idanr1986 / cuckoo-droid

CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.

APK and URL submitted but not analyzed #35

Closed 100303536 closed 7 years ago

100303536 commented 7 years ago

I have cuckoo droid installed and I can start cuckoo.py and submit an APK and a URL to be analyzed, but I don't see any performance on the emulator and in the final report, no information is given and the screenshots show nothing. I've followed these 2 guides to install the cuckoo droid and neither of them works: https://hydrasky.com/malware-analysis/how-to-install-cuckoodroid/ and https://github.com/idanr1986/cuckoo-droid/issues/10.

Any idea what I might be missing?

jbremer commented 7 years ago

Did you resolve this issue? Sorry for not replying to your email yet, but at the moment we don't do all that much Android analysis ourselves, so any and all feedback is welcome!

100303536 commented 7 years ago

Yes, I finally solved it by updating Cuckoo to the newest version and it's working fine, although I don't know how to enable the HTML report, but I really don't need it.

The problem was between Cuckoo 1.2 and Cuckoo Droid. If Cuckoo 2.0.2 and Cuckoo Droid are installed as described in both their documentations, it works. Just note that the Cuckoo Droid instructions say to clone the Cuckoo git repository and specify "-b 1.2". That makes git install Cuckoo version 1.2, so just remove that option and it will work fine.

Thanks, Santiago


jbremer commented 7 years ago

Thanks @100303536 for the feedback! When you say "as described in both their documentation", does that mean that there are steps missing in Cuckoo's official documentation or are the cuckoo-droid docs ready to be copied over 1:1? Also, did you end up doing any modifications on Cuckoo's Android stuff, or did it work out of the box once set up? Thanks again for the feedback. It's been a while since we really put effort into Android - we hope to do so soon'ish, but any and all additional feedback is useful for that.

100303536 commented 7 years ago

The Cuckoo documentation is correct. What I tried to say is that some of the steps to download Cuckoo Droid should be modified in order to work with Cuckoo 2.

  1. Install Cuckoo 2 as described in the documentation
  2. Correct the Cuckoo Droid git README as indicated in the attached image
  3. Configure Cuckoo Droid as described in the documentation

I haven't made any modification on Cuckoo's Android stuff yet. My aim is to analyze URLs. In the Bachelor thesis I'm just creating a proof of concept. The report generated by Cuckoo doesn't give much information, so I guess I should create my own Yara rules to capture malicious behavior, but that will be future work.

Regards, Santiago


100303536 commented 7 years ago

Sorry I didn't attach the image: [image: Inline images 1]


idanr1986 commented 7 years ago

Hi Santiago, sorry for the late response. What type of info are you seeking to get when running URLs in CuckooDroid?

100303536 commented 7 years ago

I've been told that malware on Android comes mainly when you click on a URL and are redirected to an exploit (less common) or to an APK. I want to capture which redirections the URL makes and whether any exploit/APK is downloaded. I've analyzed a URL that downloads an APK and all I got is what you can see in the report.json I attach. I can see that a connection is made to the website, but I can only see that a file has been downloaded in the screenshots, where I see the downloaded file's Android icon.

This will be the main functionality of Cuckoo Droid for this project. I've seen that Cuckoo Droid takes too much time just to verify these things, and I was wondering if I could disable features related to analysing APKs or other things that my Cuckoo Droid will not do but that may be running and making Cuckoo Droid take too long in the analysis.

Regards, Santiago
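
The goal described in the comment above (listing the redirections a URL makes and spotting a resulting APK download), as an added example that is not part of the original thread or of CuckooDroid. The exchange records, their field names and the hosts are constructed assumptions and do not reproduce Cuckoo's report.json schema.

```python
from urllib.parse import urljoin, urlsplit

APK_MIME = "application/vnd.android.package-archive"
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a ZIP archive
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample exchanges; hosts and field names are hypothetical.
SAMPLE = [
    {"url": "http://short.example/abc", "status": 302,
     "headers": {"Location": "http://landing.example/promo"}, "body": b""},
    {"url": "http://landing.example/promo", "status": 301,
     "headers": {"location": "/files/update.apk"}, "body": b""},
    {"url": "http://landing.example/files/update.apk", "status": 200,
     "headers": {"Content-Type": "application/octet-stream"},
     "body": ZIP_MAGIC + b"\x14\x00" + b"AndroidManifest.xml" + b"\x00" * 8},
]

def header(exchange, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in exchange["headers"].items():
        if key.lower() == name.lower():
            return value
    return None

def redirect_chain(exchanges, start_url, max_hops=10):
    """Follow Location headers from start_url through the captured exchanges."""
    by_url = {e["url"]: e for e in exchanges}
    chain, url = [], start_url
    # Stop on an unseen URL, a redirect loop, or too many hops.
    while url in by_url and url not in chain and len(chain) < max_hops:
        chain.append(url)
        exchange = by_url[url]
        location = header(exchange, "Location")
        if exchange["status"] not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # resolves relative Location values
    return chain

def apk_indicators(exchange):
    """Return the reasons a response looks like an APK download."""
    reasons = []
    ctype = (header(exchange, "Content-Type") or "").split(";")[0].strip().lower()
    if ctype == APK_MIME:
        reasons.append("mime")
    if urlsplit(exchange["url"]).path.lower().endswith(".apk"):
        reasons.append("extension")
    body = exchange["body"]
    # ZIP stores entry names uncompressed, so the manifest name is visible.
    if body.startswith(ZIP_MAGIC) and b"AndroidManifest.xml" in body:
        reasons.append("zip+manifest")
    return reasons
```

Checking the body as well as the Content-Type matters because the sample server labels the APK as `application/octet-stream`, which a MIME-only check would miss.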


100303536 commented 7 years ago

Hi Idan,

Sorry for disturbing, but if you could give me any information about what I told you in the last e-mail it would be great, as in three weeks I will deliver my bachelor thesis, and the more features I can add to the Cuckoo Droid analysis, the better it would be for me.

Thanks in advance, Santiago


100303536 commented 7 years ago

Hi Idan,

I'm currently still working on the project and I'm trying to make CuckooDroid work with a higher version of Android, such as Lollipop. I'm facing problems with the "XposedFramework". Have you managed to use a higher Android version than KitKat?

Best regards, Santiago
