Cuckoo Sandbox Installation and Setup

My Cuckoo Sandbox Setup and installation guide.

This is my attempt to help install and configure Cuckoo Sandbox. Cuckoo is a sandbox that allows you to analyze malware on guest systems ranging from Windows to Linux and even OSX! It is a great tool to see what a file, URL or hash will do when detonated in a controlled environment. It is open source, but setting it up was a bit confusing, so I thought this might help.

I am running Cuckoo Sandbox on Ubuntu Desktop 14.04 LTS using VirtualBox.

Installing Ubuntu follows any normal installation. Installing Cuckoo Sandbox is a different story.

First read the python requirements needed here.

Firstly be sure Ubuntu is updated.

$ sudo apt-get update

Then:

$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig

Also in order to utilize Cuckoo’s web interface you will need to install MongoDB.

$ sudo apt-get install mongodb

Cuckoo's recommended database is PostgreSQL, which can be installed with:

$ sudo apt-get install postgresql libpq-dev

Cuckoo Sandbox Installation

Once this has been completed, proceed to download Cuckoo Sandbox (https://cuckoosandbox.org/index.html) and extract it:

$ tar -xvf filename.tar.gz

Next you will want to 'cd' into the Cuckoo directory to run the installation:

$ sudo python setup.py install

The following are additional tools and plugins that are recommended for this installation.

TCPDump

$ sudo apt-get install tcpdump
$ sudo apt-get install libcap2-bin
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump

Volatility

$ sudo apt install git
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility
$ sudo python setup.py install

Volatility Plugins

Distorm3

$ tar -xvf filename.tar.gz
cd into the extracted directory
$ sudo python setup.py install

Yara

$ sudo apt-get install autoconf
$ sudo apt-get install libtool-bin
Download Yara
$ tar -xvf filename.tar.gz
cd into the extracted directory

$ ./bootstrap.sh
$ ./configure
$ make
$ sudo make install
$ sudo -H pip install yara-python

PyCrypto

Download PyCrypto
$ tar -xvf filename.tar.gz
cd into the extracted directory
$ python setup.py build
$ sudo python setup.py install

Openpyxl

$ sudo -H pip install openpyxl

UJSON

$ sudo -H pip install ujson

Jupyter

$ sudo -H pip install jupyter

Mitmproxy

$ sudo apt-get install python3-pip python3-dev libssl-dev libtiff5-dev libjpeg8-dev zlib1g-dev libwebp-dev
$ sudo pip3 install mitmproxy
$ mitmproxy
$ cd ~/.mitmproxy
$ cp mitmproxy-ca-cert.p12 /home/YourUserName/Downloads/cuckoo/analyzer/windows/bin/cert.p12

Run mitmproxy once (and quit it with q) so that it generates its CA certificate in ~/.mitmproxy before copying it. Then tell Cuckoo where pip put the mitmdump binary; this is not a shell command but the value of the mitmdump option in the [mitm] section of auxiliary.conf (configured further below):

mitmdump = /usr/local/bin/mitmdump

Now you will want to configure Cuckoo. Before proceeding we need to correctly set up VirtualBox and its interfaces. Without a VirtualBox host-only interface configured, you should only see the host's own interfaces:

$ ifconfig 
eno1      Link encap:Ethernet  HWaddr 5c:26:0a:32:f9:33  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:20 Memory:f5400000-f5420000 
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:23242 (23.2 KB)  TX bytes:23242 (23.2 KB)
 
wlp2s0    Link encap:Ethernet  HWaddr 00:27:10:b2:62:b8  
          inet addr:192.168.1.192  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::f4e6:df50:354:206c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1702 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1205 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1383413 (1.3 MB)  TX bytes:195228 (195.2 KB)

Now to create a “Host-Only Adapter” run the following:

$ vboxmanage hostonlyif create
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Interface 'vboxnet0' was successfully created

$ vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

Now you should see "vboxnet0":

$ ifconfig 
eno1      Link encap:Ethernet  HWaddr 5c:26:0a:32:f9:33  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:20 Memory:f5400000-f5420000 
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:23242 (23.2 KB)  TX bytes:23242 (23.2 KB)
 
wlp2s0    Link encap:Ethernet  HWaddr 00:27:10:b2:62:b8  
          inet addr:192.168.1.192  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::f4e6:df50:354:206c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1702 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1205 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1383413 (1.3 MB)  TX bytes:195228 (195.2 KB)
 
vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00  
          inet addr:192.168.56.1  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Here you can configure VirtualBox for Host-Only Adapter:

Next you will need to configure the firewall so traffic from the VM is routed out through the host. Before adding anything, iptables should show only the default (empty) chains:

$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The rules are as follows. The outbound interface is wlp2s0 here because that is the interface holding the 192.168.1.192 address in the ifconfig output above; substitute your own (e.g. eth0 on a wired host). The kernel also has to be told to forward packets, otherwise the guest's traffic never leaves the host:

$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo iptables -A FORWARD -o wlp2s0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A POSTROUTING -t nat -j MASQUERADE
 
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.56.0/24      anywhere             ctstate NEW
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

You will want to set a static address in the VM using the following parameters:
IP Address – 192.168.56.101
Subnet Mask – 255.255.255.0
Default Gateway – 192.168.56.1
DNS Servers – 8.8.8.8/8.8.4.4

While on the subject of setting up the VM, you will want to be sure to have Windows Update and Firewall Disabled.

Then you will want to install python for Windows which can be found here:
https://www.python.org/downloads/release/python-2713/

Once installed you will want to upload the agent.py file which can be found in:

~/.cuckoo/agent $ ls
agent.py  agent.sh

Once uploaded you can launch it manually or place it in the Startup folder located at:

C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Should see the following when launched:

Be sure to launch the agent as "administrator" and also be sure to disable UAC.

It is also suggested that you install Adobe PDF and Microsoft Office.

Once all this has been installed, remember to start agent.py and make sure it is running before creating your snapshot, named "Snapshot1" as referenced in the configuration file below.

Now to configure cuckoo’s config files:

$ cd .cuckoo/conf/
~/.cuckoo/conf $ ls
auxiliary.conf  esx.conf     physical.conf    reporting.conf   vmware.conf
avd.conf        kvm.conf     processing.conf  routing.conf     vsphere.conf
cuckoo.conf     memory.conf  qemu.conf        virtualbox.conf  xenserver.conf

Starting with cuckoo.conf
Using your favorite editor, edit the file with the following parameters:

[cuckoo]
memory_dump = on
machinery = virtualbox

[resultserver]
ip = 192.168.56.1
(the host machine's address on vboxnet0 as set above; the guest must be able to reach this address to report results back)

auxiliary.conf

[mitm]
enable = yes

[sniffer]
enable = yes

virtualbox.conf

[virtualbox]
machines = Windows7x64
interface = vboxnet0

[Windows7x64]
label = Windows7x64
platform = windows
ip = 192.168.56.101
snapshot = Snapshot1
(label is the VM's name exactly as shown in VirtualBox, without brackets; ip is the static address given to the guest above)

processing.conf

[memory]
enable = yes

memory.conf

[basic]
guest_profile = Win7SP1x64
(pick the profile matching your guest OS from the list below; Win7SP1x64 is the one for a Windows 7 SP1 x64 guest)

~/.cuckoo/conf $ vol.py --info |grep Profiles -A48
Volatility Foundation Volatility Framework 2.6
Profiles
--------
VistaSP0x64           - A Profile for Windows Vista SP0 x64
VistaSP0x86           - A Profile for Windows Vista SP0 x86
VistaSP1x64           - A Profile for Windows Vista SP1 x64
VistaSP1x86           - A Profile for Windows Vista SP1 x86
VistaSP2x64           - A Profile for Windows Vista SP2 x64
VistaSP2x86           - A Profile for Windows Vista SP2 x86
Win10x64              - A Profile for Windows 10 x64
Win10x64_10586        - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393        - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x86              - A Profile for Windows 10 x86
Win10x86_10586        - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393        - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win2003SP0x86         - A Profile for Windows 2003 SP0 x86
Win2003SP1x64         - A Profile for Windows 2003 SP1 x64
Win2003SP1x86         - A Profile for Windows 2003 SP1 x86
Win2003SP2x64         - A Profile for Windows 2003 SP2 x64
Win2003SP2x86         - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64       - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64       - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008SP1x64         - A Profile for Windows 2008 SP1 x64
Win2008SP1x86         - A Profile for Windows 2008 SP1 x86
Win2008SP2x64         - A Profile for Windows 2008 SP2 x64
Win2008SP2x86         - A Profile for Windows 2008 SP2 x86
Win2012R2x64          - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340    - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64            - A Profile for Windows Server 2012 x64
Win2016x64_14393      - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64            - A Profile for Windows 7 SP0 x64
Win7SP0x86            - A Profile for Windows 7 SP0 x86
Win7SP1x64            - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418      - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86            - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418      - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win81U1x64            - A Profile for Windows 8.1 Update 1 x64
Win81U1x86            - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64            - A Profile for Windows 8 x64
Win8SP0x86            - A Profile for Windows 8 x86
Win8SP1x64            - A Profile for Windows 8.1 x64
Win8SP1x64_18340      - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86            - A Profile for Windows 8.1 x86
WinXPSP1x64           - A Profile for Windows XP SP1 x64
WinXPSP2x64           - A Profile for Windows XP SP2 x64
WinXPSP2x86           - A Profile for Windows XP SP2 x86
WinXPSP3x86           - A Profile for Windows XP SP3 x86

reporting.conf

[reporthtml]
enable = yes

[mongodb]
enable = yes
(Be sure that mongodb is started and running.)
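A quick sanity check over the conf values set above, as an added example (not part of Cuckoo): it parses the cuckoo.conf, virtualbox.conf and memory.conf settings together with the `vol.py --info` listing, and flags the slips this setup invites, such as a bracketed label, a guest or resultserver address outside the 192.168.56.0/24 host-only network, or a guest_profile Volatility does not list. The conf snippets and the profile listing are constructed inline to mirror the page.

```python
import configparser
import ipaddress

# Constructed conf snippets mirroring the settings above (not Cuckoo's own files).
CUCKOO_CONF = "[cuckoo]\nmachinery = virtualbox\n[resultserver]\nip = 192.168.56.1\n"
VBOX_OK = ("[virtualbox]\nmachines = Windows7x64\ninterface = vboxnet0\n"
           "[Windows7x64]\nlabel = Windows7x64\nplatform = windows\n"
           "ip = 192.168.56.101\nsnapshot = Snapshot1\n")
# Two slips this setup invites: a bracketed label and a guest address off vboxnet0.
VBOX_BAD = (VBOX_OK.replace("label = Windows7x64", "label = [Windows7x64]")
            .replace("192.168.56.101", "192.168.1.101"))
MEMORY_CONF = "[basic]\nguest_profile = Win7SP1x64\n"
# Constructed excerpt of `vol.py --info`; feed it the real output listed above.
VOL_INFO = ("Volatility Foundation Volatility Framework 2.6\nProfiles\n--------\n"
            "Win7SP0x64  - A Profile for Windows 7 SP0 x64\nWin7SP1x64  - A Profile for Windows 7 SP1 x64\n")
HOSTONLY = ipaddress.ip_network("192.168.56.0/24")  # the vboxnet0 subnet created above


def volatility_profiles(info_text):
    """Return the profile names listed under 'Profiles' in vol.py --info output."""
    lines = info_text.splitlines()
    names = []
    for line in lines[lines.index("Profiles") + 2:]:  # skip the header and dashes
        if not line.strip():
            break
        names.append(line.split("-", 1)[0].strip())
    return names


def check_configs(cuckoo_conf, vbox_conf, memory_conf, vol_info):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    cfg = configparser.ConfigParser()
    cfg.read_string(cuckoo_conf + vbox_conf + memory_conf)  # section names do not collide
    if ipaddress.ip_address(cfg["resultserver"]["ip"]) not in HOSTONLY:
        problems.append("resultserver ip is not on vboxnet0, so the guest cannot report back")
    for name in (n.strip() for n in cfg["virtualbox"]["machines"].split(",")):
        if not cfg.has_section(name):
            problems.append("machines lists %s but there is no [%s] section" % (name, name))
            continue
        machine = cfg[name]
        if machine["label"] != machine["label"].strip("[]"):
            problems.append("label for %s must be the VM name without brackets" % name)
        if ipaddress.ip_address(machine["ip"]) not in HOSTONLY:
            problems.append("guest ip %s for %s is not on vboxnet0" % (machine["ip"], name))
    profile = cfg["basic"]["guest_profile"].strip('"\u201c\u201d')
    if profile not in volatility_profiles(vol_info):
        problems.append("guest_profile %s is not a profile Volatility knows" % profile)
    return problems
```

Point it at the real files with open(...).read() and at the output of vol.py --info once the conf files are edited; an empty list means the values agree with each other.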

Now you should be able to start Cuckoo and submit files/URLs to it either via the command line or the web interface. If you choose the web interface, simply run the following:

$ cuckoo web runserver
Performing system checks...
 
System check identified no issues (0 silenced).
April 28, 2017 - 14:13:27
Django version 1.8.4, using settings 'cuckoo.web.web.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

This will bring up the webpage as so:

I suggest running this alongside Cuckoo's main process, which prints its debug output to the terminal and is started by simply calling cuckoo:

$ cuckoo
 
                                 _|
     _|_|_|  _|    _|    _|_|_|  _|  _|      _|_|      _|_|
   _|        _|    _|  _|        _|_|      _|    _|  _|    _|
   _|        _|    _|  _|        _|  _|    _|    _|  _|    _|
     _|_|_|    _|_|_|    _|_|_|  _|    _|    _|_|      _|_|
 
 Cuckoo Sandbox 2.0.1
 www.cuckoosandbox.org
 Copyright (c) 2010-2017
 
 Checking for updates...
 You're good to go!
2017-04-28 14:19:05,998 [cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager

Now simply click on submit and you will be able to process a file, url or hash.

This should be all that's needed to configure your own Cuckoo Sandbox. Hope this helps.

“CUCKOO UPDATES”

An issue I am running into is an Error Timeout, which I am still working on.

You will also want to be sure to update the community signatures for scoring to work; simply run:

$ cuckoo community
