Odoriba is a malware dynamic analysis platform built on Cuckoo Sandbox 2.0-rc1 and written in Python 2:
a deeply customized sandbox system for a CSIRT.
- A customized dynamic agent so that malware behaves more actively in our workplace environment.
- Automatic analysis of C&C servers in terms of whether they can be blocked.
- Anti-virus software can be installed in the guest VM.
Operation check:
Guest VM: Windows 7 x86
Host OS: OSX 10
The background and details were presented at FIRST TC Amsterdam 2017:
https://www.first.org/events/colloquia/amsterdam2017/program#precruit-csirt
This demo was captured in the development environment, which does not apply the normal traffic filter,
so the IP addresses shown are just samples for the demo.
(The real-time demo is partially damaged; I recommend viewing it in Google Chrome if it does not play well.)
Launch Demo

Real-time View Demo

Odoriba's differences from Cuckoo Sandbox:
- Real-time visualization of the analyzed behavior on the Web UI.
- Submission of huge files over 100 MB.
- Collection of malware from Malwr (does not work now) or FireEye AX, with automatic submission.
Script files modified from the Cuckoo Sandbox defaults:
- ./agents/agent.py
- ./lib/cuckoo/core/guest.py
- ./modules/auxiliary/sniffer.py
- ./web/analysis/urls.py
- ./web/analysis/views.py
- ./web/web/local_settings.py
and the configuration files in ./conf/
Script files created by Recruit-CSIRT
Created for the real-time view
- Cuckoo Sandbox's requirements are necessary.
In addition, these Python modules are needed: requests, selenium webdriver, BeautifulSoup, InsecureRequestWarning.
Change the network signatures in several Python files (your IP address, user-agent, etc.) by modifying the values marked "Write your own".
On your UNIX host machine (e.g. OSX):
$ cd ~
$ git clone https://github.com/Recruit-CSIRT/odoriba.git
Set your guest machine configuration in ./conf/ and your guest IP in ./internet_control.py (this module supports VirtualBox and VMware).
(Python 2.7.x)
$ python odoriba.py [vmware or virtualbox] [add or init or none] [malwr or ax or none]
// sys.argv[1] = guest VM environment; odoriba supports vmware or virtualbox
// sys.argv[2] = setting option
   init = Cuckoo has not been launched yet
   add  = Cuckoo is launched; add malware seeds from the source given in sys.argv[3]
   none = Cuckoo is launched; skip adding seeds
// sys.argv[3] = where malware is downloaded from
   malwr = Malwr's recent analysis samples (Malwr implemented Google reCAPTCHA, so this option does not work now)
   ax    = your FireEye AX
   none  = skip downloading; you can submit manually
If you want to collect malware seeds in batch, schedule this procedure with cron:
$ python odoriba.py [vmware or virtualbox] add [malwr or ax]
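The three positional arguments above form a small protocol, and it helps to see their rules written down as code. The following is an added example, not odoriba's own odoriba.py: a validator that turns the argument list into an execution plan and rejects values the README does not allow. The function name parse_odoriba_args and the dictionary keys it returns are assumptions made for this illustration; the allowed values and their meanings are the ones documented above.

```python
# Added example (not odoriba's own code): validate the three positional
# arguments documented for
#   python odoriba.py [vmware or virtualbox] [add or init or none] [malwr or ax or none]
# and turn them into an execution plan. Function and key names are assumptions.
from __future__ import print_function
import sys

HYPERVISORS = ("vmware", "virtualbox")   # sys.argv[1]: guest VM environment
SETUP_MODES = ("init", "add", "none")    # sys.argv[2]: setting option
SEED_SOURCES = ("malwr", "ax", "none")   # sys.argv[3]: where malware is downloaded from


def parse_odoriba_args(argv):
    """Return a plan dict for ``argv`` (the arguments without the program name).

    Raises ValueError for a wrong argument count or a value outside the
    documented choices, so a typo in a cron line fails loudly instead of
    silently launching nothing.
    """
    if len(argv) != 3:
        raise ValueError("expected exactly 3 arguments: "
                         "[vmware or virtualbox] [add or init or none] [malwr or ax or none]")
    hypervisor, mode, source = (a.lower() for a in argv)
    if hypervisor not in HYPERVISORS:
        raise ValueError("unsupported guest VM environment: %r" % hypervisor)
    if mode not in SETUP_MODES:
        raise ValueError("unknown setting option: %r" % mode)
    if source not in SEED_SOURCES:
        raise ValueError("unknown malware seed source: %r" % source)

    plan = {
        "hypervisor": hypervisor,
        # init: Cuckoo has not been launched yet, so odoriba must start it
        "launch_cuckoo": mode == "init",
        # add: Cuckoo is already running; seeds are collected only if a source is given
        "collect_seeds": mode == "add" and source != "none",
        "seed_source": source if mode == "add" else "none",
        "warnings": [],
    }
    if mode == "add" and source == "none":
        plan["warnings"].append("'add' given without a seed source; nothing will be collected")
    if plan["collect_seeds"] and source == "malwr":
        # documented above: Malwr put reCAPTCHA in front of its samples
        plan["warnings"].append("malwr collection does not work any more (Google reCAPTCHA)")
    return plan


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    try:
        plan = parse_odoriba_args(argv)
    except ValueError as exc:
        print("usage error: %s" % exc, file=sys.stderr)
        return 2
    for warning in plan["warnings"]:
        print("warning: %s" % warning, file=sys.stderr)
    print(plan)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running it as `python this_file.py vmware add ax` prints a plan with collect_seeds set to True; `python this_file.py xen add ax` exits with status 2 and a usage error, which is the behaviour you want when the command is driven from cron and nobody is watching the terminal.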
After Cuckoo Sandbox starts working, you can submit files and URLs on Cuckoo's submit page.
Install Example
OR
Install Cuckoo Sandbox and replace the above [modified and created files] in the cuckoo folder.
If you encounter errors, please try to handle them yourself first.
Some errors may happen because your working directory is still named cuckoo;
please rename it to odoriba or modify odoriba's source code yourself.
Recruit-CSIRT does not assume any responsibility for the use of odoriba.
You can take advantage of it at your own risk.