cuckoo

With the release of the new Cuckoo, I wanted to check the features Cuckoo provides. I am just releasing the details I have collected.

For those who don't know much about Cuckoo, it is a malware analysis framework. Cuckoo can be used to analyze a document, an executable, or a DLL. It uses VM technology to perform the analysis.
It runs the malware inside the VM, collects various information about its execution, and then performs some analysis to produce the final report. It uses a user-mode hooking technique to collect the information.

Cuckoo is now used by VirusTotal too.

List of features provided by Cuckoo:
    Can take snapshots
    Randomizes the injected DLL.
    VMs supported:
        vbox
        kvm
    YARA support.
    Network data capture.

List of hooked functions:

ntdll.dll:
    NtResumeThread
    LdrLoadDll
    NtCreateFile
    NtOpenFile
    NtReadFile
    NtWriteFile
    NtCreateMutant
    NtOpenMutant
    NtCreateProcess
    NtCreateProcessEx
    NtDelayExecution
    LdrGetDllHandle
    LdrGetProcedureAddress
    NtClose
   
advapi32.dll:
    RegOpenKeyExA
    RegOpenKeyExW
    RegCreateKeyExA
    RegCreateKeyExW
    RegDeleteKeyA
    RegDeleteKeyW
    RegEnumKeyW
    RegEnumKeyExA
    RegEnumKeyExW
    RegEnumValueA
    RegEnumValueW
    RegSetValueExA
    RegSetValueExW
    RegQueryValueExA
    RegQueryValueExW
    RegDeleteValueA
    RegDeleteValueW
    RegCloseKey
    OpenSCManagerA
    OpenSCManagerW
    CreateServiceA
    CreateServiceW
    OpenServiceA
    OpenServiceW
    StartServiceA
    StartServiceW
    ControlService
    DeleteService
    LookupPrivilegeValueW

user32.dll:
    FindWindowA
    FindWindowW
    FindWindowExA
    FindWindowExW
    SetWindowsHookExA
    SetWindowsHookExW
    ExitWindowsEx

shell32.dll:
    ShellExecuteExW

kernel32.dll:
    ReadProcessMemory
    WriteProcessMemory
    VirtualAllocEx
    VirtualProtectEx
    VirtualFreeEx
    OpenThread
    CreateThread
    CreateRemoteThread
    TerminateThread
    ExitThread
    GetThreadContext
    SetThreadContext
    SuspendThread
    ResumeThread
    CreateProcessInternalW
    OpenProcess
    TerminateProcess
    ExitProcess
    MoveFileWithProgressW
    DeleteFileW
    CreateDirectoryW
    CreateDirectoryExW
    DeviceIoControl
    IsDebuggerPresent

urlmon.dll:
    URLDownloadToFileW

wininet.dll:
    InternetOpenUrlA
    InternetOpenUrlW
    HttpOpenRequestA
    HttpOpenRequestW
    HttpSendRequestA
    HttpSendRequestW

dnsapi.dll:
    DnsQuery_A
    DnsQuery_UTF8
    DnsQuery_W

ws2_32.dll:
    getaddrinfo
    GetAddrInfoW
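To show how a trace of the hooked calls above turns into report findings, here is an added example (not Cuckoo's own code, and not its report schema): a constructed per-process API trace is reduced to behaviors by matching ordered call sequences and registry arguments. The trace tuples, the argument keys and the signature names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample trace of (pid, hooked API, arguments). Handles, paths,
# pids and the URL are made up; the API names come from the hooked list.
TRACE = [
    (1000, "NtCreateFile", {"path": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"}),
    (1000, "RegOpenKeyExW", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}),
    (1000, "RegSetValueExW", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "svc"}),
    (1000, "OpenProcess", {"target_pid": 2000}),
    (1000, "VirtualAllocEx", {"target_pid": 2000, "protect": "PAGE_EXECUTE_READWRITE"}),
    (1000, "WriteProcessMemory", {"target_pid": 2000}),
    (1000, "CreateRemoteThread", {"target_pid": 2000}),
    (1000, "IsDebuggerPresent", {}),
    (3000, "OpenSCManagerW", {}),
    (3000, "CreateServiceW", {"name": "updsvc"}),
    (3000, "StartServiceW", {"name": "updsvc"}),
    (3000, "URLDownloadToFileW", {"url": "http://example.invalid/payload.bin"}),
]

# Ordered API sequences that indicate a behavior within one process. Other
# calls may be interleaved; only the relative order of the listed calls matters.
SIGNATURES = {
    "process_injection": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "service_persistence": ["OpenSCManagerW", "CreateServiceW", "StartServiceW"],
    "anti_debug": ["IsDebuggerPresent"],
    "download": ["URLDownloadToFileW"],
}

def in_order(calls, pattern):
    """True if every API in `pattern` occurs in `calls` in that relative order."""
    i = 0
    for api in calls:
        if api == pattern[i]:
            i += 1
            if i == len(pattern):
                return True
    return False

def analyze(trace):
    """Group the trace by pid and return {pid: sorted list of matched behaviors}."""
    calls = defaultdict(list)
    findings = defaultdict(set)
    for pid, api, args in trace:
        calls[pid].append(api)
        # Argument-based check: setting a value under a Run key is autostart persistence.
        if api.startswith("RegSetValueEx") and args.get("key", "").lower().endswith("\\run"):
            findings[pid].add("run_key_persistence")
    for pid, apis in calls.items():
        for name, pattern in SIGNATURES.items():
            if in_order(apis, pattern):
                findings[pid].add(name)
    return {pid: sorted(found) for pid, found in findings.items()}
```

A real Cuckoo report carries many more fields per call (return values, thread ids, timestamps), and its signatures are Python modules rather than plain sequence lists, but the per-process ordering logic is the same idea.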

This entry was posted in Internals, Malware, Malware Analyzer, Tools, Windows.
