Automate Advanced Dynamic Malware Analysis with Cuckoo Sandbox and DFLabs


Dynamic Malware Analysis

Malware has become increasingly complex and difficult to examine. The rate at which new malware is released, combined with the detection evasion techniques employed by modern malware, means that traditional anti-malware solutions and scanning techniques are sometimes ineffective. In cases where other detection and analysis tools are ineffective, or more detailed information about the malware is required, a more in-depth analysis solution is needed.

Today, security analysts and incident responders need to find ways to easily and effectively analyze malware, and to contain and remediate it as soon as possible should it pose a threat, before it becomes a potential security incident affecting the organization. Potential problems and questions security teams face on a daily basis include:

  1. How can I perform advanced analysis of unknown files?
  2. How can I determine the potential capabilities of malicious files?
  3. How can I quickly extract indicators from a malicious file?

In this blog post we will discuss how to overcome these common pain points by utilizing Cuckoo Sandbox in conjunction with DFLabs’ Security Orchestration, Automation and Response (SOAR) solution, IncMan SOAR, with an example use case.

About Cuckoo

Cuckoo Sandbox is the leading open source automated malware analysis system. You can throw any suspicious file at it and in a matter of minutes Cuckoo will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment.

Malware is the Swiss Army knife of cybercriminals and any other adversary to your corporation or organization. In these evolving times, detecting and removing malware artifacts is not enough: it’s vitally important to understand how they operate in order to understand the context, the motivations, and the goals of a breach.

Cuckoo Sandbox is free software that automates the task of analyzing any malicious file under Windows, OS X, Linux, and Android.

The DFLabs and Cuckoo Solution

DFLabs IncMan SOAR’s integration with Cuckoo Sandbox allows users to automate the dynamic analysis of malicious and unknown files, providing critical information during the incident response process.

Using Cuckoo Sandbox’s open source and highly customizable dynamic malware analysis capabilities, organizations can automate the advanced analysis of malicious and unknown files as part of the automated and orchestrated response to a potential security incident. Cuckoo Sandbox provides critical insights into the capabilities of a file, providing the basis for additional automated and manual decisions on the appropriate response to an incident.

Use Case

The following IncMan SOAR Rapid Response Runbook (R3 Runbook) could have many potential applications, from examining a suspicious email attachment to an unknown executable found on a host. The runbook begins by submitting the file to Cuckoo for analysis. IncMan allows the user to select the virtual machine which will be used to execute the file, which can be set as a default or chosen by the user at runtime.

Following the Cuckoo execution, the runbook retrieves the analysis from Cuckoo. As part of the analysis, Cuckoo extracts and documents many artifacts which can be further enriched, including network connection attempts, embedded URLs, dropped files and files gathered from process memory. The runbook continues by submitting these artifacts through the appropriate reputation services.

Following these reputation queries, a search of the organization’s SIEM or EDR solution is performed for any artifacts which were deemed potentially malicious. If the organization’s SIEM or EDR solution returns any results, indicating that the potentially malicious artifact has been observed in the organization’s environment, a notification is sent to the appropriate parties to initiate further investigation.
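The post-analysis half of the runbook described above (extract artifacts, check reputation, search the environment), sketched as an added example; this is not DFLabs or Cuckoo code. The report keys are assumed to follow the Cuckoo 2.x `report.json` layout, `192.168.56.0/24` is an assumed analysis network, and the report, the log lines and `demo_reputation` are constructed stand-ins for a real report, SIEM results and a threat-intelligence service.

```python
import ipaddress
# Constructed sample, trimmed to the report.json keys used below
# (key layout assumed from Cuckoo 2.x reports; hashes are placeholders).
REPORT = {
    "target": {"file": {"name": "invoice.exe", "sha256": "a" * 64}},
    "network": {
        "hosts": ["192.168.56.1", "198.51.100.23"],
        "domains": [{"domain": "cdn.example.test", "ip": "198.51.100.23"}],
        "http": [{"uri": "http://cdn.example.test/gate.php"}],
    },
    "dropped": [{"name": "svc.dll", "sha256": "b" * 64}],
}
# Constructed proxy log lines standing in for SIEM search results.
LOGS = [
    "2024-05-01T10:02:11Z host=ws-114 dst=198.51.100.23 url=http://cdn.example.test/gate.php",
    "2024-05-01T10:02:40Z host=ws-007 dst=203.0.113.9 url=http://intranet.example.test/",
]
SANDBOX_NET = ipaddress.ip_network("192.168.56.0/24")  # assumed analysis network

def extract_indicators(report):
    """Collect (type, value) pairs from the artifact sections of a report."""
    net = report.get("network", {})
    found = set()
    for ip in net.get("hosts", []):
        # Traffic to the sandbox's own gateway or resolver is noise, not an IOC.
        if ipaddress.ip_address(ip) not in SANDBOX_NET:
            found.add(("ip", ip))
    found.update(("domain", d["domain"]) for d in net.get("domains", []))
    found.update(("url", h["uri"]) for h in net.get("http", []))
    files = report.get("dropped", []) + [report.get("target", {}).get("file", {})]
    found.update(("sha256", f["sha256"]) for f in files if f.get("sha256"))
    return found

def enrich(indicators, reputation):  # keep only what the lookup flags
    return {i for i in indicators if reputation(*i) == "malicious"}

def hunt(indicators, log_lines):
    """Return (value, line) where a log field equals a flagged indicator."""
    hits = []
    for line in log_lines:
        fields = {kv.split("=", 1)[1] for kv in line.split() if "=" in kv}
        hits += [(v, line) for _, v in sorted(indicators) if v in fields]
    return hits

def demo_reputation(kind, value):  # hypothetical stand-in for a threat-intel lookup
    return "malicious" if value in {"198.51.100.23", "b" * 64} else "unknown"
if __name__ == "__main__":
    for value, line in hunt(enrich(extract_indicators(REPORT), demo_reputation), LOGS):
        print("notify:", value, "seen in", line)
```

Matching on whole log fields rather than substrings keeps an indicator such as `198.51.100.23` from also matching `198.51.100.230`.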


A complete understanding of the capabilities of a malicious file can be critical in determining the full scope of the potential risk to an organization. Cuckoo simplifies this often complex process by automating dynamic malware analysis and providing analysts with critical information, including possible indicators of compromise. Still, it remains the job of analysts to research each of these potential IOCs to determine which, if any, may be malicious, then search for them across the enterprise.

Using IncMan SOAR, organizations can extract these indicators using Cuckoo, then automatically enrich them using their internal and external threat intelligence sources of choice. Based on the associated threat intelligence, organizations can automatically block any of these indicators, containing the threat while further investigation occurs to stop the immediate risk to the organization. IncMan even allows organizations to automatically search across the enterprise using their SIEM, EDR or other technology to check for any other occurrences of the IOCs, quickly determining if the incident has spread beyond the initially defined scope.
