Over the last few months I have been playing with Cuckoo, and reworking its functionality to suit my own requirements. Part of this has involved separating components within Cuckoo into functional units.
This particular component relates to extracting the RAM from a VirtualBox machine for analysis after the VM has been stopped.
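As an added example (not code from this post or from Cuckoo itself), here is a small Python wrapper around VirtualBox's `VBoxManage debugvm <vm> dumpvmcore --filename <out>`, which writes the guest's RAM to an ELF core file, plus a header check that confirms the output is a core dump before it is handed to a memory-analysis tool. The function names, VM name and output path are this example's own; the dump has to be taken while the VM is still running or paused, immediately before it is powered off.

```python
import shutil
import struct
import subprocess
from pathlib import Path
from typing import List

# VBoxManage's "debugvm <vm> dumpvmcore --filename <out>" is the real VirtualBox
# command for dumping guest memory; the helper names below are this example's own.

def build_dump_command(vm_name: str, out_path: str) -> List[str]:
    """Return the argv for dumping a VM's guest RAM to an ELF core file."""
    if not vm_name or any(c.isspace() for c in vm_name):
        raise ValueError("VM name must be a single non-empty token")
    return ["VBoxManage", "debugvm", vm_name, "dumpvmcore", "--filename", str(out_path)]

def is_elf_core(header: bytes) -> bool:
    """Check that the first bytes are an ELF header whose e_type is ET_CORE (4)."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return False
    endian = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    return e_type == 4

def dump_vm_memory(vm_name: str, out_path: str) -> Path:
    """Dump a running/paused VM's RAM, then validate the file before returning it."""
    if shutil.which("VBoxManage") is None:
        raise RuntimeError("VBoxManage not found on PATH")
    out = Path(out_path)
    subprocess.run(build_dump_command(vm_name, out), check=True)
    with out.open("rb") as fh:
        if not is_elf_core(fh.read(64)):
            raise RuntimeError(f"{out} is not an ELF core dump")
    return out

if __name__ == "__main__":
    # Placeholder VM name and output path; change to match your own guest.
    print(dump_vm_memory("win10-analysis", "/tmp/win10-analysis.elf"))
```

Volatility 2 can read this ELF64 core format directly via its VirtualBox address space, so no conversion to a raw image is needed.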
Sometimes there is a need to analyse files in a live environment where their composition and provenance may not be entirely certain. For the most part we can try to rely on virus detection and heuristics to detect potentially malicious files, but what about those files which have not yet been identified, or have been specifically crafted for your organisation as a targeted attack?
This is where the Cuckoo sandbox can help in analysing files rapidly, and potentially feed into other threat-reporting and case-work systems. In this article I will show some of the functions which can be performed with Cuckoo and a Windows 10 virtual machine guest correctly configured to handle most payloads.