CHANGELOG
Cuckoo Sandbox 2.0-rc2 (2016-xx-xx)
===================================
* Import and Export analysis for improved debugging of user issues
* Added Elasticsearch support and rely on it for global search
* Fixed pythonw.exe execution for the new Agent
* Added initial MISP integration
* Added initial IRMA integration
* Added reboot analysis
* Added Process Monitor (procmon) support to aid debugging
* Added .docm documents to the Word document analysis package
* Added .wsf analysis package
* Added dynamic VBA analysis for Office 2007 products
* Added dynamic Javascript analysis for Adobe PDF Reader 9
* Added PE files reconstruction from memory dumps
* Added dump_delete option to delete process memory dumps after analysis
* Added sniffer.debug option to create a debug network capture
* Added PID tracking for dropped files
* Added per-task Cuckoo logging
* Added trigger support to the Cuckoo Monitor to reduce behavioral calls noise
* Added static analysis for Office and PDF samples
* Added screenshots auxiliary module for Mac OS X analysis
* Added IP address pinning for the new Cuckoo Agent
* Introduced the Gatherer (collects VM-specific information)
* Greatly improved the stability of the Cuckoo Monitor
* Fixed setting the clock in the Guest for non-English users
* Fixed support for Ubuntu 16.04
* Fixed Moloch-related web interface bugs
* Fixed title issue with the generic package
* Included Git hashes for debugging purposes in Cuckoo reports
* Improved tcpdump output and error filtering
* Enable special monitoring modes by default for malicious documents
* Use custom pefile2 package to avoid pefile issues
* Automatically start PowerPoint documents in slide show mode
* Use the Linux routing table for properly routing analysis traffic
* Document known 2.0-rc1 issues and fixes in our FAQ
* Prettify HTML and Javascript content
* Make Cuckoo Agent interaction less error prone on the Host
* Updated monitor to include various improvements and fixes
* Upgraded to the latest httpreplay version
* Improved dead host identification
* Added custom DNS server utility
* Added clicking through of French buttons
* Resolve names for CLSID identifiers
* Added meta information to our reports
* Experimental alpha version of VPN check cronjob script
* Many Web Interface UI & backend tweaks
* Many, many bug fixes and code tweaks
Cuckoo Sandbox 2.0-rc1 (2016-01-21)
===================================
* Added Suricata processing module
* Added screenshots processing module with OCR support
* Added mitmproxy support to intercept SSL/TLS traffic
* Added new Flask based distributed utility
* Added Javascript analyzer package
* Added Mozilla Firefox analyzer package
* Added auxiliary module to install a custom certificate in the analysis machine
* Added auxiliary module to dump TLS master secrets as used by Windows libraries
* Added analyzer for Linux
* Added Qemu machinery module
* Added PDB path extraction
* Added public / private keys extraction
* Added processing module for dropped buffers
* Added option to drop privileges to a specified user
* Added SMTP sinkhole utility
* Added Javascript execution with jsbeautifier
* Added "service" VM to optionally boot a second VM with honeyd support
* Added noagent machine option for not engaging with cuckoo agent
* Added nictrace machine option to have virtualbox dump network traffic
* Added per-machine options (allows setting extra options for each machine)
* Added near realtime detection and reflection of changes to guest status
* Added TLS & SSLv3 Master Secrets dump
* Added httpreplay dissector to show HTTP and HTTPS traffic
* Added option to skip calls from JSON report
* Added option to load the entire process memory dump into IDA Pro
* Added some process memory dump analysis improvements
* Added URLs parsing from memory dump and URLs whitelist
* Added tracking and reporting dead IP address/port combinations
* Added maliciousness scoring system
* Added option to web interface to submit dropped files for analysis
* Added some performance improvements to signature engine
* Added Volatility support for netscan and sockscan
* Added re-submit button to web interface
* Added baseline processing and representation
* Added traffic routing options
* Added moloch processing module
* Added Snort processing module
* HTML report is now disabled by default
* VirtualBox now starts in headless mode by default
* Improved physical machine support
* Improved reported data from VirusTotal
* Upgraded HTML analyzer package to Internet Explorer with proper setup phase
* Upgraded to MAEC 4.1
* Removed web.py interface
* Removed option to store analysis data in legacy CSV format
Cuckoo Sandbox 1.2 (2015-03-04)
===============================
* Added support for baremetal analysis (physical machinery module)
* Added XenServer machinery module
* Added process memory processing module
* Added support for Volatility 2.4 and additional modules
* Added more memory analysis information to web interface
* Added memory dump to VMware Workstation module
* Added machine information in reports
* Added skeleton for comparative analysis of two reports
* Added TCP and UDP streams hexdump view
* Added possibility to delete analysis from web interface
* Added search by string to web interface
* Added dynamic search of API call logs to web interface
* Added display of PE compilation time to web interface
* Added memory dump download to web interface
* Refactored analysis packages and simplified syntax
* Added analysis package for Microsoft PowerPoint
* Added analysis package for MSI (Windows installer package)
* Added analysis package for Python scripts
* Added loader option to DLL analysis package (fake parent process)
* Added additional signatures helper functions
* Added terminate_processes option to terminate processes before virtual machine shutdown
* Added option to skip an area when comparing screenshots, avoiding duplicates
* Added automatic generation of Yara rules indexes
* Added support for Pillow (PIL fork)
* Added machine utility to automatically update machinery configuration
* Added utility to distribute analysis across Cuckoo instances
* Added un-hook detection (if malware removes Cuckoo's hooks)
* Added Microsoft Crypto API hooks
* Added optional aggressive sleep skipping mode
* Allow Auxiliary modules to run a callback at the very end of an analysis
* Replaced ./utils/clean.sh with ./cuckoo.py --clean
* Replaced diStorm3 disassembler with Capstone disassembler
* Fixed process.py to use delete_original and delete_bin_copy when used in auto mode
* Fixed analysis of HTML pages without a proper extension
* Fixed logic bug in mouse activity emulator
* Fixed bug in the sleep skipping mechanism
* Fixed memory leak when using an old version of python-magic
* Fixed out of memory exceptions when calculating hash of big files
* Fixed BPF filter to skip agent traffic from PCAP
* Fixed a variety of bugs in Windows analyzer
* Fixed a number of anti-sandbox tricks
* Fixed locking issues with SQLite database
* Removed hpfeeds reporting module
Cuckoo Sandbox 1.1.1 (2014-10-07)
=================================
* Fixed path sanitization vulnerability in resultserver.
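The result server (see the 0.6 entry below) collects logs, files and screenshots pushed from the analysis guest, and the guest runs alongside the malware, so any path it supplies must be treated as hostile. The following is an added illustration of the kind of containment check such a fix requires; it is not Cuckoo's own code, and the storage root, function names and sample paths are assumptions made up for the example.

```python
import posixpath

# Constructed example: the per-analysis storage directory the result server
# is allowed to write into. Not a real Cuckoo configuration value.
STORAGE_ROOT = "/opt/cuckoo/storage/analyses/1"


class PathTraversalError(ValueError):
    """Raised when a guest-supplied path would escape the storage root."""


def sanitize_upload_path(root, untrusted_path):
    """Map a guest-supplied relative path onto an absolute path under root.

    Only relative paths are accepted. Absolute paths (POSIX or Windows
    drive-letter form), NUL bytes and any '..' component are rejected
    before normalisation, and the normalised result is then checked to
    still lie beneath root. The lexical check below does not follow
    symlinks; if root may contain symlinks, resolve both sides with
    os.path.realpath as well (assumption: not needed for this illustration).
    """
    if not isinstance(untrusted_path, str) or not untrusted_path:
        raise PathTraversalError("empty path")
    if "\x00" in untrusted_path:
        raise PathTraversalError("NUL byte in path")

    # Guest paths may use Windows separators; normalise them first.
    rel = untrusted_path.replace("\\", "/")
    if posixpath.isabs(rel) or (len(rel) > 1 and rel[1] == ":"):
        raise PathTraversalError("absolute path rejected: %r" % untrusted_path)

    # Reject '..' components explicitly instead of trusting normpath alone.
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        raise PathTraversalError("traversal component in %r" % untrusted_path)

    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, *parts))

    # Final containment check: candidate must be root itself or below it.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise PathTraversalError("escapes root: %r" % untrusted_path)
    return candidate


def is_safe_upload_path(root, untrusted_path):
    """Boolean wrapper, convenient for filtering a batch of guest paths."""
    try:
        sanitize_upload_path(root, untrusted_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample of paths a guest might send, benign and hostile.
    for p in ["files/dropped.exe", "shots\\0001.jpg", "../../etc/passwd",
              "/etc/passwd", "files/../../../x", "C:\\Windows\\x"]:
        print("%-24r -> %s" % (p, "ok" if is_safe_upload_path(STORAGE_ROOT, p) else "REJECTED"))
```

The check runs before any directory is created or file opened, so a rejected path never touches the filesystem; the explicit rejection of '..' components (rather than normalising and hoping) keeps the decision independent of how the platform's path library collapses dot segments.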
Cuckoo Sandbox 1.1 (2014-04-07)
===============================
* Added imphash to static PE analysis
* Added search for URLs in the web interface
* Added search for PE Imphash in the web interface
* Added possibility in web interface to queue to all machines
* Added filtering by behavior category in Django web interface
* Added analyzer log to Django web interface
* Added REST API to retrieve screenshots associated with a task
* Added REST API to retrieve the PCAP associated with a task
* Added database migration utility
* Added remote submission to submit.py utility
* Added small stats utility (utils/stats.py)
* Added analysis package for PowerShell scripts
* Added overlay configuration for signatures (data/signatures_overlay.json)
* Fixed bug in MAEC report
* Fixed package selection for Office documents and CPL scripts
* Fixed issue with tcpdump filters
* Fixed unhandled exception when uploading files to the analysis machines
* Fixed issues in CuckooMon that resulted in Internet Explorer crashes
* Fixed bug in CuckooMon that caused mutexes to be resolved as file paths
* Fixed bug in behavior processing module that resulted in a trailing backslash in summary's registry keys
* Multiple minor bug fixes
Cuckoo Sandbox 1.0 (2014-01-09)
===============================
* Introduced Auxiliary modules
* Added option to set sniffing interface for each virtual machine
* Added option to set snapshot for each virtual machine
* Added pagination to API
* Added option to REST API to return compressed archives of files ("all" and "dropped")
* Added option to set Result Server IP and port for each virtual machine
* Added processing module for volatility to analyze memory dumps, disabled by default
* Added new "reported" status for analysis tasks
* Added automated rescheduling of locked tasks at startup
* Added tags to machines
* Added reduced behavioral events
* Added new Django/Mongo-powered web interface
* Added Windows analyzer auxiliary module to disguise the analysis environment
* Added VBS, CPL and RTF analysis package
* Added generic analysis package to execute samples via cmd.exe
* Added MAEC 4.0.1 reporting module
* Added filter for private networks in Network Analysis processing module
* Added max_analysis_count to cuckoo.conf to automatically shutdown Cuckoo
* Added check for available disk space
* Added support for BSON logging format
* Added option to specify a custom DLL to the analyzer and the analysis packages
* Added ICMP protocol dissection
* Added ESX Virtual Machine Manager
* Slightly improved CuckooMon's stealthiness and stability
* Refactored processing to improve performances
* Refactored signature engine, introducing event-based signatures to improve performances
* Refactored generation of process tree
* Transitioned network sniffer to auxiliary module
* Renamed MachineManagers to Machinery modules
* Renamed Metadata to MMDef reporting module
* Fixed virtual machine clock: it is now set to the current time, or to the time specified by the user via the --clock option
* Fixed bug in Human auxiliary module, now moving cursor to absolute positions
* Fixed issue in Human auxiliary module, using SetCursorPos instead of mouse_event
* Fixed issues with resolving relative filenames in CuckooMon
* Removed support for GrayLog2
* Removed pickle reporting module
* Removed MAEC 1.1 reporting module
Cuckoo Sandbox 0.6 (2013-04-15)
===============================
* Added procmemdump option to all analysis packages
* Added randomization of folders and pipes in the analysis machines
* Added checks to block injection of Cuckoo's agent and analyzer
* Added configuration file for processing modules
* Added result server to collect logs, files, screenshots and all results in real-time
* Added option for enabling/disabling generation of CSV logs
* Added REST API function to delete analysis task
* Added matching of Yara signatures against dropped files
* Added default fail-over to the "exe" package when the correct one cannot be identified automatically
* Added password option to zip package
* Improved human auxiliary module
* Improved Sleep() bypass
* Improved dump of dropped files by tracking writing operations
* Improved creation of screenshots by calculating a diff threshold
* Fixed memory error issues
* Fixed bugs in analysis procedure logic and in deletion of original files
* Fixed bugs in MongoDB reporting module
* Fixed bugs in HTML reporting module
* Fixed bugs in VirusTotal processing module
* Fixed bug in handling GetLastError() result
* Fixed bug in network traffic capture
* Fixed bug in submission and creation of tasks in the database
* Removed hooks for NtOpenProcess, NtClose, NtAllocateVirtualMemory and VirtualFreeEx because of stability issues
Cuckoo Sandbox 0.5 (2012-12-20)
===============================
* Added native support for URL analysis
* Added full memory dump of the virtual machine
* Added base class for libvirt machine managers
* Added auxiliary modules for Windows analyzer
* Added Jar analysis package
* Added Java Applet analysis package
* Added Zip analysis package
* Added option to enforce full timeout execution
* Added support for Graylog2 logging
* Transitioned internal database to SQLAlchemy
* Added logging of analysis errors into the database
* Added logging of guest executions into the database
* Added logging of active analysis machines into the database
* Added logging of details of submitted samples into the database
* Added functionality for automatic version lookup to get notified of available updates
* Added possibility to order processing and reporting modules
* Added extraction of strings from analyzed binaries
* Added Yara signature with indicators of possible virtualization-aware samples
* Added dissection of intercepted SMTP traffic
* Added a REST API server to interact with Cuckoo
* Added user interaction emulation (clicking dialogs buttons and mouse movements)
* Added support for Windows 7 execution
* Added support for dumping queried and modified registry data
* Added more functions to be hooked and logged
* Added simple functionality to omit injection into Cuckoo processes
* Added support for dumping files with relative paths
* Added shared VirusTotal API key
* Introduced fairly smart way of skipping Sleep calls
* Unified utility for results processing and reports generation
* Improved analysis process logic
* Improved automatic analysis package selection
* Improved process injection and process following
* Improved dumping of modified files
* Improved logging to reduce the amount of useless entries
* Improved unicode support
* Improved management of analysis machines parallel execution
* Improved internal management of plugins and modules
* Improved dissection of intercepted DNS traffic
* Fixed bugs in connection with the agent
* Fixed some issues in dumping dropped files
* Fixed bug in termination of tcpdump processes
* Fixed bugs in MongoDB reporting module
* Fixed issues with internal DNS resolution
Cuckoo Sandbox 0.4.2 (2012-09-08)
=================================
* Added support for VMware Workstation
* Added VirtualBox status change monitor and option "timeout" to virtualbox.conf
* Added log file processing size limit and option "analysis_size_limit" to cuckoo.conf
* Added directory submission to submit.py utility
* Added community.py utility to sync custom modules from the community repository
* Fixed missing critical_timeout implementation
* Fixed delete_original race condition
* Fixed some bugs in virtual machine management
* Fixed submission with relative path
* Fixed UTF-8 chars handling in analysis.log
* Fixed race conditions in Windows analyzer
* Some minor fixes
Cuckoo Sandbox 0.4.1 (2012-08-09)
=================================
* Added Yara signatures to HTML report
* Replaced pyssdeep with pydeep
* Added support for signatures' version requirements
* Added unit tests
* Fixed delete_original race condition
* Fixed reconstruction of registry keys
* Fixed logging in cuckoomon
* Improved exception handling
Cuckoo Sandbox 0.4 (2012-07-24)
===============================
* Completely re-engineered the code base
* Replaced hooking mechanism and DLL with new, more solid code
* Removed dependency from VirtualBox
* Added support for KVM
* Introduced XMLRPC-based agent that handles the data exchange between host and guests
* Refactored the project structure
* Removed processor.py script
* Introduced support for multiple platforms and multiple analyzers
* Introduced support for custom virtualization modules
* Introduced support for custom post-analysis processing modules
* Introduced support for custom behavioral signatures
* Added VirusTotal support
* Added Yara support
* Added MongoDB reporting module
* Added HPFeeds reporting module
* Refactored Windows analyzer
* Refactored the analysis packages structure
* Introduced support for analysis packages' options
* Refactored Windows analyzer's API functions
* Introduced process memory dump support
* Introduced support for QueueUserAPC injection
Cuckoo Sandbox 0.3.2 (2012-02-04)
=================================
* Introduced MAEC analysis report.
* Introduced MAEC metadata report.
* Introduced Python pickled report.
* Added base64 encoded screenshots to CuckooDict.
* Added screenshots to HTML report.
* Added static analysis Python modules.
* Added static analysis to HTML report.
* Added list of unique involved hosts to HTML report.
* Added forced restore of snapshot at startup before checking if a virtual machine is in a valid state.
* Added forced restore of snapshots at Cuckoo's termination.
* Improved logging capabilities.
* Added invocation of processor.py on analysis failures as well.
* Added IPv6 support to PCAP processing.
* Added option to delete original files after submission.
* Added folder for additional files and data to drop.
* Added API category and parent ID to raw behavioral logs entries.
* Removed distorm3.dll as a system dependency.
* Fixed issue with dumped files' names.
* Fixed bug in web server's search functionality.
* Fixed generation of analysis duration time and timestamps.
* Fixed bug in acquisition of a user-specified virtual machine.
* Fixed PHP analysis package.
* Fixed processing of screenshots and refactored their file names to a 3 digit format.
* Fixed bugs on encoding special characters in analysis data and network packets.
* Decreased default analysis timeout.
* Removed instructions trace functionalities and analysis package.
Cuckoo Sandbox 0.3.1 (2011-12-28)
=================================
* Reintroduced an older version of cmonitor, in order to address troubles encountered in the 0.3 release.
* Fixed a bug in files dump caused by invalid or non-regular files such as named pipes.
* Disabled suspended mode in browsers' packages.
Cuckoo Sandbox 0.3 (2011-12-27)
===============================
* Introduced minimal web server with web interface to browse through the analysis reports.
* Added a reporting engine, configurable via reporting.conf, which supports reporting modules.
* Added HTML report.
* Added TXT report.
* Added JSON data export.
* Introduced support for URL submission.
* Added possibility to specify on which virtual machine to run the analysis.
* Added database interaction functions to search analysis by MD5.
* Introduced DLL analysis package.
* Introduced assembly instructions trace analysis package.
* Added MD5 filtering of dropped files.
* Added libmagic bindings to identify file types.
* Added pydoc comments to all sources.
* Added CRC32 hash.
* Added ssdeep hash.
* Added process tree generation class.
* Added UDP connections extraction.
* Built diStorm3 into cmonitor.
* Fixed cmonitor.
* Fixed chook.
* Migrated Cuckoo to Python's logging library.
* Improved Cuckoo User Guide.
* Added changelog file.
* Some minor fixes.
Cuckoo Sandbox 0.2 (2011-11-02)
===============================
First stable release, completely refactored.
Cuckoo Sandbox 0.1 beta (2011-02-05)
====================================
First public beta release.