As of 4/26/2017 I'm handing this repo off to others to fork and continue if they wish. Thanks to doomedraven, KillerInstinct, kevross33, SeanKim77, jgajek, keithjjones, pashashocky, Shane-Carr, seanthegeek, garanews, and all the other contributors I forgot to mention.
This fork aims to continue the work of the heavily modified version of Cuckoo Sandbox provided under the GPL by Optiv, Inc.
It offers a number of advantages over the upstream Cuckoo:
- Fully-normalized file and registry names
- 64-bit analysis
- Handling of WoW64 filesystem redirection
- Many additional API hooks
- Service monitoring
- Correlates API calls to malware call chains
- Ability to follow APC injection and stealth explorer injection
- Pretty-printed API flags
- Per-analysis Tor support
- Over 150 new signature modules (over 75 developed solely by Optiv)
- Anti-anti-sandbox and anti-anti-VM techniques built-in
- More stable hooking
- Ability to restore removed hooks
- Greatly improved behavioral analysis and signature module API
- Ability to post comments about analyses
- Deep hooks in IE's JavaScript and DOM engines usable for Exploit Kit identification
- Automatic extraction and submission of interesting files from ZIPs, RARs, RFC 2822 emails (.eml), and Outlook .msg files
- Direct submission of AV quarantine files (Forefront, McAfee, Trend Micro, Kaspersky, MalwareBytes, MSE/SCEP, and SEP12 formats currently supported)
- Automatic malware classification by Malheur
- Significant contributions from Jeremy Hedges, William Metcalf, and Kevin Ross
- Hundreds of other bugfixes
For more information on the initial set of changes, see: https://www.optiv.com/blog/improving-reliability-of-sandbox-results
If you want to contribute to development, feel free to submit a pull request.