Installing and running Cuckoo malware analysis platform – Part 1

In this post I’ll guide you through all the steps required to install and run a Cuckoo malware analysis platform. I talked about it briefly in my previous post and promised this guide as a continuation. Expect the installation to take roughly 40 to 60 minutes, depending on how closely you follow this guide.

I ran into many dependency problems and errors before I managed to put together (or so I hope) everything you need to run the platform on the first try, and I spent a lot of time reading different guides before I could compile this one. Most guides out there only help you set up the platform with the basic settings and modules, which may not deliver satisfactory results.

This guide covers everything from preparing the host to creating the Windows 7 VM in which the samples will be run. I’m splitting the tutorial into two main parts: preparing the host, and preparing the virtual machines. Let us begin with the host.



Preparing the Host

You’ll need a physical machine running a Linux distribution. It must be able to run at least one virtual machine alongside Cuckoo, so about 4 GB of RAM and a quad-core processor will do the job, but the more, the better. Make sure hardware virtualization (VT-x or AMD-V) is enabled in the BIOS, or VirtualBox will fall back to a much slower mode.

Install Ubuntu Server

Ubuntu Server was my OS of choice for installing Cuckoo; it is also the OS recommended on Cuckoo’s website.

Install SSH

The first thing to do is install an SSH server on the host. SSH lets you connect to this machine from anywhere on your network (or, if you expose it, the internet), which is useful if you want to finish this tutorial from another machine. If the host is reachable from outside the lab network, use key-based authentication rather than passwords.

  • sudo apt-get install openssh-server
  • sudo service ssh restart


Install a graphical (XFCE) interface and RDP support

I added this step because in my corporate network we mainly use Windows with the Remote Desktop app. Installing a GUI is not mandatory, but it helps a lot. Keep in mind that xrdp listens on TCP port 3389 on every interface; it should only be reachable from your management network.


  • sudo apt-get install xfce4
  • sudo apt-get install xfce4-terminal
  • sudo apt-get install gnome-icon-theme-full tango-icon-theme
  • sudo apt-get install xrdp

The next two steps make XFCE the session that xrdp starts when you connect with Remote Desktop. The first writes your user’s .xsession file; the second replaces the contents of startwm.sh (which is root-owned, so it needs sudo) with the script shown below.

  • echo xfce4-session > ~/.xsession
  • sudo nano /etc/xrdp/startwm.sh
  • Replace the contents of the file with the following:
#!/bin/sh
if [ -r /etc/default/locale ]; then
    . /etc/default/locale
    export LANG LANGUAGE
fi
startxfce4
  • sudo service xrdp restart


Install SAMBA

Samba will be used to share a directory between the Linux host and Windows systems. You’ll need a share on the host for transferring the VMs and any other files.

  • sudo apt-get install -y samba samba-common python-glade2 system-config-samba

Edit smb.conf to define the share: run the command below and add the text that follows at the end of the file. Two things to know before you do. First, the stock smb.conf already has a [global] section near the top; Samba merges repeated [global] sections (later keys win), but the configuration is far easier to audit if you change the existing values instead of appending a second section. Second, guest ok = yes together with writable = yes gives anyone who can reach port 445 on the host write access to the share, so this is acceptable only on an isolated lab network; anywhere else, require authenticated users and restrict the allowed client addresses. The directory /samba/share must exist before smbd will serve it.

  • sudo nano /etc/samba/smb.conf
  • Type in the following at the very bottom of the file:
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = ubuntu
security = user
map to guest = bad user
dns proxy = no

[Sandbox]
path = /samba/share
browsable = yes
writable = yes
guest ok = yes
read only = no
  • sudo service smbd restart
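The share definition above is the open, guest-writable variant. As an added example (not part of the original post, and not something Samba or Cuckoo ships), the script below emits a restricted share section to use in its place and checks an smb.conf for the duplicated [global] section that appending the snippet to a stock file produces. It assumes the share path /samba/share, a Unix group named sandbox whose members may write, and a lab subnet of 192.168.56.0/24 plus localhost as the only permitted clients; none of these come from the guide.

```shell
#!/bin/sh
# Added example, not from the original post: a restricted Samba transfer
# share for the Cuckoo host plus a sanity check for duplicated [global]
# sections. Assumed (not from the guide): share path /samba/share, a Unix
# group "sandbox", and the lab subnet 192.168.56.0/24 as allowed clients.

# Create the share directory with the setgid bit so new files inherit the
# group; chgrp it to the sandbox group afterwards (needs root).
prepare_share_dir() {
    mkdir -p "$1" && chmod 2770 "$1"
}

# Print a share section. $1 = share name, $2 = path, $3 = Samba hosts-allow
# list in prefix notation (e.g. "192.168.56. 127."). Compared with the
# guide's snippet: no guest access, only members of the sandbox group,
# and only from the listed networks.
samba_share_section() {
    printf '[%s]\n' "$1"
    printf '   path = %s\n' "$2"
    printf '   browsable = yes\n'
    printf '   writable = yes\n'
    printf '   read only = no\n'
    printf '   guest ok = no\n'
    printf '   valid users = @sandbox\n'
    printf '   create mask = 0660\n'
    printf '   directory mask = 2770\n'
    printf '   hosts allow = %s\n' "$3"
    printf '   hosts deny = ALL\n'
}

# Count [global] headers in an smb.conf. Samba merges repeated [global]
# sections (later keys override earlier ones), so a count above 1 means the
# effective settings are scattered through the file and should be merged.
count_global_sections() {
    grep -c -i '^[[:space:]]*\[global\]' "$1" 2>/dev/null || true
}

# Warn about duplicated [global] sections and, when Samba is installed,
# let testparm validate the syntax of the whole file.
check_smb_conf() {
    conf=${1:-/etc/samba/smb.conf}
    n=$(count_global_sections "$conf")
    [ "${n:-0}" -le 1 ] || echo "warning: ${n} [global] sections in $conf"
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$conf" >/dev/null
    fi
}

# Usage (as root):
#   prepare_share_dir /samba/share && chgrp sandbox /samba/share
#   samba_share_section Sandbox /samba/share "192.168.56. 127." >> /etc/samba/smb.conf
#   check_smb_conf && service smbd restart
```

Users in the sandbox group still need a Samba password (smbpasswd -a username) before they can connect, and the Windows side should mount the share with those credentials rather than as guest.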

Install VirtualBox

Cuckoo needs virtualization software to automate its malware analysis. For this guide I recommend VirtualBox, Oracle’s open-source virtualization solution. The virtualbox-5.1 package comes from Oracle’s own apt repository; if apt-get cannot find it, add that repository for your Ubuntu release first, or install the distribution’s virtualbox package instead. The dkms package lets the VirtualBox kernel modules be rebuilt automatically whenever the kernel is upgraded.

  • sudo apt-get update
  • sudo apt-get install virtualbox-5.1
  • sudo apt-get install dkms

Install Cuckoo and Dependencies

This step installs the dependencies of the Cuckoo platform itself. Being modular means Cuckoo depends on many other tools to work properly; I went through this process a few times and tried to make sure I noted down every tool needed.

  • sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y
  • sudo apt-get install python python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg-dev
  • sudo apt-get install git mongodb python-m2crypto libmagic1 swig libvirt-dev upx-ucl wget unzip p7zip-full geoip-database libgeoip-dev mono-utils yara python-yara ssdeep libfuzzy-dev exiftool curl openjdk-8-jre-headless
  • sudo pip install --upgrade pip

Cuckoo 1.x and cuckoo-modified are Python 2 code, which is why the python (not python3) packages are used throughout. Upgrading pip on top of the apt-installed copy can leave a pip that no longer matches the Debian package; if the pip commands below stop working afterwards, reinstall python-pip or do the Python part of the installation inside a virtualenv.

Install Cuckoo Modules

  • PDF reports
    • sudo apt-get install wkhtmltopdf xvfb xfonts-100dpi
  • tcpdump (network capture)
    • sudo apt-get install tcpdump libcap2-bin
    • sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
    This grants tcpdump only the capabilities it needs to open raw sockets, so Cuckoo can capture traffic without running as root (libcap2-bin provides setcap). Do not make the binary setuid root (chmod +s) instead: tcpdump can run an arbitrary command through its -z option, so a setuid-root copy is a local root escalation for every user on the host. On Ubuntu the AppArmor profile for tcpdump may also refuse to write pcaps into Cuckoo’s storage directory; if captures come out empty, check the kernel log for AppArmor denials.
  • ClamAV for malware identification
    • sudo apt-get install clamav clamav-daemon clamav-freshclam
  • Pydeep for fuzzy hashes
    • sudo pip install git+https://github.com/kbandla/pydeep.git
  • Malheur for malware behaviour analysis
    • sudo apt-get install uthash-dev libconfig-dev libarchive-dev libtool autoconf automake checkinstall
    • git clone https://github.com/rieck/malheur.git
    • cd malheur
    • ./bootstrap
    • ./configure --prefix=/usr
    • make
    • sudo make install
    • cd
    Without the make install step the binary is built but never placed on the PATH. Cuckoo will not complain about that, because Malheur reporting is disabled by default, so remember to enable it in conf/reporting.conf once Cuckoo is installed.
  • Volatility for memory analysis
    • sudo apt-get install python-pil
    • sudo pip install distorm3 pycrypto openpyxl
    • sudo pip install git+https://github.com/volatilityfoundation/volatility.git
  • PyV8 JavaScript engine for malicious JavaScript analysis
    • sudo apt-get install libboost-all-dev
    • sudo pip install git+https://github.com/buffer/pyv8
  • Suricata IDS
    • sudo apt-get install suricata
    • sudo cp /etc/suricata/suricata-debian.yaml /etc/suricata/suricata-cuckoo.yaml
    • sudo nano /etc/suricata/suricata-cuckoo.yaml, then make the following changes (ctrl+w searches in nano):
      • Search for “# a line based alerts log similar to Snort’s fast.log” and set enabled: no for both the fast-log and the unified2-alert outputs
      • Find file-store and set enabled: yes and force-md5: yes; find file-log and set enabled: yes (this is what lets Cuckoo pick up files carved from the captured traffic)
      • Find “# Stream engine settings. Here the TCP stream tracking and reassembly” and set the reassembly depth to 0 (unlimited, so downloaded files are not truncated)
      • Find request-body-limit and response-body-limit under the libhtp default-config and set both to 0, without any unit
      • Find vars and, under address-groups, set EXTERNAL_NET to “any”, so rules keyed on $EXTERNAL_NET fire regardless of the sandbox’s address
    • Keep the Emerging Threats open rules up to date
      • git clone https://github.com/seanthegeek/etupdate.git
      • sudo cp etupdate/etupdate /usr/sbin
      • sudo /usr/sbin/etupdate -V
      • sudo crontab -e
        • On first use Ubuntu asks which editor to use; choose 2 (nano)
        • Add the line 0 22 * * * /usr/sbin/etupdate so the rules are refreshed once a day at 22:00, or change the schedule to taste. Note that * 22 * * * would instead run the update every minute between 22:00 and 22:59.
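With this many pieces it is easy to lose one along the way and only find out when an analysis fails. The following post-install checklist is an added example (not part of the original post, and not something Cuckoo ships): it reports which of the command-line tools and Python modules installed above are missing from the PATH, and whether tcpdump carries the capabilities set with setcap rather than a setuid bit. The tool and module names are the ones from the sections above; the checks themselves are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checklist for the
# Cuckoo host. Reports missing tools/Python modules and inspects tcpdump's
# privilege setup. Names below are taken from the install steps above.

# Print each argument that is not an executable on PATH and return the
# number that were missing (0 = everything present).
missing_tools() {
    missing=0
    for t in "$@"; do
        if ! command -v "$t" >/dev/null 2>&1; then
            echo "$t"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Same for Python 2 modules (Cuckoo 1.x and cuckoo-modified are Python 2).
# If there is no "python" interpreter at all, every module counts as missing.
missing_py_modules() {
    missing=0
    if ! command -v python >/dev/null 2>&1; then
        echo "python"
        return "$#"
    fi
    for m in "$@"; do
        if ! python -c "import $m" >/dev/null 2>&1; then
            echo "$m"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# tcpdump should carry cap_net_raw and cap_net_admin (from setcap above).
tcpdump_caps_ok() {
    bin=$(command -v tcpdump) || return 1
    getcap "$bin" 2>/dev/null | grep -q 'cap_net_admin' \
        && getcap "$bin" 2>/dev/null | grep -q 'cap_net_raw'
}

# A setuid-root tcpdump "works" too, but is a local root escalation.
tcpdump_is_setuid() {
    bin=$(command -v tcpdump) || return 1
    [ -u "$bin" ]
}

report() {
    echo "== missing tools =="
    missing_tools tcpdump clamscan suricata malheur vol.py wkhtmltopdf \
        VBoxManage mongod yara ssdeep exiftool upx 7z etupdate || true
    echo "== missing python modules =="
    missing_py_modules pydeep yara volatility PyV8 M2Crypto distorm3 \
        Crypto openpyxl || true
    echo "== tcpdump =="
    if tcpdump_is_setuid; then
        echo "tcpdump is setuid root: remove the bit and use setcap instead"
    fi
    if tcpdump_caps_ok; then
        echo "tcpdump capabilities ok"
    else
        echo "tcpdump lacks cap_net_raw/cap_net_admin"
    fi
}

# Run as:  sh cuckoo-check.sh run
if [ "${1:-}" = "run" ]; then
    report
fi
```

Anything listed under missing tools points back at the apt-get or git step that should have provided it; a missing Python module usually means the matching pip install failed part-way through compiling (PyV8 and pydeep are the usual suspects).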

Installing Cuckoo

For this step you can either download the ZIP file of the current release from the Cuckoo website (https://cuckoosandbox.org/) or use the modified version at https://github.com/spender-sandbox/cuckoo-modified, which adds a number of improvements but is based on an older Cuckoo release and does not track upstream. The rest of this guide assumes the modified version was cloned or unpacked into a cuckoo-modified directory in your home directory.

Starting Cuckoo

Every time you restart the machine you will have to re-create and configure the VirtualBox host-only interface, since it does not persist across reboots. Be aware that running hostonlyif create a second time in the same session does not re-use vboxnet0 but allocates an additional interface (vboxnet1), so only create it once per boot. You also need to start Cuckoo itself and the web interface used for checking results and statistics and for submitting samples.

  • sudo VBoxManage hostonlyif create
  • sudo VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
  • cd cuckoo-modified
  • sudo python cuckoo.py -d (starts the Cuckoo platform; -d enables debug output and keeps it in the foreground)
  • In a second terminal or SSH session: cd cuckoo-modified/web
  • sudo python manage.py runserver XXX.XXX.XXX.XXX:YY (X is the Linux machine’s IP address and Y the HTTP port)

Two cautions on this part. The web interface is Django’s development server and cuckoo-modified ships it without any authentication, so everyone who can reach that address and port can submit samples and read every report; bind it to 127.0.0.1 and reach it through an SSH tunnel, or restrict the port with the host firewall, unless the host sits on an isolated lab network. Running both components with sudo is also more privilege than they need; Cuckoo’s own documentation recommends a dedicated unprivileged user that is a member of the vboxusers group.
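The host-only interface commands above are not idempotent, and the sandbox VMs will also need a route out if you want the analyses to record real network indicators. As an added example (not part of the original post, and not VirtualBox’s or Cuckoo’s own tooling), the script below brings the interface up only if it is absent, re-applies the address, and optionally NATs the sandbox subnet through the host’s uplink. It assumes the interface name vboxnet0, the 192.168.56.0/24 subnet and an uplink interface name passed in by the caller; the sample VBoxManage output embedded in it is constructed for testing the parser and is not a capture from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent bring-up of the
# VirtualBox host-only network for the sandbox VMs, plus optional NAT so
# samples can reach the internet. Assumed (not from the guide): interface
# vboxnet0, subnet 192.168.56.0/24, uplink interface given as $2.

HOSTONLY=${HOSTONLY:-vboxnet0}
HOSTONLY_IP=${HOSTONLY_IP:-192.168.56.1}
HOSTONLY_NET=${HOSTONLY_NET:-192.168.56.0/24}

# Constructed sample of "VBoxManage list hostonlyifs" output, used only to
# exercise the parser below on a machine without VirtualBox.
SAMPLE_HOSTONLY_LIST='Name:            vboxnet0
GUID:            786f6276-656e-4074-8000-0a0027000000
DHCP:            Disabled
IPAddress:       192.168.56.1
NetworkMask:     255.255.255.0
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-vboxnet0'

# $1 = output of "VBoxManage list hostonlyifs", $2 = interface name.
# Succeeds when an interface with exactly that name is listed.
hostonly_listed() {
    printf '%s\n' "$1" | grep -q "^Name:[[:space:]]*$2\$"
}

# Create the interface only if it is absent (a second "hostonlyif create"
# would produce vboxnet1, not reconfigure vboxnet0), then apply the address.
ensure_hostonly() {
    if ! hostonly_listed "$(VBoxManage list hostonlyifs)" "$HOSTONLY"; then
        VBoxManage hostonlyif create
    fi
    VBoxManage hostonlyif ipconfig "$HOSTONLY" \
        --ip "$HOSTONLY_IP" --netmask 255.255.255.0
}

# Append an iptables rule only when an identical one is not already
# present (-C checks), so re-running this after every boot does not
# pile up duplicate rules. $1 = table, $2 = chain, rest = rule spec.
iptables_ensure() {
    table=$1; chain=$2; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -A "$chain" "$@"
}

# Masquerade the sandbox subnet behind the uplink interface $1. Leave this
# step out if samples must stay offline.
enable_sandbox_nat() {
    uplink=$1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables_ensure nat POSTROUTING -s "$HOSTONLY_NET" -o "$uplink" -j MASQUERADE
    iptables_ensure filter FORWARD -i "$HOSTONLY" -o "$uplink" -j ACCEPT
    iptables_ensure filter FORWARD -i "$uplink" -o "$HOSTONLY" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Usage (as root, after each reboot):  sh cuckoo-net.sh up eth0
case "${1:-}" in
    up)
        ensure_hostonly
        if [ -n "${2:-}" ]; then
            enable_sandbox_nat "$2"
        fi
        ;;
esac
```

The sandbox VMs created in part 2 attach their NIC to vboxnet0 and use 192.168.56.1 as their default gateway; with the NAT rules in place that gateway is the host, which is also where tcpdump sees every packet the sample sends.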


Note: Cuckoo won’t run properly on this first try, since we haven’t set up any virtual machine as the sandbox yet.

Conclusion

In this post I covered everything you need to install and run Cuckoo, including an RDP interface for using the GUI from Windows Remote Desktop and a network share for getting files onto the host. What sets this guide apart from others on the web is that it is a compilation of my efforts to run Cuckoo in an enterprise production environment; as I said before, most guides only help you install the basic functionality of the platform, which won’t be as good as a fully geared Cuckoo.

I’ll soon post the continuation of this guide, in which I’ll help you create your sandbox VM with most of the tweaks needed to make it harder to detect when analyzing sandbox-aware malware.


9 thoughts on “Installing and running Cuckoo malware analysis platform – Part 1”

    • It’s really awesome to hear that! I currently have most of the work done already, I just need to summarize it all. I’m looking forward to working on it next week.

      • Maybe you know the answer to this question or can pass it on to the smart people with these tools. Where exactly do Cuckoo sandboxes sit on the network? The reason I ask is that I don’t know whether it’s a lab tool (digital forensics/malware analysis) or perimeter defense (for testing).

      • It is mainly used as a lab tool, but you sure can use any information that comes from its analysis for perimeter defense. For example, when you run a task, the results often come with information about remote hosts that the malware contacts (IP addresses, URLs, etc.); this kind of information can be fed to a proxy, IPS or firewall as a host blacklist.
        Another example is how I use it at my company: whenever some critical employee (manager, CEO, etc.) receives a phishing e-mail with an attachment, we check it out in our lab and take any actions if necessary.

        You also should put the Cuckoo machine in a DMZ; it’s not recommended that you work with this kind of thing on some shared network.

    • My pleasure. Yes, I’ve tried it, but it was crashing whenever I ran a PDF analysis and I wasn’t able to figure out why… Anyway, you can keep one folder for the modified version (which has some nice tweaks) and another for the latest one; be sure to have the same conf files in both and you will be able to run either version, you will just have to navigate to the folder you want and run the command.

      By the way, my second part is almost done now; I’m about to post it this week.

      • neom22,
        I glanced through the second part of your Cuckoo sandbox guide; it looks great, man! Maybe you can help me understand something… Why is the ‘w’ attached to the agent.py file?

      • The “w” at the end of the file name is because that binary runs in the background. The file without the “w” will pop up a CMD window when running.

  1. In the malheur section of your instructions you forgot to include the ‘make install’ command. Hence the files are there, but you are not running it; there are no errors because by default it is not enabled in the conf file. If you want to make use of this reporting feature you must enable it in ‘reporting.conf’.
