This analyzer extends the open-source Cuckoo Sandbox (legacy) with functionality for analyzing macOS malware in macOS guest VM(s).
See Mac-A-Mal for kernel monitor module on guest machine.
Installation
Host setup
-
Clone the cuckoo-legacy branch
-
Run the following command to install the requirements packages:
sudo pip install -r requirements.txt
-
Clone Mac-a-mal-cuckoo
-
Replace subfolders in cuckoo-legacy with mac-a-mal-cuckoo's subfolders.
-
Setting up VMWare/VirtualBox configuration in
conf/folder. -
Start cuckoo
python ./cuckoo.py -
Skip to guest setup and return to this step after you've done with Guest virtual machine installation. Submit samples with sample's path and optional options: runas username instead of root, gctimeout timeout for kernel-mode macamal monitor, and timeout for total analysis time.
python submit.py --platform darwin sample -o runas=admin,gctimeout=60 --timeout=600
Guest setup
macOS versions supported 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 10.12, and 10.13 (untested)
- Guest machine can be setup manually using VMWare or VirtualBox. (OSX 10.8 - password: summer) Documentation for setting up the environment.
- Download the Mac-a-mal for guest machine monitor, compile 2 binaries using Xcode: mac-a-mal.kext and grey-cuckoo. The agent in user-mode requires libevent for multithreading.
- Install dependencies:
sudo pip install pymongo
brew install libtiff libjpeg webp little-cms2
pip install Pillow
- Start the monitor and agent in super-user privilege is recommended.
sudo chown -R root:wheel mac-a-mal.kext &&
sudo kextload mac-a-mal.kext &&
cp grey-cuckoo /tmp/&&
sudo chown root:wheel /tmp/grey-cuckoo &&
sudo python ./agent.py
- Take the snapshot of the guest machine