Cuckoo Sandbox Book

Cuckoo Sandbox is an Open Source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while running in an isolated environment.

This guide will explain how to set up Cuckoo, use it and customize it.

Having troubles?

If you’re having troubles you might want to check out the FAQ as it may already have the answers to your questions.

• FAQ
  • General Questions
    • Can I analyze URLs with Cuckoo?
    • Can I use Volatility with Cuckoo?
  • Troubleshooting
    • After upgrade Cuckoo stops to work
    • Cuckoo stumbles and produces some error I don’t understand
    • Check and restore current snapshot with KVM
    • Check and restore current snapshot with VirtualBox
    • Unable to bind result server error

Otherwise you can ask the developers and/or other Cuckoo users, see Join the discussion.

Contents

• Introduction
  • Sandboxing
    • Using a Sandbox
  • What is Cuckoo?
    • Some History
    • Use Cases
    • Architecture
    • Obtaining Cuckoo
  • License
  • Disclaimer
  • Cuckoo Foundation
• Installation
  • Preparing the Host
    • Requirements
      • Installing Python libraries
      • Virtualization Software
      • Installing Tcpdump
      • Installing Volatility
    • Installing Cuckoo
      • Create a user
      • Install Cuckoo
    • Configuration
      • cuckoo.conf
      • auxiliary.conf
      • <machinery>.conf
      • memory.conf
      • processing.conf
      • reporting.conf
  • Preparing the Guest
    • Creation of the Virtual Machine
    • Requirements
      • Install Python
      • Additional Software
    • Network Configuration
      • Windows Settings
      • Virtual Networking
    • Installing the Agent
    • Saving the Virtual Machine
      • VirtualBox
      • KVM
      • VMware Workstation
    • Cloning the Virtual Machine
  • Upgrade from a previous release
    • Upgrade starting from scratch
    • Migrate your Cuckoo
• Usage
  • Starting Cuckoo
  • Submit an Analysis
    • Submission Utility
    • web.py
    • API
    • Python Functions
  • Web interface
    • Configuration
    • Usage
  • REST API
    • Starting the API server
    • Resources
      • /tasks/create/file
      • /tasks/create/url
      • /tasks/list
      • /tasks/view
      • /tasks/delete
      • /tasks/report
      • /tasks/screenshots
      • /files/view
      • /files/get
      • /pcap/get
      • /machines/list
      • /machines/view
      • /cuckoo/status
  • Analysis Packages
  • Analysis Results
    • analysis.conf
    • analysis.log
    • dump.pcap
    • memory.dmp
    • files/
    • logs/
    • reports/
    • shots/
  • Utilities
    • Cleanup utility
    • Submission Utility
    • Web Utility
    • Processing Utility
    • Community Download Utility
    • Database migration utility
• Customization
  • Auxiliary Modules
  • Machinery Modules
    • Configuration
    • LibVirt
  • Analysis Packages
    • Getting started
      • start()
      • check()
      • finish()
    • Options
    • Process API
      • Methods
  • Processing Modules
    • Global Container
    • Getting started
  • Signatures
    • Getting started
    • Creating your new signature
    • Evented Signatures
    • Helpers
  • Reporting Modules
    • Getting Started
• Development
  • Development Notes
    • Git branches
    • Release Versioning
    • Ticketing system
    • Contribute
  • Coding Style
    • Formatting
      • Copyright header
      • Indentation
      • Maximum Line Length
      • Blank Lines
      • Imports
      • Strings
      • Printing and Logging
      • Checking for keys in data structures
    • Exceptions
      • Naming
      • Exception handling
    • Documentation
    • Automated testing
• Final Remarks
  • Links
  • Join the discussion
  • Support Us
  • People
    • Active Developers
    • Contributors
  • Supporters