Exploit Kit Hunting with Cuckoo Sandbox, presented at FIRST Conference Kuala Lumpur 2018

by Jurriaan Bremer and Andres Elliku

Summary: Cuckoo Sandbox is the leading open source automated malware analysis system, used by tens of thousands of users including hundreds of international CERT/SOC/IR teams.

In this presentation we'll take a look at the highlights of our recent developments in Cuckoo Sandbox regarding the automated analysis of in-the-wild exploits and payloads used by Exploit Kits, our capabilities for performing an offline replay of such analyses (allowing one to re-run the analysis over and over again), and our work in progress on performing many URL analyses in parallel. Through this new functionality we aim to simplify obtaining relevant information and IOCs from Exploit Kits, something that up until now has been a mostly manual and complex job.

This presentation will briefly highlight how organizations can use our new functionality in their own teams. We'll provide demos from which both novice and expert users can quickly grasp what's going on, how they could replicate a replay of various known/captured Exploit Kits on their own systems, and high-level information on analyzing tens or hundreds of thousands of URLs per day for the presence of Exploit Kits using Cuckoo Sandbox.

With a growing team of researchers and developers, Cuckoo Sandbox is becoming more mature by the month. We're always looking to improve it further (feedback from our community helps a lot here!) and are working on a number of novel features that we expect to be widely adopted in the CERT community over the next years.