A pilot comparative analysis of the Cuckoo and Drakvuf sandboxes: an end-user perspective

Keywords: Sandbox, Cuckoo, Drakvuf, Malware behavior analysis

Abstract

Introduction/purpose: This paper reports on a pilot comparative analysis of the Cuckoo and Drakvuf sandboxes. These sandboxes are selected as the subjects of the analysis because of their popularity in the professional community and their complementary approaches to analyzing malware behavior.

Methods: Both sandboxes were set up with basic configurations and confronted with the same set of malware samples. The evaluation focused primarily on how helpful a sandbox is to the human analyst during malware analysis. Thus, only the information available in the Web console reports was considered.

Results: Drakvuf is expected to perform better when confronted with evasive malware and so-called “file-less” malware. Although still not mature in terms of integration, customization and tools, this sandbox is considered a second-generation sandbox because of its agentless design. On the other hand, the Cuckoo sandbox creates a better overall experience: it is supported by good documentation and a strong professional community, is better integrated with various tools, supports more virtualization platforms, operating systems and sample types, and generates more informative reports. Even with a smaller capacity to counter evasive malware, its Python 2 agent script makes it more powerful than Drakvuf.

Conclusion: To achieve optimal open-source sandbox-based protection, it is recommended to apply both the Cuckoo and Drakvuf sandboxes. In circumstances of limited resources, applying the Cuckoo sandbox is preferable, especially if exposure to malware deploying evasion techniques is not frequently expected.


Published: 2022/03/19
Section: Original Scientific Papers