OK, today's first tool comes from the Black Hat conference, which is underway right now. Note that this isn't a "black hat" tool: it is a diagnostic tool that lets any investigator determine exactly what a particular malware sample does, by recording the following (from the Cuckoo Sandbox homepage):

- Traces of native function and Windows API calls
- Copies of files created and deleted on the filesystem
- A dump of the memory of the selected process
- Screenshots of the desktop taken while the malware runs
- A network capture of the traffic generated by the analysis machine

Cuckoo itself runs on a Linux host (the installation manual recommends Ubuntu) and detonates the malware inside guest virtual machines, so you need a supported virtualization system alongside it (KVM, VirtualBox, etc.). Will this entire system run as a VM guest? I'm not sure on that one yet, and I haven't set up my home lab to test a scenario like that. It works fine running locally on my system and using VBox.
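Once an analysis finishes, the artifacts listed above land in Cuckoo's JSON report, and the quickest way to act on them is to pull out the handful of behaviours that matter for triage: what the sample wrote to the Run keys, what it dropped, what it spawned, and whom it talked to. The script below is an added example written for this post, not Cuckoo's own code. It parses a constructed, minimal report shaped like a Cuckoo 2.x report.json (the behavior.processes[].calls, dropped[] and network.dns/hosts field names are assumed from memory; check them against the report your version writes) and summarizes API calls by category, registry Run-key persistence, dropped files, spawned command lines and contacted hosts.

```python
import json
from collections import Counter

# Constructed stand-in for a Cuckoo report.json (not real analysis output).
# Field names assume the Cuckoo 2.x layout: behavior.processes[].calls,
# dropped[], network.dns[] and network.hosts[]; verify against your version.
SAMPLE_REPORT = json.dumps({
    "target": {"file": {"name": "invoice.exe", "sha256": "0" * 64}},
    "behavior": {
        "processes": [
            {"pid": 1234, "process_name": "invoice.exe", "calls": [
                {"api": "CreateFileW", "category": "file",
                 "arguments": {"filepath": "C:\\Users\\Public\\a.tmp"}},
                {"api": "WriteFile", "category": "file", "arguments": {}},
                {"api": "RegSetValueExW", "category": "registry",
                 "arguments": {"regkey": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}},
                {"api": "InternetOpenUrlA", "category": "network",
                 "arguments": {"url": "http://198.51.100.7/c"}},
                {"api": "CreateProcessInternalW", "category": "process",
                 "arguments": {"command_line": "cmd /c del invoice.exe"}},
            ]},
        ]
    },
    "dropped": [
        {"name": "a.tmp", "sha256": "1" * 64, "filepath": "C:\\Users\\Public\\a.tmp"},
    ],
    "network": {
        "dns": [{"request": "update.example", "answers": [{"data": "198.51.100.7"}]}],
        "hosts": ["198.51.100.7"],
    },
})


def load_report(text):
    """Parse the JSON text of a report into a dict."""
    return json.loads(text)


def _calls(report):
    """Yield (pid, call) for every API call recorded in every monitored process."""
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            yield proc.get("pid"), call


def api_stats(report):
    """Count API calls per Cuckoo category (file, registry, network, process, ...)."""
    counts = Counter(call.get("category", "unknown") for _, call in _calls(report))
    return dict(counts)


def persistence_indicators(report):
    """Registry writes under a CurrentVersion\\Run key: classic autostart persistence."""
    hits = []
    for pid, call in _calls(report):
        if call.get("category") != "registry":
            continue
        key = call.get("arguments", {}).get("regkey", "")
        if "\\currentversion\\run" in key.lower():
            hits.append((pid, call.get("api"), key))
    return hits


def spawned_commands(report):
    """Command lines passed to process-creation APIs (self-deletion, LOLBins, etc.)."""
    return [call.get("arguments", {}).get("command_line", "")
            for _, call in _calls(report) if call.get("category") == "process"]


def dropped_files(report):
    """(name, sha256) of every file Cuckoo copied out of the guest."""
    return [(d.get("name"), d.get("sha256")) for d in report.get("dropped", [])]


def network_contacts(report):
    """Contacted hosts, each paired with the DNS name that resolved to it, if any."""
    net = report.get("network", {})
    name_for = {}
    for entry in net.get("dns", []):
        for answer in entry.get("answers", []):
            name_for[answer.get("data")] = entry.get("request")
    return [(host, name_for.get(host)) for host in net.get("hosts", [])]


def triage(report_text):
    """One-screen summary of the behaviours an investigator looks at first."""
    report = load_report(report_text)
    return {
        "sample": report["target"]["file"]["name"],
        "api_stats": api_stats(report),
        "persistence": persistence_indicators(report),
        "spawned": spawned_commands(report),
        "dropped": dropped_files(report),
        "network": network_contacts(report),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The report is read defensively with .get() because a crashed or timed-out analysis leaves sections empty; the summary should still come out rather than fall over on the one sample you most want to look at.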