ACUBETotal - The One-Stop Portal
Welcome to ACUBE! ACUBE stands for "Automated Analysis and Attribution" (three As, hence A3 or A-cube).
ACUBE's objective is to automate the analysis and identification of common malware. Advanced malware, such as that developed by APTs, is not the intended target. Ideally, when given a large batch of samples, ACUBE lets analysts sift out the common ones that do not require their attention and focus instead on the files that ACUBE fails to identify. Even for those advanced samples, ACUBE can still be useful: it reports what the various tools found, and the function similarity model can identify known functions within the binary.
ACUBE does so by:
- Running all the common tools used by malware analysts
- Dynamic analysis: detonating the sample and observing its capabilities
- Using a function similarity model to help identify functions found within malware (WiP)
ACUBE is made up of 3 teams:
- Sandbox team
  - Fork of the open-source CAPEv2 sandbox
  - Responsible for detonating the sample in a controlled environment (the sandbox)
  - Tracks the malware's behaviour and capabilities via API calls and signatures
  - Capable of malware configuration and payload extraction
- Correlation team (WiP)
- ACUBETotal team
  - Builds a modular pipeline system that integrates all components into a single system and runs tools in parallel
  - Web portal and API to present results to users
  - Aggregation of information via OpenCTI, an open-source threat intelligence platform
Sandbox
CAPEv2 is written in Python, with the hooking engine CAPEmon written in C. It uses Django for the web UI, PostgreSQL and MongoDB as databases, and SQLAlchemy as the object-relational mapper.
- Detonation of all files
  - Support different operating systems (Windows, Linux, Android, etc.)
  - Support all the different file types analysts receive (e.g. docx, exe, elf, pdf, ps1)
- Complete detonation of the full attack chain
  - Often requires network simulation (e.g. INetSim, FakeDNS) so that the sample's download and C2 stages proceed without real internet access
  - Support custom C2 scripts written by malware analysts
  - Some sandboxes instead let the sample reach the real network endpoints, but only through a controlled egress path (e.g. a VPN) rather than the analyst's own network
- Monitoring of malware capabilities
  - Monitor typical Indicators of Compromise (IOCs) (e.g. registry keys, files, mutexes, etc.)
  - Monitor network traffic
  - Overcome anti-sandbox techniques (e.g. anti-hooking techniques)
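The monitoring points above (API calls, IOCs such as files, registry keys and mutexes, DNS traffic, and signatures that name a capability) come together in the sandbox report. The following is an added example, not code from ACUBE or CAPEv2: it parses a constructed report, flattens it into IOC lists and applies a few behavioural signatures. The report layout it assumes (behavior.summary.{files,keys,mutexes}, behavior.processes[].calls[], network.dns[]) is modelled on the general shape of a CAPE/Cuckoo-style report.json and is an assumption, not the guaranteed schema; the signature names and thresholds are likewise the example's own.

```python
"""Pull IOCs out of a sandbox report and run a few behavioural signatures over it.

Added example, not code from ACUBE or CAPEv2. The report below is constructed for
illustration; its layout (behavior.summary.{files,keys,mutexes},
behavior.processes[].calls[], network.dns[]) is an assumption modelled on the
general shape of a CAPE/Cuckoo-style report.json, not a guaranteed schema.
"""
import json
import re
from collections import Counter

APPDATA = "C:\\Users\\user\\AppData\\Roaming\\svchost.exe"
RUN_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"

# Constructed sample report: a dropper that writes a fake svchost.exe to AppData,
# persists via a Run key, checks for a debugger and resolves its C2 domain.
SAMPLE_REPORT_JSON = json.dumps({
    "target": {"file": {"name": "invoice.exe", "sha256": "00" * 32}},
    "behavior": {
        "summary": {
            "mutexes": ["Global\\ExampleMutex_7f3a"],
            "files": [APPDATA, "C:\\Users\\user\\Desktop\\invoice.exe"],
            "keys": [RUN_KEY, "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"],
        },
        "processes": [{
            "pid": 1234, "process_name": "invoice.exe",
            "calls": [
                {"api": "CreateMutexW", "arguments": {"MutexName": "Global\\ExampleMutex_7f3a"}},
                {"api": "IsDebuggerPresent", "arguments": {}},
                {"api": "NtWriteFile", "arguments": {"HandleName": APPDATA}},
                {"api": "RegSetValueExW", "arguments": {"FullName": RUN_KEY}},
                {"api": "CreateProcessInternalW", "arguments": {"CommandLine": APPDATA}},
            ],
        }],
    },
    "network": {
        "dns": [{"request": "update.example.invalid", "answers": [{"data": "198.51.100.7"}]}],
    },
})


def load_sample() -> dict:
    return json.loads(SAMPLE_REPORT_JSON)


def extract_iocs(report: dict) -> dict:
    """Flatten the behavioural summary and DNS section into de-duplicated IOC lists."""
    summary = report.get("behavior", {}).get("summary", {})
    dns = report.get("network", {}).get("dns", [])
    return {
        "mutexes": sorted(set(summary.get("mutexes", []))),
        "files": sorted(set(summary.get("files", []))),
        "registry": sorted(set(summary.get("keys", []))),
        "domains": sorted({e["request"] for e in dns if e.get("request")}),
        "ips": sorted({a["data"] for e in dns for a in e.get("answers", []) if a.get("data")}),
    }


def api_histogram(report: dict) -> Counter:
    """Count hooked API calls across all monitored processes."""
    return Counter(c["api"] for p in report.get("behavior", {}).get("processes", [])
                   for c in p.get("calls", []))


# Signatures here are plain predicates over (report, iocs). The idea is the same as a
# sandbox signature: turn raw behaviour into a named capability the analyst can act on.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
APPDATA_EXE_RE = re.compile(r"\\AppData\\.*\.(exe|dll|scr)$", re.I)
SYSTEM_DIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}


def sig_persistence_run_key(report, iocs):
    return any(RUN_KEY_RE.search(k) for k in iocs["registry"])


def sig_drops_exe_in_appdata(report, iocs):
    return any(APPDATA_EXE_RE.search(f) for f in iocs["files"])


def sig_masquerades_system_binary(report, iocs):
    # A well-known system binary name written outside the system directories.
    return any(f.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES and not SYSTEM_DIR_RE.search(f)
               for f in iocs["files"])


def sig_anti_debug(report, iocs):
    return bool(set(api_histogram(report)) & ANTI_DEBUG_APIS)


SIGNATURES = {
    "persistence_run_key": sig_persistence_run_key,
    "drops_exe_in_appdata": sig_drops_exe_in_appdata,
    "masquerades_system_binary": sig_masquerades_system_binary,
    "anti_debug": sig_anti_debug,
}


def match_signatures(report: dict) -> list:
    iocs = extract_iocs(report)
    return [name for name, fn in SIGNATURES.items() if fn(report, iocs)]


if __name__ == "__main__":
    rep = load_sample()
    print(json.dumps(extract_iocs(rep), indent=2))
    print("signatures:", match_signatures(rep))
    print("top APIs:", api_histogram(rep).most_common(3))
```

The point of keeping the IOC extraction separate from the signatures is that the IOC lists are what gets pushed downstream (correlation against past submissions, OpenCTI), while the signature hits are what the analyst reads first; a report with no signature hits but unusual IOCs is exactly the kind of sample that deserves a second look.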
Correlation
ACUBETotal
ACUBETotal can be split into 3 main portions - the Web UI, the pipeline, and the miscellaneous microservices.
The web platform is written in Next.js/React with TypeScript. Other libraries in use are TailwindCSS for styling and NextAuth.js, on which the custom-built SSO solution is based.
The pipeline is written in Node.js, with Prisma as the object-relational mapper. Currently, the results are mostly stored on the filesystem, with a record of each submission stored in PostgreSQL.
In the future, the results may be stored on either MinIO or MongoDB instead of the filesystem.
Most of the microservices are written in Python, using FastAPI to expose APIs that ACUBETotal queries for each submission. The microservices communicate with each other either through those APIs or through a message queue (RabbitMQ).
- Run multiple tools and processes in the shortest time possible
  - Multi-processing in the form of microservices
- Provide links between the current submission and past samples for better linkage of IOCs
- Present users with information in the best form
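The pipeline's job is to fan one submission out to every tool at once, wait for all of them, and still produce a result when one tool crashes or hangs. The following is an added example, not ACUBETotal's own pipeline (which is Node.js) or one of its microservices: it uses only the Python standard library and threads in place of separate services so that it runs offline. The sample bytes, the tool names, the `run_pipeline`/`summarise` helpers and the result layout are all constructed for illustration.

```python
"""Fan one submission out to several analysis tools in parallel and aggregate the
results, keeping a crash or hang in one tool from taking down the rest.

Added example, not ACUBETotal's own pipeline (which is Node.js) or its
microservices; it uses only the Python standard library and threads so that it
runs offline. The sample bytes, tool names and result layout are constructed.
"""
import hashlib
import math
import re
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Constructed sample: a bare MZ header, the usual DOS stub text, an embedded URL
# and a high-entropy tail standing in for a packed section.
SAMPLE = (b"MZ" + b"\x90" * 62
          + b"This program cannot be run in DOS mode.\r\n"
          + b"http://example.invalid/update\x00"
          + bytes(range(256)) * 2)

MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"%!PS": "ps"}
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def tool_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def tool_filetype(data: bytes) -> dict:
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return {"type": name}
    return {"type": "unknown"}


def tool_entropy(data: bytes) -> dict:
    """Shannon entropy in bits per byte; values close to 8 hint at packing or encryption."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return {"entropy": round(h, 3), "packed_hint": h > 7.0}


def tool_strings(data: bytes) -> dict:
    strings = [s.decode("ascii") for s in STRING_RE.findall(data)]
    urls = [u.decode("ascii") for u in URL_RE.findall(data)]
    return {"count": len(strings), "urls": urls, "sample": strings[:5]}


def tool_broken(data: bytes) -> dict:
    # Stands in for a tool that crashes on this input; the pipeline must survive it.
    raise RuntimeError("parser choked on input")


TOOLS = {
    "hashes": tool_hashes,
    "filetype": tool_filetype,
    "entropy": tool_entropy,
    "strings": tool_strings,
    "broken": tool_broken,
}


def run_pipeline(data: bytes, tools: dict = TOOLS, timeout: float = 5.0) -> dict:
    """Run every tool concurrently; each gets its own status so one failure stays isolated.

    With a separate process per tool (as with real microservices) a hung tool can be
    killed outright; with threads we can only stop waiting for it, which is why the
    timeout is recorded per tool rather than aborting the whole submission.
    """
    results = {}
    with ThreadPoolExecutor(max_workers=len(tools)) as pool:
        futures = {name: pool.submit(fn, data) for name, fn in tools.items()}
        for name, fut in futures.items():
            try:
                results[name] = {"status": "ok", "result": fut.result(timeout=timeout)}
            except FutureTimeout:
                results[name] = {"status": "timeout"}
            except Exception as exc:  # the tool raised; record it and move on
                results[name] = {"status": "error", "error": f"{type(exc).__name__}: {exc}"}
    return results


def summarise(results: dict) -> dict:
    """What a portal would show at a glance: which tools succeeded and the key facts."""
    ok = {k: v["result"] for k, v in results.items() if v["status"] == "ok"}
    return {
        "tools_ok": sorted(ok),
        "tools_failed": sorted(k for k, v in results.items() if v["status"] != "ok"),
        "sha256": ok.get("hashes", {}).get("sha256"),
        "type": ok.get("filetype", {}).get("type"),
        "urls": ok.get("strings", {}).get("urls", []),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(run_pipeline(SAMPLE)), indent=2))
```

Two design points carry over to the real system: every tool reports its own status so that a partial result is still stored and shown rather than the whole submission failing, and the per-tool wall-clock limit is what keeps a single misbehaving tool from stretching the "shortest time possible" for everyone else.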
Throughout the onboarding process there will be quite a few links to resources and concepts. Do read through them, and don't forget: Google is your best friend!
If you need any additional help, ask any of your peers, and feel free to contribute to the documentation to improve the onboarding process.