{"id":986,"date":"2017-05-19T13:00:26","date_gmt":"2017-05-19T13:00:26","guid":{"rendered":"http:\/\/www.adlice.com\/?p=986\/"},"modified":"2022-12-21T10:35:06","modified_gmt":"2022-12-21T10:35:06","slug":"cuckoo-sandbox-customization-v2","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/es\/cuckoo-sandbox-customization-v2\/","title":{"rendered":"Cuckoo Sandbox Customization (V2)"},"content":{"rendered":"\n<p><strong>Cuckoo Sandbox is a neat open source project <\/strong>used by many people around the world to <strong>test malware into a secure environment<\/strong>, to understand how they work and what they do. Cuckoo is <strong>written in a modular way<\/strong>, with python language. It&#8217;s really easy to customize, and this is what I&#8217;m going to show you here.<\/p>\n\n\n\n<p>This post is a <a href=\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization\/\">rewrite of the previous post<\/a>, that was about Cuckoo V1, updated for Cuckoo V2.<\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Cuckoo Sandbox<\/h4>\n\n\n\n<p>You can <a href=\"https:\/\/www.cuckoosandbox.org\/\"><strong>download and install Cuckoo Sandbox here<\/strong><\/a>, and here&#8217;s a <a href=\"http:\/\/docs.cuckoosandbox.org\/en\/latest\/\"><strong>tutorial on how to configure it<\/strong><\/a>. We will not cover the installation of cuckoo itself because the guide is really well done.<\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Customization, the idea<\/h4>\n\n\n\n<p><strong>Let&#8217;s study a real example<\/strong> that we&#8217;ve done for our own purpose, here at Adlice Labs. We wanted an easy way to <strong>test for malware removal<\/strong> <a href=\"https:\/\/www.adlice.com\/software\/roguekiller\/\"><strong>with our software, RogueKiller<\/strong><\/a>. The idea is to get a removal report for malware that we send to the sandbox, let&#8217;s take a look.<\/p>\n\n\n\n<p>The Cuckoo team <a href=\"http:\/\/docs.cuckoosandbox.org\/en\/latest\/customization\/\"><strong>made a guide for customization as well<\/strong><\/a>, this will be our reference.<br><strong>In our templates below, for consistency all our file modules will be named &#8220;custom.py&#8221;. Just adapt to your case.<\/strong><\/p>\n\n\n\n<p>In the below, I will reference 2 different folders by the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>$$CUCKOO: \/usr\/local\/lib\/python2.7\/dist-packages\/cuckoo\/<\/strong> (cuckoo installation path)<\/li>\n\n\n\n<li><strong>$$CWD:<\/strong> Cuckoo working directory, depends on you<\/li>\n<\/ul>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Auxiliary (guest) module<\/h4>\n\n\n\n<p>The auxiliary guest modules are located into <strong>$$CWD\/analyzer\/windows\/modules\/auxiliary.<\/strong><br>They are <strong>executed before the malware, on the guest machine<\/strong>. Therefore they can be useful to log some initial state machine information.<\/p>\n\n\n\n<p>They don&#8217;t need to be activated by a config section, once the file is here it gets executed.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import logging\nimport json\n\nfrom common.abstracts import Auxiliary\nfrom common.results import NetlogFile\n\nlog = logging.getLogger(__name__)\n\nclass Custom(Auxiliary):\n    \"\"\"Gather custom data\"\"\"\n\n    def __init__(self, options={}, analyzer=None):\n        Auxiliary.__init__(self, options, analyzer)\n\n    def start(self):\n        log.info(\"Starting my Custom auxiliary module\")\n        nf = NetlogFile(\"logs\/initial.json\")\n        nf.send(json.dumps(&#91;'foo', {'bar': ('baz', None, 1.0, 2, False)}]))<\/code><\/pre>\n\n\n\n<p><br>As a result, an initial.json file is created into \/logs.<\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Package module<\/h4>\n\n\n\n<p>The package modules are located into <strong>$$CWD\/analyzer\/windows\/modules\/packages.<\/strong><br>They are responsible for <strong>executing and injecting the malware<\/strong> for analysis, they are <strong>executed on the guest<\/strong>.<br>You can <strong>define different execution routines, depending on the type<\/strong> of malware (exe, swf, pdf, &#8230;)<br>I have implemented the finish method to make some post execution actions, we will see later for a concrete example of this.<\/p>\n\n\n\n<p>They don&#8217;t need to be activated by a config section, once the file is here it gets executed.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import os\nimport shlex\nimport json\nimport logging\n\nfrom common.abstracts import Package\nfrom common.results import NetlogFile\n\nlog = logging.getLogger(\"analyzer\")\n\nclass CustomExe(Package):\n    \"\"\"Custom analysis package.\"\"\"\n\n    def start(self, path):\n        args = self.options.get(\"arguments\", \"\")\n\n        name, ext = os.path.splitext(path)\n        if not ext:\n            new_path = name + \".exe\"\n            os.rename(path, new_path)\n            path = new_path\n\n        return self.execute(path, args=shlex.split(args))\n\n    # Post execution\n    def finish(self):\n        nf = NetlogFile(\"logs\/post.json\")\n        nf.send(json.dumps(&#91;'foo', {'bar': ('baz', None, 1.0, 2, False)}]))\n        return True<\/code><\/pre>\n\n\n\n<p><br>As a result, a post.json file is created into \/logs.<\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Processing module<\/h4>\n\n\n\n<p>The processing modules are located into <strong>$$CUCKOO\/processing.<\/strong><br>They are <strong>executed on the host<\/strong>, to append data generated by the modules above into <a href=\"http:\/\/docs.cuckoosandbox.org\/en\/latest\/customization\/processing\/#global-container\"><strong>the global container<\/strong><\/a>. That way, the data will be available by all the next modules for processing and reporting.<\/p>\n\n\n\n<p>To enable a new processing module, <strong>you need to add the section below into $$CWD\/conf\/processing.conf<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;custom]\nenabled = yes<\/code><\/pre>\n\n\n\n<p><br>You also need to <strong>add a field to the dictionary defined in $$CUCKOO\/common\/config.py<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\"processing\": {\n            \"analysisinfo\": {\n                \"enabled\": Boolean(True),\n            },\n            \"apkinfo\": {\n                \"enabled\": Boolean(False),\n                \"decompilation_threshold\": Int(5000000),\n            },\n            \"baseline\": {\n                \"enabled\": Boolean(False),\n            },\n            \"behavior\": {\n                \"enabled\": Boolean(True),\n            },\n            \"custom\": {\n                \"enabled\": Boolean(True),\n            },\n            ...\n},<\/code><\/pre>\n\n\n\n<p><br>And finally add your module into <strong>$$CUCKOO\/processing.<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import os\nimport json\n\nfrom cuckoo.common.abstracts import Processing\nfrom cuckoo.common.exceptions import CuckooProcessingError\n\nclass Custom(Processing):\n    \"\"\"Analysis custom information.\"\"\"\n\n    def run(self):\n        \"\"\"Run debug analysis.\n        @return: debug information dict.\n        \"\"\"\n        self.key = \"custom\"\n        data = {}\n        try:\n          #initial\n          custom_log = os.path.join(self.logs_path, \"initial.json\")\n          with open(custom_log) as json_file:          \n            data&#91;\"initial\"] = json.load(json_file)\n        except Exception, e:\n          raise CuckooProcessingError(str(e))\n\n        try:\n          #post\n          custom_log = os.path.join(self.logs_path, \"post.json\")\n          with open(custom_log) as json_file:          \n            data&#91;\"post\"] = json.load(json_file)\n        except Exception, e:\n          raise CuckooProcessingError(str(e))\n\n        return data<\/code><\/pre>\n\n\n\n<p><br>As a result, data from initial.json and post.json are appended into the global container. If the Json reporting module (builtin) is enabled, you will retrieve their content into it, under the &#8220;custom&#8221; key.<\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Reporting module<\/h4>\n\n\n\n<p>The reporting modules are located into <strong>$$CUCKOO\/reporting.<\/strong><br>They are <strong>executed on the host<\/strong>, to translate data from <a href=\"http:\/\/docs.cuckoosandbox.org\/en\/latest\/customization\/processing\/#global-container\"><strong>the global container<\/strong><\/a> into a different format. It could be a <strong>HTML page, json file, even a PDF<\/strong> or something else.<\/p>\n\n\n\n<p>To enable a new reporting module, <strong>you need to add the section below into $$CWD\/conf\/reporting.conf<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;custom]\nenabled = yes<\/code><\/pre>\n\n\n\n<p><br>You also need to <strong>add a field to the dictionary defined in $$CUCKOO\/common\/config.py<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> \"reporting\": {\n            \"feedback\": {\n                \"enabled\": Boolean(False),\n            },\n            \"jsondump\": {\n                \"enabled\": Boolean(True),\n                \"indent\": Int(4),\n                \"calls\": Boolean(True),\n            },\n            \"custom\": {\n                \"enabled\": Boolean(True),\n            },\n            ...\n},<\/code><\/pre>\n\n\n\n<p><br>And finally add your module into <strong>$$CUCKOO\/reporting.<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import os\nimport json\nimport codecs\n\nfrom cuckoo.common.abstracts import Report\nfrom cuckoo.common.exceptions import CuckooReportError\n\nclass Custom(Report):\n    \"\"\"Saves custom results in JSON format.\"\"\"   \n    def run(self, results):\n        \"\"\"Writes report.\n        @param results: Cuckoo results dict.\n        @raise CuckooReportError: if fails to write report.\n        \"\"\"\n\n        try:\n            path = os.path.join(self.reports_path, \"custom.json\")\n\n            with codecs.open(path, \"w\", \"utf-8\") as report:\n                json.dump(results&#91;\"custom\"], report, sort_keys=False, indent=4)\n        except (UnicodeError, TypeError, IOError) as e:\n            raise CuckooReportError(\"Failed to generate JSON report: %s\" % e)\n\n\ufeff<\/code><\/pre>\n\n\n\n<p><br>As a result, data from initial.json and post.json that was stored in the global container is returning back to a single &#8220;custom.json&#8221; file. But we could have easily done a HTML, a PDF or something else.<\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Add new section to HTML report<\/h4>\n\n\n\n<p>If you use the web server, it may be useful to <strong>get the information displayed for your new module<\/strong>. This can be achieved by defining new templates and adding routes.<\/p>\n\n\n\n<p>First create your template into <strong>$$CUCKOO\/web\/templates\/analysis\/pages\/custom\/index.html.<\/strong> This is the file that you will need to modify for your needs.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{% extends \"base.html\" %}\n{% load staticfiles %}\n{% load analysis_tags %}\n{% block content %}\n    \n    &lt;div class=\"flex-nav\"&gt;\n        {% include \"analysis\/pages\/nav-sidebar.html\" %}\n        &lt;section class=\"flex-nav__body cuckoo-analysis\" tabindex=\"0\"&gt;\n\n            &lt;header class=\"page-header cuckoo-analysis__header\"&gt;\n                &lt;h2&gt;&lt;i class=\"fa fa-eye\"&gt;&lt;\/i&gt; My Custom Data&lt;\/h2&gt;\n            &lt;\/header&gt;\n\n            &lt;div class=\"container-fluid\"&gt;\n                &lt;div class=\"row\"&gt;\n                    &lt;div class=\"col-md-12\"&gt;\n                        &lt;div class=\"tabbable tabs\"&gt;\n                            &lt;pre&gt;{{report.analysis.custom}}&lt;\/pre&gt;\n                        &lt;\/div&gt; \n                    &lt;\/div&gt;\n                &lt;\/div&gt;\n            &lt;\/div&gt;\n\n            &lt;!-- footer replacement to avoid double scrollbars --&gt;\n            &lt;footer class=\"flex-grid__footer center-left\"&gt;\n                &lt;p class=\"footnote\"&gt;\n                    &amp;copy;2010-2017 &lt;a href=\"http:\/\/www.cuckoosandbox.org\" target=\"_blank\"&gt;Cuckoo Sandbox&lt;\/a&gt;\n                &lt;\/p&gt;\n                &lt;div class=\"logo\"&gt;\n                    &lt;img src=\"{% static \"graphic\/cuckoo_inverse.png\" %}\" alt=\"Cuckoo Malware Analysis Sandbox\" \/&gt;\n                    &lt;a href=\"#\"&gt;Back to Top&lt;\/a&gt;\n                &lt;\/div&gt;\n            &lt;\/footer&gt;\n            \n        &lt;\/section&gt;\n    &lt;\/div&gt;\n\n{% endblock %}<\/code><\/pre>\n\n\n\n<p><br>Then you need to <strong>update the sidebars to add your section to the navigation<\/strong>. The 2 files to be modified are the following, and are quite similar:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>$$CUCKOO\/web\/templates\/analysis\/pages\/sidebar.html<\/strong><\/li>\n\n\n\n<li><strong>$$CUCKOO\/web\/templates\/analysis\/pages\/nav-sidebar.html<\/strong><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>{% if report.analysis.custom %}\n&lt;li&gt;\n\t&lt;a href=\"{% url \"analysis\" report.analysis.info.id \"custom\" %}\"\n\t{% if env.view_kwargs.page == 'custom' %} class=\"active\" {% endif %}&gt;\n\t\t&lt;i class=\"fa fa-eye\"&gt;&lt;\/i&gt; \n\t\t&lt;span&gt;My Custom Data&lt;\/span&gt;\n\t&lt;\/a&gt;\n&lt;\/li&gt;\n{% endif %}\n\n...\n\n{% if report.analysis.custom %}\n&lt;li&gt;\n\t&lt;a href=\"{% url \"analysis\" report.analysis.info.id \"custom\" %}\"&gt;\n\t\t&lt;i class=\"glyphicon glyphicon-eye\"&gt;&lt;\/i&gt;My Custom Data\n\t&lt;\/a&gt;\n&lt;\/li&gt;\n{% endif %}<\/code><\/pre>\n\n\n\n<p><br>To finish, you need to <strong>add the route for your section in $$CUCKOO\/web\/controllers\/analysis\/routes.py<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pages = {\n\t\"summary\": \"summary\/index\",\n\t\"static\": \"static\/index\",\n\t\"behavior\": \"behavior\/index\",\n\t\"network\": \"network\/index\",\n\t\"custom\": \"custom\/index\",\n\t...\n}<\/code><\/pre>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Concrete use case: Removal report<\/h4>\n\n\n\n<p>The idea is to <strong>get a removal report <\/strong>for a malware with a given <a href=\"https:\/\/www.adlice.com\/roguekiller\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>anti-malware scanner, RogueKiller<\/strong><\/a>.<br>To do so, we will use a new auxiliary module, for which <strong>we will write a finish routine that runs and injects our antimalware<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/usr\/bin\/env python\nimport logging\nimport os\nimport shlex\nimport json\nimport logging\nimport urllib2\nimport tempfile\n\nfrom common.abstracts import Auxiliary\nfrom common.results import NetlogFile\nfrom common.results import upload_to_host\nfrom api.process import Process\nfrom common.defines import KERNEL32\n\nlog = logging.getLogger(__name__)\n\nclass RogueKiller(Auxiliary):\n    \"\"\"Gather custom data\"\"\"\n\n    def __init__(self, options={}, analyzer=None):\n        Auxiliary.__init__(self, options, analyzer)\n        \n    def start(self):\n        pass\n\n    def finish(self):        \n        # removal scanner\n        log.info(\"RogueKiller: Starting removal\")\n        try: \n          #download\n          response = urllib2.urlopen(\"http:\/\/link_to_roguekillercmd.exe\")\n          f = tempfile.NamedTemporaryFile(delete=False)           \n          data = response.read()   \n          f.write(data)\n           \n          #rename\n          path = f.name + \".exe\"          \n          f.close()\n          os.rename(f.name, path)\n          log.info(\"Downloaded remover program to %s\", path)        \n          \n\n          #execute (without injection, too many problems)\n          args = \"-scan \\\"-pupismalware -pumismalware -autodelete -portable-license C:\\\\rk_config.ini -reportpath C:\\\\rkcmd.log -reportformat txt\\\" -dont_ask\"\n          #pid  = self.execute(path, args=shlex.split(args))\n          p = Process()\n          \n          # we need to lock the analyzer while we start and exclude our remover process\n          self.analyzer.process_lock.acquire()\n          \n          if not p.execute(path=path, args=shlex.split(args), free=True):\n            raise CuckooPackageError(\"Unable to execute the initial process, \"\"analysis aborted.\")\n          pid = p.pid  \n          \n          # add to monitored list, so that it will never tried to be injected\n          self.analyzer.process_list.add_pid(pid)\n          \n          # unlock\n          self.analyzer.process_lock.release()\n          \n          log.info(\"Executing remover program with args: %s\", args)\n\n          #wait for end\n          while Process(pid=pid).is_alive():\n              KERNEL32.Sleep(1000)\n          \n          #get report\n          upload_to_host(\"C:\\\\rkcmd.log\", \"logs\/removal.log\")\n          log.info(\"Executed remover program with args: %s\", args)\n\n        except Exception, e:\n          log.exception(\"Error while loading the remover program\")<\/code><\/pre>\n\n\n\n<p><br>After the analysis is done, finish() is called. In this method <strong>we download in a temporary file our anti-malware<\/strong> (in CLI version), then we <strong>run it outside of cuckoo injection, to be faster and not put junk into the report<\/strong>.<\/p>\n\n\n\n<p>Once the report is generated we upload it back to the host to attach it to our analysis. Then the cuckoo report is generated and <strong>we can compare what the malware did, and what the anti-malware was able to catch and remove<\/strong>. Simple as that!<\/p>\n\n\n\n<p>In our example below, the malware was a fake putty binary, notice the <a href=\"https:\/\/www.adlice.com\/roguekillercmd\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>RogueKillerCMD scanner<\/strong><\/a> running.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/cuckoo1.png\"><img decoding=\"async\" width=\"1307\" height=\"736\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/cuckoo1.png\" alt=\"cuckoo1\" class=\"wp-image-421\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/cuckoo1.png 1307w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/cuckoo1-300x169.png 300w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/cuckoo1-1024x577.png 1024w\" sizes=\"(max-width: 1307px) 100vw, 1307px\" \/><\/a><\/figure>\n\n\n\n<p>We then <strong>define a processing module<\/strong>, that will put the generated data into the global container:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import os\nimport json\nimport io\n\nfrom cuckoo.common.abstracts import Processing\nfrom cuckoo.common.exceptions import CuckooProcessingError\n\nclass RogueKiller(Processing):\n    \"\"\"Analysis custom information.\"\"\"\n\n    def run(self):\n        \"\"\"Run debug analysis.\n        @return: debug information dict.\n        \"\"\"\n        self.key = \"roguekiller\"\n        try:\n          custom_log = os.path.join(self.logs_path, \"removal.log\")\n          with io.open(custom_log, 'r', encoding='utf-16-le') as report_file:          \n            #data = json.load(report_file)\n            data = report_file.read()\n        except Exception, e:\n          raise CuckooProcessingError(str(e))\n\n        return data<\/code><\/pre>\n\n\n\n<p><br>To finish, we have <strong>added our section in the HTML templates<\/strong> (as described above). This is the result:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a class=\"dt-single-image\" href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg\"><img decoding=\"async\" width=\"1359\" height=\"746\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg\" alt=\"\" class=\"wp-image-987\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg 1359w, https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo-300x165.jpg 300w, https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo-1024x562.jpg 1024w\" sizes=\"(max-width: 1359px) 100vw, 1359px\" \/><\/a><\/figure>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Links<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/docs.cuckoosandbox.org\/en\/latest\/customization\/\">http:\/\/docs.cuckoosandbox.org\/en\/latest\/customization\/<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/stackoverflow.com\/questions\/27816127\/add-module-inside-cuckoo-sandbox\">http:\/\/stackoverflow.com\/questions\/27816127\/add-module-inside-cuckoo-sandbox<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/cuckoosandbox\/cuckoo\/issues\/892\">https:\/\/github.com\/cuckoosandbox\/cuckoo\/issues\/892<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/cuckoosandbox\/cuckoo\/issues\/888\">https:\/\/github.com\/cuckoosandbox\/cuckoo\/issues\/888<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/cuckoosandbox\/cuckoo\/issues\/1580\">https:\/\/github.com\/cuckoosandbox\/cuckoo\/issues\/1580<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/cuckoosandbox\/cuckoo\/issues\/1579\">https:\/\/github.com\/cuckoosandbox\/cuckoo\/issues\/1579<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Get an anti-malware removal report with a very simple cuckoo sandbox customization. Learn how Cuckoo works and how to add custom modules.<\/p>\n","protected":false},"author":1,"featured_media":987,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[84],"tags":[7,332,368,8,369],"class_list":["post-986","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorial","tag-analysis","tag-cuckoo","tag-customization","tag-malware","tag-sandbox","category-84","description-off"],"views":5175,"yoast_score":65,"yoast_readable":60,"featured_image_src":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg","author_info":{"display_name":"tigzy","author_link":"https:\/\/www.adlice.com\/es\/author\/tigzy\/"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cuckoo Sandbox Customization (V2) | Create Module \u2022 Adlice Software<\/title>\n<meta name=\"description\" content=\"Get an anti-malware removal report with a very simple cuckoo sandbox customization. Learn how Cuckoo works and how to add custom modules. Version 2\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/\" \/>\n<meta property=\"og:locale\" content=\"es_ES\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cuckoo Sandbox Customization (V2) | Create Module \u2022 Adlice Software\" \/>\n<meta property=\"og:description\" content=\"Get an anti-malware removal report with a very simple cuckoo sandbox customization. Learn how Cuckoo works and how to add custom modules. Version 2\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/\" \/>\n<meta property=\"og:site_name\" content=\"Adlice Software\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/RogueKiller\" \/>\n<meta property=\"article:published_time\" content=\"2017-05-19T13:00:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-12-21T10:35:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1359\" \/>\n\t<meta property=\"og:image:height\" content=\"746\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"tigzy\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:site\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"tigzy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tiempo de lectura\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/\"},\"author\":{\"name\":\"tigzy\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\"},\"headline\":\"Cuckoo Sandbox Customization (V2)\",\"datePublished\":\"2017-05-19T13:00:26+00:00\",\"dateModified\":\"2022-12-21T10:35:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/\"},\"wordCount\":980,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg\",\"keywords\":[\"analysis\",\"cuckoo\",\"customization\",\"malware\",\"sandbox\"],\"articleSection\":[\"Tutorial\"],\"inLanguage\":\"es\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/\",\"url\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/\",\"name\":\"Cuckoo Sandbox Customization (V2) | Create Module \u2022 Adlice Software\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg\",\"datePublished\":\"2017-05-19T13:00:26+00:00\",\"dateModified\":\"2022-12-21T10:35:06+00:00\",\"description\":\"Get an anti-malware removal report with a very simple cuckoo sandbox customization. Learn how Cuckoo works and how to add custom modules. Version 2\",\"breadcrumb\":{\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#breadcrumb\"},\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#primaryimage\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg\",\"width\":1359,\"height\":746},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.adlice.com\/es\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cuckoo Sandbox Customization (V2)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.adlice.com\/#website\",\"url\":\"https:\/\/www.adlice.com\/\",\"name\":\"Adlice Software\",\"description\":\"Anti-malware and analysis tools\",\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.adlice.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"es\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.adlice.com\/#organization\",\"name\":\"Adlice Software\",\"url\":\"https:\/\/www.adlice.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"width\":276,\"height\":276,\"caption\":\"Adlice Software\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/RogueKiller\",\"https:\/\/x.com\/AdliceSoftware\",\"https:\/\/fr.linkedin.com\/company\/adlice-software\",\"https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\",\"name\":\"tigzy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"caption\":\"tigzy\"},\"description\":\"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.\",\"url\":\"https:\/\/www.adlice.com\/es\/author\/tigzy\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cuckoo Sandbox Customization (V2) | Create Module \u2022 Adlice Software","description":"Get an anti-malware removal report with a very simple cuckoo sandbox customization. Learn how Cuckoo works and how to add custom modules. Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/","og_locale":"es_ES","og_type":"article","og_title":"Cuckoo Sandbox Customization (V2) | Create Module \u2022 Adlice Software","og_description":"Get an anti-malware removal report with a very simple cuckoo sandbox customization. Learn how Cuckoo works and how to add custom modules. Version 2","og_url":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/","og_site_name":"Adlice Software","article_publisher":"https:\/\/www.facebook.com\/RogueKiller","article_published_time":"2017-05-19T13:00:26+00:00","article_modified_time":"2022-12-21T10:35:06+00:00","og_image":[{"width":1359,"height":746,"url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg","type":"image\/jpeg"}],"author":"tigzy","twitter_card":"summary_large_image","twitter_creator":"@AdliceSoftware","twitter_site":"@AdliceSoftware","twitter_misc":{"Escrito por":"tigzy","Tiempo de lectura":"8 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#article","isPartOf":{"@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/"},"author":{"name":"tigzy","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d"},"headline":"Cuckoo Sandbox Customization (V2)","datePublished":"2017-05-19T13:00:26+00:00","dateModified":"2022-12-21T10:35:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/"},"wordCount":980,"commentCount":0,"publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"image":{"@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg","keywords":["analysis","cuckoo","customization","malware","sandbox"],"articleSection":["Tutorial"],"inLanguage":"es"},{"@type":"WebPage","@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/","url":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/","name":"Cuckoo Sandbox Customization (V2) | Create Module \u2022 Adlice Software","isPartOf":{"@id":"https:\/\/www.adlice.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#primaryimage"},"image":{"@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg","datePublished":"2017-05-19T13:00:26+00:00","dateModified":"2022-12-21T10:35:06+00:00","description":"Get an anti-malware removal report with a very simple cuckoo sandbox customization. Learn how Cuckoo works and how to add custom modules. Version 2","breadcrumb":{"@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/"]}]},{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#primaryimage","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/rk_cuckoo.jpg","width":1359,"height":746},{"@type":"BreadcrumbList","@id":"https:\/\/www.adlice.com\/cuckoo-sandbox-customization-v2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.adlice.com\/es\/"},{"@type":"ListItem","position":2,"name":"Cuckoo Sandbox Customization (V2)"}]},{"@type":"WebSite","@id":"https:\/\/www.adlice.com\/#website","url":"https:\/\/www.adlice.com\/","name":"Adlice Software","description":"Anti-malware and analysis tools","publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.adlice.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"},{"@type":"Organization","@id":"https:\/\/www.adlice.com\/#organization","name":"Adlice Software","url":"https:\/\/www.adlice.com\/","logo":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","width":276,"height":276,"caption":"Adlice Software"},"image":{"@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/RogueKiller","https:\/\/x.com\/AdliceSoftware","https:\/\/fr.linkedin.com\/company\/adlice-software","https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ"]},{"@type":"Person","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d","name":"tigzy","image":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","caption":"tigzy"},"description":"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.","url":"https:\/\/www.adlice.com\/es\/author\/tigzy\/"}]}},"_links":{"self":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts\/986","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/comments?post=986"}],"version-history":[{"count":0,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts\/986\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/media\/987"}],"wp:attachment":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/media?parent=986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/categories?post=986"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/tags?post=986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}