What's new in Cuckoo Sandbox 1.0

After almost four years of development, version 1.0 has finally been released. This release brings serious improvements that make Cuckoo a fully fledged sandbox platform. On the main screen we can already see some of the newly added features: the ability to choose which machine the analysis will run on (so you can keep virtual machines with different Windows versions, for example XP and 7, 32- and 64-bit), and whether or not to take a memory dump of the guest (which makes processing take longer, and leaves behind a dump as large as the guest's RAM). The same choices are exposed on the command line by utils/submit.py through its --machine, --platform and --memory options. Cuckoo can now also process RTF, VBS and CPL files, and the performance boost makes a really noticeable difference.

[Screenshot: main screen]

The pending-tasks queue is also pretty nice: it is paginated, so it can display a practically unlimited number of rows linking to reports.

[Screenshot: wait queue]

In the static part of the analysis, the file's resources (for PE files) are now shown too, and the VirusTotal results are displayed in a more comfortable way, with a permalink to the scan results.

[Screenshot: static analysis resources]

[Screenshot: VirusTotal results]

There are new options to download the report in HTML format and to download the network capture as a PCAP (which is now filtered, so it no longer includes the traffic on the private analysis network).

But the main new feature is the integration of the amazing Volatility framework (which deserves a whole post by itself; there will be one soon, I promise). The virtual machine is paused and its memory is dumped, and Volatility commands are then run against that dump. Just as private-network traffic is filtered out of the PCAP, hooks and processes that belong to Cuckoo itself (the agent and the processes that were already running in the clean snapshot) can be filtered out of the Volatility output too. This requires a bit of editing of the configuration files: memory processing is switched on in conf/processing.conf, and the per-plugin settings and the process mask live in conf/memory.conf.
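
To make that mask concrete, here is an added example (written for this post, not Cuckoo's own code) of how a PID mask of the kind configured in conf/memory.conf's [mask] section removes pre-existing processes from a pslist while keeping any of them that malfind flagged as holding injected code. The config fragment is constructed from my reading of the 1.0 memory.conf (the section and key names, [mask], enabled, pid_generic and the per-plugin enabled/filter switches, should be checked against your own copy), and the pslist and malfind rows are constructed too:

```python
"""Added example: PID-mask filtering of Volatility output, modelled on the
[mask] section of Cuckoo 1.0's conf/memory.conf. Not Cuckoo's own code;
the config fragment and process lists below are constructed."""
import configparser

# Constructed fragment modelled on conf/memory.conf from Cuckoo 1.0.
# Section and key names are from memory; verify against your own copy.
MEMORY_CONF = """
[basic]
guest_profile = WinXPSP2x86
delete_memdump = no

[pslist]
enabled = yes
filter = on

[malfind]
enabled = yes
filter = on

[mask]
enabled = yes
pid_generic = 4, 368, 580, 1124
"""

# Constructed Volatility-style rows: what pslist and malfind might return
# for an XP guest where 4/368/580/1124 existed in the clean snapshot and
# sample.exe (1588) injected into svchost.exe (580) and spawned notepad.
PSLIST = [
    {"process_name": "System", "process_id": 4},
    {"process_name": "csrss.exe", "process_id": 368},
    {"process_name": "svchost.exe", "process_id": 580},
    {"process_name": "explorer.exe", "process_id": 1124},
    {"process_name": "sample.exe", "process_id": 1588},
    {"process_name": "notepad.exe", "process_id": 1640},
]
MALFIND = [
    {"process_name": "svchost.exe", "process_id": 580, "protection": "PAGE_EXECUTE_READWRITE"},
    {"process_name": "sample.exe", "process_id": 1588, "protection": "PAGE_EXECUTE_READWRITE"},
]


def parse_conf(conf_text):
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    return cfg


def load_mask(conf_text):
    """Return (mask_enabled, set of masked PIDs) from the [mask] section."""
    cfg = parse_conf(conf_text)
    enabled = cfg.getboolean("mask", "enabled", fallback=False)
    raw = cfg.get("mask", "pid_generic", fallback="")
    pids = {int(p) for p in (x.strip() for x in raw.split(",")) if p}
    return enabled, pids


def plugin_filter_on(conf_text, plugin):
    """Per-plugin 'filter' switch: only plugins with filter = on are masked."""
    return parse_conf(conf_text).getboolean(plugin, "filter", fallback=False)


def tainted_pids(malfind_rows):
    """PIDs malfind flagged as holding injected code. These are never masked
    away, even if they were already running in the clean snapshot."""
    return {row["process_id"] for row in malfind_rows}


def apply_mask(rows, masked, tainted, enabled=True):
    """Drop rows whose process_id is masked and not tainted."""
    if not enabled:
        return list(rows)
    keep = []
    for row in rows:
        pid = row.get("process_id")
        if pid in masked and pid not in tainted:
            continue  # pre-existing process, nothing injected: noise
        keep.append(row)
    return keep


def filtered_pslist(conf_text=MEMORY_CONF, pslist=PSLIST, malfind=MALFIND):
    """Run the mask over pslist the way the config says to."""
    enabled, masked = load_mask(conf_text)
    if not plugin_filter_on(conf_text, "pslist"):
        return list(pslist)
    return apply_mask(pslist, masked, tainted_pids(malfind), enabled)


if __name__ == "__main__":
    for row in filtered_pslist():
        print(row["process_id"], row["process_name"])
```

Run against the constructed input this keeps svchost.exe (580) despite it being masked, because malfind tainted it, plus sample.exe and notepad.exe; System, csrss.exe and explorer.exe drop out. To fill pid_generic for your own guest, take a pslist of a dump from the clean snapshot (or from an analysis of a harmless file) and list those PIDs: because every analysis restores the same snapshot, the PIDs of the pre-existing processes are stable, which is what makes a static list workable. Regenerate the list whenever you re-snapshot the machine, and keep malfind enabled, otherwise injection into a masked process would be hidden along with the process.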

[Screenshots: Volatility overview, pslist, dlllist, psxview]

Version 1.0 of Cuckoo is a really great improvement, and I recommend upgrading your personal malware analysis environment to this version.