Automated Malware Analysis

TL;DR

This guide shows you how to set up a basic automated malware analysis system using freely available tools. It focuses on running samples in a safe environment and getting initial reports without needing deep cybersecurity expertise.

Setting Up Automated Malware Analysis

1. Choose a Virtualisation Platform: You need a way to run the malware safely. VirtualBox is free and easy to use. Install it on your main computer.
   • Download from the link above.
   • Follow the installation instructions for your operating system (Windows, macOS, Linux).
2. Create a Virtual Machine: This is where the malware will run.
   1. Open VirtualBox.
   2. Click “New”.
   3. Give your VM a name (e.g., “Malware Analysis VM”).
   4. Choose a suitable operating system. Windows 10 or 11 is common, but older versions can also be useful for analysing older malware. You’ll need an ISO file of the OS.

      # Example: Download Windows 10 ISO from Microsoft

   5. Allocate enough RAM (at least 2GB) and disk space (at least 20GB).
   6. Finish creating the VM.
3. Install Cuckoo Sandbox: Cuckoo Sandbox is a popular automated analysis system.
   • It requires Python and other dependencies. The official documentation has detailed installation instructions for various operating systems.
   • On Linux (e.g., Ubuntu), you can use the following commands:

     sudo apt update
     sudo apt install python3 python3-pip git
     git clone https://github.com/cuckoosandbox/cuckoo.git
     cd cuckoo
     python3 -m venv .venv
     source .venv/bin/activate
     pip install -r requirements.txt
     cuckoo init

4. Configure Cuckoo Sandbox: You need to tell Cuckoo where the VM is and how to run samples.
   • Edit the cuckoo.conf file (usually located in the Cuckoo directory).
   • Important settings:
     • vm_name: Set this to the name of your VirtualBox VM.
     • samples_dir: The directory where you’ll put malware samples.
     • results_dir: The directory where Cuckoo will store analysis reports.
5. Run a Sample: Copy the malware file to the samples_dir you configured.
   1. From the command line, run:

      cuckoo submit /path/to/your/malware.exe

   2. Cuckoo will automatically start the VM, execute the sample, and collect data.
6. View Results: Once analysis is complete, Cuckoo stores a report in the results_dir.
   • The reports are usually HTML files that you can open in your web browser. They contain information about:
     • Files created/modified
     • Registry changes
     • Network activity
     • Dropped files

Additional Tools

• VirusTotal: A free online service that scans files with multiple antivirus engines. You can integrate it with Cuckoo for more comprehensive analysis.
• Hybrid Analysis: Another popular online malware analysis platform.