Blog.

02-03-2020

Analyzing Metasploit Payloads

Using our own custom x86 emulator to decode Metasploit payloads.

Read
01-24-2020

Short Guide: Submitting Zip Files to Triage

Read
01-07-2020

Powershell Static Analysis & Emotet results

PowerShell quirks and the Emotet metadata stream.

Read
Series
12-18-2019
Understanding Ransomware

Detecting Sodin

Hatching's Understanding Ransomware blog series continues with a closer look at the Sodin ransomware and how to detect it during dynamic analysis.

Read
11-12-2019

Reversing Qakbot

A blog on reversing Qakbot/Qbot and getting the results with Hatching Triage.

Read
Series
10-30-2019
Understanding Ransomware

General Techniques

The first blog in our new series on ransomware discusses and showcases numerous ransomware detection techniques and what to look for in sandbox analyses.

Read
07-03-2019

Cuckoo Sandbox Setup for People in a Hurry

This blog is an installation guide for a straightforward Cuckoo Sandbox setup that leverages as much of the built-in automation as possible.

Read
Series
05-07-2019
Making the Call

Why We Want More Arbiters

Why are more Arbiters better? The final blog of the series on our PolySwarm arbitership talks about why we want to have more and diverse Arbiters, as well as how to become an Arbiter.

Read
03-13-2019

Cuckoo Sandbox Architecture

Taking a closer look at the analysis flow of Cuckoo Sandbox and all the components responsible for the automated malware analysis process.

Read
02-20-2019

Release of Cuckoo-compatible onemon Windows kernel driver

First release of our Cuckoo-compatible Windows kernel driver.

Read
Series
12-17-2018
Making the Call

The Tech Behind Our PolySwarm Arbiter

Find out how we cast our vote and settle bounties. Part two in our series on our PolySwarm arbitership takes a closer look at the technical side of it all.

Read
Series
11-27-2018
Making the Call

The First PolySwarm Arbiter

Hatching has integrated Cuckoo Sandbox as the first Arbiter of PolySwarm's threat intelligence marketplace. This is the first in a series of three blog posts on our PolySwarm Arbitership.

Read
11-12-2018

LNK HTA Polyglot

A little while ago, we came across an interesting attack vector using a polyglot LNK/HTA delivery mechanism. We were interested to see how it would fare under Cuckoo, so we built one and ran it through the analysis.

Read
10-29-2018

Analysis on Locky dropper mechanisms

This analysis aims to identify common code structures and methods typically used in various droppers associated with Locky ransomware. It is based on a sample set of 2631 JavaScript samples identified as dropper scripts delivering Locky. The results are illustrated through the analysis of three samples.

Read
10-15-2018

IQY malspam campaign

Analysis of a malspam campaign leveraging .IQY (Excel Web Query) files containing a Dynamic Data Exchange query to achieve code execution through native Excel functionality.

Read
10-03-2018

Hooking VBScript execution in Cuckoo

Details on implementation of Visual Basic Script instrumentation for Cuckoo Monitor for extraction of dynamically executed VBScript.

Read
09-18-2018

Cuckoo Sandbox 2.0.6 pentest

Thanks to our friends at PolySwarm for sponsoring a pentest of Cuckoo 2.0.6 by Cure53. The report identified some issues (none of which critical) that have been addressed and released in the 2.0.7a1 alpha release. This blog post discusses our fixes and mitigations.

Read