In this post I’ll guide you through all the steps required to install and run a Cuckoo malware analysis platform. I talked about it briefly in my previous post and promised this guide as a continuation. I estimate the installation takes about 40 to 60 minutes, depending on how closely you follow this guide.
I faced many dependency problems and errors before I was able to compile (or at least I hope so) everything you need to run the platform on the first try. I also spent a lot of time reading different guides until I could finally put this one together. Most guides out there only help you set up the platform with the basic settings and modules, which may not deliver satisfactory results.
This guide covers everything from preparing the platform host to the creation of the Windows 7 VM where the files will be run. I’m splitting this tutorial into two main parts: preparing the host and preparing the virtual machines. Let us begin with the host.
Preparing the Host
You’ll need a physical machine with a Linux distro. This machine must be able to run at least a single virtual machine, so about 4 GB of RAM and a quad-core processor should do the job just fine, but the more, the better.
Install Ubuntu Server
Ubuntu Server was my OS of choice while installing Cuckoo; it is also the OS recommended on Cuckoo’s website.
- Navigate to https://www.ubuntu.com/download/server, download the latest Ubuntu Server ISO and install it on your host;
Install SSH
The first thing you should do is install an SSH server on the host. SSH will allow you to connect to this machine from anywhere on your network or the internet, which is useful if you want to finish this tutorial from another machine.
- sudo apt-get install openssh-server
- sudo service ssh restart
Install a graphical (XFCE) interface and RDP support
I’ve added this step because in my corporate network we mainly use Windows with the Remote Desktop app. It is not mandatory to install a GUI, but it helps a lot.
- sudo apt-get install xfce4
- sudo apt-get install xfce4-terminal
- sudo apt-get install gnome-icon-theme-full tango-icon-theme
- sudo apt-get install xrdp
The next steps set XFCE as the default session when connecting with the Remote Desktop app. Edit startwm.sh so that it contains the script below.
- echo xfce4-session >~/.xsession
- sudo nano /etc/xrdp/startwm.sh
- Type in the following:
#!/bin/sh
if [ -r /etc/default/locale ]; then
  . /etc/default/locale
  export LANG LANGUAGE
fi
startxfce4
- sudo service xrdp restart
Install SAMBA
Samba will be used for directory sharing between Linux and Windows systems. You’ll need a share on the host for transferring the VMs and any other files.
- sudo apt-get install -y samba samba-common python-glade2 system-config-samba
Edit smb.conf to define the share. Create the shared directory first (owned by the guest account, so guests can write to it), then run the following command and add the text in the box below at the end of the smb.conf file.
- sudo mkdir -p /samba/share
- sudo chown nobody:nogroup /samba/share
- sudo nano /etc/samba/smb.conf
- Type in the following at the very bottom of the file:
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = ubuntu
security = user
map to guest = bad user
dns proxy = no

[Sandbox]
path = /samba/share
browsable = yes
writable = yes
guest ok = yes
read only = no
- sudo service smbd restart
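The [Sandbox] stanza above gives anonymous users write access to the share, which is convenient in an isolated lab but not something you want on a host reachable from a shared network. As an added example (not part of the original post), the script below parses an smb.conf and lists every share that is both writable and open to guests, then shows a hardened replacement stanza that only an authenticated Samba user can write to. The sample smb.conf it writes is constructed for the demonstration, and the hardened stanza assumes a Samba account named cuckoo created with `sudo smbpasswd -a cuckoo`.

```shell
#!/bin/sh
# Added example: audit smb.conf for guest-writable shares and show a hardened
# replacement for the [Sandbox] share. Not part of the original guide.

# Print the name of every share that is writable and allows guest access.
# Keys are matched case-insensitively; "writable = yes" and "read only = no"
# are treated as the same thing, as Samba does.
guest_writable_shares() {   # $1 = path to smb.conf ("-" reads stdin)
    awk '
        function report_section() {
            if (sec != "" && tolower(sec) != "global" && guest && writable) print sec
        }
        /^[ \t]*\[/ {                 # new [section]: report the previous one
            report_section()
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            guest = 0; writable = 0
            next
        }
        /^[ \t]*[#;]/ { next }        # comment line
        /=/ {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
            if (key == "guest ok" && val == "yes") guest = 1
            if (key == "writable" && val == "yes") writable = 1
            if (key == "read only" && val == "no") writable = 1
        }
        END { report_section() }
    ' "$1"
}

# Constructed sample smb.conf for the demonstration (not a real host's file).
write_sample_smb_conf() {   # $1 = destination path
    cat > "$1" <<'EOF'
[global]
workgroup = WORKGROUP
security = user
map to guest = bad user

[Sandbox]
path = /samba/share
browsable = yes
writable = yes
guest ok = yes

[Reports]
path = /samba/reports
read only = yes
guest ok = yes
EOF
}

# Hardened replacement for the [Sandbox] stanza: authenticated access only.
# Assumes a Samba account "cuckoo" created with: sudo smbpasswd -a cuckoo
hardened_sandbox_share() {
    cat <<'EOF'
[Sandbox]
path = /samba/share
browsable = yes
writable = yes
guest ok = no
valid users = cuckoo
create mask = 0660
directory mask = 0770
EOF
}

# Optional syntax check of a real smb.conf with testparm, if it is installed.
validate_smb_conf() {   # $1 = path to smb.conf
    command -v testparm >/dev/null 2>&1 || { echo "testparm not installed"; return 1; }
    testparm -s "$1" >/dev/null
}

# Demo run: write the sample, list the risky shares, show the fix.
tmp=$(mktemp)
write_sample_smb_conf "$tmp"
echo "Guest-writable shares in sample: $(guest_writable_shares "$tmp")"
echo "Guest-writable shares in hardened stanza: '$(hardened_sandbox_share | guest_writable_shares -)'"
rm -f "$tmp"
```

Run it against the real file with `guest_writable_shares /etc/samba/smb.conf` after editing; an empty result means no share is open for anonymous writes. The [Reports] share in the sample is deliberately read-only to show that guest access alone is not flagged.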
Install VirtualBox
Cuckoo needs virtualization software in order to automate its malware analysis. For this guide I’ll be recommending VirtualBox, Oracle’s open source virtualization solution.
- sudo nano /etc/apt/sources.list
- Edit sources.list to add VirtualBox’s repository. Append the text below to the end of the file.
# Virtualbox
deb http://download.virtualbox.org/virtualbox/debian xenial contrib
- sudo apt-get update
- sudo apt-get install virtualbox-5.1
- sudo apt-get install dkms
Install Cuckoo and Dependencies
This step installs the Cuckoo platform itself, as well as all its dependencies. Being modular means that Cuckoo depends on many other tools to work properly. I went through this process a few times and tried to make sure that I noted down all the tools needed.
- sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y
- sudo apt-get install python python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg-dev
- sudo apt-get install git mongodb python python-dev python-pip python-m2crypto libmagic1 swig libvirt-dev upx-ucl libssl-dev wget unzip p7zip-full geoip-database libgeoip-dev libjpeg-dev mono-utils yara python-yara ssdeep libfuzzy-dev exiftool curl openjdk-8-jre-headless
- sudo pip install --upgrade pip
Install Cuckoo Modules
- PDF Reports
- sudo apt-get install wkhtmltopdf xvfb xfonts-100dpi
- TCP Dump
- sudo apt-get install tcpdump libcap2-bin
- sudo chmod +s /usr/sbin/tcpdump
- ClamAV for malware identification
- sudo apt-get install clamav clamav-daemon clamav-freshclam
- Pydeep for fuzzy hashes
- sudo pip install git+https://github.com/kbandla/pydeep.git
- Malheur for malware behavior analysis
- sudo apt-get install uthash-dev libconfig-dev libarchive-dev libtool autoconf automake checkinstall
- git clone https://github.com/rieck/malheur.git
- cd malheur
- ./bootstrap
- ./configure --prefix=/usr
- make
- sudo make install
- cd
- Volatility for memory analysis
- sudo apt-get install python-pil
- sudo pip install distorm3 pycrypto openpyxl
- sudo pip install git+https://github.com/volatilityfoundation/volatility.git
- PyV8 JavaScript engine for malicious JavaScript analysis
- sudo apt-get install libboost-all-dev
- sudo pip install git+https://github.com/buffer/pyv8
- Suricata IDS
- sudo apt-get install suricata
- sudo cp /etc/suricata/suricata-debian.yaml /etc/suricata/suricata-cuckoo.yaml
- sudo nano /etc/suricata/suricata-cuckoo.yaml
- Search for “# a line based alerts log similar to Snort’s fast.log” by pressing “ctrl+w”
- Set “enabled” to “no” for “fast.log” and “unified2”
- Find “file-store” and set “enabled” to “yes”
- Set “force-md5” and “file-log” to “yes”
- Find “# Stream engine settings. Here the TCP stream tracking and reassembly” and set “depth” to “0”
- Find “request-body-limit” and “response-body-limit” under “default-config” and set both to 0, without any unit
- Find “vars” and, under “address-groups”, set “EXTERNAL_NET” to “any”
- Update the Emerging Threats open IDS rules
- git clone https://github.com/seanthegeek/etupdate.git
- sudo cp etupdate/etupdate /usr/sbin
- sudo /usr/sbin/etupdate -V
- sudo crontab -e
- choose 2 when asked which editor to use
- Add the line 0 22 * * * /usr/sbin/etupdate so the rules update once a day at 22:00, or modify the schedule at will;
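The TCP Dump step above makes tcpdump setuid root, which means any bug in tcpdump’s packet parsing runs with full root privileges. The libcap2-bin package installed in that same step provides setcap, which lets tcpdump open raw sockets with only the cap_net_raw and cap_net_admin capabilities instead (this is also what the Cuckoo documentation recommends). As an added example, not part of the original post, the script below reports how the binary currently gets its capture privileges and provides a remediation function that swaps the setuid bit for file capabilities; the TCPDUMP path defaults to /usr/sbin/tcpdump and can be overridden.

```shell
#!/bin/sh
# Added example: check how tcpdump gets its packet-capture privileges and
# replace the setuid bit with file capabilities. Not part of the original guide.

TCPDUMP=${TCPDUMP:-/usr/sbin/tcpdump}

# Returns 0 if the file has the setuid bit, 1 if not. find(1) with -prune
# tests just the named file, so this works on any POSIX system.
is_setuid() {   # $1 = path
    [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# Returns 0 if the file carries cap_net_raw (getcap comes from libcap2-bin).
has_capture_caps() {   # $1 = path
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$1" 2>/dev/null | grep -q cap_net_raw
}

# One-word summary of how the binary can open raw sockets:
# "setuid", "capabilities" or "none".
capture_privilege_status() {   # $1 = path
    if is_setuid "$1"; then
        echo setuid
    elif has_capture_caps "$1"; then
        echo capabilities
    else
        echo none
    fi
}

# Remediation (run as root): drop the setuid bit and grant only the two
# capabilities tcpdump needs, so a flaw in tcpdump yields raw-socket
# access rather than a root shell.
harden_tcpdump() {   # $1 = path
    chmod u-s "$1" || return 1
    setcap cap_net_raw,cap_net_admin=eip "$1" || return 1
    getcap "$1"
}

# Demo run (read-only): report the current state of the system tcpdump.
if [ -e "$TCPDUMP" ]; then
    echo "$TCPDUMP: $(capture_privilege_status "$TCPDUMP")"
else
    echo "$TCPDUMP not found; install tcpdump first"
fi
```

After running `sudo sh -c '. ./tcpdump-caps.sh; harden_tcpdump /usr/sbin/tcpdump'` (or the setcap line by hand), the status should read “capabilities”; Cuckoo runs tcpdump as the unprivileged user either way, so the analysis setup does not change.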
Installing Cuckoo
For this step, you can either download the ZIP file from the Cuckoo website (https://cuckoosandbox.org/) or download an improved and modified, but outdated, version from the git link mentioned below. You can check the improvements out at https://github.com/spender-sandbox/cuckoo-modified.
- Create Cuckoo user (not mandatory)
- sudo adduser cuckoo
- sudo usermod -L cuckoo
- Download Cuckoo
- sudo su cuckoo (skip this if installing as root or any other user)
- cd
- wget https://bitbucket.org/mstrobel/procyon/downloads/procyon-decompiler-0.5.30.jar
- git clone https://github.com/spender-sandbox/cuckoo-modified.git
- sudo pip install -r cuckoo-modified/requirements.txt
- cd cuckoo-modified/utils
- ./community.py -afw
Starting Cuckoo
Every time you restart the machine, you will have to re-create and start the virtual network interface. You will also need to start Cuckoo and the webservice used for checking results, statistics and submitting malware.
- sudo VBoxManage hostonlyif create
- sudo VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
- cd cuckoo-modified
- sudo python cuckoo.py -d (starts the Cuckoo platform in debug mode; it stays in the foreground)
- cd cuckoo-modified/web (from a second terminal)
- sudo python manage.py runserver XXX.XXX.XXX.XXX:YY (X should be the Linux machine’s IP address and Y the HTTP port)
Note: Cuckoo won’t run properly on this first try, since we haven’t set up any virtual machine as the sandbox yet.
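Because the host-only interface and the two processes have to be brought up after every reboot, it is worth putting the steps above into one script that can be run repeatedly without side effects: `VBoxManage hostonlyif create` adds a new vboxnetN every time it is called, so the script first parses `VBoxManage list hostonlyifs` and only creates the interface when it is missing. The example below is added here and is not part of the original post; the sample listing it carries is constructed, the interface name, address and Cuckoo directory are assumptions matching the guide’s defaults, and the web UI is bound to 127.0.0.1:8000 by default because nothing in this guide puts authentication in front of it (set WEB_BIND to a management address if you need remote access).

```shell
#!/bin/sh
# Added example: idempotent start-up script for the Cuckoo host.
# Not part of the original guide; paths and addresses are assumptions.

IFNAME=${IFNAME:-vboxnet0}
HOST_IP=${HOST_IP:-192.168.56.1}
NETMASK=${NETMASK:-255.255.255.0}
CUCKOO_DIR=${CUCKOO_DIR:-$HOME/cuckoo-modified}
WEB_BIND=${WEB_BIND:-127.0.0.1:8000}   # assumption: bind the UI to localhost

# Constructed sample of "VBoxManage list hostonlyifs" output, used only to
# show what the parsers below expect (the GUID is a placeholder).
SAMPLE_LISTING='Name:            vboxnet0
GUID:            00000000-0000-0000-0000-000000000000
DHCP:            Disabled
IPAddress:       192.168.56.1
NetworkMask:     255.255.255.0
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-vboxnet0
'

# Returns 0 if an interface with the given name appears in the listing.
hostonly_exists() {   # $1 = listing text, $2 = interface name
    printf '%s\n' "$1" | grep -Eq "^Name:[[:space:]]+$2[[:space:]]*\$"
}

# Print the IPAddress of the named interface (empty if it is not listed).
hostonly_ip() {       # $1 = listing text, $2 = interface name
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Name:/      { name = $2 }
        /^IPAddress:/ { if (name == want) print $2 }
    '
}

# Create the host-only interface only if VirtualBox does not already have it,
# then apply the guide's address if it is not set yet. Needs VBoxManage.
ensure_hostonly_if() {
    listing=$(VBoxManage list hostonlyifs) || return 1
    if ! hostonly_exists "$listing" "$IFNAME"; then
        VBoxManage hostonlyif create || return 1
    fi
    if [ "$(hostonly_ip "$listing" "$IFNAME")" != "$HOST_IP" ]; then
        VBoxManage hostonlyif ipconfig "$IFNAME" --ip "$HOST_IP" --netmask "$NETMASK" || return 1
    fi
}

# Start the analysis daemon in the background (log to a file) and the web UI
# in the foreground, bound to one explicit address.
start_cuckoo() {
    cd "$CUCKOO_DIR" || return 1
    python cuckoo.py -d > "$CUCKOO_DIR/cuckoo.log" 2>&1 &
    cd web && python manage.py runserver "$WEB_BIND"
}

# Invoked as "sudo sh start-cuckoo.sh run" this brings the host up; with no
# argument it only exercises the parsers on the constructed listing.
if [ "${1:-}" = run ]; then
    ensure_hostonly_if && start_cuckoo
else
    if hostonly_exists "$SAMPLE_LISTING" "$IFNAME"; then present=yes; else present=no; fi
    echo "$IFNAME present in sample listing: $present"
    echo "$IFNAME address in sample listing: $(hostonly_ip "$SAMPLE_LISTING" "$IFNAME")"
fi
```

The address check means re-running the script on a healthy host is a no-op for the network part, and the log file gives you something to look at when the daemon dies before the VM is configured, as the note above says it will on the first run.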
Conclusion
In this post I covered everything you need to install and run Cuckoo, while also giving you an RDP interface for using the GUI from Windows Remote Desktop and a network share for connecting to this host. The main difference between this guide and others on the web is that this one is a compilation of my efforts to run Cuckoo in an enterprise production environment; as I stated before, most guides will only help you install the basic functionality of the platform, which won’t be as good as a fully geared Cuckoo.
I’ll soon post the continuation of this guide, in which I’ll help you create your sandbox VM with most of the tweaks needed to make it harder to detect when analyzing sandbox-aware malware.
When will you write pt 2 of the cuckoo sandbox? By the way, this tutorial is awesome!
It’s really awesome to hear that! I currently have most of the work done already, I just need to summarize it all. I’m looking forward to working on it next week.
Maybe you know the answer to this question, or can pass it on to the smart people who work with these tools. Where exactly do Cuckoo sandboxes sit on the network? The reason I ask is that I don’t know if it’s a lab tool (digital forensics/malware analysis) or perimeter defense (for testing).
It is mainly used as a lab tool, but you sure can use any information that comes from its analysis for perimeter defense. For example, when you run a task, the results often come with information about remote hosts that the malware contacts (IP addresses, URLs, etc.); this kind of information can be used in a proxy, IPS or firewall as a host blacklist.
Another example is how I use it at my company: whenever some critical employee (manager, CEO, etc.) receives a phishing email with an attachment, we check it out in our lab and take any actions if necessary.
You also should put the Cuckoo machine in a DMZ; it’s not recommended that you work with this kind of thing on some shared network.
Hey, thanks for getting back to my question. Another Cuckoo sandbox question for you: have you tried version 2.0 of Cuckoo?
My pleasure. Yes, I’ve tried it, but it was crashing whenever I ran a PDF analysis, and I wasn’t able to figure out why… Anyway, you can keep a folder for the modified version (which has some nice tweaks) and another for the latest one; be sure to have the same conf files in both and you will be able to run either version, you will just have to navigate to the folder you want and run the command.
By the way, my second part is almost done now, I’m about to post it this week.
neom22,
I glanced through the second part of your Cuckoo sandbox guide; it looks great, man! Maybe you can help me understand something… Why is the ‘w’ attached to the agent.py file?
The “w” at the end of the file name is because this binary runs in the background. The file without the “w” will pop up a CMD window when running.
In the Malheur section of your instructions you forgot to include the ‘make install’ command. Hence the files are there but you are not running it; there are no errors because by default it is not enabled in the conf file. If you want to make use of this reporting feature, you must enable it in ‘reporting.conf’.