Have a taste for tearing apart malware? Then you have probable played with Cuckoo Sandbox. If not, it is really time to take a poke at it. This is an open source malware analysis toolset. You can drop a suspicious file (or even one that is somewhat shifty in nature) into it and it will run tests. In no time at all it will spit out a report as to the nature of the file and what it tried to do all from the relative safety of a virtualized environment.
Last month the developers posted the latest iteration of their application, version 1.1. To get an idea of the changes that have been introduced in this iteration have a look at the change log.
Following is the CHANGELOG for this version:
- Added imphash to static PE analysis - Added search for URLs in the web interface - Added search for PE Imphash in the web interface - Added possibility in web interface to queue to all machines - Added filtering by behavior category in Django web interface - Added analyzer log to Django web interface - Added REST API to retrieve screenshots associated with a task - Added REST API to retrieve the PCAP associated with a task - Added database migration utility - Added remote submission to submit.py utility - Added small stats utility (utils/stats.py) - Added analysis package for PowerShell scripts - Added overlay configuration for signatures (data/signatures_overlay.json) - Fixed bug in MAEC report - Fixed package selection for Office documents and CPL scripts - Fixed issue with tcpdump filters - Fixed unhandled exception when uploading files to the analysis machines - Fixed issues in CuckooMon that resulted in Internet Explorer crashes - Fixed bug in CuckooMon that caused mutexes to be resolved as file paths - Fixed bug in behavior processing module that resulted in a trailing backslash in summary's registry keys - Multiple minor bug fixes
Not only is this a wonderful tool it is also the underlying software that drives the malware analysis website Malwr.com.
If you have any interest in malware analysis at all, these are a couple of tools that you should absolutely try out.
(Image used under CC from .hj barraza)