Strengthening our malware analysis capabilities

Date of publication: 21/02/2019, piotrb

During last year we have collaborated with Hatching.io on improving the open source Cuckoo Sandbox. The main works were focused on porting advanced mechanisms for memory analysis which were developed internally by our team in the previous years. The public release of the onemon marks the last stage of this collaboration. We are proud that results of this work are now available to the security community.

Onemon, a successor of the zer0m0n, provides means for process memory dumping when encountering defined Yara rules in particular situations. These include, for example, creation of new process, resuming of a thread through NtResumeThread (used in process hollowing) or termination of a process.

Additionally Cuckoo Sandbox was extended with means for malware static configuration extraction. These mechanisms help to retrieve such information as C&C server addresses, communication keys or DGA seeds.

To further help with malware analysis, Roach library was introduced to be compatible with Cuckoo Sandbox. It is a wrapper for many common operations performed during analysis of process memory dumps, including decompression, decryption, hashing, string serialization, PE parsing etc.

A sandbox system is a crucial part of our automated malware processing platform and we are already preparing to deploy the new version of Cuckoo. External researchers can get access to the analysis results of the system through mwdb platform, which is a repository for storing malware samples and information acquired during their analysis. More information on mwdb can be found in our previous blog post.

The described work is a part of our project SOASP (Strengthening operational aspects of cyber-security capacities in Poland) and is co-financed by the Connecting Europe Facility of the European Union, action no: 2016-PL-IA-0127.