
How it works...

At a conceptual level, obtaining dynamic analysis results consists of running samples in an instrumented environment that lets the analyst collect runtime information. Cuckoo Sandbox is a flexible framework with prebuilt modules for doing exactly that. We began our recipe for using Cuckoo Sandbox by opening the web portal (Step 1); a command-line interface (CLI) exists as well. We then submitted a sample and selected the type of analysis we wished to perform (Steps 2 and 3); these steps, too, can be performed through the Cuckoo CLI. Next, we examined the analysis report (Step 4). At this stage you can see how the many modules of Cuckoo Sandbox are reflected in the final analysis output: for instance, if a module for capturing traffic is installed and used, the report will contain the captured data in the network tab. We then narrowed our view of the analysis to behavioral analysis (Step 5), and in particular to the sequence of API calls the sample made. API calls are the requests the sample makes to the operating system (file, registry, process, and network operations, among others), and the order in which they are made is recorded per monitored process. This sequence makes up a fantastic feature set that we will use to detect malware in future recipes. Finally, note that in a production environment it may make sense to build a custom sandbox with custom modules for data collection, and to equip it with software that counters the sample's VM-detection checks so that evasive samples still execute and the analysis succeeds.
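To show how the recorded API call sequence becomes a feature set, here is an added example (not code from the recipe or from the Cuckoo project) that reads the behavioral section of a Cuckoo-style `report.json` and turns it into ordered call sequences, API n-gram counts, and per-category tallies. The report layout (`behavior` -> `processes` -> `calls`, each call carrying `api` and `category` keys) is assumed from Cuckoo 2.x reports, and the embedded report is a constructed, minimal sample.

```python
import json
from collections import Counter

# Constructed stand-in for a Cuckoo 2.x report.json (assumed layout); only the
# behavior -> processes -> calls path that this example reads is filled in.
SAMPLE_REPORT = json.dumps({
    "behavior": {
        "processes": [
            {"pid": 1234, "process_name": "sample.exe", "calls": [
                {"api": "NtAllocateVirtualMemory", "category": "process"},
                {"api": "NtWriteVirtualMemory", "category": "process"},
                {"api": "CreateRemoteThread", "category": "process"},
                {"api": "NtCreateFile", "category": "file"},
                {"api": "InternetOpenUrlA", "category": "network"},
            ]},
            {"pid": 1300, "process_name": "child.exe", "calls": [
                {"api": "RegSetValueExA", "category": "registry"},
                {"api": "NtCreateFile", "category": "file"},
            ]},
        ]
    }
})


def _processes(report_json):
    """Yield the monitored process entries, tolerating missing sections."""
    report = json.loads(report_json)
    return report.get("behavior", {}).get("processes", [])


def api_sequence(report_json):
    """Ordered API names, one process after another in report order.
    (Concatenating per process keeps intra-process order but drops the
    interleaving between processes; sort on call timestamps if you need it.)"""
    seq = []
    for proc in _processes(report_json):
        seq.extend(c["api"] for c in proc.get("calls", []) if "api" in c)
    return seq


def ngram_features(seq, n=2):
    """Count sliding windows of n consecutive API names: the feature vector
    that lets a classifier see order (e.g. write memory -> create thread),
    not just which APIs were touched."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def category_counts(report_json):
    """Coarse per-category totals (file, registry, process, network, ...)."""
    counts = Counter()
    for proc in _processes(report_json):
        counts.update(c.get("category", "unknown") for c in proc.get("calls", []))
    return counts
```

Feed the functions the contents of a real `report.json` and the resulting counters can be vectorised directly for the detection recipes that follow.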
