Installing and running Cuckoo malware analysis platform – Part 1

In this post I’ll be guiding you thru all the steps required to install and run a Cuckoo malware analysis platform. I’ve talked about it briefly in my previous post and promised this guide as a continuation. I estimate the time to accomplish this installation in something about 40 to 60 minutes, depending on how straight forward you plan to follow this guide.

I’ve faced many dependencies problems and errors until I was able to compile (or at least hope so) everything you need to run the platform on the first try. I’ve also spent a lot of time reading different guides until I finally could compile this one. Most guides out there would only help you set up the platform with none-basic settings and modules, which may not deliver satisfactory results.

This guide will cover from preparing the platform host to the creation of the Windows 7 VM, where the files will be run. I’m splitting this tutorial in two main parts, preparing the host and the virtual machines. Let us begin then with the host.

---

Preparing the Host

You’ll need a physical machine with a Linux distro. This machine must be able to run at least a single virtual machine, so something about 4gb of RAM and a quad core processor should do the job just fine but the more, the better.

Install Ubuntu Server

Ubuntu Server was my OS of choice while installing Cuckoo, it is also recommended OS from the Cuckoo’s website.

• Navigate to https://www.ubuntu.com/download/server and download the latest Ubuntu server ISO to install in your host;

Install SSH

First thing you should do is to install a SSH server on the host. SSH will allow you to connect to this machine from anywhere on your network or internet. Useful if you want to finish this tutorial from another machine.

• sudo apt-get install openssh-server
• sudo service ssh restart

Install a graphic (XFCE) interface and RDP compatibility

I’ve added this step because in my corporate network we mainly use Windows with the Remote Desktop app. It is not mandatory to install a GUI, but it helps a lot.

• sudo apt-get install xfce4
• sudo apt-get install xfce4-terminal
• sudo apt-get install gnome-icon-theme-full tango-icon-theme
• sudo apt-get install xrdp

The next two steps set XFCE as the default GUI when using the Remote Desktop app. Edit the startwm.sh and add the text below to the file.

• echo xfce4-session >~/.xsession
• nano /etc/xrdp/startwm.sh
• Type in the following:

#!/bin/sh
 if [ -r /etc/default/locale ]; then
 . /etc/default/locale
 export LANG LANGUAGE
 fi
 startxfce4

• sudo service xrdp restart

Install SAMBA

Samba will be used for directory sharing between Linux and Windows systems. You’ll need a share on the host for transferring the VMs and any other files.

• sudo apt-get install -y samba samba-common python-glade2 system-config-samba

Edit the smb.conf for share definitios, run the following command and add the text in the box below at the end of the smb.conf file.

• sudo nano /etc/samba/smb.conf
• Type in the following at the very bottom of the file:

 [global]
 workgroup = WORKGROUP
 server string = Samba Server %v
 netbios name = ubuntu
 security = user
 map to guest = bad user
 dns proxy = no
 
 [Sandbox]
 path = /samba/share
 browsable = yes
 writable = yes
 guest ok = yes
 read only = no

• sudo service smbd restart

Install VirtualBox

Cuckoo needs a virtualization software in order to automate it’s malware analysis functions. For this guide, I’ll be recommending Virtual Box, Oracle’s open source solution for virtualization.

• sudo nano /etc/apt/sources.list
• Edit the sources.list with Virtual Box’s repositories. Add the text above to the end of the sources.list file.
  
  # Virtualbox
  deb http://download.virtualbox.org/virtualbox/debian xenial contrib

• sudo apt-get update
• sudo apt-get install virtualbox-5.1
• sudo apt-get install dkms

Install Cuckoo and Dependencies

This step is responsible for installing the Cuckoo platform itself, as well all its dependencies. Being modular means that Cuckoo will be depending on many other tools to work properly. I went thru this process a few times and tried to make sure that I’ve noted down all the tools needed.

• sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y
• sudo apt-get install python python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg-dev
• sudo apt-get install git mongodb python python-dev python-pip python-m2crypto libmagic1 swig libvirt-dev upx-ucl libssl-dev wget unzip p7zip-full geoip-database libgeoip-dev libjpeg-dev mono-utils yara python-yara ssdeep libfuzzy-dev exiftool curl openjdk-8-jre-headless
• sudo pip install –upgrade pip

Install Cuckoo Modules

• PDF Reports
  • sudo apt-get install wkhtmltopdf xvfb xfonts-100dpi
• TCP Dump
  • sudo apt-get install tcpdump libcap2-bin
  • sudo chmod +s /usr/sbin/tcpdump
• ClamAV for malware id
  • sudo apt-get install clamav clamav-daemon clamav-freshclam
• Pydeep for fuzzy hashes
  • sudo pip install git+https://github.com/kbandla/pydeep.git
• Malheur for malware behavior analysis
  • sudo apt-get install uthash-dev libconfig-dev libarchive-dev libtool autoconf automake checkinstall
  • git clone https://github.com/rieck/malheur.git
  • cd malheur
  • ./bootstrap
  • ./configure –prefix=/usr
  • make
  • cd
• Volatility for memory analysis
  • sudo apt-get install python-pil
  • sudo pip install distorm3 pycrypto openpyxl
  • sudo pip install git+https://github.com/volatilityfoundation/volatility.git
• PyV8 JavaScript engine for malicious JavaScript analysis
  • sudo apt-get install libboost-all-dev
  • sudo pip install git+https://github.com/buffer/pyv8
• Suricata IDS
  • sudo apt-get install suricata
  • sudo cp /etc/suricata/suricata-debian.yaml /etc/suricata/suricata-cuckoo.yaml
  • sudo nano /etc/suricata/suricata-cuckoo.yaml
    • Search for “# a line based alerts log similar to Snort’s fast.log” by pressing “ctrl+w”
    • Set to “enable” to “no” for “fast.log” and “unified2”
    • Find “file-store” set “enabled” to “yes”
    • Set to “yes” the fields “force-md5” and “file-log”
    • Find ” # Stream engine settings. Here the TCP stream tracking and reassembly” and set “depth” to “0”
    • Find “request-body-limit” and “response-body-limit” under “default-config” to 0, without any unit
    • Find “vars” and under “address-groups” set “EXTERNAL_NET” to “any”
  • Update threats on open IDS rules
    • git clone https://github.com/seanthegeek/etupdate.git
    • sudo cp etupdate/etupdate /usr/sbin
    • sudo /usr/sbin/etupdate -V
    • sudo crontab -e
      • choose 2
      • Add the line * 22 * * * /usr/sbin/etupdate so it will update at ever 22 hours, or modify the time at your will;

Installing Cuckoo

For this step, you can either download the ZIP file from the Cuckoo website (https://cuckoosandbox.org/) or download a improved and modified but outdated version from the git link mentioned below. You can check the improvements out at https://github.com/spender-sandbox/cuckoo-modified.

• Create Cuckoo user (not mandatory)
  • sudo adduser cuckoo
  • sudo usermod -L cuckoo
• Download Cuckoo
  • sudo su cuckoo (if installing under root or any other user, skip this)
  • cd
  • wget https://bitbucket.org/mstrobel/procyon/downloads/procyon-decompiler-0.5.30.jar
  • git clone https://github.com/spender-sandbox/cuckoo-modified.git
  • sudo pip install -r /cuckoo-modified/requirements.txt
  • cd cuckoo-modified/utils
  • ./community.py -afw

Starting Cuckoo

Every time you restart the machine, you will have to re-create and start the virtual network interface. You will also need to start Cuckoo and the webservice used for checking results, statistics and submitting malware.

• sudo VBoxManage hostonlyif create
• sudo VBoxManage hostonlyif ipconfig vboxnet0 –ip 192.168.56.1 –netmask 255.255.255.0
• cd cuckoo-modified
• sudo python cuckoo.py -d (start Cuckoo platform)
• cd cuckoo-modified/web
• sudo python manage.py runserver XXX.XXX.XXX.XXX:YY (X should be the Linux machine IP address and Y should be the http port)

Obs.: Cuckoo won’t run properly on this first try since we didn’t set up any virtual machine as the sandbox.

Conclusion

In this post I covered everything you need to install and run Cuckoo, also giving you a RDP interface, for using the GUI with Windows Remote Desktop and being able to connect to this host by a network share. The main difference of this guide to others on the web is that this is a compilation of my efforts for running Cuckoo on an enterprise production environment, as I stated before, most guides will only help you install the basic functionality of the platform, which won’t be as good as a fully geared Cuckoo.

I’ll be posting soon the continuation of this guide, which I’ll be helping you out on creating your sandbox VM with most of the tweaks needed to make it harder to detect when analyzing sandbox-proof malwares.

References:

• https://github.com/spender-sandbox/cuckoo-modified
• https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
• http://mostlyaboutsecurity.com/?p=15&i=1
• https://cuckoosandbox.org/