Skip to content

The current repository contains all the scripts needed to complement kernel-mode mac-a-mal malicious activity hooking on macOS to Cuckoo sandbox.

License

Notifications You must be signed in to change notification settings

phdphuc/mac-a-mal-cuckoo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This analyzer extends the open-source Cuckoo Sandbox (legacy) with functionality for analyzing macOS malware in macOS guest VM(s).

See Mac-A-Mal for kernel monitor module on guest machine.

Installation

Host setup

  1. Clone the cuckoo-legacy branch

  2. Run the following command to install the requirements packages:

sudo pip install -r requirements.txt

  1. Clone Mac-a-mal-cuckoo

  2. Replace subfolders in cuckoo-legacy with mac-a-mal-cuckoo's subfolders.

  3. Setting up VMWare/VirtualBox configuration in conf/ folder.

  4. Start cuckoo python ./cuckoo.py

  5. Skip to guest setup and return to this step after you've done with Guest virtual machine installation. Submit samples with sample's path and optional options: runas username instead of root, gctimeout timeout for kernel-mode macamal monitor, and timeout for total analysis time. python submit.py --platform darwin sample -o runas=admin,gctimeout=60 --timeout=600

Guest setup

macOS versions supported 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 10.12, and 10.13 (untested)

  1. Guest machine can be setup manually using VMWare or VirtualBox. (OSX 10.8 - password: summer) Documentation for setting up the environment.
  2. Download the Mac-a-mal for guest machine monitor, compile 2 binaries using Xcode: mac-a-mal.kext and grey-cuckoo. The agent in user-mode requires libevent for multithreading.
  3. Install dependencies:
sudo pip install pymongo
brew install libtiff libjpeg webp little-cms2
pip install Pillow
  1. Start the monitor and agent in super-user privilege is recommended.
 sudo chown -R root:wheel mac-a-mal.kext &&
 sudo kextload mac-a-mal.kext &&
 cp grey-cuckoo /tmp/&&
 sudo chown root:wheel /tmp/grey-cuckoo &&
 sudo python ./agent.py
  1. Take the snapshot of the guest machine

Credits

Sfylabs

About

The current repository contains all the scripts needed to complement kernel-mode mac-a-mal malicious activity hooking on macOS to Cuckoo sandbox.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published