The current repository contains all the scripts needed to complement kernel-mode mac-a-mal malicious activity hooking on macOS to Cuckoo sandbox.
This analyzer extends the open-source Cuckoo Sandbox (legacy) with functionality for analyzing macOS malware in macOS guest VM(s).
See Mac-A-Mal for kernel monitor module on guest machine.
Clone the cuckoo-legacy branch
Run the following command to install the requirements packages:
sudo pip install -r requirements.txt
Clone Mac-a-mal-cuckoo
Replace subfolders in cuckoo-legacy with mac-a-mal-cuckoo's subfolders.
Setting up VMWare/VirtualBox configuration in conf/
folder.
Start cuckoo
python ./cuckoo.py
Skip to guest setup and return to this step after you've done with Guest virtual machine installation. Submit samples with sample's path and optional options: runas username instead of root, gctimeout timeout for kernel-mode macamal monitor, and timeout for total analysis time.
python submit.py --platform darwin sample -o runas=admin,gctimeout=60 --timeout=600
macOS versions supported 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 10.12, and 10.13 (untested)
sudo pip install pymongo
brew install libtiff libjpeg webp little-cms2
pip install Pillow
sudo chown -R root:wheel mac-a-mal.kext &&
sudo kextload mac-a-mal.kext &&
cp grey-cuckoo /tmp/&&
sudo chown root:wheel /tmp/grey-cuckoo &&
sudo python ./agent.py