Cuckoo Sandbox Installation


What is Cuckoo Sandbox?
In three words, Cuckoo Sandbox is a malware analysis system.

What does that mean? It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

The text above is quoted from the page below; see it for more details: http://www.cuckoosandbox.org/about.html

Cuckoo Sandbox Installation:

This installation is tested with Ubuntu 14.04 and Kali 1.0.6.

First open a terminal and use the command below so that you are working with root privileges:
# sudo -i

Install Virtualbox:
# apt-get install virtualbox

Install Python, some of the necessary libraries, and git:
# apt-get install python git
# apt-get install python-sqlalchemy python-bson
# apt-get install python-pip
# pip install sqlalchemy bson
# apt-get install python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet python-dev
# pip install jinja2 pymongo bottle pefile cybox==2.0.1.4 
# pip install maec==4.0.1.0 django chardet

Install ssdeep:
Download it from http://ssdeep.sourceforge.net/#download
In our example the version is 2.12.
# tar xvfz ssdeep-2.12.tar.gz
# cd ssdeep-2.12
# ./configure
# make
# make install

Install pydeep:
# cd /opt
# git clone https://github.com/kbandla/pydeep.git pydeep
# cd /opt/pydeep/
# python setup.py build
# sudo python setup.py install 

Install yara:
Go to https://github.com/plusvic/yara/releases
Download version 3.1.0.
# apt-get install automake libtool
# tar xvfz yara-3.1.0.tar.gz
# cd yara-3.1.0
# ./bootstrap.sh
# ./configure
# make
# make install
# cd yara-python
# python setup.py build
# python setup.py install
# apt-get install python-yara
If everything went fine, the command below should give a positive result:
# python tests.py 

Install tcpdump:
# apt-get install tcpdump
# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Install Cuckoo:
# adduser cuckoo
# addgroup cuckoo vboxusers
# cd ~
# git clone git://github.com/cuckoobox/cuckoo.git

Configure Cuckoo:
# cd cuckoo
# ./utils/community.py -wafb monitor
# ./utils/community.py -wafb 2.0
# cd conf

Edit cuckoo.conf and make sure that you have the details below:
machinery = virtualbox
ip = 192.168.56.1 (the IP of the vboxnet0 host adapter)

Edit virtualbox.conf and make sure that you have the details below:
label = windows7-cuckoo
platform = windows
ip = 192.168.56.101

Above we set the details of the VirtualBox host-only network and of the virtual machine we will use.
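Added here as a check on the two config edits above (not part of the Cuckoo project's code): it reads the values from cuckoo.conf and virtualbox.conf and reports mismatches, assuming the [resultserver] section and per-machine sections of Cuckoo 1.x and the 192.168.56.0/24 subnet of vboxnet0; the config text is constructed to mirror the post.

```python
import configparser
import ipaddress

# Constructed excerpts of the two files as edited above (not copied from a real install).
CUCKOO_CONF = """[cuckoo]
machinery = virtualbox
[resultserver]
ip = 192.168.56.1
"""
VIRTUALBOX_CONF = """[virtualbox]
machines = windows7-cuckoo
[windows7-cuckoo]
label = windows7-cuckoo
platform = windows
ip = 192.168.56.101
"""
# Assumption: vboxnet0 was created with this subnet, as in the post.
HOST_ONLY_NET = ipaddress.ip_network("192.168.56.0/24")


def parse_ip(text):
    """Return an ip_address, or None when the value is not a valid address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_configs(cuckoo_text, vbox_text):
    """Return a list of problems; an empty list means the values fit the setup above."""
    cuckoo = configparser.ConfigParser()
    cuckoo.read_string(cuckoo_text)
    vbox = configparser.ConfigParser()
    vbox.read_string(vbox_text)
    problems = []
    if cuckoo.get("cuckoo", "machinery", fallback=None) != "virtualbox":
        problems.append("machinery must be virtualbox")
    host_addr = parse_ip(cuckoo.get("resultserver", "ip", fallback=""))
    if host_addr is None or host_addr not in HOST_ONLY_NET:
        problems.append("resultserver ip must be the host address on %s" % HOST_ONLY_NET)
    for name in vbox.get("virtualbox", "machines", fallback="").split(","):
        name = name.strip()
        if not vbox.has_section(name):
            problems.append("machine %r is listed but has no section" % name)
            continue
        if vbox.get(name, "platform", fallback="") != "windows":
            problems.append("platform of %r must be windows" % name)
        guest_addr = parse_ip(vbox.get(name, "ip", fallback=""))
        # the guest must sit on the host-only subnet and not collide with the host address
        if guest_addr is None or guest_addr not in HOST_ONLY_NET or guest_addr == host_addr:
            problems.append("guest ip of %r is not usable on %s" % (name, HOST_ONLY_NET))
    return problems
```

Run it against the real files by passing their contents; any line it returns points at a value that will stop Cuckoo from reaching the guest.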

Guest Machine Installation and Setup:
Run VirtualBox and go to the network settings under "File -> Preferences -> Network -> Host-only Networks". Create a new host-only network "vboxnet0".
[screenshot: VirtualBox host-only networks dialog, not reproduced]

Check the details of vboxnet0 and make sure that you have the settings below, with DHCP enabled.
[screenshot: vboxnet0 adapter and DHCP server settings, not reproduced]

Create a new machine named: “windows7-cuckoo”. Select the details below:
64-bit Windows
1 GB RAM
Host-only network vboxnet0

Install Windows 7 64-bit. Run the virtual machine and follow the steps below:

  • Install the VirtualBox Guest Additions.
  • Assign a shared folder which will be needed for sending files to your guest.
  • Disable windows auto update.
  • Disable windows firewall.
  • Install different software that will be needed:
    MS Office
    Acrobat Reader
    Flash Player
    Java
    Winzip
    Firefox

Install the Cuckoo agent in the virtual machine:

  • Copy the Cuckoo agent file from cuckoo/agent/agent.py to your shared folder.
  • From the shared folder in the guest, copy it to C:\ProgramData\Microsoft\Start Menu\Programs\Startup
  • Rename it to agent.pyw
  • Run it by double-clicking it.
  • Open a command prompt and run "netstat -aon".
    There should be a line with "TCP 0.0.0.0:8000 ... LISTENING"

Make the network settings of the virtual machine like in the screenshot:
[screenshot: guest TCP/IP settings, not reproduced]

Lastly pause the machine and take a snapshot of it. Close Virtualbox.

Enable Virtual Machine Internet connection:
Normally a host-only network cannot connect to the Internet. What we want is that the guest does not connect to the host but can connect to the Internet, so we need to make some settings. These settings need to be made each time you restart your host. If you prefer, you can make them permanent.

  • First add iptables rules for vboxnet0:
    # iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    # iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # iptables -A POSTROUTING -t nat -j MASQUERADE
  • Enable forwarding:
    # sysctl -w net.ipv4.ip_forward=1
  • Install dnsmasq and start the service
    # apt-get install dnsmasq
    # service dnsmasq start

Lastly, start Cuckoo:
# cd ~/cuckoo
# ./cuckoo.py
You will see a screen like below:
[screenshot: Cuckoo start-up banner, not reproduced]

You can open another terminal to submit your first malware example. To do it:

  • Open a new terminal and run the commands below:
    # cd ~/cuckoo
    # ./utils/submit.py binaryname
    [screenshot: submit.py output, not reproduced]
  • During the analysis you will see the details about what is going on in the other terminal window where Cuckoo runs. When it ends you will see a message saying that the analysis procedure completed.
    [screenshot: Cuckoo analysis log, not reproduced]
  • Now you can browse to the folder ~/cuckoo/storage/analysis/<id number>/reports:
    [screenshot: reports folder, not reproduced]
  • You can double-click report.html to see the details:
    [screenshot: report.html in a browser, not reproduced]

This completes the post. Later we will continue with more details about submitting malware in different formats.

Next post: Cuckoo Submitting Malware