Anthropic-Cybersecurity-Skills analyzing-malware-behavior-with-cuckoo-sandbox

'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system

install

source · Clone the upstream repo

git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/analyzing-malware-behavior-with-cuckoo-sandbox" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-analyzing-malware-behavior-with-cuckoo-s && rm -rf "$T"

manifest: skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md

source content

Analyzing Malware Behavior with Cuckoo Sandbox

When to Use

A suspicious sample passed static analysis triage and requires behavioral observation in a controlled environment
You need to capture network traffic, file drops, registry modifications, and API calls from a malware execution
Determining the full infection chain including second-stage payload downloads and persistence mechanisms
Generating behavioral signatures and YARA rules based on observed runtime activity
Automated analysis of bulk malware samples requiring consistent reporting

Do not use when the sample is a known ransomware variant that may spread via network shares in a misconfigured sandbox; verify network isolation first.

Prerequisites

Cuckoo Sandbox 3.x installed on a dedicated analysis server (Ubuntu 22.04 recommended)
Guest VMs configured with Windows 10/11 snapshots (Cuckoo agent installed, snapshots taken at clean state)
VirtualBox, KVM, or VMware configured as the Cuckoo virtualization backend
Isolated network with InetSim or FakeNet-NG for simulating internet services
Suricata or Snort integrated for network-level signature matching during analysis
Sufficient disk space for PCAP captures and memory dumps (minimum 500 GB recommended)

Workflow

Step 1: Submit Sample to Cuckoo

Submit the malware sample for automated analysis:

# Submit via command line
cuckoo submit /path/to/suspect.exe

# Submit with specific analysis timeout (300 seconds)
cuckoo submit --timeout 300 /path/to/suspect.exe

# Submit with specific VM and analysis package
cuckoo submit --machine win10_x64 --package exe --timeout 300 /path/to/suspect.exe

# Submit via REST API
curl -F "file=@suspect.exe" -F "timeout=300" -F "machine=win10_x64" \
  http://localhost:8090/tasks/create/file

# Submit URL for analysis
curl -F "url=http://malicious-site.com/payload" -F "timeout=300" \
  http://localhost:8090/tasks/create/url

# Check task status
curl http://localhost:8090/tasks/view/1 | jq '.task.status'

Step 2: Monitor Execution in Real-Time

Track the analysis progress and observe live behavior:

# Watch Cuckoo analysis log
tail -f /opt/cuckoo/log/cuckoo.log

# Monitor analysis task status
cuckoo status

# Access Cuckoo web interface for live screenshots and process tree
# Navigate to http://localhost:8080/analysis/<task_id>/

Key behavioral events to watch during execution:

Process creation chain (parent-child relationships)
Network connection attempts to external IPs
File drops in temporary directories or system folders
Registry modifications to Run keys or service entries
API calls related to encryption (CryptEncrypt), injection (WriteProcessMemory), or evasion

Step 3: Analyze Process Activity

Review the process tree and API call trace from the Cuckoo report:

# Parse Cuckoo JSON report programmatically
import json

with open("/opt/cuckoo/storage/analyses/1/reports/report.json") as f:
    report = json.load(f)

# Process tree analysis
for process in report["behavior"]["processes"]:
    pid = process["pid"]
    ppid = process["ppid"]
    name = process["process_name"]
    print(f"PID: {pid} PPID: {ppid} Name: {name}")

    # Extract suspicious API calls
    for call in process["calls"]:
        api = call["api"]
        if api in ["CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
                    "NtCreateThreadEx", "RegSetValueExA", "URLDownloadToFileA"]:
            args = {arg["name"]: arg["value"] for arg in call["arguments"]}
            print(f"  [!] {api}({args})")

Step 4: Review Network Activity

Examine network connections, DNS queries, and HTTP requests:

# Network analysis from Cuckoo report
network = report["network"]

# DNS resolutions
print("DNS Queries:")
for dns in network.get("dns", []):
    print(f"  {dns['request']} -> {dns.get('answers', [])}")

# HTTP requests
print("\nHTTP Requests:")
for http in network.get("http", []):
    print(f"  {http['method']} {http['uri']} (Host: {http['host']})")
    if http.get("body"):
        print(f"    Body: {http['body'][:200]}")

# TCP connections
print("\nTCP Connections:")
for tcp in network.get("tcp", []):
    print(f"  {tcp['src']}:{tcp['sport']} -> {tcp['dst']}:{tcp['dport']}")

# Extract PCAP for deeper Wireshark analysis
# PCAP location: /opt/cuckoo/storage/analyses/1/dump.pcap

Step 5: Examine File System and Registry Changes

Document persistence mechanisms and dropped files:

# File operations
print("Files Created/Modified:")
for f in report["behavior"].get("summary", {}).get("files", []):
    print(f"  {f}")

# Dropped files with hashes
print("\nDropped Files:")
for dropped in report.get("dropped", []):
    print(f"  Path: {dropped['filepath']}")
    print(f"  SHA-256: {dropped['sha256']}")
    print(f"  Size: {dropped['size']} bytes")
    print(f"  Type: {dropped['type']}")

# Registry modifications
print("\nRegistry Keys Modified:")
for key in report["behavior"].get("summary", {}).get("keys", []):
    print(f"  {key}")

Step 6: Review Signatures and Scoring

Check Cuckoo's behavioral signatures and threat scoring:

# Behavioral signatures triggered
print("Triggered Signatures:")
for sig in report.get("signatures", []):
    severity = sig["severity"]
    name = sig["name"]
    description = sig["description"]
    marker = "[!]" if severity >= 3 else "[*]"
    print(f"  {marker} [{severity}/5] {name}: {description}")
    for mark in sig.get("marks", []):
        if mark.get("call"):
            print(f"      API: {mark['call']['api']}")
        if mark.get("ioc"):
            print(f"      IOC: {mark['ioc']}")

# Overall score
score = report.get("info", {}).get("score", 0)
print(f"\nOverall Threat Score: {score}/10")

Step 7: Extract Memory Dump Artifacts

Analyze the full memory dump captured during execution:

# Memory dump is saved at:
# /opt/cuckoo/storage/analyses/1/memory.dmp

# Use Volatility to analyze the memory dump
vol3 -f /opt/cuckoo/storage/analyses/1/memory.dmp windows.pslist
vol3 -f /opt/cuckoo/storage/analyses/1/memory.dmp windows.malfind
vol3 -f /opt/cuckoo/storage/analyses/1/memory.dmp windows.netscan

Key Concepts

Term	Definition
Dynamic Analysis	Executing malware in a controlled environment to observe runtime behavior including system calls, network activity, and file operations
Sandbox Evasion	Techniques malware uses to detect virtual/sandbox environments and alter behavior to avoid analysis (sleep timers, VM checks, user interaction checks)
API Hooking	Cuckoo's method of intercepting Windows API calls made by the malware to log function names, parameters, and return values
InetSim	Internet services simulation tool that responds to malware network requests (HTTP, DNS, SMTP) within the isolated analysis network
Process Injection	Malware technique of injecting code into legitimate processes; detected by monitoring VirtualAllocEx and WriteProcessMemory API sequences
Behavioral Signature	Rule-based detection matching specific sequences of API calls, file operations, or network activity to known malware behaviors
Analysis Package	Cuckoo module defining how to execute a specific file type (exe, dll, pdf, doc) within the guest VM for proper behavioral capture

Tools & Systems

Cuckoo Sandbox: Open-source automated malware analysis system providing behavioral reports, network captures, and memory dumps
InetSim: Internet services simulation suite providing fake HTTP, DNS, SMTP, and other services for isolated malware analysis networks
FakeNet-NG: FLARE team's network simulation tool that intercepts and redirects all network traffic for analysis
Suricata: Network IDS/IPS integrated with Cuckoo for real-time signature-based detection of malicious network traffic
Volatility: Memory forensics framework used to analyze memory dumps captured during Cuckoo analysis

Common Scenarios

Scenario: Analyzing a Multi-Stage Dropper

Context: Static analysis reveals a packed executable with minimal imports and high entropy. The sample needs sandbox execution to observe unpacking, payload delivery, and C2 establishment.

Approach:

Submit sample to Cuckoo with extended timeout (600 seconds) to capture slow-acting behavior
Review process tree for child process creation (dropper spawning payload processes)
Identify dropped files in %TEMP%, %APPDATA%, or system directories
Extract dropped files and compute hashes for separate analysis
Map network connections to identify C2 infrastructure contacted after initial execution
Check for persistence mechanisms (Run keys, scheduled tasks, services) in registry modifications
Compare behavioral signatures against known malware families

Pitfalls:

Using insufficient analysis timeout causing the sandbox to terminate before second-stage payload executes
Not configuring InetSim to respond to DNS and HTTP requests, preventing the malware from progressing past C2 check-in
Ignoring sandbox evasion detections; if the sample exits immediately, it may be detecting the virtual environment
Not analyzing dropped files separately; the initial dropper may be less interesting than the final payload

Output Format

DYNAMIC ANALYSIS REPORT - CUCKOO SANDBOX
==========================================
Task ID:          1547
Sample:           suspect.exe (SHA-256: e3b0c44298fc1c149afbf4c8996fb924...)
Analysis Time:    300 seconds
VM:               win10_x64 (Windows 10 21H2)
Score:            8.5/10

PROCESS TREE
suspect.exe (PID: 2184)
  └── cmd.exe (PID: 3456)
      └── powershell.exe (PID: 4012)
          └── svchost_fake.exe (PID: 4568)

FILE SYSTEM ACTIVITY
[CREATED]  C:\Users\Admin\AppData\Local\Temp\payload.dll
[CREATED]  C:\Windows\System32\svchost_fake.exe
[MODIFIED] C:\Windows\System32\drivers\etc\hosts

REGISTRY MODIFICATIONS
[SET] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\Windows\System32\svchost_fake.exe"
[SET] HKLM\SYSTEM\CurrentControlSet\Services\FakeService\ImagePath = "C:\Windows\System32\svchost_fake.exe"

NETWORK ACTIVITY
DNS:    update.malicious[.]com -> 185.220.101.42
HTTP:   POST hxxps://185.220.101[.]42/gate.php (beacon)
TCP:    10.0.2.15:49152 -> 185.220.101.42:443 (237 connections)

BEHAVIORAL SIGNATURES
[!] [4/5] injection_createremotethread: Injects code into remote process
[!] [4/5] persistence_autorun: Modifies Run registry key for persistence
[!] [3/5] network_cnc_http: Performs HTTP C2 communication
[*] [2/5] antiav_detectfile: Checks for antivirus product files

DROPPED FILES
payload.dll    SHA-256: abc123... Size: 98304  Type: PE32 DLL
svchost_fake.exe SHA-256: def456... Size: 184320 Type: PE32 EXE