jsonsandboxmalwaremalware-detectioncuckoo

understanding cuckoo sandbox json report


I have setup cuckoo sandbox and already analyzing some malware

the problem is im having a difficult time trying to understand the json report . could anyone please help me understand the following : UDP, procmemory, dns_servers , http , icmp, domains ,apistats ,processtree just a brief of what they are please attached sample picture of the json report thank you in advance

enter image description here


Solution

  • Well I think the output is pretty much clear if you just run one sample but anyway, if you want to better understand the output, you can check this paper.

    As far as I know, "domains", "DNS", "UDP", "TCP",... show the communications of the sample using these protocols. For example, if a malware tries to connect to a URL, then you will have a DNS query in "DNS" section, an HTTP query in "HTTP" section, a domain name in "domains" section and a "UDP" communication in the "UDP" section (since DNS queries are usually over UDP protocol) all related to that one URL the malware tries to connect.

    "apistats" shows the statistics about the API that are called by the sample file.

    "procmemory" shows the details about different region of the memory with their size, protection level, start and end address.

    I hope it helps.