                                  CHANGELOG

Cuckoo Sandbox 2.0-rc2 (2016-xx-xx)
===================================

* Import and Export analysis for improved debugging of user issues
* Added Elasticsearch support and rely on it for global search
* Fixed pythonw.exe execution for the new Agent
* Added initial MISP integration
* Added initial IRMA integration
* Added reboot analysis
* Added Process Monitor (procmon) support to aid debugging
* Added .docm documents to the Word document analysis package
* Added .wsf analysis package
* Added dynamic VBA analysis for Office 2007 products
* Added dynamic Javascript analysis for Adobe PDF Reader 9
* Added PE files reconstruction from memory dumps
* Added dump_delete option to delete process memory dumps after analysis
* Added sniffer.debug option to create a debug network capture
* Added PID tracking for dropped files
* Added per-task Cuckoo logging
* Added trigger support to the Cuckoo Monitor to reduce behavioral calls noise
* Added static analysis for Office and PDF samples
* Added screenshots auxiliary module for Mac OS X analysis
* Added IP address pinning for the new Cuckoo Agent
* Introduce the Gatherer (collect VM-specific information)
* Greatly improved the stability of the Cuckoo Monitor
* Fixed setting the clock in the Guest for non-English users
* Fixed support for Ubuntu 16.04
* Fixed Moloch-related web interface bugs
* Fixed title issue with the generic package
* Included Git hashes for debugging purposes in Cuckoo reports
* Improved tcpdump output and error filtering
* Enable special monitoring modes by default for malicious documents
* Use custom pefile2 package to avoid pefile issues
* Automatically start PowerPoint documents in slide show mode
* Use the Linux routing table for properly routing analysis traffic
* Document known 2.0-rc1 issues and fixes in our FAQ
* Prettify HTML and Javascript content
* Make Cuckoo Agent interaction less error prone on the Host
* Updated monitor to include various improvements and fixes
* Upgraded to the latest httpreplay version
* Improve dead host identification
* Custom DNS serve utility
* Added clicking through of French buttons
* Resolve names for CLSID identifiers
* Added meta information to our reports
* Experimental alpha version of VPN check cronjob script
* Many Web Interface UI & backend tweaks
* Many, many bug fixes and code tweaks

Cuckoo Sandbox 2.0-rc1 (2016-01-21)
===================================

* Added Suricata processing module
* Added screenshots processing module with OCR support
* Added mitmproxy support to intercept SSL/TLS traffic
* Added new Flask based distributed utility
* Added Javascript analyzer package
* Added Mozilla FireFox analyzer package
* Added auxiliary module to install a custom certificate in analysis' machine
* Added auxiliary module to dump TLS master secrets as used by Windows libraries
* Added analyzer for Linux
* Added Qemu machinery module
* Added PDB path extraction
* Added public / private keys extraction
* Added processing module for dropped buffers
* Added option to drop privileges to a specified user
* Added SMTP sinkhole utility
* Added Javascript execution with jsbeautifier
* Added "service" VM to optionally boot a second VM with honeyd support
* Added noagent machine option for not engaging with cuckoo agent
* Added nictrace machine option to have virtualbox dump network traffic
* Added per-machine options (it allows to set extra per-machine options)
* Added near realtime detection and reflection of changes to guest status
* Added TLS & SSLv3 Master Secrets dump
* Added httpreplay dissector to show HTTP and HTTPS traffic
* Added option to skip calls from JSON report
* Added option to load the entire process memory dump into IDA Pro
* Added some process memory dump analysis improvements
* Added URLs parsing from memory dump and URLs whitelist
* Added tracking and reporting dead IP address/port combinations
* Added maliciousness scoring system
* Added option to web interface to submit dropped files for analysis
* Added some performance improvements to signature engine
* Added Volatility support for netscan and sockscan
* Added re-submit button to web interface
* Added baseline processing and representation
* Added traffic routing options
* Added moloch processing module
* Added Snort processing module
* By default HTML report is disabled now
* By default Virtualbox is starting in headless mode now
* Improved physical machine support
* Improved reported data from Virustotal
* Upgraded HTML analyzer package to Internet Explorer with proper setup phase
* Upgraded to MAEC 4.1
* Removed web.py interface
* Removed option to store analysis data in legacy CSV format

Cuckoo Sandbox 1.2 (2015-03-04)
===============================

* Added support for baremetal analysis (physical machinery module)
* Added XenServer machinery module
* Added process memory processing module
* Added support for Volatility 2.4 and additional modules
* Added more memory analysis information to web interface
* Added memory dump to VMWare workstation module
* Added machine information in reports
* Added skeleton for comparative analysis of two reports
* Added TCP and UDP streams hexdump view
* Added possibility to delete analysis from web interface
* Added search by string to web interface
* Added dynamic search of API call logs to web interface
* Added display of PE compilation time to web interface
* Added memory dump download to web interface
* Refactored analysis packages and simplified syntax
* Added analysis package for Microsoft PowerPoint
* Added analysis package for MSI (Windows installer package)
* Added analysis package for Python scripts
* Added loader option to DLL analysis package (fake parent process)
* Added additional signatures helper functions
* Added terminate_processes option to terminate processes before virtual machine shutdown
* Added option to skip an area when comparing screenshots, avoiding duplicates
* Added automatic generation of Yara rules indexes
* Added support for Pillow (PIL fork)
* Added machine utility to automatically update machinery configuration
* Added utility to distribute analysis across Cuckoo instances
* Added un-hook detection (if malware removes Cuckoo's hooks) 
* Added Microsoft Crypto API hooks
* Added optional aggressive sleep skipping mode
* Allow Auxiliary modules to run a callback at the very end of an analysis
* Replaced ./utils/clean.sh with ./cuckoo.py --clean
* Replaced diStorm3 disassembler with Capstone disassembler
* Fixed process.py to use delete_original and delete_bin_copy when used in auto mode
* Fixed analysis of HTML pages without a proper extension
* Fixed logic bug in mouse activity emulator
* Fixed bug in the sleep skipping mechanism
* Fixed memory leak if using a old version of python-magic
* Fixed out of memory exceptions when calculating hash of big files
* Fixed BPF filter to skip agent traffic from PCAP
* Fixed a variety of bugs in Windows analyzer
* Fixed a number of anti-sandbox tricks
* Fixed locking issues with SQLite database
* Removed hpfeeds reporting module

Cuckoo Sandbox 1.1.1 (2014-10-07)
=================================

* Fixed path sanitization vulnerability in resultserver.

Cuckoo Sandbox 1.1 (2014-04-07)
===============================

* Added imphash to static PE analysis
* Added search for URLs in the web interface
* Added search for PE Imphash in the web interface
* Added possibility in web interface to queue to all machines
* Added filtering by behavior category in Django web interface
* Added analyzer log to Django web interface
* Added REST API to retrieve screenshots associated with a task
* Added REST API to retrieve the PCAP associated with a task
* Added database migration utility
* Added remote submission to submit.py utility
* Added small stats utility (utils/stats.py)
* Added analysis package for PowerShell scripts
* Added overlay configuration for signatures (data/signatures_overlay.json)
* Fixed bug in MAEC report
* Fixed package selection for Office documents and CPL scripts
* Fixed issue with tcpdump filters
* Fixed unhandled exception when uploading files to the analysis machines
* Fixed issues in CuckooMon that resulted in Internet Explorer crashes
* Fixed bug in CuckooMon that caused mutexes to be resolved as file paths
* Fixed bug in behavior processing module that resulted in a trailing backslash in summary's registry keys
* Multiple minor bug fixes

Cuckoo Sandbox 1.0 (2014-01-09)
===============================

* Introduced Auxiliary modules
* Added option to set sniffing interface for each virtual machine
* Added option to set snapshot for each virtual machine
* Added pagination to API
* Added option to REST API to return compressed archives of files ("all" and "dropped")
* Added option to set Result Server IP and port for each virtual machine
* Added processing module for volatility to analyze memory dumps, disabled by default
* Added new "reported" status for analysis tasks
* Added automated rescheduling of locked tasks at startup
* Added tags to machines
* Added reduced behavioral events
* Added new Django/Mongo-powered web interface
* Added Windows analyzer auxiliary module to disguise the analysis environment
* Added VBS, CPL and RTF analysis package
* Added generic analysis package to execute samples via cmd.exe
* Added MAEC 4.0.1 reporting module
* Added filter for private networks in Network Analysis processing module
* Added max_analysis_count to cuckoo.conf to automatically shutdown Cuckoo
* Added check for available disk space
* Added support for BSON logging format
* Added option to specify a custom DLL to the analyzer and the analysis packages
* Added ICMP protocol dissection
* Added ESX Virtual Machine Manager
* Slightly improved CuckooMon's stealthiness and stability
* Refactored processing to improve performances
* Refactored signature engine, introducing event-based signatures to improve performances
* Refactored generation of process tree
* Transitioned network sniffer to auxiliary module
* Renamed MachineManagers to Machinery modules
* Renamed Metadata to MMDef reporting module
* Fixed virtual machine clock, now is updated to current time or specified by user via --clock option
* Fixed bug in Human auxiliary module, now moving cursor to absolute positions
* Fixed issue in Human auxiliary module, using SetCursorPos instead of mouse_event
* Fixed issues with resolving relative filenames in CuckooMon
* Removed support for GrayLog2
* Removed pickle reporting module
* Removed MAEC 1.1 reporting module

Cuckoo Sandbox 0.6 (2013-04-15)
===============================

* Added procmemdump option to all analysis packages
* Added randomization of folders and pipes in the analysis machines
* Added checks to block injection of Cuckoo's agent and analyzer
* Added configuration file for processing modules
* Added result server to collect logs, files, screenshots and all results in real-time
* Added option for enabling/disabling generation of CSV logs
* Added REST API function to delete analysis task
* Added matching of Yara signatures against dropped files
* Added default fail-over on "exe" package if can't automatically identify the correct one
* Added password option to zip package
* Improved human auxiliary module
* Improved Sleep() bypass
* Improved dump of dropped files by tracking writing operations
* Improved creation of screenshots by calculating a diff threshold
* Fixed memory error issues
* Fixed bugs in analysis procedure logic and in deletion of original files
* Fixed bugs in MongoDB reporting module
* Fixed bugs in HTML reporting module
* Fixed bugs in VirusTotal processing module
* Fixed bug in handling GetLastError() result
* Fixed bug in network traffic capture
* Fixed bug in submission and creation of tasks in the database
* Removed hooks for NtOpenProcess, NtClose, NtAllocateVirtualMemory and VirtualFreeEx because of stability issues

Cuckoo Sandbox 0.5 (2012-12-20)
===============================

* Added native support for URL analysis
* Added full memory dump of the virtual machine
* Added base class for libvirt machine managers
* Added auxiliary modules for Windows analyzer
* Added Jar analysis package
* Added Java Applet analysis package
* Added Zip analysis package
* Added option to enforce full timeout execution
* Added support for Graylog2 logging
* Transitioned internal database to SQLAlchemy
* Added logging of analysis errors into the database
* Added logging of guest executions into the database
* Added logging of active analysis machines into the database
* Added logging of details of submitted samples into the database
* Added functionality for automatic version lookup to get notified of available updates
* Added possibility to order processing and reporting modules
* Added extraction of strings from analyzed binaries
* Added Yara signature with indicators of possible virtualization-aware samples
* Added dissection of intercepted SMTP traffic
* Added a REST API server to interact with Cuckoo
* Added user interaction emulation (clicking dialogs buttons and mouse movements)
* Added support for Windows 7 execution
* Added support for dumping queried and modified registry data
* Added more functions to be hooked and logged
* Added simple functionality to omit injection into Cuckoo processes
* Added support for dumping files with relative paths
* Added shared VirusTotal API key
* Introduced fairly smart way of skipping Sleep calls
* Unified utility for results processing and reports generation
* Improved analysis process logic
* Improved automatic analysis package selection
* Improved process injection and process following
* Improved dumping of modified files
* Improved logging to reduce the amount of useless entries
* Improved unicode support
* Improved management of analysis machines parallel execution
* Improved internal management of plugins and modules
* Improved dissection of intercepted DNS traffic
* Fixed bugs in connection with the agent
* Fixed some issues in dumping dropped files
* Fixed bug in termination of tcpdump processes
* Fixed bugs in MongoDB reporting module
* Fixed issues with internal DNS resolution

Cuckoo Sandbox 0.4.2 (2012-09-08)
=================================

* Added support for VMWare Workstation
* Added VirtualBox status change monitor and option "timeout" to virtualbox.conf
* Added log file processing size limit and option "analysis_size_limit" to cuckoo.conf
* Added directory submission to submit.py utility
* Added community.py utility to sync custom modules from the community repository
* Fixed missing critical_timeout implementation
* Fixed delete_original race condition
* Fixed some bugs in virtual machine management
* Fixed submission with relative path
* Fixed UTF-8 chars handling in analysis.log
* Fixed race conditions in Windows analyzer
* Some minor fixes

Cuckoo Sandbox 0.4.1 (2012-08-09)
=================================

* Added Yara signatures to HTML report
* Replaced pyssdeep with pydeep
* Added support for signatures' version requirements
* Added unit tests
* Fixed delete_original race condition
* Fixed reconstruction of registry keys
* Fixed logging in cuckoomon
* Improved exception handling

Cuckoo Sandbox 0.4 (2012-07-24)
===============================

* Completely re-engineered the code base
* Replaced hooking mechanism and DLL with new, more solid code
* Removed dependency from VirtualBox
* Added support for KVM
* Introduced XMLRPC-based agent that handles the data exchange between host and guests
* Refactored the project structure
* Removed processor.py script
* Introduced support for multiple platforms and multiple analyzers
* Introduced support for custom virtualization modules
* Introduced support for custom post-analysis processing modules
* Introduced support for custom behavioral signatures
* Added VirusTotal support
* Added Yara support
* Added MongoDB reporting module
* Added HPFeeds reporting module
* Refactored Windows analyzer
* Refactored the analysis packages structure
* Introduced support for analysis packages' options
* Refactored Windows analyzer's API functions
* Introduced process memory dump support
* Introduced support for QueueUserAPC injection

Cuckoo Sandbox 0.3.2 (2012-02-04)
=================================

* Introduced MAEC analysis report.
* Introduced MAEC metadata report.
* Introduced Python pickled report.
* Added base64 encoded screenshots to CuckooDict.
* Added screenshots to HTML report.
* Added static analysis Python modules.
* Added static analysis to HTML report.
* Added list of unique involved hosts to HTML report.
* Added forced restore of snapshot at startup before checking if a virtual machine is in a valid state.
* Added forced restore of snapshots at Cuckoo's termination.
* Improved logging capabilities.
* Added invocation of processor.py also at analysis failures.
* Added IPv6 support to PCAP processing.
* Added option to delete original files after submission.
* Added folder for additional files and data to drop.
* Added API category and parent ID to raw behavioral logs entries.
* Removed distorm3.dll as a system dependency.
* Fixed issue with dumped files' names.
* Fixed bug in web server's search functionality.
* Fixed generation of analysis duration time and timestamps.
* Fixed bug in acquisition of a user-specified virtual machine.
* Fixed PHP analysis package.
* Fixed processing of screenshots and refactored their file names to a 3 digit format.
* Fixed bugs on encoding special characters in analysis data and network packets.
* Decreased default analysis timeout.
* Removed instructions trace functionalities and analysis package.

Cuckoo Sandbox 0.3.1 (2011-12-28)
=================================

* Reintroduced an older version of cmonitor, in order to address troubles encountered in 0.3 release.
* Fixed a bug in files dump caused by invalid/not regular files such as named pipes.
* Disabled suspended mode in browsers' packages.

Cuckoo Sandbox 0.3 (2011-12-27)
===============================

* Introduced minimal web server with web interface to browse through the analysis reports.
* Added a reporting engine, configurable via reporting.conf, which supports reporting modules.
* Added HTML report.
* Added TXT report.
* Added JSON data export.
* Introduced support to URL submission.
* Added possibility to specify on which virtual machine run the analysis.
* Added database interaction functions to search analysis by MD5.
* Introduced DLL analysis package.
* Introduced assembly instructions trace analysis package.
* Added MD5 filtering of dropped files.
* Added libmagic bindings to identify file types.
* Added pydoc comments to all sources.
* Added CRC32 hash.
* Added ssdeep hash.
* Added process tree generation class.
* Added UDP connections extraction.
* Distorm3 built-in into cmonitor
* Fixed cmonitor.
* Fixed chook.
* Migrated Cuckoo to Python's logging library.
* Improved Cuckoo User Guide.
* Added changelog file.
* Some minor fixes.

Cuckoo Sandbox 0.2 (2011-11-02)
===============================

First stable release, completely refactored.

Cuckoo Sandbox 0.1 beta (2011-02-05)
====================================

First public beta release.
