Cuckoo v1.0 was published some months ago, but it took a while until I had time to install it with my friend cor3dump3d, who saved me a lot of time...
I have seen some valuable new features in this release. Maybe I will write a post about them in the future, but for now I am going to show you how to keep Cuckoo from being detected by malware.
It is a trend that malware uses anti-virtualization techniques in order to avoid being analyzed by sandboxes like Cuckoo, and I've noticed a rise in malware using this capability. Modern malware can change its behaviour if it detects that it is being executed in a virtual environment. If you already use Cuckoo to analyze your samples, you will also have seen related techniques such as the detection of debuggers and forensics tools.
We want to keep our virtual machine hidden from the malware samples, so we will modify our sandbox to achieve that goal.
Detecting Virtual Machines with Pafish
A year ago I read in the post Hardening Cuckoo Sandbox against VM aware malware that Alberto Ortega had developed a new tool named Pafish. This tool is executed inside a Windows OS and detects whether it is running in a virtual machine. Some months ago, the same blog reported that malware developers had borrowed this tool and added it to their malware in order to detect whether the malicious program was running in a virtual environment and change its behaviour accordingly. The link below is a great post about it: How public tools are used by malware developers, the antivm tale
So we are going to use this free tool to check whether our virtual machine can be detected by some anti-virtualization techniques. The tool is available in the link below.
After executing Pafish, the picture below shows that Pafish detected that the hard drive has less than 50 GB of storage. It is just a recommendation, but if you are able to give more storage to your virtual machine, do it! Do you know anyone with a computer that has less than 50 GB? I don't, and for this reason the malware could suspect that it is being run in a virtual environment.
In the picture below you can see how Pafish has detected the registry keys related to VirtualBox.
This tool creates a pafish.log file which contains these lines:
[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] Sandbox traced by checking disk size <= 50GB
[pafish] Hooks traced using DeleteFileW method 1
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
[pafish] VirtualBox traced using Reg key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "VideoBiosVersion"
[pafish] VirtualBox traced using file C:\WINDOWS\system32\drivers\VBoxMouse.sys
[pafish] End
Hiding our Virtual Machine
I was reading some interesting blogs when I discovered this entry: Installing and hardening the latest Cuckoo Sandbox on Gentoo Linux, which saved me a lot of time.
Hubert Kromer has created a modified cuckoomon.dll that avoids being detected by the malware, and he shares it with us here.
You only need to replace the original DLL with the modified one in this path:
Once this DLL is replaced (you don't need to restart Cuckoo), just submit Pafish.exe to Cuckoo again. You can see the differences between using this DLL and using the original one.
We can see in the pafish.log file that our sandbox is still traced, but we now avoid the majority of the traces that were detected before:
[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] Sandbox traced by checking disk size <= 50GB
[pafish] Hooks traced using DeleteFileW method 1
[pafish] End
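As an added example (not part of the original post or of Pafish itself), here is a small Python script that parses the two pafish.log runs quoted above and reports which traces the modified cuckoomon.dll removed, which remain, and whether any new ones appeared. The sample logs are copied from the post; the line format assumed is the `[pafish] <family> traced using/by <detail>` pattern those logs use.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample logs, taken from the two pafish.log runs quoted in the post:
# LOG_BEFORE with the stock cuckoomon.dll, LOG_AFTER with the modified one.
LOG_BEFORE = r"""[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] Sandbox traced by checking disk size <= 50GB
[pafish] Hooks traced using DeleteFileW method 1
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
[pafish] VirtualBox traced using Reg key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "VideoBiosVersion"
[pafish] VirtualBox traced using file C:\WINDOWS\system32\drivers\VBoxMouse.sys
[pafish] End"""

LOG_AFTER = r"""[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] Sandbox traced by checking disk size <= 50GB
[pafish] Hooks traced using DeleteFileW method 1
[pafish] End"""

# Matches one "<family> traced using/by <detail>" line; Start, End and the
# Windows version banner do not match and are skipped.
TRACE_RE = re.compile(r"^\[pafish\] (?P<family>\w+) traced (?:using|by) (?P<detail>.+)$")

def parse_traces(log_text: str) -> List[Tuple[str, str]]:
    """Return (family, detail) pairs, e.g. ('VirtualBox', 'Reg key HKLM\\...')."""
    traces = []
    for line in log_text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            traces.append((m.group("family"), m.group("detail")))
    return traces

def count_by_family(log_text: str) -> Dict[str, int]:
    """Number of hits per detection family (Sandbox, Hooks, VirtualBox, ...)."""
    counts: Dict[str, int] = {}
    for family, _ in parse_traces(log_text):
        counts[family] = counts.get(family, 0) + 1
    return counts

def compare_runs(before: str, after: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Traces the hardening removed, traces still present, and traces that appeared."""
    b, a = set(parse_traces(before)), set(parse_traces(after))
    return {"fixed": b - a, "remaining": a & b, "new": a - b}

if __name__ == "__main__":
    for key, traces in compare_runs(LOG_BEFORE, LOG_AFTER).items():
        print(key, sorted(traces))
```

The "remaining" set is the to-do list for further hardening; for these two logs it is the mouse-activity check, the disk-size check and the DeleteFileW hook detection.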
Now we need to figure out how to avoid being detected through the lack of mouse activity during our automatic analysis. If you have some info about that, just let us know!!!