Learn, hack!

URL

http://recon.cx/2013/slides/recon2013-Jurriaan%20Bremer-Haow%20do%20I%20sandbox.pdf

File name

recon2013-Jurriaan%20Bremer-Haow%20do%20I%20sandbox.pdf

File size

3.9 MB

MD5

50f9bd27a0159f3058090a22f37305ad

SHA1

ca1a7fca0f5578cdaf9808fcf11d14cee697f6bf

Cuckoo Sandbox is an open source automated malware analysis system that enables you to easily automate the process of analyzing your feeds of malware samples and start collecting actionable threat data. This is especially useful in todays world, where simply removing malware artifacts from a network is not enough. Instead, it's important for corporations, governments, and organizations of any sort to understand how they work and what they might do/have done on their network. Being for incident response, preemptive analysis, or just to collect intelligence. During this technical talk we'll first give a quick introduction of Cuckoo Sandbox for those of us unfamiliar with it. We will then dig into the design of the Cuckoo, followed by an in-depth technical walk-through of the various low-level techniques that have been employed into Cuckoo in order to analyze & defeat the most recent detection techniques. We will learn how Cuckoo keeps track of multiple processes (e.g., for banking malware which injects into other processes), the advanced hooking scheme for intercepting function calls, tricks we use to tweak huge log files, various anti-anti-debugging tricks, and finally, various advanced techniques we've given a spin but didn't work out in the end.