What is Cuckoo Sandbox?
In three words, Cuckoo Sandbox is a malware analysis system.
What does that mean? It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.
The text above is copied from the Cuckoo project site; for more details see http://www.cuckoosandbox.org/about.html
Cuckoo Sandbox Installation:
This installation is tested with Ubuntu 14.04 and Kali 1.0.6.
First open a terminal and use the command below so that you are working with root privileges:
# sudo -i
# apt-get install virtualbox
Install Python, the libraries Cuckoo needs, and git:
# apt-get install python git
# apt-get install python-sqlalchemy python-bson
# apt-get install python-pip
# pip install sqlalchemy bson
# apt-get install python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet python-dev
# pip install jinja2 pymongo bottle pefile cybox==22.214.171.124
# pip install maec==126.96.36.199 django chardet
Download ssdeep from http://ssdeep.sourceforge.net/#download
In our example the version is 2.12. Build and install it (the tarball unpacks into ssdeep-2.12 and must be configured and compiled before installing):
# tar xvfz ssdeep-2.12.tar.gz
# cd ssdeep-2.12
# ./configure
# make
# make install
# cd /opt
# git clone https://github.com/kbandla/pydeep.git pydeep
# cd /opt/pydeep/
# python setup.py build
# sudo python setup.py install
Go to https://github.com/plusvic/yara/releases and download version 3.1.0.
Build yara from the source tarball (the GitHub tarball has no configure script yet, so bootstrap it first), then build the Python bindings from the yara-python directory inside the source tree:
# apt-get install automake libtool
# tar xvfz yara-3.1.0.tar.gz
# cd yara-3.1.0
# ./bootstrap.sh
# ./configure
# make
# make install
# cd yara-python
# python setup.py build
# python setup.py install
# apt-get install python-yara
If everything went well, the bindings' test suite (run from the yara-python directory) should pass:
# python tests.py
# apt-get install tcpdump
# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
# adduser cuckoo
# addgroup cuckoo vboxusers
# cd ~
# git clone git://github.com/cuckoobox/cuckoo.git
# cd cuckoo
# ./utils/community.py -wafb monitor
# ./utils/community.py -wafb 2.0
# cd conf
Edit cuckoo.conf and make sure it contains the details below:
machinery = virtualbox
ip = 192.168.56.1
(192.168.56.1 is the host's address on the vboxnet0 host-only interface.)
Edit virtualbox.conf and make sure it contains the details below:
label = windows7-cuckoo
platform = windows
ip = 192.168.56.101
Above we set the details of the VirtualBox host-only network and of the virtual machine we will use.
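The two files above are only consistent if the result server address is really the host's vboxnet0 address and the guest sits on the same subnet; a mismatch shows up later as analyses that hang with no results. The script below is an added example (not part of the original post or of Cuckoo itself) that reads both files with a small awk INI reader and checks those relationships. It assumes the default Cuckoo 1.x section names ([cuckoo] machinery, [resultserver] ip, [virtualbox] machines, and a per-machine section named after the label); the two sample configuration files it writes are constructed here to mirror the settings from the post.

```shell
#!/bin/sh
# Added example: sanity-check cuckoo.conf / virtualbox.conf before starting Cuckoo.

# ini_get <file> <section> <key>: print the value of key inside [section].
# Comment lines (# or ;) are skipped; surrounding whitespace is trimmed.
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        sec == s && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) {
                val = $0; sub(/^[^=]*=/, "", val)
                sub(/[ \t]*#.*/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# check_cuckoo_net <cuckoo.conf> <virtualbox.conf> <host vboxnet0 address>
# Returns 0 when the settings agree, 1 (with one line per problem) otherwise.
check_cuckoo_net() {
    conf=$1; vconf=$2; hostip=$3; rc=0
    machinery=$(ini_get "$conf" cuckoo machinery)
    rsip=$(ini_get "$conf" resultserver ip)
    machine=$(ini_get "$vconf" virtualbox machines)
    machine=${machine%%,*}                      # first entry if several are listed
    label=$(ini_get "$vconf" "$machine" label)
    guestip=$(ini_get "$vconf" "$machine" ip)

    [ "$machinery" = virtualbox ] || { echo "machinery is '$machinery', expected virtualbox"; rc=1; }
    [ "$rsip" = "$hostip" ]       || { echo "resultserver ip $rsip differs from host vboxnet0 address $hostip"; rc=1; }
    [ -n "$label" ]               || { echo "no [$machine] section with a label in virtualbox.conf"; rc=1; }
    [ "${guestip%.*}" = "${hostip%.*}" ] || { echo "guest $guestip is not on the same /24 as host $hostip"; rc=1; }
    [ "$guestip" != "$hostip" ]   || { echo "guest ip collides with the host ip"; rc=1; }
    return $rc
}

# Constructed sample files reproducing the post's settings (not real installed configs).
WORK=$(mktemp -d)
cat > "$WORK/cuckoo.conf" <<'EOF'
# constructed sample
[cuckoo]
machinery = virtualbox

[resultserver]
ip = 192.168.56.1
port = 2042
EOF
cat > "$WORK/virtualbox.conf" <<'EOF'
[virtualbox]
mode = headless
machines = windows7-cuckoo

[windows7-cuckoo]
label = windows7-cuckoo
platform = windows
ip = 192.168.56.101
EOF

# On a real host, pass the address reported by: ip -4 addr show vboxnet0
check_cuckoo_net "$WORK/cuckoo.conf" "$WORK/virtualbox.conf" 192.168.56.1 && echo "config OK"
```

Point the script at ~/cuckoo/conf/cuckoo.conf and ~/cuckoo/conf/virtualbox.conf instead of the sample files to check a real installation.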
Create a new virtual machine named “windows7-cuckoo” with the settings below:
1 GB RAM
Host-only network vboxnet0
Install Windows 7 64-bit. Start the virtual machine and follow the steps below:
- Install the VirtualBox Guest Additions.
- Assign a shared folder, which will be needed for sending files to your guest.
- Disable Windows automatic updates.
- Disable the Windows firewall.
- Install the other software that will be needed (Python 2.7 for Windows is required, since the agent is a Python script).
Install the Cuckoo agent in the virtual machine:
- Copy the agent file cuckoo/agent/agent.py from the host to your shared folder.
- From the shared folder in the guest, copy it to C:\ProgramData\Microsoft\Start Menu\Programs\Startup
- Rename it to agent.pyw (so it runs without a console window).
- Run it by double-clicking it.
- Open a command prompt and run "netstat -aon".
There should be a line like "TCP 0.0.0.0:8000 ... LISTENING", showing that the agent is listening.
Lastly pause the machine and take a snapshot of it. Close Virtualbox.
Enable Virtual Machine Internet connection:
Normally a host-only network cannot reach the Internet. What we want is a guest that cannot talk to the host but can reach the Internet, so some settings are needed. These settings have to be made each time you restart your host; if you prefer, you can make them permanent.
- First add iptables rules for vboxnet0:
# iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -A POSTROUTING -t nat -j MASQUERADE
- Enable forwarding:
# sysctl -w net.ipv4.ip_forward=1
- Install dnsmasq and start the service:
# apt-get install dnsmasq
# service dnsmasq start
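Two things about the rules above are worth tightening when you make them permanent: the MASQUERADE rule NATs every outbound connection from the host rather than only the sandbox subnet, and nothing in the FORWARD chain stops the guest from reaching the host itself, which is what the text says we want. The script below is an added example (not from the post or from Cuckoo) that applies a scoped version of the same rules idempotently, so it can be run at every boot without stacking duplicates, and restricts guest-to-host traffic to what Cuckoo needs. It assumes eth0 as the uplink, vboxnet0 and 192.168.56.0/24 as in the post, and 2042/tcp for the result server (Cuckoo's default, assumed unchanged in cuckoo.conf).

```shell
#!/bin/sh
# Added example: reproducible sandbox network setup for the host.
# Run as root with --apply; without arguments it just prints the rules it would add.
UPLINK=${UPLINK:-eth0}                       # assumption: interface with Internet access
SANDBOX_IF=${SANDBOX_IF:-vboxnet0}           # host-only interface from the post
SANDBOX_NET=${SANDBOX_NET:-192.168.56.0/24}  # host-only subnet from the post
RESULTSERVER_PORT=${RESULTSERVER_PORT:-2042} # assumption: Cuckoo's default resultserver port
IPT=${IPT:-iptables}                         # override to test without touching the firewall

# One rule per line: <table> <chain> <rule specification>.
# INPUT order matters: the explicit ACCEPTs must come before the final DROP.
sandbox_rules() {
    cat <<EOF
filter FORWARD -i $SANDBOX_IF -o $UPLINK -s $SANDBOX_NET -m conntrack --ctstate NEW -j ACCEPT
filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
nat POSTROUTING -s $SANDBOX_NET -o $UPLINK -j MASQUERADE
filter INPUT -i $SANDBOX_IF -p tcp --dport $RESULTSERVER_PORT -j ACCEPT
filter INPUT -i $SANDBOX_IF -p udp --dport 53 -j ACCEPT
filter INPUT -i $SANDBOX_IF -p tcp --dport 53 -j ACCEPT
filter INPUT -i $SANDBOX_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
filter INPUT -i $SANDBOX_IF -j DROP
EOF
}
# The resultserver and dnsmasq (DNS) ports are the only services the guest may reach on the
# host; the ESTABLISHED rule lets replies to the host's own connections to the guest agent
# (port 8000) back in. If the guest gets its address over DHCP from the host, also allow 67/udp.

# ensure_rule <table> <chain> <rule...>: append the rule only if it is not already present,
# so running the script again after a reboot (or by accident) does not duplicate rules.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

apply_sandbox_rules() {
    sandbox_rules | while read -r table chain spec; do
        # word-splitting of $spec is intended: it is a flat rule specification
        ensure_rule "$table" "$chain" $spec
    done
}

enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "--apply" ]; then
    apply_sandbox_rules && enable_forwarding
else
    sandbox_rules
fi
```

To check the result on a running host, `iptables -t nat -S POSTROUTING` and `iptables -S INPUT` should each show the rules exactly once, no matter how many times the script has been run.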
With Cuckoo running (./cuckoo.py) in one terminal, open another terminal to submit your first malware sample. To do it:
- Open a new terminal and run the commands below:
# cd ~/cuckoo
# ./utils/submit.py binaryname
- During the analysis you will see what is going on in the other terminal window, where Cuckoo runs. When it ends you will see a message saying that the analysis procedure completed.
- Now you can browse to the folder ~/cuckoo/storage/analyses/<id number>/reports
- Double-click report.html to see the details.
Here the post completes. Later we will continue with more details about submitting malware in different formats.
Next post: Cuckoo Submitting Malware