chapter. 16 | 17 | .. note:: 18 | 19 | For analysis purposes you are recommended to use Windows XP Service Pack 20 | 3, but Cuckoo Sandbox also proved to work with Windows 7 with User 21 | Access Control disabled. 22 | 23 | .. note:: 24 | 25 | KVM Users - Be sure to choose a hard drive image format that supports snapshots. 26 | See :doc:`saving` 27 | for more information. 28 | 29 | When creating the virtual machine, Cuckoo doesn't require any specific 30 | configuration. You can choose the options that best fit your needs. 31 | -------------------------------------------------------------------------------- /modules/processing/procmemory.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | 7 | from lib.cuckoo.common.abstracts import Processing 8 | from lib.cuckoo.common.objects import File 9 | from lib.cuckoo.common.constants import CUCKOO_ROOT 10 | 11 | class ProcessMemory(Processing): 12 | """Analyze process memory dumps.""" 13 | 14 | def run(self): 15 | """Run analysis. 16 | @return: structured results. 17 | """ 18 | self.key = "procmemory" 19 | results = [] 20 | 21 | if os.path.exists(self.pmemory_path): 22 | for dmp in os.listdir(self.pmemory_path): 23 | dmp_path = os.path.join(self.pmemory_path, dmp) 24 | dmp_file = File(dmp_path) 25 | 26 | proc = dict( 27 | file=dmp_path, 28 | pid=os.path.splitext(os.path.basename(dmp_path))[0], 29 | yara=dmp_file.get_yara(os.path.join(CUCKOO_ROOT, "data", "yara", "index_memory.yar")) 30 | ) 31 | 32 | results.append(proc) 33 | 34 | return results 35 | -------------------------------------------------------------------------------- /docs/book/src/installation/host/installation.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | Installing Cuckoo 3 | ================= 4 | 5 | Proceed with download and installation. Read :doc:`../../introduction/what` to 6 | learn where you can obtain a copy of the sandbox. 7 | 8 | Create a user 9 | ============= 10 | 11 | You either can run Cuckoo from your own user or create a new one dedicated just 12 | to your sandbox setup. 13 | Make sure that the user that runs Cuckoo is the same user that you will 14 | use to create and run the virtual machines, otherwise Cuckoo won't be able to 15 | identify and launch them. 16 | 17 | Create a new user:: 18 | 19 | $ sudo adduser cuckoo 20 | 21 | If you're using VirtualBox, make sure the new user belongs to the "vboxusers" 22 | group (or the group you used to run VirtualBox):: 23 | 24 | $ sudo usermod -a -G vboxusers cuckoo 25 | 26 | If you're using KVM or any other libvirt based module, make sure the new user 27 | belongs to the "libvirtd" group (or the group your Linux distribution uses to 28 | run libvirt):: 29 | 30 | $ sudo usermod -a -G libvirtd cuckoo 31 | 32 | Install Cuckoo 33 | ============== 34 | 35 | Extract or checkout your copy of Cuckoo to a path of your choice and you're 36 | ready to go ;-). 37 | 38 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/generic.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from random import randint 6 | 7 | from lib.common.abstracts import Package 8 | 9 | class Generic(Package): 10 | """Generic analysis package. 11 | The sample is started using START command in a cmd.exe prompt. 12 | """ 13 | PATHS = [ 14 | ("SystemRoot", "system32", "cmd.exe"), 15 | ] 16 | 17 | def start(self, path): 18 | cmd_path = self.get_path("cmd.exe") 19 | # Create random cmd.exe window title. 20 | rand_title = "".join([chr(randint(0, 128)) for i in xrange(0, randint(1, 10))]) 21 | # START syntax. 22 | # See: https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/start.mspx?mfr=true 23 | # start ["title"] [/dPath] [/i] [/min] [/max] [{/separate | /shared}] 24 | # [{/low | /normal | /high | /realtime | /abovenormal | belownormal}] 25 | # [/wait] [/b] [FileName] [parameters] 26 | cmd_args = "/c start /wait \"{0}\" \"{1}\"".format(rand_title, path) 27 | return self.execute(cmd_path, cmd_args) 28 | -------------------------------------------------------------------------------- /data/test-internet.vbs: -------------------------------------------------------------------------------- 1 | ' http://www.motobit.com/tips/detpg_read-write-binary-files/ 2 | Function SaveBinaryData(FileName, ByteArray) 3 | Const adTypeBinary = 1 4 | Const adSaveCreateOverWrite = 2 5 | 6 | ' create Stream object 7 | dim BinaryStream 8 | set BinaryStream = CreateObject("ADODB.Stream") 9 | 10 | ' specify stream type - we want to save binary data. 11 | BinaryStream.Type = adTypeBinary 12 | 13 | ' open the stream and write binary data To the object 14 | BinaryStream.Open 15 | BinaryStream.Write ByteArray 16 | 17 | ' save binary data to disk 18 | BinaryStream.SaveToFile FileName, adSaveCreateOverWrite 19 | End Function 20 | 21 | ' http://stackoverflow.com/questions/5907089/how-to-post-https-request-using-vbscript 22 | Function DownloadFile(FileName, Url) 23 | dim http 24 | set http = createobject("MSXML2.ServerXMLHTTP") 25 | 26 | http.Open "GET", Url, False 27 | 28 | ' 2 stands for SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS 29 | ' 13056 means ignore all server side cert error 30 | http.setOption 2, 13056 31 | http.Send 32 | 33 | ' read response body 34 | SaveBinaryData FileName, http.responseBody 35 | End Function 36 | 37 | DownloadFile "index.html", "http://google.com/" 38 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/applet.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import tempfile 6 | 7 | from lib.common.abstracts import Package 8 | 9 | class Applet(Package): 10 | """Java Applet analysis package.""" 11 | PATHS = [ 12 | ("ProgramFiles", "Mozilla Firefox", "firefox.exe"), 13 | ("ProgramFiles", "Internet Explorer", "iexplore.exe"), 14 | ] 15 | 16 | def make_html(self, path, class_name): 17 | html = """ 18 | 19 | 20 | 21 | 22 | 23 | 24 | """ % (path, class_name) 25 | 26 | _, file_path = tempfile.mkstemp(suffix=".html") 27 | with open(file_path, "w") as file_handle: 28 | file_handle.write(html) 29 | 30 | return file_path 31 | 32 | def start(self, path): 33 | browser = self.get_path("browser") 34 | class_name = self.options.get("class") 35 | html_path = self.make_html(path, class_name) 36 | return self.execute(browser, "\"%s\"" % html_path) 37 | -------------------------------------------------------------------------------- /modules/signatures/DetectDEPBypass.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | from lib.cuckoo.common.abstracts import Signature 4 | from subprocess import Popen, PIPE 5 | 6 | class DetectDEPBypass(Signature): 7 | name = "detect_dep_bypass" 8 | description = "Detects a DEP bypass" 9 | severity = 1 10 | categories = ["exploit", "rop"] 11 | authors = ["Ilana Marcus"] 12 | minimum = "1.2" 13 | evented = True 14 | enabled = True 15 | def __init__(self, caller): 16 | Signature.__init__(self, caller) 17 | filter_categories = set(["process"]) 18 | self.has_dep_bypass = False 19 | self.api_call_functions = set() 20 | 21 | def on_call(self, call, pid): 22 | if call["api"] in ["NtAllocateVirtualMemory", "NtCreateFile", "WriteProcessMemory", "NtProtectVirtualMemory", "VirtualProtectEx", "NtWriteVirtualMemory", "memcpy"]: 23 | if self.get_argument(call, "DEPBypass") in ["1", 1]: 24 | self.has_dep_bypass = True 25 | self.api_call_functions.add(call["api"]) 26 | 27 | 28 | def on_complete(self): 29 | if self.has_dep_bypass: 30 | self.description += ": {0}".format(self.api_call_functions) 31 | return True 32 | return False 33 | -------------------------------------------------------------------------------- /modules/processing/strings.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os.path 6 | import re 7 | 8 | from lib.cuckoo.common.abstracts import Processing 9 | from lib.cuckoo.common.exceptions import CuckooProcessingError 10 | 11 | class Strings(Processing): 12 | """Extract strings from analyzed file.""" 13 | 14 | def run(self): 15 | """Run extract of printable strings. 16 | @return: list of printable strings. 17 | """ 18 | self.key = "strings" 19 | strings = [] 20 | 21 | if self.task["category"] == "file": 22 | if not os.path.exists(self.file_path): 23 | raise CuckooProcessingError("Sample file doesn't exist: \"%s\"" % self.file_path) 24 | 25 | try: 26 | data = open(self.file_path, "r").read() 27 | except (IOError, OSError) as e: 28 | raise CuckooProcessingError("Error opening file %s" % e) 29 | strings = re.findall("[\x1f-\x7e]{6,}", data) 30 | strings += [str(ws.decode("utf-16le")) for ws in re.findall("(?:[\x1f-\x7e][\x00]){6,}", data)] 31 | 32 | return strings 33 | -------------------------------------------------------------------------------- /lib/cuckoo/common/colors.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import sys 7 | 8 | def color(text, color_code): 9 | """Colorize text. 10 | @param text: text. 11 | @param color_code: color. 12 | @return: colorized text. 13 | """ 14 | # $TERM under Windows: 15 | # cmd.exe -> "" (what would you expect..?) 16 | # cygwin -> "cygwin" (should support colors, but doesn't work somehow) 17 | # mintty -> "xterm" (supports colors) 18 | if sys.platform == "win32" and os.getenv("TERM") != "xterm": 19 | return text 20 | return "\x1b[%dm%s\x1b[0m" % (color_code, text) 21 | 22 | def black(text): 23 | return color(text, 30) 24 | 25 | def red(text): 26 | return color(text, 31) 27 | 28 | def green(text): 29 | return color(text, 32) 30 | 31 | def yellow(text): 32 | return color(text, 33) 33 | 34 | def blue(text): 35 | return color(text, 34) 36 | 37 | def magenta(text): 38 | return color(text, 35) 39 | 40 | def cyan(text): 41 | return color(text, 36) 42 | 43 | def white(text): 44 | return color(text, 37) 45 | 46 | def bold(text): 47 | return color(text, 1) 48 | -------------------------------------------------------------------------------- /modules/processing/targetinfo.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os.path 6 | 7 | from lib.cuckoo.common.abstracts import Processing 8 | from lib.cuckoo.common.objects import File 9 | 10 | class TargetInfo(Processing): 11 | """General information about a file.""" 12 | 13 | def run(self): 14 | """Run file information gathering. 15 | @return: information dict. 16 | """ 17 | self.key = "target" 18 | 19 | target_info = {"category": self.task["category"]} 20 | 21 | # We have to deal with file or URL targets. 22 | if self.task["category"] == "file": 23 | target_info["file"] = {} 24 | 25 | # et's try to get as much information as possible, i.e., the 26 | # filename if the file is not available anymore. 27 | if os.path.exists(self.file_path): 28 | target_info["file"] = File(self.file_path).get_all() 29 | 30 | target_info["file"]["name"] = File(self.task["target"]).get_name() 31 | elif self.task["category"] == "url": 32 | target_info["url"] = self.task["target"] 33 | 34 | return target_info -------------------------------------------------------------------------------- /tests/database_tests.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import tempfile 6 | 7 | from sqlalchemy.exc import OperationalError 8 | from nose.tools import assert_equal, raises 9 | 10 | from lib.cuckoo.core.database import Database, Sample, Task 11 | 12 | 13 | class TestDropDatabase: 14 | """Tests database creation, adding a couple of tasks and dropping the db.""" 15 | 16 | def setUp(self): 17 | self.d = Database(dsn="sqlite://") 18 | 19 | # When dropping a db, any other query raises a (OperationalError) no such table. 20 | @raises(OperationalError) 21 | def test_drop(self): 22 | # Add task. 23 | sample_path = tempfile.mkstemp()[1] 24 | self.d.add_path(sample_path) 25 | session = self.d.Session() 26 | assert_equal(session.query(Sample).count(), 1) 27 | assert_equal(session.query(Task).count(), 1) 28 | # Add url. 29 | self.d.add_url("http://foo.bar") 30 | assert_equal(session.query(Sample).count(), 1) 31 | assert_equal(session.query(Task).count(), 2) 32 | # Drop. 33 | self.d.drop() 34 | assert_equal(session.query(Task).count(), 0) -------------------------------------------------------------------------------- /analyzer/windows/lib/jsh/extract_chrome_log.py: -------------------------------------------------------------------------------- 1 | import re 2 | 3 | log_numbers = [] 4 | 5 | # This will parse chrome log, if something is changed than 6 | # function will have to be changed as well 7 | # this is looking for something like this "CONSOLE().*()" 8 | def parse_chrome_list_by_log_number(log_number): 9 | if log_number in log_numbers: 10 | return 11 | 12 | results = re.findall('CONSOLE\(' + log_number + '\)\].*\(' + log_number + '\)', data, re.IGNORECASE | re.DOTALL) 13 | results = results[0].split("[") 14 | #print str(results) + "\r\n-------------------------------------------------\r\n" 15 | results = re.search("\".*\"", results[0], re.IGNORECASE | re.DOTALL).group(0)[1:-1] 16 | print results 17 | 18 | # in order for this to work we have to run Chrome with --enable-logging --v=1 cmd params 19 | file_path = r'C:\Users\lab\AppData\Local\Google\Chrome\User Data\chrome_debug.log' 20 | with open(file_path, 'r') as f: 21 | data = f.read() 22 | 23 | match = re.findall('CONSOLE\(\d+\)\]', data, re.IGNORECASE) 24 | for m in match: 25 | si = m.index("(") 26 | ei = m.index(")", si + 1) 27 | log_number = m[si+1:ei] 28 | parse_chrome_list_by_log_number(log_number) 29 | log_numbers.append(log_number) -------------------------------------------------------------------------------- /analyzer/windows/modules/auxiliary/disguise.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import logging 6 | from _winreg import OpenKey, SetValueEx 7 | from _winreg import HKEY_LOCAL_MACHINE, KEY_SET_VALUE, REG_SZ 8 | 9 | from lib.common.abstracts import Auxiliary 10 | from lib.common.rand import random_integer 11 | 12 | log = logging.getLogger(__name__) 13 | 14 | class Disguise(Auxiliary): 15 | """Disguise the analysis environment.""" 16 | 17 | def change_productid(self): 18 | """Randomizes Windows ProductId. 19 | The Windows ProductId is occasionally used by malware 20 | to detect public setups of Cuckoo, e.g., Malwr.com. 21 | """ 22 | key = OpenKey(HKEY_LOCAL_MACHINE, 23 | "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 24 | 0, KEY_SET_VALUE) 25 | 26 | value = "{0}-{1}-{2}-{3}".format(random_integer(5), random_integer(3), 27 | random_integer(7), random_integer(5)) 28 | 29 | SetValueEx(key, "ProductId", 0, REG_SZ, value) 30 | 31 | def start(self): 32 | self.change_productid() 33 | return True 34 | -------------------------------------------------------------------------------- /utils/db_migration/alembic.ini: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | # A generic, single database configuration. 6 | 7 | [alembic] 8 | # path to migration scripts 9 | script_location = . 10 | 11 | # template used to generate migration files 12 | file_template = %%(slug)s 13 | 14 | # max length of characters to apply to the 15 | # "slug" field 16 | #truncate_slug_length = 40 17 | 18 | # set to 'true' to run the environment during 19 | # the 'revision' command, regardless of autogenerate 20 | # revision_environment = false 21 | 22 | # Logging configuration 23 | [loggers] 24 | keys = root,sqlalchemy,alembic 25 | 26 | [handlers] 27 | keys = console 28 | 29 | [formatters] 30 | keys = generic 31 | 32 | [logger_root] 33 | level = WARN 34 | handlers = console 35 | qualname = 36 | 37 | [logger_sqlalchemy] 38 | level = WARN 39 | handlers = 40 | qualname = sqlalchemy.engine 41 | 42 | [logger_alembic] 43 | level = INFO 44 | handlers = 45 | qualname = alembic 46 | 47 | [handler_console] 48 | class = StreamHandler 49 | args = (sys.stderr,) 50 | level = NOTSET 51 | formatter = generic 52 | 53 | [formatter_generic] 54 | format = %(levelname)-5.5s [%(name)s] %(message)s 55 | datefmt = %H:%M:%S 56 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/html.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import shutil 6 | import logging 7 | 8 | from lib.common.abstracts import Package 9 | 10 | log = logging.getLogger(__name__) 11 | 12 | class HTML(Package): 13 | """HTML file analysis package.""" 14 | PATHS = [ 15 | ("ProgramFiles", "Internet Explorer", "iexplore.exe"), 16 | ] 17 | 18 | def start(self, path): 19 | iexplore = self.get_path("browser") 20 | 21 | # Travelling inside malware universe you should bring a towel with you. 22 | # If a file detected as HTML is submitted without a proper extension, 23 | # or without an extension at all (are you used to name samples with hash?), 24 | # IE is going to open it as a text file, so your precious sample will not 25 | # be executed. 26 | # We help you sample to execute renaming it with a proper extension. 27 | if not path.endswith((".htm", ".html")): 28 | shutil.copy(path, path + ".html") 29 | path += ".html" 30 | log.info("Submitted file is missing extension, adding .html") 31 | 32 | return self.execute(iexplore, "\"%s\"" % path) 33 | -------------------------------------------------------------------------------- /web/templates/analysis/network/_udp.html: -------------------------------------------------------------------------------- 1 | 2 |
      3 |

      UDP

      4 | {% if analysis.network.udp %} 5 |
      6 |
      7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | {% for p in analysis.network.udp %} 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 |
      SourceSource PortDestinationDestination Port
      {{p.src}}{{p.sport}}{{p.dst}} {{ iplookups|get_item:p.dst }}{{p.dport}}
      24 |
      25 |
      26 |
      27 | {% else %} 28 |

      No UDP connections recorded.

      29 | {% endif %} 30 |
      -------------------------------------------------------------------------------- /modules/signatures/DetectStackPivot.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | from lib.cuckoo.common.abstracts import Signature 4 | from subprocess import Popen, PIPE 5 | 6 | class DetectStackPivot(Signature): 7 | name = "detect_stack_pivot" 8 | description = "Detects a stack pivot" 9 | severity = 3 10 | categories = ["exploit", "rop"] 11 | authors = ["Ilana Marcus"] 12 | minimum = "1.2" 13 | evented = True 14 | enabled = True 15 | def __init__(self, caller): 16 | Signature.__init__(self, caller) 17 | filter_categories = set(["process"]) 18 | self.has_stack_pivot = False 19 | self.api_call_functions = set() 20 | 21 | def on_call(self, call, pid): 22 | if call["api"] in ["NtCreateFile", "NtAllocateVirtualMemory", "WriteProcessMemory", "NtProtectVirtualMemory", "VirtualProtectEx", "NtWriteVirtualMemory", "memcpy", "CreateProcessInternalW", "URLDownloadToFileW", "CreateFileMappingW", "CreateFileMappingA"]: 23 | if self.get_argument(call, "StackPivoted") in ["1", 1]: 24 | self.has_stack_pivot = True 25 | self.api_call_functions.add(call["api"]) 26 | 27 | 28 | def on_complete(self): 29 | if self.has_stack_pivot: 30 | self.description += ": {0}".format(self.api_call_functions) 31 | return True 32 | return False 33 | -------------------------------------------------------------------------------- /modules/processing/debug.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import codecs 7 | 8 | from lib.cuckoo.common.abstracts import Processing 9 | from lib.cuckoo.common.exceptions import CuckooProcessingError 10 | from lib.cuckoo.core.database import Database 11 | 12 | class Debug(Processing): 13 | """Analysis debug information.""" 14 | 15 | def run(self): 16 | """Run debug analysis. 17 | @return: debug information dict. 18 | """ 19 | self.key = "debug" 20 | debug = {"log": "", "errors": []} 21 | 22 | if os.path.exists(self.log_path): 23 | try: 24 | debug["log"] = codecs.open(self.log_path, "rb", "utf-8").read() 25 | except ValueError as e: 26 | raise CuckooProcessingError("Error decoding %s: %s" % 27 | (self.log_path, e)) 28 | except (IOError, OSError) as e: 29 | raise CuckooProcessingError("Error opening %s: %s" % 30 | (self.log_path, e)) 31 | 32 | for error in Database().view_errors(int(self.task["id"])): 33 | debug["errors"].append(error.message) 34 | 35 | return debug 36 | -------------------------------------------------------------------------------- /web/web/wsgi.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | """ 6 | WSGI config for web project. 7 | 8 | This module contains the WSGI application used by Django's development server 9 | and any production WSGI deployments. It should expose a module-level variable 10 | named ``application``. Django's ``runserver`` and ``runfcgi`` commands discover 11 | this application via the ``WSGI_APPLICATION`` setting. 12 | 13 | Usually you will have the standard Django WSGI application here, but it also 14 | might make sense to replace the whole Django WSGI application with a custom one 15 | that later delegates to the Django one. For example, you could introduce WSGI 16 | middleware here, or combine a Django application with an application of another 17 | framework. 18 | 19 | """ 20 | import os 21 | 22 | os.environ.setdefault("DJANGO_SETTINGS_MODULE", "web.settings") 23 | 24 | # This application object is used by any WSGI server configured to use this 25 | # file. This includes Django's development server, if the WSGI_APPLICATION 26 | # setting points here. 27 | from django.core.wsgi import get_wsgi_application 28 | application = get_wsgi_application() 29 | 30 | # Apply WSGI middleware here. 31 | # from helloworld.wsgi import HelloWorldApplication 32 | # application = HelloWorldApplication(application) 33 | -------------------------------------------------------------------------------- /lib/cuckoo/common/exceptions.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | class CuckooCriticalError(Exception): 6 | """Cuckoo struggle in a critical error.""" 7 | pass 8 | 9 | class CuckooStartupError(CuckooCriticalError): 10 | """Error starting up Cuckoo.""" 11 | pass 12 | 13 | class CuckooDatabaseError(CuckooCriticalError): 14 | """Cuckoo database error.""" 15 | pass 16 | 17 | class CuckooDependencyError(CuckooCriticalError): 18 | """Missing dependency error.""" 19 | pass 20 | 21 | class CuckooOperationalError(Exception): 22 | """Cuckoo operation error.""" 23 | pass 24 | 25 | class CuckooMachineError(CuckooOperationalError): 26 | """Error managing analysis machine.""" 27 | pass 28 | 29 | class CuckooAnalysisError(CuckooOperationalError): 30 | """Error during analysis.""" 31 | pass 32 | 33 | class CuckooProcessingError(CuckooOperationalError): 34 | """Error in processor module.""" 35 | pass 36 | 37 | class CuckooReportError(CuckooOperationalError): 38 | """Error in reporting module.""" 39 | pass 40 | 41 | class CuckooGuestError(CuckooOperationalError): 42 | """Cuckoo guest agent error.""" 43 | pass 44 | 45 | class CuckooResultError(CuckooOperationalError): 46 | """Cuckoo result server error.""" 47 | pass 48 | -------------------------------------------------------------------------------- /web/web/local_settings.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | LOCAL_SETTINGS = True 6 | from settings import * 7 | 8 | # If you want to customize your cuckoo path set it here. 9 | # CUCKOO_PATH = "/where/cuckoo/is/placed/" 10 | 11 | # Maximum upload size. 12 | MAX_UPLOAD_SIZE = 26214400 13 | 14 | # Override default secret key stored in secret_key.py 15 | # Make this unique, and don't share it with anybody. 16 | # SECRET_KEY = "YOUR_RANDOM_KEY" 17 | 18 | # Language code for this installation. All choices can be found here: 19 | # http://www.i18nguy.com/unicode/language-identifiers.html 20 | LANGUAGE_CODE = "en-us" 21 | 22 | ADMINS = ( 23 | # ("Your Name", "your_email@example.com"), 24 | ) 25 | 26 | MANAGERS = ADMINS 27 | 28 | # Allow verbose debug error message in case of application fault. 29 | # It's strongly suggested to set it to False if you are serving the 30 | # web application from a web server front-end (i.e. Apache). 31 | DEBUG = True 32 | 33 | # A list of strings representing the host/domain names that this Django site 34 | # can serve. 35 | # Values in this list can be fully qualified names (e.g. 'www.example.com'). 36 | # When DEBUG is True or when running tests, host validation is disabled; any 37 | # host will be accepted. Thus it's usually only necessary to set it in production. 38 | ALLOWED_HOSTS = ["*"] -------------------------------------------------------------------------------- /web/templates/dashboard/index.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |

      4 | 5 |
      6 | Estimating ~{{report.estimate_hour}} analysis per hour, {{report.estimate_day}} per day. 7 |
      8 | 9 |
      10 |
      11 |
      12 |

      {{report.total_tasks}}

      13 | Total tasks 14 |
      15 |
      16 |
      17 |
      18 |

      {{report.total_samples}}

      19 | Total samples 20 |
      21 |
      22 |
      23 | 24 |
      25 |
      26 |

      States

      27 |
      28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | {% for state, count in report.states_count.items %} 37 | 38 | 39 | 40 | 41 | {% endfor %} 42 | 43 |
      StateCount
      {{state}}{{count}}
      44 |
      45 | {% endblock %} 46 | -------------------------------------------------------------------------------- /web/templates/analysis/static/_antivirus.html: -------------------------------------------------------------------------------- 1 |
      2 | {% if analysis.virustotal and analysis.virustotal.response_code %} 3 | 4 | 5 | 6 | {% if analysis.info.category == "file" %} 7 | 8 | {% else %} 9 | 10 | {% endif %} 11 | 12 | {% for av, values in analysis.virustotal.scans.items %} 13 | 14 | 15 | 32 | 33 | {% endfor %} 34 |
      AntivirusSignatureResult
      {{av}} 16 | {% if analysis.info.category == "file" %} 17 | {% if not values.result %} 18 | Clean 19 | {% else %} 20 | {{values.result}} 21 | {% endif %} 22 | {% else %} 23 | {% if not values.detected %} 24 | 25 | {% else %} 26 | 27 | {% endif %} 28 | {{ values.result|title }} 29 | 30 | {% endif %} 31 |
      35 | {% else %} 36 | No antivirus signatures available. 37 | {% endif %} 38 |
      39 | -------------------------------------------------------------------------------- /modules/processing/captipper.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import re 3 | import os 4 | 5 | from lib.cuckoo.common.abstracts import Processing 6 | import logging 7 | log = logging.getLogger(__name__) 8 | 9 | class captipper(Processing): 10 | """Runs CapTipper on pcap""" 11 | 12 | def run(self): 13 | """Run CapTipper 14 | @return: CapTipper Struct 15 | """ 16 | self.key = "captipper" 17 | strings = [] 18 | PCAP_MAGIC = "\xd4\xc3\xb2\xa1" 19 | CAPTIPPER = "/home/tools/captipper/CapTipper.py" 20 | # If the analyzed file is a PCAP, run CapTipper on it, else run it on the dump.pcap file 21 | PCAPFILE = self.file_path if open(self.file_path, 'rb').read(4) == PCAP_MAGIC else self.pcap_path#/home/webmu/cuckoo/storage/analyses/latest/dump.pcap" 22 | log.info(PCAPFILE) 23 | REG_STR = "Magic: (.*)\)" 24 | 25 | #newpath = r'/home/webmu/cuckoo/storage/analyses/latest/files/captipper/' 26 | #newpath = r'/tmp/captipper/' 27 | newpath = self.dropped_path + '/captipper/' 28 | if not os.path.exists(newpath): 29 | os.makedirs(newpath) 30 | 31 | regex = re.compile(REG_STR) 32 | CTout = subprocess.check_output(["sudo", "python", CAPTIPPER, PCAPFILE,'-d',newpath]) 33 | types = regex.findall(CTout) 34 | 35 | exe_magic = False 36 | if "EXE" in types: 37 | exe_magic = True 38 | 39 | return dict( 40 | exe_exists=exe_magic 41 | ) 42 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/dll.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import shutil 7 | 8 | from lib.common.abstracts import Package 9 | 10 | class Dll(Package): 11 | """DLL analysis package.""" 12 | PATHS = [ 13 | ("SystemRoot", "system32", "rundll32.exe"), 14 | ] 15 | 16 | def start(self, path): 17 | rundll32 = self.get_path("rundll32.exe") 18 | function = self.options.get("function", "DllMain") 19 | arguments = self.options.get("arguments") 20 | loader_name = self.options.get("loader") 21 | 22 | # Check file extension. 23 | ext = os.path.splitext(path)[-1].lower() 24 | # If the file doesn't have the proper .dll extension force it 25 | # and rename it. This is needed for rundll32 to execute correctly. 26 | # See ticket #354 for details. 27 | if ext != ".dll": 28 | new_path = path + ".dll" 29 | os.rename(path, new_path) 30 | path = new_path 31 | 32 | args = "{0},{1}".format(path, function) 33 | if arguments: 34 | args += " {0}".format(arguments) 35 | 36 | if loader_name: 37 | loader = os.path.join(os.path.dirname(rundll32), loader_name) 38 | shutil.copy(rundll32, loader) 39 | rundll32 = loader 40 | 41 | return self.execute(rundll32, args) 42 | -------------------------------------------------------------------------------- /web/templates/compare/left.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |

      4 | 5 | 16 | 17 |
      18 |
      19 |

      Analysis 1

      20 | 21 | {% include "compare/_info.html" with record=left %} 22 |
      23 |
      24 |

      Analysis 2

      25 | 26 |

      You need to select the second analysis.

      27 | {% if records.count > 0 %} 28 |

      Following are all the other analyses of the same file:

      29 | {% include "compare/_summary_table.html" %} 30 | {% else %} 31 |

      There is no other analysis for the same file.

      32 | {% endif %} 33 | 34 |

      If you want to compare the analysis to a different file, please provide the MD5 hash:

      35 |
      36 | 37 |
      38 |
      39 |
      40 | {% endblock %} 41 | -------------------------------------------------------------------------------- /data/yara/binaries/embedded.yar: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2010-2014 Cuckoo Foundation. 2 | // This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | // See the file 'docs/LICENSE' for copying permission. 4 | 5 | rule embedded_macho 6 | { 7 | meta: 8 | author = "nex" 9 | description = "Contains an embedded Mach-O file" 10 | 11 | strings: 12 | $magic1 = { ca fe ba be } 13 | $magic2 = { ce fa ed fe } 14 | $magic3 = { fe ed fa ce } 15 | condition: 16 | any of ($magic*) and not ($magic1 at 0) and not ($magic2 at 0) and not ($magic3 at 0) 17 | } 18 | 19 | rule embedded_pe 20 | { 21 | meta: 22 | author = "nex" 23 | description = "Contains an embedded PE32 file" 24 | 25 | strings: 26 | $a = "PE32" 27 | $b = "This program" 28 | $mz = { 4d 5a } 29 | condition: 30 | ($a or $b) and not ($mz at 0) 31 | } 32 | 33 | rule embedded_win_api 34 | { 35 | meta: 36 | author = "nex" 37 | description = "A non-Windows executable contains win32 API functions names" 38 | 39 | strings: 40 | $mz = { 4d 5a } 41 | $api1 = "CreateFileA" 42 | $api2 = "GetProcAddress" 43 | $api3 = "LoadLibraryA" 44 | $api4 = "WinExec" 45 | $api5 = "GetSystemDirectoryA" 46 | $api6 = "WriteFile" 47 | $api7 = "ShellExecute" 48 | $api8 = "GetWindowsDirectory" 49 | $api9 = "URLDownloadToFile" 50 | $api10 = "IsBadReadPtr" 51 | $api11 = "IsBadWritePtr" 52 | $api12 = "SetFilePointer" 53 | $api13 = "GetTempPath" 54 | $api14 = "GetWindowsDirectory" 55 | condition: 56 | not ($mz at 0) and any of ($api*) 57 | } 58 | -------------------------------------------------------------------------------- /tests/abstracts_tests.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import tempfile 7 | from nose.tools import assert_equals, raises 8 | 9 | import lib.cuckoo.common.abstracts as abstracts 10 | from lib.cuckoo.common.config import Config 11 | 12 | 13 | class TestProcessing: 14 | def setUp(self): 15 | self.p = abstracts.Processing() 16 | 17 | @raises(NotImplementedError) 18 | def test_not_implemented_run(self): 19 | self.p.run() 20 | 21 | class TestSignature(object): 22 | def setUp(self): 23 | self.s = abstracts.Signature() 24 | 25 | @raises(NotImplementedError) 26 | def test_not_implemented_run(self): 27 | self.s.run() 28 | 29 | def test_missing_key_domain(self): 30 | """Test with domain key missing.""" 31 | self.s.results = {"network": {}} 32 | assert_equals(None, self.s.check_domain("*")) 33 | 34 | class TestReport: 35 | def setUp(self): 36 | self.r = abstracts.Report() 37 | 38 | def test_set_path(self): 39 | dir = tempfile.mkdtemp() 40 | rep_dir = os.path.join(dir, "reports") 41 | self.r.set_path(dir) 42 | assert os.path.exists(rep_dir) 43 | os.rmdir(rep_dir) 44 | 45 | def test_options_none(self): 46 | assert_equals(None, self.r.options) 47 | 48 | def test_set_options_assignment(self): 49 | foo = {1: 2} 50 | self.r.set_options(foo) 51 | assert_equals(foo, self.r.options) 52 | 53 | @raises(NotImplementedError) 54 | def test_not_implemented_run(self): 55 | self.r.run() 56 | -------------------------------------------------------------------------------- /data/html/sections/info.html: -------------------------------------------------------------------------------- 1 |
      2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 |
      CategoryStarted OnCompleted OnDurationCuckoo Version
      {{results.info.category|upper}}{{results.info.started}}{{results.info.ended}}{{results.info.duration}} seconds{{results.info.version}}
      22 |
      23 | 24 | {% if results.info.machine and results.info.machine.name %} 25 |
      26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 |
      MachineLabelManagerStarted OnShutdown On
      {{results.info.machine.name}}{{results.info.machine.label}}{{results.info.machine.manager}}{{results.info.machine.started_on}}{{results.info.machine.shutdown_on}}
      46 |
      47 | {% endif %} -------------------------------------------------------------------------------- /web/templates/analysis/behavior/_api_call.html: -------------------------------------------------------------------------------- 1 | {{call.timestamp}} 2 | {{call.api}} 3 | 4 | {% for argument in call.arguments %} 5 | {{argument.name}}: 6 | 7 | {% if argument.name == "Registry" and call.category == "registry" %} 8 | {% if argument.value == "0x80000000" %} 9 | HKEY_CLASSES_ROOT 10 | {% elif argument.value == "0x80000001" %} 11 | HKEY_CURRENT_USER 12 | {% elif argument.value == "0x80000002" %} 13 | HKEY_LOCAL_MACHINE 14 | {% elif argument.value == "0x80000003" %} 15 | HKEY_USERS 16 | {% elif argument.value == "0x80000004" %} 17 | HKEY_PERFORMANCE_DATA 18 | {% elif argument.value == "0x80000005" %} 19 | HKEY_CURRENT_CONFIG 20 | {% elif argument.value == "0x80000006" %} 21 | HKEY_DYN_DATA 22 | {% else %} 23 | {{argument.value}} 24 | {% endif %} 25 | {% else %} 26 | {{argument.value}} 27 | {% endif %} 28 |
      29 | {% endfor %} 30 | 31 | 32 | {% if call.status %} 33 | success 34 | {% else %} 35 | failed 36 | {% endif %} 37 | 38 | {{call.return}} 39 | 40 | {% if call.repeated > 0 %} 41 | {{call.repeated}} 42 | {% if call.repeated > 1 %} 43 | times 44 | {% else %} 45 | time 46 | {% endif %} 47 | {% endif %} 48 | -------------------------------------------------------------------------------- /web/templates/analysis/overview/_summary.html: -------------------------------------------------------------------------------- 1 |
      2 |

      Summary

      3 |
      4 | 9 |
      10 |
      11 |
      12 | {% if analysis.behavior.summary.files %} 13 | {% for file in analysis.behavior.summary.files %} 14 | {{file}}
      15 | {% endfor %} 16 | {% endif %} 17 |
      18 |
      19 |
      20 |
      21 | {% if analysis.behavior.summary.keys %} 22 | {% for key in analysis.behavior.summary.keys %} 23 | {{key}}
      24 | {% endfor %} 25 | {% endif %} 26 |
      27 |
      28 |
      29 |
      30 | {% if analysis.behavior.summary.mutexes %} 31 | {% for mutex in analysis.behavior.summary.mutexes %} 32 | {{mutex}}
      33 | {% endfor %} 34 | {% endif %} 35 |
      36 |
      37 |
      38 |
      39 |
      40 | -------------------------------------------------------------------------------- /tests/config_tests.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import tempfile 6 | from nose.tools import assert_equals, raises 7 | 8 | from lib.cuckoo.common.config import Config 9 | from lib.cuckoo.common.exceptions import CuckooOperationalError 10 | 11 | 12 | class TestConfig: 13 | CONF_EXAMPLE = """ 14 | [cuckoo] 15 | debug = off 16 | analysis_timeout = 120 17 | critical_timeout = 600 18 | delete_original = off 19 | machine_manager = kvm 20 | use_sniffer = no 21 | tcpdump = /usr/sbin/tcpdump 22 | interface = vboxnet0 23 | """ 24 | 25 | def setUp(self): 26 | self.path = tempfile.mkstemp()[1] 27 | self._load_conf(self.CONF_EXAMPLE) 28 | self.c = Config(cfg=self.path) 29 | 30 | def _load_conf(self, conf): 31 | """Loads a configuration from a string. 32 | @param conf: configuration string. 33 | """ 34 | f = open(self.path, "w") 35 | f.write(conf) 36 | f.close() 37 | 38 | def test_get_option_exist(self): 39 | """Fetch an option of each type from default config file.""" 40 | assert_equals(self.c.get("cuckoo")["debug"], False) 41 | assert_equals(self.c.get("cuckoo")["tcpdump"], "/usr/sbin/tcpdump") 42 | assert_equals(self.c.get("cuckoo")["critical_timeout"], 600) 43 | 44 | def test_config_file_not_found(self): 45 | assert Config("foo") 46 | 47 | @raises(CuckooOperationalError) 48 | def test_get_option_not_found(self): 49 | self.c.get("foo") 50 | 51 | @raises(CuckooOperationalError) 52 | def test_get_option_not_found_in_file_not_found(self): 53 | self.c = Config("bar") 54 | self.c.get("foo") 55 | -------------------------------------------------------------------------------- /docs/book/src/installation/guest/requirements.rst: -------------------------------------------------------------------------------- 1 | ============ 2 | Requirements 3 | ============ 4 | 5 | In order to make Cuckoo run properly in your virtualized Windows system, you 6 | will have to install some required software and libraries. 7 | 8 | Install Python 9 | ============== 10 | 11 | Python is a strict requirement for the Cuckoo guest component (*analyzer*) in 12 | order to run properly. 13 | 14 | You can download the proper Windows installer from the `official website`_. 15 | Also in this case Python 2.7 is preferred. 16 | 17 | Some Python libraries are optional and provide some additional features to 18 | Cuckoo guest component. They include: 19 | 20 | * `Python Image Library`_: it's used for taking screenshots of the Windows desktop during the analysis. 21 | 22 | They are not strictly required by Cuckoo to work properly, but you are encouraged 23 | to install them if you want to have access to all available features. Make sure 24 | to download and install the proper packages according to your Python version. 25 | 26 | .. _`official website`: http://www.python.org/getit/ 27 | .. _`Python Image Library`: http://www.pythonware.com/products/pil/ 28 | 29 | Additional Software 30 | =================== 31 | 32 | At this point you should have installed everything needed by Cuckoo to run 33 | properly. 34 | 35 | Depending on what kind of files you want to analyze and what kind of sandboxed 36 | Windows environment you want to run the malware samples in, you might want to install 37 | additional software such as browsers, PDF readers, office suites etc. 38 | Remember to disable the "auto update" or "check for updates" feature of 39 | any additional software. 40 | 41 | This is completely up to you and to what your needs are. You can get some hints 42 | by reading the :doc:`../../introduction/sandboxing` chapter. 43 | 44 | -------------------------------------------------------------------------------- /modules/signatures/DetectWerProcess.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | from lib.cuckoo.common.abstracts import Signature 4 | from subprocess import Popen, PIPE 5 | import re 6 | 7 | class DetectWerProcess(Signature): 8 | name = "detect_WerFault" 9 | description = "Detected a crash" 10 | severity = 2 11 | categories = ["exploit", "rop"] 12 | authors = ["Ilana Marcus"] 13 | minimum = "1.2" 14 | enabled = True 15 | def __init__(self, caller): 16 | Signature.__init__(self, caller) 17 | filter_categories = set(["process"]) 18 | 19 | def on_complete(self): 20 | for proc in self.get_results("behavior", {})["processes"]: 21 | if proc["process_name"].lower() == "werfault.exe": 22 | return True 23 | for proc in self.get_results("running_processes", []): 24 | if proc["Caption"] == "WerFault.exe": 25 | pattern = re.compile("C:\\\\Windows\\\\system32\\\\WerFault.exe\s-u\s-p\s(\d+)\s-s\s\d+") 26 | 27 | command_line = proc["CommandLine"] #eg, C:\Windows\system32\WerFault.exe -u -p 3796 -s 612 28 | matches = pattern.match(command_line) 29 | 30 | if (matches): 31 | if matches.group(1): 32 | crashed_process_pid = matches.group(1) 33 | crashed_process = self.get_process_by_pid(crashed_process_pid) 34 | if crashed_process: 35 | self.description += " in process {0} with pid {1}".format(crashed_process["Caption"], crashed_process["ProcessId"]) 36 | return True 37 | return None 38 | 39 | def get_process_by_pid(self, pid): 40 | for proc in self.get_results("running_processes", []): 41 | if proc["ProcessId"] == pid: 42 | return proc 43 | -------------------------------------------------------------------------------- /web/templates/analysis/behavior/_search_results.html: -------------------------------------------------------------------------------- 1 | 2 | 8 |
      9 |

      Results

      10 |

      11 | network 12 | filesystem 13 | registry 14 | process 15 | services 16 | synchronization 17 |

      18 | {% if results %} 19 | 20 | 21 | {% for match in results %} 22 | 23 | {% for sign in match.signs %} 24 | 25 | {% include "analysis/behavior/_api_call.html" with call=sign %} 26 | 31 | 32 | {% endfor %} 33 | {% endfor %} 34 | 35 |
      Process: {{match.process.process_name}} ({{match.process.process_id}})
      27 | 28 | 29 | 30 |
      36 | {% else %} 37 |

      No results

      38 | {% endif %} 39 |
      -------------------------------------------------------------------------------- /analyzer/windows/lib/jsh/server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | Save this file as server.py 5 | >>> python server.py 0.0.0.0 8001 6 | serving on 0.0.0.0:8001 7 | 8 | or simply 9 | 10 | >>> python server.py 11 | Serving on localhost:8000 12 | 13 | You can use this to test GET and POST methods. 14 | 15 | """ 16 | 17 | import SimpleHTTPServer 18 | import SocketServer 19 | import logging 20 | import cgi 21 | 22 | import sys 23 | 24 | 25 | if len(sys.argv) > 2: 26 | PORT = int(sys.argv[2]) 27 | I = sys.argv[1] 28 | elif len(sys.argv) > 1: 29 | PORT = int(sys.argv[1]) 30 | I = "" 31 | else: 32 | PORT = 8000 33 | I = "" 34 | 35 | 36 | class ServerHandler(SimpleHTTPServer.SimpleHTTPRequestHandler): 37 | 38 | def do_GET(self): 39 | logging.warning("======= GET STARTED =======") 40 | logging.warning(self.headers) 41 | SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self) 42 | 43 | def do_POST(self): 44 | logging.warning("======= POST STARTED =======") 45 | logging.warning(self.headers) 46 | form = cgi.FieldStorage( 47 | fp=self.rfile, 48 | headers=self.headers, 49 | environ={'REQUEST_METHOD':'POST', 50 | 'CONTENT_TYPE':self.headers['Content-Type'], 51 | }) 52 | logging.warning("======= POST VALUES =======") 53 | for item in form.list: 54 | logging.warning(item) 55 | logging.warning("\n") 56 | SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self) 57 | 58 | Handler = ServerHandler 59 | 60 | httpd = SocketServer.TCPServer(("", PORT), Handler) 61 | 62 | print "@rochacbruno Python http server version 0.1 (for testing purposes only)" 63 | print "Serving at: http://%(interface)s:%(port)s" % dict(interface=I or "localhost", port=PORT) 64 | httpd.serve_forever() 65 | -------------------------------------------------------------------------------- /web/templates/analysis/network/index.html: -------------------------------------------------------------------------------- 1 | {% if analysis.network.pcap_id %} 2 |
      Download PCAP
      3 | {% endif %} 4 |
      5 | 14 |
      15 |
      {% include "analysis/network/_hosts.html" %}
      16 |
      {% include "analysis/network/_dns.html" %}
      17 |
      {% include "analysis/network/_tcp.html" %}
      18 |
      {% include "analysis/network/_udp.html" %}
      19 |
      {% include "analysis/network/_http.html" %}
      20 |
      {% include "analysis/network/_icmp.html" %}
      21 |
      {% include "analysis/network/_irc.html" %}
      22 |
      23 |
      24 | -------------------------------------------------------------------------------- /analyzer/windows/lib/core/packages.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | def choose_package(file_type, file_name): 6 | """Choose analysis package due to file type and file extension. 7 | @param file_type: file type. 8 | @param file_name: file name. 9 | @return: package name or None. 10 | """ 11 | if not file_type: 12 | return None 13 | 14 | file_name = file_name.lower() 15 | 16 | if "DLL" in file_type: 17 | if file_name.endswith(".cpl"): 18 | return "cpl" 19 | else: 20 | return "dll" 21 | elif "PE32" in file_type or "MS-DOS" in file_type: 22 | return "exe" 23 | elif "PDF" in file_type or file_name.endswith(".pdf"): 24 | return "pdf" 25 | elif "Rich Text Format" in file_type or \ 26 | "Microsoft Word" in file_type or \ 27 | "Microsoft Office Word" in file_type or \ 28 | file_name.endswith((".doc", ".docx", ".rtf")): 29 | return "doc" 30 | elif "Microsoft Office Excel" in file_type or \ 31 | "Microsoft Excel" in file_type or \ 32 | file_name.endswith((".xls", ".xlsx")): 33 | return "xls" 34 | elif "Microsoft PowerPoint" in file_type or \ 35 | file_name.endswith((".ppt", ".pptx", ".pps", ".ppsx", ".pptm", ".potm", ".potx", ".ppsm")): 36 | return "ppt" 37 | elif "HTML" in file_type or file_name.endswith((".htm", ".html")): 38 | return "html" 39 | elif file_name.endswith(".jar"): 40 | return "jar" 41 | elif "Zip" in file_type: 42 | return "zip" 43 | elif file_name.endswith((".py", ".pyc")) or "Python script" in file_type: 44 | return "python" 45 | elif file_name.endswith(".vbs"): 46 | return "vbs" 47 | elif file_name.endswith(".msi"): 48 | return "msi" 49 | else: 50 | return "generic" 51 | -------------------------------------------------------------------------------- /web/templates/analysis/pending.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |

      4 | 5 |
      6 |
      7 |

      Pending Tasks

      8 |
      9 | {% if tasks %} 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | {% for task in tasks %} 21 | 22 | 29 | 30 | 31 | 44 | 45 | {% endfor %} 46 | 47 |
      TimestampCategoryTargetStatus
      23 | {% if task.status == "reported" %} 24 | {{task.completed_on}} 25 | {% else %} 26 | {{task.added_on}} (added on) 27 | {% endif %} 28 | {{task.category}}{{task.target}} 32 | {% if task.status == "pending" %} 33 | pending 34 | {% elif task.status == "running" %} 35 | running 36 | {% elif task.status == "completed" %} 37 | completed 38 | {% elif task.status == "reported" %} 39 | reported 40 | {% else %} 41 | {{task.status}} 42 | {% endif %} 43 |
      48 | {% else %} 49 |
      No pending tasks.
      50 | {% endif %} 51 |
      52 | {% endblock %} 53 | -------------------------------------------------------------------------------- /web/templates/header.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Cuckoo Sandbox 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 |
      18 | 37 |
      38 | -------------------------------------------------------------------------------- /analyzer/windows/modules/packages/ie_jsh.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2014 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.common.abstracts import Package 6 | import subprocess 7 | import os 8 | import time 9 | from libmproxy import proxy 10 | from libmproxy.proxy.server import ProxyServer 11 | import thread 12 | import sys 13 | sys.path.append(os.path.join(os.path.dirname(__file__), "..", "..", "lib", "jsh")) 14 | import InjectionProxy 15 | from lib.common.results import NetlogFile 16 | import logging 17 | 18 | log = logging.getLogger(__name__) 19 | 20 | class ie_jsh(Package): 21 | """Internet Explorer analysis package.""" 22 | PATHS = [ 23 | ("ProgramFiles", "Internet Explorer", "iexplore.exe"), 24 | ] 25 | 26 | working_path = "" 27 | 28 | def start(self, url): 29 | log.info("before proxy") 30 | config = proxy.ProxyConfig(port=8888) 31 | server = ProxyServer(config) 32 | self.m = InjectionProxy.InjectionProxy(server) 33 | log.info("before thread") 34 | thread.start_new_thread(self.m.run,()) 35 | 36 | #self.working_path = os.path.dirname(os.path.realpath(__file__)) 37 | #self.working_path = os.path.join(self.working_path, "..", "..", "lib", "jsh") 38 | #subprocess.Popen("python " + os.path.join(self.working_path, "InjectionProxy.py")) 39 | time.sleep(2) # waits for proxy to go up 40 | iexplore = self.get_path("Internet Explorer") 41 | log.info("after thread, before execute") 42 | return self.execute(iexplore, args="%s" % url) 43 | 44 | #def check(self): 45 | #data = self.m.get_logs() 46 | #nc = NetlogFile("files/proxyLog.log") 47 | #nc.send(data, retry=True) 48 | #return True 49 | 50 | def finish(self): 51 | data = self.m.get_logs() 52 | nc = NetlogFile("files/proxyLog.log") 53 | nc.send(data, retry=True) 54 | return True 55 | -------------------------------------------------------------------------------- /docs/book/src/development/development_notes.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | Development Notes 3 | ================= 4 | 5 | Git branches 6 | ============ 7 | 8 | Cuckoo Sandbox source code is available in our `official git repository`_. 9 | 10 | .. _`official git repository`: https://github.com/cuckoobox/cuckoo 11 | 12 | Up until version 1.0 we used to coordinate all ongoing development in a 13 | dedicated "development" branch and we've been exclusively merging pull requests 14 | in such branch. 15 | Since version 1.1 we moved development to the traditional "master" branch and we 16 | make use of GitHub's tags and release system to reference development milestones 17 | in time. 18 | 19 | Release Versioning 20 | ================== 21 | 22 | Cuckoo releases are named using three numbers separated by dots, such as 1.2.3, 23 | where the first number is the release, the second number is the major version, 24 | the third number is the bugfix version. 25 | The testing stage from git ends with "-beta" and development stage with "-dev". 26 | 27 | .. warning:: 28 | 29 | If you are using a "beta" or "dev" stage, please consider that it's not 30 | meant to be an official release, therefore we don't guarantee its functioning 31 | and we don't generally provide support. 32 | If you think you encountered a bug there, make sure that the nature of the 33 | problem is not related to your own misconfiguration and collect all the details 34 | to be notified to our developers. Make sure to specify which exact version you 35 | are using, eventually with your current git commit id. 36 | 37 | Ticketing system 38 | ================ 39 | 40 | To submit bug reports or feature requests, please use GitHub's `Issue`_ tracking 41 | system. 42 | 43 | .. _`Issue`: https://github.com/cuckoobox/cuckoo/issues 44 | 45 | Contribute 46 | ========== 47 | 48 | To submit your patch just create a Pull Request from your GitHub fork. 49 | If you don't now how to create a Pull Request take a look to `GitHub help`_. 50 | 51 | .. _`GitHub help`: https://help.github.com/articles/using-pull-requests/ 52 | -------------------------------------------------------------------------------- /docs/book/src/usage/start.rst: -------------------------------------------------------------------------------- 1 | =============== 2 | Starting Cuckoo 3 | =============== 4 | 5 | To start Cuckoo use the command:: 6 | 7 | $ python cuckoo.py 8 | 9 | Make sure to run it inside Cuckoo's root directory. 10 | 11 | You will get an output similar to this:: 12 | 13 | eeee e e eeee e e eeeee eeeee 14 | 8 8 8 8 8 8 8 8 8 88 8 88 15 | 8e 8e 8 8e 8eee8e 8 8 8 8 16 | 88 88 8 88 88 8 8 8 8 8 17 | 88e8 88ee8 88e8 88 8 8eee8 8eee8 18 | 19 | Cuckoo Sandbox 1.2 20 | www.cuckoosandbox.org 21 | Copyright (c) 2010-2015 22 | 23 | Checking for updates... 24 | Good! You have the latest version available. 25 | 26 | 2013-04-07 15:57:17,459 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager 27 | 2013-04-07 15:57:17,861 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s 28 | 2013-04-07 15:57:17,862 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks... 29 | 30 | Note that Cuckoo checks for updates on a remote API located at *api.cuckoosandbox.org*. 31 | You can avoid this by disabling the ``version_check`` option in the configuration file. 32 | 33 | Now Cuckoo is ready to run and it's waiting for submissions. 34 | 35 | ``cuckoo.py`` accepts some command line options as shown by the help:: 36 | 37 | usage: cuckoo.py [-h] [-q] [-d] [-v] [-a] [-t] [-m MAX_ANALYSIS_COUNT] 38 | [--clean] 39 | 40 | optional arguments: 41 | -h, --help show this help message and exit 42 | -q, --quiet Display only error messages 43 | -d, --debug Display debug messages 44 | -v, --version show program's version number and exit 45 | -a, --artwork Show artwork 46 | -t, --test Test startup 47 | -m MAX_ANALYSIS_COUNT, --max-analysis-count MAX_ANALYSIS_COUNT 48 | Maximum number of analyses 49 | --clean Remove all tasks and samples and their associated data 50 | 51 | 52 | Most importantly ``--debug`` and ``--quiet`` respectively increase and decrease the logging 53 | verbosity. 54 | -------------------------------------------------------------------------------- /modules/processing/analysisinfo.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import time 6 | import json 7 | import logging 8 | from datetime import datetime 9 | 10 | from lib.cuckoo.core.database import Database 11 | from lib.cuckoo.common.abstracts import Processing 12 | from lib.cuckoo.common.constants import CUCKOO_VERSION 13 | 14 | log = logging.getLogger(__name__) 15 | 16 | class AnalysisInfo(Processing): 17 | """General information about analysis session.""" 18 | 19 | def run(self): 20 | """Run information gathering. 21 | @return: information dict. 22 | """ 23 | self.key = "info" 24 | 25 | try: 26 | started = time.strptime(self.task["started_on"], "%Y-%m-%d %H:%M:%S") 27 | started = datetime.fromtimestamp(time.mktime(started)) 28 | ended = time.strptime(self.task["completed_on"], "%Y-%m-%d %H:%M:%S") 29 | ended = datetime.fromtimestamp(time.mktime(ended)) 30 | except: 31 | log.critical("Failed to get start/end time from Task.") 32 | duration = -1 33 | else: 34 | duration = (ended - started).seconds 35 | 36 | db = Database() 37 | 38 | # Fetch sqlalchemy object. 39 | task = db.view_task(self.task["id"], details=True) 40 | 41 | if task and task.guest: 42 | # Get machine description ad json. 43 | machine = task.guest.to_dict() 44 | # Remove useless task_id. 45 | del(machine["task_id"]) 46 | # Save. 47 | self.task["machine"] = machine 48 | 49 | return dict( 50 | version=CUCKOO_VERSION, 51 | started=self.task["started_on"], 52 | ended=self.task.get("completed_on", "none"), 53 | duration=duration, 54 | id=int(self.task["id"]), 55 | category=self.task["category"], 56 | custom=self.task["custom"], 57 | machine=self.task["machine"], 58 | package=self.task["package"] 59 | ) 60 | -------------------------------------------------------------------------------- /modules/signatures/generic_metrics.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.cuckoo.common.abstracts import Signature 6 | 7 | class SystemMetrics(Signature): 8 | name = "generic_metrics" 9 | description = "Uses GetSystemMetrics" 10 | severity = 2 11 | categories = ["generic"] 12 | authors = ["Cuckoo Developers"] 13 | minimum = "1.0" 14 | 15 | # Evented signatures need to implement the "on_call" method 16 | evented = True 17 | 18 | # Evented signatures can specify filters that reduce the amount of 19 | # API calls that are streamed in. One can filter Process name, API 20 | # name/identifier and category. These should be sets for faster lookup. 21 | filter_processnames = set() 22 | filter_apinames = set(["GetSystemMetrics"]) 23 | filter_categories = set() 24 | 25 | # This is a signature template. It should be used as a skeleton for 26 | # creating custom signatures, therefore is disabled by default. 27 | # The on_call function is used in "evented" signatures. 28 | # These use a more efficient way of processing logged API calls. 29 | enabled = False 30 | 31 | def stop(self): 32 | # In the stop method one can implement any cleanup code and 33 | # decide one last time if this signature matches or not. 34 | # Return True in case it matches. 35 | return False 36 | 37 | # This method will be called for every logged API call by the loop 38 | # in the RunSignatures plugin. The return value determines the "state" 39 | # of this signature. True means the signature matched and False means 40 | # it can't match anymore. Both of which stop streaming in API calls. 41 | # Returning None keeps the signature active and will continue. 42 | def on_call(self, call, process): 43 | # This check would in reality not be needed as we already make use 44 | # of filter_apinames above. 45 | if call["api"] == "GetSystemMetrics": 46 | # Signature matched, return True. 47 | return True 48 | 49 | # continue 50 | return None 51 | -------------------------------------------------------------------------------- /modules/machinery/esx.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # Copyright (C) 2013 Christopher Schmitt 3 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 4 | # See the file 'docs/LICENSE' for copying permission. 5 | 6 | import logging 7 | import libvirt 8 | 9 | from lib.cuckoo.common.abstracts import LibVirtMachinery 10 | from lib.cuckoo.common.exceptions import CuckooCriticalError 11 | from lib.cuckoo.common.exceptions import CuckooMachineError 12 | 13 | class ESX(LibVirtMachinery): 14 | """Virtualization layer for ESXi/ESX based on python-libvirt.""" 15 | def _initialize_check(self): 16 | """Runs all checks when a machine manager is initialized. 17 | @raise CuckooMachineError: if configuration is invalid 18 | """ 19 | if not self.options.esx.dsn: 20 | raise CuckooMachineError("ESX(i) DSN is missing, please add it to the config file") 21 | if not self.options.esx.username: 22 | raise CuckooMachineError("ESX(i) username is missing, please add it to the config file") 23 | if not self.options.esx.password: 24 | raise CuckooMachineError("ESX(i) password is missing, please add it to the config file") 25 | 26 | self.dsn = self.options.esx.dsn 27 | 28 | super(ESX, self)._initialize_check() 29 | 30 | def _auth_callback(self, credentials, user_data): 31 | for credential in credentials: 32 | if credential[0] == libvirt.VIR_CRED_AUTHNAME: 33 | credential[4] = self.options.esx.username 34 | elif credential[0] == libvirt.VIR_CRED_NOECHOPROMPT: 35 | credential[4] = self.options.esx.password 36 | else: 37 | raise CuckooCriticalError("ESX machinery did not recieve an object to inject a username or password into") 38 | 39 | return 0 40 | 41 | def _connect(self): 42 | try: 43 | self.auth = [[libvirt.VIR_CRED_AUTHNAME, libvirt.VIR_CRED_NOECHOPROMPT], self._auth_callback, None] 44 | return libvirt.openAuth(self.dsn, self.auth, 0) 45 | except libvirt.libvirtError as libvex: 46 | raise CuckooCriticalError("libvirt returned an exception on connection: %s" % libvex) 47 | -------------------------------------------------------------------------------- /utils/db_migration/env.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from __future__ import with_statement 6 | 7 | import os.path 8 | import sys 9 | 10 | from alembic import context 11 | from sqlalchemy import create_engine, pool 12 | from logging.config import fileConfig 13 | 14 | # This is the Alembic Config object, which provides access to the values within 15 | # the .ini file in use. 16 | config = context.config 17 | 18 | # Interpret the config file for Python logging. 19 | # This line sets up loggers basically. 20 | fileConfig(config.config_file_name) 21 | 22 | # Get cuckoo root path. 23 | curdir = os.path.abspath(os.path.dirname(__file__)) 24 | sys.path.append(os.path.join(curdir, "..", "..")) 25 | 26 | from lib.cuckoo.core.database import Base, Database 27 | 28 | # Get database connection string from cuckoo configuration. 29 | url = Database(schema_check=False).engine.url.__to_string__(hide_password=False) 30 | target_metadata = Base.metadata 31 | 32 | def run_migrations_offline(): 33 | """Run migrations in 'offline' mode. 34 | This configures the context with just a URL 35 | and not an Engine, though an Engine is acceptable 36 | here as well. By skipping the Engine creation 37 | we don't even need a DBAPI to be available. 38 | Calls to context.execute() here emit the given string to the 39 | script output. 40 | """ 41 | context.configure(url=url) 42 | 43 | with context.begin_transaction(): 44 | context.run_migrations() 45 | 46 | def run_migrations_online(): 47 | """Run migrations in 'online' mode. 48 | In this scenario we need to create an Engine 49 | and associate a connection with the context. 50 | """ 51 | engine = create_engine(url, poolclass=pool.NullPool) 52 | 53 | connection = engine.connect() 54 | context.configure(connection=connection, target_metadata=target_metadata) 55 | 56 | try: 57 | with context.begin_transaction(): 58 | context.run_migrations() 59 | finally: 60 | connection.close() 61 | 62 | if context.is_offline_mode(): 63 | run_migrations_offline() 64 | else: 65 | run_migrations_online() 66 | -------------------------------------------------------------------------------- /modules/signatures/DetectBufferShellcode.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | from lib.cuckoo.common.abstracts import Signature 4 | from subprocess import Popen, PIPE 5 | 6 | 7 | class DetectBufferShellcode(Signature): 8 | name = "detect_buffer_shellcode" 9 | description = "Found shellcode in a buffer." 10 | severity = 1 11 | categories = ["exploit", "rop"] 12 | authors = ["Ilana Marcus"] 13 | minimum = "1.2" 14 | evented = True 15 | enabled = True 16 | def __init__(self, caller): 17 | Signature.__init__(self, caller) 18 | self.buffers = [] 19 | filter_categories = set(["process"]) 20 | #filter_apinames = set(["LdrGetDllHandle", "WriteProcessMemory", "NtWriteVirtualMemory"]) 21 | 22 | def decode_buffer(self, s): 23 | out = '' 24 | i = 0 25 | while i < len(s): 26 | try: 27 | if i 0: 49 | with open("WPM_buffer_output.txt", 'wb') as output: 50 | for b in self.buffers: 51 | try: 52 | output.write(b.decode("string_escape")) 53 | except: 54 | output.write(self.decode_buffer(b)) 55 | p = Popen(['/home/tools/scd/engine_cli', "WPM_buffer_output.txt"], stdout=PIPE, stderr=subprocess.STDOUT) 56 | engine_cli_output, err = p.communicate() 57 | if "SUPER-GREEN" in engine_cli_output: 58 | return True 59 | return False 60 | 61 | 62 | -------------------------------------------------------------------------------- /web/templates/analysis/overview/_file.html: -------------------------------------------------------------------------------- 1 |
      2 |

      File Details

      3 |
      4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 54 | 55 | 56 | 57 | 58 | 59 |
      File Name{{analysis.target.file.name}}
      File Size{{analysis.target.file.size}} bytes
      File Type{{analysis.target.file.type}}
      MD5{{analysis.target.file.md5}}
      SHA1{{analysis.target.file.sha1}}
      SHA256{{analysis.target.file.sha256}}
      SHA512{{analysis.target.file.sha512}}
      CRC32{{analysis.target.file.crc32}}
      Ssdeep{{analysis.target.file.ssdeep}}
      Yara 44 | {% if analysis.target.file.yara %} 45 |
        46 | {% for sign in analysis.target.file.yara %} 47 |
      • {{sign.name}} - {{sign.meta.description}}
        • 48 | {% endfor %} 49 |
      50 | {% else %} 51 | None matched 52 | {% endif %} 53 |
      Download
      60 |
      61 |
      -------------------------------------------------------------------------------- /analyzer/windows/lib/core/config.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import ConfigParser 6 | 7 | class Config: 8 | def __init__(self, cfg): 9 | """@param cfg: configuration file.""" 10 | config = ConfigParser.ConfigParser(allow_no_value=True) 11 | config.read(cfg) 12 | 13 | for section in config.sections(): 14 | for name, raw_value in config.items(section): 15 | if name == "file_name": 16 | value = config.get(section, name) 17 | else: 18 | try: 19 | value = config.getboolean(section, name) 20 | except ValueError: 21 | try: 22 | value = config.getint(section, name) 23 | except ValueError: 24 | value = config.get(section, name) 25 | setattr(self, name, value) 26 | 27 | def get_options(self): 28 | """Get analysis options. 29 | @return: options dict. 30 | """ 31 | # The analysis package can be provided with some options in the 32 | # following format: 33 | # option1=value1,option2=value2,option3=value3 34 | # 35 | # Here we parse such options and provide a dictionary that will be made 36 | # accessible to the analysis package. 37 | options = {} 38 | if hasattr(self, "options"): 39 | try: 40 | # Split the options by comma. 41 | fields = self.options.split(",") 42 | except ValueError as e: 43 | pass 44 | else: 45 | for field in fields: 46 | # Split the name and the value of the option. 47 | try: 48 | key, value = field.split("=", 1) 49 | except ValueError as e: 50 | pass 51 | else: 52 | # If the parsing went good, we add the option to the 53 | # dictionary. 54 | options[key.strip()] = value.strip() 55 | 56 | return options 57 | -------------------------------------------------------------------------------- /lib/cuckoo/common/config.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | import ConfigParser 7 | 8 | from lib.cuckoo.common.constants import CUCKOO_ROOT 9 | from lib.cuckoo.common.exceptions import CuckooOperationalError 10 | from lib.cuckoo.common.objects import Dictionary 11 | 12 | class Config: 13 | """Configuration file parser.""" 14 | 15 | def __init__(self, file_name="cuckoo", cfg=None): 16 | """ 17 | @param file_name: file name without extension. 18 | @param cfg: configuration file path. 19 | """ 20 | config = ConfigParser.ConfigParser() 21 | 22 | if cfg: 23 | config.read(cfg) 24 | else: 25 | config.read(os.path.join(CUCKOO_ROOT, "conf", "%s.conf" % file_name)) 26 | 27 | for section in config.sections(): 28 | setattr(self, section, Dictionary()) 29 | for name, raw_value in config.items(section): 30 | try: 31 | # Ugly fix to avoid '0' and '1' to be parsed as a 32 | # boolean value. 33 | # We raise an exception to goto fail^w parse it 34 | # as integer. 35 | if config.get(section, name) in ["0", "1"]: 36 | raise ValueError 37 | 38 | value = config.getboolean(section, name) 39 | except ValueError: 40 | try: 41 | value = config.getint(section, name) 42 | except ValueError: 43 | value = config.get(section, name) 44 | 45 | setattr(getattr(self, section), name, value) 46 | 47 | def get(self, section): 48 | """Get option. 49 | @param section: section to fetch. 50 | @raise CuckooOperationalError: if section not found. 51 | @return: option value. 52 | """ 53 | try: 54 | return getattr(self, section) 55 | except AttributeError as e: 56 | raise CuckooOperationalError("Option %s is not found in " 57 | "configuration, error: %s" % 58 | (section, e)) 59 | -------------------------------------------------------------------------------- /analyzer/windows/modules/auxiliary/screenshots.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import time 6 | import logging 7 | import StringIO 8 | from threading import Thread 9 | 10 | from lib.common.abstracts import Auxiliary 11 | from lib.common.results import NetlogFile 12 | from lib.api.screenshot import Screenshot 13 | 14 | log = logging.getLogger(__name__) 15 | SHOT_DELAY = 1 16 | # Skip the following area when comparing screen shots. 17 | # Example for 800x600 screen resolution. 18 | # SKIP_AREA = ((735, 575), (790, 595)) 19 | SKIP_AREA = None 20 | 21 | class Screenshots(Auxiliary, Thread): 22 | """Take screenshots.""" 23 | 24 | def __init__(self): 25 | Thread.__init__(self) 26 | self.do_run = True 27 | 28 | def stop(self): 29 | """Stop screenshotting.""" 30 | self.do_run = False 31 | 32 | def run(self): 33 | """Run screenshotting. 34 | @return: operation status. 35 | """ 36 | if not Screenshot().have_pil(): 37 | log.warning("Python Image Library is not installed, " 38 | "screenshots are disabled") 39 | return False 40 | 41 | img_counter = 0 42 | img_last = None 43 | 44 | while self.do_run: 45 | time.sleep(SHOT_DELAY) 46 | 47 | try: 48 | img_current = Screenshot().take() 49 | except IOError as e: 50 | log.error("Cannot take screenshot: %s", e) 51 | continue 52 | 53 | if img_last: 54 | if Screenshot().equal(img_last, img_current, SKIP_AREA): 55 | continue 56 | 57 | img_counter += 1 58 | 59 | # workaround as PIL can't write to the socket file object :( 60 | tmpio = StringIO.StringIO() 61 | img_current.save(tmpio, format="JPEG") 62 | tmpio.seek(0) 63 | 64 | # now upload to host from the StringIO 65 | nf = NetlogFile("shots/%s.jpg" % str(img_counter).rjust(4, "0")) 66 | 67 | for chunk in tmpio: 68 | nf.sock.sendall(chunk) 69 | 70 | nf.close() 71 | 72 | img_last = img_current 73 | 74 | return True 75 | -------------------------------------------------------------------------------- /web/templates/analysis/report.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |
      4 |

      5 |
      Compare this analysis to...
      6 |
      7 | 17 |
      18 |
      19 | {% include "analysis/overview/index.html" %} 20 |
      21 |
      22 | {% include "analysis/static/index.html" %} 23 |
      24 | {% if analysis.behavior.processes %} 25 |
      26 | {% include "analysis/behavior/index.html" %} 27 |
      28 | {% endif %} 29 |
      30 | {% include "analysis/network/index.html" %} 31 |
      32 |
      33 | {% include "analysis/dropped/index.html" %} 34 |
      35 | {% if analysis.procmemory %} 36 |
      37 | {% include "analysis/procmemory/index.html" %} 38 |
      39 | {% endif %} 40 | {% if analysis.memory %} 41 |
      42 | {% include "analysis/memory/index.html" %} 43 |
      44 | {% endif %} 45 |
      46 | {% include "analysis/admin/index.html" %} 47 |
      48 |
      49 | {% endblock %} 50 | -------------------------------------------------------------------------------- /docs/book/src/usage/results.rst: -------------------------------------------------------------------------------- 1 | ================ 2 | Analysis Results 3 | ================ 4 | 5 | Once an analysis is completed, several files are stored in a dedicated directory. 6 | All the analyses are stored under the directory *storage/analyses/* inside a 7 | subdirectory named after the incremental numerical ID that represents the analysis 8 | task in the database. 9 | 10 | Following is an example of an analysis directory structure:: 11 | 12 | . 13 | |-- analysis.conf 14 | |-- analysis.log 15 | |-- binary 16 | |-- dump.pcap 17 | |-- memory.dmp 18 | |-- files 19 | | |-- 1234567890 20 | | `-- dropped.exe 21 | |-- logs 22 | | |-- 1232.raw 23 | | |-- 1540.raw 24 | | `-- 1118.raw 25 | |-- reports 26 | | |-- report.html 27 | | |-- report.json 28 | | |-- report.maec-4.0.1.xml 29 | | `-- report.metadata.xml 30 | `-- shots 31 | |-- 0001.jpg 32 | |-- 0002.jpg 33 | |-- 0003.jpg 34 | `-- 0004.jpg 35 | 36 | analysis.conf 37 | ============= 38 | 39 | This is a configuration file automatically generated by Cuckoo to give 40 | its analyzer some details about the current analysis. It's generally of no 41 | interest to the end-user, as it's used internally by the sandbox. 42 | 43 | analysis.log 44 | ============ 45 | 46 | This is a log file generated by the analyzer and that contains a trace of 47 | the analysis execution inside the guest environment. It will report the 48 | creation of processes, files and eventual errors occurred during the 49 | execution. 50 | 51 | dump.pcap 52 | ========= 53 | 54 | This is the network dump generated by tcpdump or any other corresponding 55 | network sniffer. 56 | 57 | memory.dmp 58 | ========== 59 | 60 | In case you enabled it, this file contains the full memory dump of the analysis 61 | machine. 62 | 63 | files/ 64 | ====== 65 | 66 | This directory contains all the files the malware operated on and that Cuckoo 67 | was able to dump. 68 | 69 | logs/ 70 | ===== 71 | 72 | This directory contains all the raw logs generated by Cuckoo's process monitoring. 73 | 74 | reports/ 75 | ======== 76 | 77 | This directory contains all the reports generated by Cuckoo as explained in the 78 | :doc:`../installation/host/configuration` chapter. 79 | 80 | shots/ 81 | ====== 82 | 83 | This directory contains all the screenshots of the guest's desktop taken during 84 | the malware execution. 85 | -------------------------------------------------------------------------------- /utils/stats.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (C) 2010-2015 Cuckoo Foundation. 3 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 4 | # See the file 'docs/LICENSE' for copying permission. 5 | 6 | import os.path 7 | import sys 8 | import time 9 | 10 | sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__)), "..")) 11 | 12 | from lib.cuckoo.core.database import Database, TASK_PENDING, TASK_RUNNING 13 | from lib.cuckoo.core.database import TASK_COMPLETED, TASK_RECOVERED, TASK_REPORTED 14 | from lib.cuckoo.core.database import TASK_FAILED_ANALYSIS, TASK_FAILED_PROCESSING, TASK_FAILED_REPORTING 15 | 16 | def timestamp(dt): 17 | """Returns the timestamp of a datetime object.""" 18 | return time.mktime(dt.timetuple()) 19 | 20 | def main(): 21 | db = Database() 22 | 23 | print("%d samples in db" % db.count_samples()) 24 | print("%d tasks in db" % db.count_tasks()) 25 | 26 | states = ( 27 | TASK_PENDING, TASK_RUNNING, 28 | TASK_COMPLETED, TASK_RECOVERED, TASK_REPORTED, 29 | TASK_FAILED_ANALYSIS, TASK_FAILED_PROCESSING, TASK_FAILED_REPORTING 30 | ) 31 | 32 | for state in states: 33 | print("%s %d tasks" % (state, db.count_tasks(state))) 34 | 35 | # Later on we might be interested in only calculating stats for all 36 | # tasks starting at a certain offset, because the Cuckoo daemon may 37 | # have been restarted at some point in time. 38 | offset = None 39 | 40 | # For the following stats we're only interested in completed tasks. 41 | tasks = db.list_tasks(offset=offset, status=TASK_COMPLETED) 42 | tasks += db.list_tasks(offset=offset, status=TASK_REPORTED) 43 | 44 | if tasks: 45 | # Get the time when the first task started. 46 | started = min(timestamp(task.started_on) for task in tasks) 47 | 48 | # Get the time when the last task completed. 49 | stamps = [] 50 | for task in tasks: 51 | try: 52 | stamps.append(timestamp(task.completed_on)) 53 | except AttributeError: 54 | pass 55 | 56 | completed = max(stamps) 57 | 58 | # Get the amount of tasks that actually completed. 59 | finished = len(tasks) 60 | 61 | hourly = 60 * 60 * finished / (completed - started) 62 | 63 | print("roughly %d tasks an hour" % int(hourly)) 64 | print("roughly %d tasks a day" % int(24 * hourly)) 65 | 66 | if __name__ == "__main__": 67 | main() 68 | -------------------------------------------------------------------------------- /modules/signatures/DetectDEPInHeap.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import logging 3 | import json 4 | from lib.cuckoo.common.abstracts import Signature 5 | from subprocess import Popen, PIPE 6 | log = logging.getLogger(__name__) 7 | 8 | 9 | class DetectDEPInHeap(Signature): 10 | name = "Detect DEP bypass in the heap, probably by ROP" 11 | description = "Detects DEP bypass in the heap" 12 | severity = 2 13 | categories = ["exploit", "rop"] 14 | authors = ["Ilana Marcus"] 15 | minimum = "1.2" 16 | evented = True 17 | enabled = True 18 | MEM_PRIVATE = 0x20000 19 | READ_WRITE_EXECUTE = 0x40 20 | 21 | def __init__(self, caller): 22 | Signature.__init__(self, caller) 23 | filter_categories = set(["process"]) 24 | self.has_dep_bypass = False 25 | self.api_call_functions = set() 26 | self.hits = [] 27 | 28 | def on_call(self, call, pid): 29 | if call["api"] in ["NtProtectVirtualMemory", "VirtualProtectEx", "VirtualAllocEx"]: 30 | if int(self.get_argument(call, "VirtQueryType")) == self.MEM_PRIVATE and \ 31 | int(self.get_argument(call, "protection").replace("0x", ""), 16) == self.READ_WRITE_EXECUTE: 32 | 33 | self.has_dep_bypass = True 34 | self.api_call_functions.add(call["api"]) 35 | 36 | address = self.get_argument(call, "BaseAddress") 37 | 38 | old_protection = int(self.get_argument(call, "old_protection").replace("0x", ""), 16) 39 | formatted_old_protection = format(old_protection, '02x') 40 | 41 | new_protection = int(self.get_argument(call, "protection").replace("0x", ""), 16) 42 | formatted_new_protection = format(new_protection, '02x') 43 | 44 | match_data = {"address": address, "old_protection": formatted_old_protection, "new_protection":formatted_new_protection} 45 | 46 | #self.add_match(None, "api", match_data) 47 | self.hits.append(match_data) 48 | 49 | def on_complete(self): 50 | if self.has_dep_bypass: 51 | self.description += ": {0}".format(self.api_call_functions) 52 | for hit in self.hits: 53 | self.description += " [address: {0}, old protection: {1}, new protection {2}] ".format(hit["address"], hit["old_protection"], hit["new_protection"]) 54 | return True 55 | return False 56 | -------------------------------------------------------------------------------- /data/html/sections/url.html: -------------------------------------------------------------------------------- 1 |
      2 |
      3 |

      URL Details

      4 |
      5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 48 | 49 |
      URL{{results.target.url}}
      VirusTotal 17 | {% if results.virustotal %} 18 | {% if results.virustotal.response_code == 1 %} 19 | Permalink
      20 | VirusTotal Scan Date: {{results.virustotal.scan_date}}
      21 | Detection Rate: {{results.virustotal.positives}}/{{results.virustotal.total}} (Expand) 22 | 41 | {% else %} 42 | Domain not found on VirusTotal 43 | {% endif %} 44 | {% else %} 45 | VirusTotal lookup disabled, add your API key to the module 46 | {% endif %} 47 |
      50 |
      51 | -------------------------------------------------------------------------------- /docs/AUTHORS: -------------------------------------------------------------------------------- 1 | AUTHORS 2 | 3 | Cuckoo is the result of the work and efforts of many people. Some main developers 4 | and some friends and users who kindly provided us with feedback and new features. 5 | You'll find contributions to the code mentioned in the specific source files. 6 | 7 | DEVELOPERS: 8 | Claudio "nex" Guarnieri Lead Developer @botherder 9 | Alessandro "jekil" Tanasi Developer @jekil 10 | Jurriaan "skier" Bremer Developer @skier_t 11 | Mark "rep" Schloesser Developer @repmovsb 12 | 13 | CONTRIBUTORS: 14 | $ git shortlog -s -n 15 | 1058 Nex 16 | 960 jekil 17 | 286 Jurriaan Bremer 18 | 242 rep 19 | 185 nex 20 | 72 Ivan Kirillov 21 | 70 Thorsten Sick 22 | 35 Alessandro Tanasi 23 | 24 Mark Schloesser 24 | 24 Pietro Delsante 25 | 22 David Maciejak 26 | 15 Adam Meily 27 | 14 Justin Roberts 28 | 13 Greg Back 29 | 11 r3comp1le 30 | 9 Christopher Schmitt 31 | 9 Script Kiddie 32 | 7 Hugh Pearse 33 | 7 SpoonBoy 34 | 6 Tal Jerome 35 | 6 init99 36 | 5 David Francos 37 | 5 jamu 38 | 5 lehmz 39 | 4 Adam Pridgen 40 | 4 Ben Small 41 | 3 Allen Swackhamer 42 | 3 Espen Fjellvær Olsen 43 | 3 Jerome Marty 44 | 3 KillerInstinct 45 | 3 Nagy Ferenc László 46 | 3 Stephen DiCato 47 | 3 mak 48 | 3 robertsjw 49 | 3 wzr 50 | 3 z0mbiehunt3r 51 | 2 Claudio Guarnieri 52 | 2 Gael Muller 53 | 2 Mario Vilas 54 | 2 Max Taube 55 | 2 Neriberto C.Prado 56 | 2 Richard Harman 57 | 2 Roberto Abdelkader Martínez Pérez 58 | 2 SecTecRes 59 | 2 Thomas Penteker 60 | 2 Will Metcalf 61 | 2 bcyrill 62 | 2 kholbrook1303 63 | 2 mcpacosy 64 | 2 mt00at 65 | 2 upsidedwn 66 | 1 = 67 | 1 Aitor Gómez 68 | 1 Alexander J 69 | 1 Andrea De Pasquale 70 | 1 Ben Lyon 71 | 1 Benjamin Vanheuverzwijn 72 | 1 Crashman1983 73 | 1 Henrique Menezes 74 | 1 John Davison 75 | 1 Mark Woan 76 | 1 Micha Lenk 77 | 1 Nitzan Carmel 78 | 1 Ryan Peck 79 | 1 SnakeByte Lab 80 | 1 Valter Santos 81 | 1 bladeswords 82 | 1 chimerhapsody 83 | 1 chort 84 | 1 chrestme 85 | 1 jvoisin 86 | 1 sabri 87 | 1 shendo 88 | 1 vacmf 89 | 90 | Thanks to the whole community and mailing list members who submitted bug 91 | reports and suggested new features. 92 | -------------------------------------------------------------------------------- /docs/book/src/installation/guest_physical/requirements.rst: -------------------------------------------------------------------------------- 1 | ============ 2 | Requirements 3 | ============ 4 | 5 | In order to make Cuckoo run properly in your physical Windows system, you 6 | will have to install some required software and libraries. 7 | 8 | Install Python 9 | ============== 10 | 11 | Python is a strict requirement for the Cuckoo guest component (*analyzer*) in 12 | order to run properly. 13 | 14 | You can download the proper Windows installer from the `official website`_. 15 | Also in this case Python 2.7 is preferred. 16 | 17 | Some Python libraries are optional and provide some additional features to 18 | Cuckoo guest component. They include: 19 | 20 | * `Python Image Library`_: it's used for taking screenshots of the Windows desktop during the analysis. 21 | 22 | They are not strictly required by Cuckoo to work properly, but you are encouraged 23 | to install them if you want to have access to all available features. Make sure 24 | to download and install the proper packages according to your Python version. 25 | 26 | .. _`official website`: http://www.python.org/getit/ 27 | .. _`Python Image Library`: http://www.pythonware.com/products/pil/ 28 | 29 | Additional Software 30 | =================== 31 | 32 | At this point you should have installed everything needed by Cuckoo to run 33 | properly. 34 | 35 | Depending on what kind of files you want to analyze and what kind of sandboxed 36 | Windows environment you want to run the malware samples in, you might want to install 37 | additional software such as browsers, PDF readers, office suites etc. 38 | Remember to disable the "auto update" or "check for updates" feature of 39 | any additional software. 40 | 41 | This is completely up to you and to what your needs are. You can get some hints 42 | by reading the :doc:`../../introduction/sandboxing` chapter. 43 | 44 | 45 | Additional Host Requirements 46 | ============================ 47 | The physical machine manager uses RPC requests to reboot physical machines. 48 | The `net` command is required for this to be accomplished, and is available 49 | from the samba-common-bin package. 50 | 51 | On Debian/Ubuntu: 52 | 53 | $ sudo apt-get install samba-common-bin 54 | 55 | In order for the physical machine manager to work, you must have a way 56 | for physical machines to be returned to a clean state. In development/testing 57 | Fog (`http://www.fogproject.org/`_) was used as a platform to handle re-imaging 58 | the physical machines. However, any re-imaging platform can be used 59 | (Clonezilla, Deepfreeze, etc) to accomplish this. 60 | 61 | .. _`http://www.fogproject.org/`: http://www.fogproject.org/ -------------------------------------------------------------------------------- /web/dashboard/views.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import sys 6 | import time 7 | 8 | from django.conf import settings 9 | from django.template import RequestContext 10 | from django.http import HttpResponse 11 | from django.shortcuts import render_to_response 12 | from django.views.decorators.http import require_safe 13 | 14 | sys.path.append(settings.CUCKOO_PATH) 15 | 16 | from lib.cuckoo.core.database import Database, TASK_PENDING, TASK_RUNNING 17 | from lib.cuckoo.core.database import TASK_COMPLETED, TASK_RECOVERED, TASK_REPORTED 18 | from lib.cuckoo.core.database import TASK_FAILED_ANALYSIS, TASK_FAILED_PROCESSING, TASK_FAILED_REPORTING 19 | 20 | def timestamp(dt): 21 | """Returns the timestamp of a datetime object.""" 22 | if not dt: return None 23 | return time.mktime(dt.timetuple()) 24 | 25 | @require_safe 26 | def index(request): 27 | db = Database() 28 | 29 | report = dict( 30 | total_samples=db.count_samples(), 31 | total_tasks=db.count_tasks(), 32 | states_count={}, 33 | estimate_hour=None, 34 | estimate_day=None 35 | ) 36 | 37 | states = ( 38 | TASK_PENDING, 39 | TASK_RUNNING, 40 | TASK_COMPLETED, 41 | TASK_RECOVERED, 42 | TASK_REPORTED, 43 | TASK_FAILED_ANALYSIS, 44 | TASK_FAILED_PROCESSING, 45 | TASK_FAILED_REPORTING 46 | ) 47 | 48 | for state in states: 49 | report["states_count"][state] = db.count_tasks(state) 50 | 51 | offset = None 52 | 53 | # For the following stats we're only interested in completed tasks. 54 | tasks = db.list_tasks(offset=offset, status=TASK_COMPLETED) 55 | tasks += db.list_tasks(offset=offset, status=TASK_REPORTED) 56 | 57 | if tasks: 58 | # Get the time when the first task started. 59 | started = min(timestamp(task.started_on) for task in tasks) 60 | 61 | # Get the time when the last task completed. 62 | completed = max(timestamp(task.completed_on) for task in tasks) 63 | 64 | # Get the amount of tasks that actually completed. 65 | finished = len(tasks) 66 | 67 | hourly = 60 * 60 * finished / (completed - started) 68 | 69 | report["estimate_hour"] = int(hourly) 70 | report["estimate_day"] = int(24 * hourly) 71 | 72 | return render_to_response("dashboard/index.html", 73 | {"report" : report}, 74 | context_instance=RequestContext(request)) 75 | --------------------------------------------------------------------------------