A pilot comparative analysis of the Cuckoo and Drakvuf sandboxes: An end-user perspective

Authors:

Slaviša Ilić, Milan Gnjatović, Brankica Popović, Nemanja Maček

Abstract

Introduction/purpose: This paper reports on a pilot comparative analysis of the Cuckoo and Drakvuf sandboxes. These sandboxes were selected as the subjects of the analysis because of their popularity in the professional community and their complementary approaches to analyzing malware behavior.

Methods: Both sandboxes were set up with basic configurations and confronted with the same set of malware samples. The evaluation was conducted primarily with respect to the question of to what extent a sandbox helps the human analyst in malware analysis; therefore, only the information available in the Web console reports was considered.

Results: Drakvuf is expected to perform better when confronted with evasive malware and so-called "fileless" malware. Although still not mature in terms of integration, customization and tooling, this sandbox is considered a second-generation sandbox because of its agentless design. On the other hand, the Cuckoo sandbox creates a better overall experience: it is supported by good documentation and a strong professional community, is better integrated with various tools, supports more virtualization platforms, operating systems and sample types, and generates more informative reports. Even with a smaller capacity to counter evasive malware, its Python 2 in-guest agent script makes it more powerful than Drakvuf.

Conclusion: To achieve optimal open-source sandbox-based protection, it is recommended to apply both the Cuckoo and Drakvuf sandboxes. Under resource constraints, applying the Cuckoo sandbox is preferable, especially if exposure to malware deploying evasion techniques is not frequently expected.

Publisher

Centre for Evaluation in Education and Science (CEON/CEES)

Subject

General Engineering


Cited by 2 articles.

1. Redefining Malware Sandboxing: Enhancing Analysis Through Sysmon and ELK Integration. IEEE Access, 2024.

2. Integration of Results from Static and Dynamic Code Analysis into an Ontological Model. 2023 IEEE 12th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 7 September 2023.
