Cuckoo Sandbox Installation


Arnaud Loos
April 11, 2019

CATEGORIES security

Cuckoo Sandbox is an open source malware analysis system that launches files in an isolated environment and observes their behaviour.
Pass it a URL, executable, Office document, PDF, or any other file and it will be launched in an isolated virtual machine where Cuckoo can
observe its process execution, API calls, network access, and all filesystem activity. You then get a report and a threat score based on
the observed behaviour. Once the analysis is complete the VM is restored to a known-good snapshot and waits for the next submission.

Once Cuckoo is running you can pass it samples in three ways: drag and drop through the web interface, from the command line
with cuckoo submit <file> , or through the REST API.

I’m going to install Cuckoo 2.0.6 on Ubuntu Desktop 16.04. I need a GUI to run VirtualBox and running this on 18.04 is problematic due to
a change in OpenSSL 1.1.0. I’m sure I could have just as easily gone with a server OS and GUI. I’m running as the user cuckoo.

The official installation instructions are here and many of the steps in this tutorial were copied from this excellent guide.

For my VM I’m using a licensed copy of Windows XP. You’ll need the XP ISO and a license key or a trial version. Cuckoo is supposed to
work equally well with Windows 7 but I’ve not tested that.

Note that this is not an efficient or secure installation. I’m unsure if all the packages being installed are necessary, for instance you’ll be
installing sqlite, mongodb, and postgres which is really not recommended. I’ve taken these steps from other guides and haven’t
bothered to do a full clean-up. Also note ironically that if you want to enable searching in Cuckoo you need to install yet another
database, Elasticsearch.

Installation

Start with some prerequisites

sudo apt-get install git mongodb libffi-dev build-essential python-django python python-dev python-pip python-pil pyth

Allow tcpdump to capture as a non-root user. Cuckoo starts the sniffer as the cuckoo user, so tcpdump needs the capture capabilities
itself and the AppArmor profile that would block it has to be disabled (aa-disable comes from the apparmor-utils package).

sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Test by running getcap /usr/sbin/tcpdump and expect to get back /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
Install Yara

The --with-crypto, --enable-cuckoo and --enable-magic options below need libssl-dev, libjansson-dev and libmagic-dev installed first.

wget https://github.com/plusvic/yara/archive/v3.4.0.tar.gz -O yara-3.4.0.tar.gz
tar -zxf yara-3.4.0.tar.gz
cd yara-3.4.0
./bootstrap.sh
./configure --with-crypto --enable-cuckoo --enable-magic
make
sudo make install

Test and make sure you get back a version number

yara -v

And install yara-python. Yara 3.4.0 ships it in the yara-python subdirectory of the source tree you are already in (later releases
moved it to a separate repository).

cd yara-python
python setup.py build
sudo python setup.py install

Install ssdeep

cd ~/
wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download -O ssdeep-2.13.tar.gz
tar -zxf ssdeep-2.13.tar.gz
cd ssdeep-2.13
./configure
make
sudo make install

Test and make sure you get back a version number


ssdeep -V

Install some python dependencies

pip install pydeep


pip install openpyxl
pip install ujson
pip install pycrypto
pip install distorm3
pip install pytz
pip install jsonschema

Install Volatility

git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py build
sudo python setup.py install

Make sure you’re installing VirtualBox 5.1 or earlier, not 5.2 or later. Check which version apt will give you with

apt-cache policy virtualbox

Install VirtualBox

sudo apt-get install virtualbox

Add my cuckoo user to the vboxusers group


sudo usermod -a -G vboxusers cuckoo

Copy your Windows XP ISO (or Win7) to /home/cuckoo/

As the cuckoo user create the VM. VirtualBox registers new machines under ~/VirtualBox VMs/<name> by default (note the space in the
directory name), which is where the disk image is created below.

vboxmanage createvm --name windowsxp --ostype WindowsXP --register
vboxmanage modifyvm windowsxp --memory 1000 --acpi on --boot1 dvd --nic1 nat
cd ~/"VirtualBox VMs"/windowsxp
vboxmanage createhd --filename windowsxp.vdi --size 12000
vboxmanage storagectl windowsxp --name 'IDE Controller' --add ide --controller PIIX4
vboxmanage storageattach windowsxp --storagectl 'IDE Controller' --port 0 --device 0 --type hdd --medium windowsxp.vdi
vboxmanage storageattach windowsxp --storagectl 'IDE Controller' --port 0 --device 1 --type dvddrive --medium /home/cu
vboxmanage hostonlyif create
vboxmanage modifyvm windowsxp --nic1 hostonly
vboxmanage modifyvm windowsxp --hostonlyadapter1 vboxnet0

Locally, from the GUI console of the OS (not an ssh session), open the Terminal application and run vboxmanage startvm windowsxp .

Your VM should start and boot from the ISO allowing you to install the Operating System.

While the OS is installing we’ll switch gears for a moment and set up the host machine to talk to the guest and forward its traffic
to the Internet.

You’ll want to change enp0s25 in the first rule to match the name of the network interface on the host that has Internet access.
Get this by running ip addr . 192.168.56.0/24 is the VirtualBox host-only network the guest sits on.
Run the following commands on the Linux host machine.

sudo iptables -t nat -A POSTROUTING -o enp0s25 -s 192.168.56.0/24 -j MASQUERADE


sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -j LOG

Note that these rules aren’t persistent, meaning they’ll be erased on reboot. To make them permanent install the iptables-persistent
package. When you modify the rules in the future use sudo netfilter-persistent save to make the change permanent.

Also be clear about what these rules allow: the guest gets unrestricted outbound Internet access through your host, so a sample
detonating in the sandbox can scan, spam or attack other systems from your public IP address. The final LOG rule records whatever
reaches the end of the chain, i.e. new connections towards the guest that are not replies, before the DROP policy discards them.

Now we’ll enable forwarding in the kernel. Either of the two commands below is enough for the running kernel; to survive a reboot
also add net.ipv4.ip_forward=1 to /etc/sysctl.conf.

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1

Complete the guest OS install and continue with the steps below.

Once completed, don’t install any additional system updates and configure the VM with a static IP.

IP: 192.168.56.10
Subnet: 255.255.255.0
Gateway: 192.168.56.1
DNS: 8.8.8.8

Try and ping the host PC ping 192.168.56.1 . You should get a response.

Install the VirtualBox Guest Additions in the guest OS and enable host to guest drag and drop from the VM settings.
Settings > General > Advanced > Drag'n'Drop: Host to Guest
Keep in mind that the Guest Additions (the VBox drivers, services and devices they install) are an easy tell for malware that checks
whether it is running in a virtual machine; they are convenient while building the image, but evasive samples may behave differently
because of them.

Download the following packages and drag them into the guest OS to copy them to the Desktop. Now install them.

The Python 2.7 installer for your guest OS.
The Python Imaging Library (PIL), which the analyzer uses to take screenshots of the files executing.
The Cuckoo agent (agent.py, shipped in the agent directory of the Cuckoo working directory, /home/cuckoo/.cuckoo/agent/ once Cuckoo
has been initialised). Place the file in the startup folder of the guest VM so it executes on startup. A command window should open
showing the agent is listening (on port 8000 in the guest); renaming the file to agent.pyw runs it without the console window.

This would also be a good time to install Adobe Acrobat Reader and perhaps a trial version of Microsoft Office.

The way in which the VM is snapshotted and the state it’s in is very important for cuckoo.
Do the following exactly as I describe. Visit the Cuckoo troubleshooting doc for more information.

While the VM is running

vboxmanage snapshot windowsxp take snapshot1 --pause


vboxmanage controlvm windowsxp poweroff
vboxmanage snapshot windowsxp restorecurrent

And now, as the cuckoo user, install Cuckoo.

cd ~/
git clone https://github.com/cuckoosandbox/cuckoo
cd cuckoo
python stuff/monitor.py
python setup.py build
sudo python setup.py sdist
sudo python setup.py build install

Now run Cuckoo


cuckoo -d

Cuckoo Sandbox 2.0.6
www.cuckoosandbox.org
Copyright (c) 2010-2018

=======================================================================
Welcome to Cuckoo Sandbox, this appears to be your first run!
We will now set you up with our default configuration.
You will be able to see and modify the Cuckoo configuration,
Yara rules, Cuckoo Signatures, and much more to your likings
by exploring the /home/cuckoo/.cuckoo directory.

Among other configurable items of most interest is the
new location for your Cuckoo configuration:
/home/cuckoo/.cuckoo/conf
=======================================================================

Cuckoo has finished setting up the default configuration.
Please modify the default settings where required and
start Cuckoo again (by running `cuckoo` or `cuckoo -d`).

Modify the Cuckoo configuration

All three files live in /home/cuckoo/.cuckoo/conf and should be edited as the cuckoo user, not with sudo, otherwise Cuckoo will later
be unable to read its own files.

nano /home/cuckoo/.cuckoo/conf/cuckoo.conf
Under [resultserver] verify that ip = 192.168.56.1 is set. This is the host side of the host-only network, which the guest reports
back to during analysis.

nano /home/cuckoo/.cuckoo/conf/virtualbox.conf
Since we’re using VirtualBox as our provider we’ll also modify some VM settings in this file. In the [virtualbox] section check that
interface = vboxnet0 and machines = cuckoo1 , then point the [cuckoo1] section at the VM and snapshot created above.

[cuckoo1]
label = windowsxp
ip = 192.168.56.10
snapshot = snapshot1

nano /home/cuckoo/.cuckoo/conf/reporting.conf
Enabling the MongoDB reporting module is required if you want to use the web interface described later (cuckoo web reads its data
from MongoDB); for command line and API use only it is optional.

[mongodb]
enabled = yes
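A small pre-flight check for the three files edited above, added here as an example; it is not part of the original post or of the Cuckoo project. It parses the files with configparser and reports the mistakes that most often stop a first run: a ResultServer IP that is not an address, a guest IP that is not on the same network as the ResultServer (it assumes the /24 host-only network used in this tutorial), a machine listed in machines = without its own section, and MongoDB reporting left off when the web interface is wanted. The embedded config text is constructed to mirror the values above; pass a real conf directory on the command line to check your own installation.

```python
"""Pre-flight check for Cuckoo 2.0.x cuckoo.conf / virtualbox.conf / reporting.conf."""
import configparser
import ipaddress
import os

# Constructed sample files mirroring the values used in this tutorial.
CUCKOO_CONF = """
[cuckoo]
machinery = virtualbox

[resultserver]
ip = 192.168.56.1
port = 2042
"""

VIRTUALBOX_CONF = """
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0
machines = cuckoo1

[cuckoo1]
label = windowsxp
platform = windows
ip = 192.168.56.10
snapshot = snapshot1
"""

REPORTING_CONF = """
[jsondump]
enabled = yes

[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
"""


def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def _yes(value):
    return str(value).strip().lower() in ("yes", "on", "true", "1")


def check_cuckoo(cuckoo_conf, virtualbox_conf, reporting_conf, want_web=True):
    """Return a list of human-readable problems; an empty list means the files look consistent."""
    problems = []
    cuckoo, vbox, reporting = _parse(cuckoo_conf), _parse(virtualbox_conf), _parse(reporting_conf)

    # The ResultServer address is the host side of the host-only network the guest reports to.
    try:
        rs_ip = ipaddress.IPv4Address(cuckoo.get("resultserver", "ip", fallback=""))
    except ipaddress.AddressValueError:
        problems.append("cuckoo.conf: [resultserver] ip is not a valid IPv4 address")
        rs_ip = None
    # Assumption for this tutorial: the host-only network is a /24 (255.255.255.0).
    rs_net = ipaddress.IPv4Network(f"{rs_ip}/24", strict=False) if rs_ip else None

    if cuckoo.get("cuckoo", "machinery", fallback="") != "virtualbox":
        problems.append("cuckoo.conf: [cuckoo] machinery should be 'virtualbox'")
    if not vbox.get("virtualbox", "interface", fallback=""):
        problems.append("virtualbox.conf: [virtualbox] interface (e.g. vboxnet0) is not set")

    # Every name in 'machines' needs its own section with label, ip and snapshot.
    names = [n.strip() for n in vbox.get("virtualbox", "machines", fallback="").split(",") if n.strip()]
    if not names:
        problems.append("virtualbox.conf: [virtualbox] machines is empty")
    for name in names:
        if not vbox.has_section(name):
            problems.append(f"virtualbox.conf: machine '{name}' is listed but section [{name}] is missing")
            continue
        for key in ("label", "ip", "snapshot"):
            if not vbox.get(name, key, fallback=""):
                problems.append(f"virtualbox.conf: [{name}] {key} is not set")
        guest = vbox.get(name, "ip", fallback="")
        try:
            guest_ip = ipaddress.IPv4Address(guest)
        except ipaddress.AddressValueError:
            problems.append(f"virtualbox.conf: [{name}] ip '{guest}' is not a valid IPv4 address")
            continue
        if rs_net is not None and guest_ip not in rs_net:
            problems.append(f"virtualbox.conf: [{name}] ip {guest_ip} is not on the ResultServer network {rs_net}")
        if rs_ip is not None and guest_ip == rs_ip:
            problems.append(f"virtualbox.conf: [{name}] ip collides with the ResultServer ip")

    # 'cuckoo web' reads its data from MongoDB, so the reporting module is not optional there.
    if want_web and not _yes(reporting.get("mongodb", "enabled", fallback="no")):
        problems.append("reporting.conf: [mongodb] enabled must be 'yes' for the web interface")
    return problems


def check_config_dir(conf_dir):
    """Run the checks against a real conf directory (default ~/.cuckoo/conf)."""
    def read(name):
        with open(os.path.join(conf_dir, name)) as fh:
            return fh.read()
    return check_cuckoo(read("cuckoo.conf"), read("virtualbox.conf"), read("reporting.conf"))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.cuckoo/conf")
    if os.path.isdir(target):
        found = check_config_dir(target)
    else:  # no installation to inspect: check the constructed samples above
        found = check_cuckoo(CUCKOO_CONF, VIRTUALBOX_CONF, REPORTING_CONF)
    for problem in found:
        print("PROBLEM:", problem)
    print("ok" if not found else f"{len(found)} problem(s)")
```

Run it as the cuckoo user with no arguments to check /home/cuckoo/.cuckoo/conf; the want_web flag exists because an API-only deployment can legitimately leave MongoDB off.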

Now start it all up again


cuckoo -d

2019-04-04 12:32:53,616 [cuckoo] WARNING: It appears that you haven't loaded any Cuckoo Signatures. Signatures are hig
2019-04-04 12:32:53,616 [cuckoo] WARNING: You'll be able to fetch all the latest Cuckoo Signatures, Yara rules, and mo
2019-04-04 12:32:53,616 [cuckoo] INFO: $ cuckoo community

Run cuckoo community . I know I could have just told you to do that before but I wanted you to be aware that cuckoo has the ability to
download and refresh signatures and rules.

Verify that the cuckoo directory is owned by the cuckoo user.


If not run sudo chown -R cuckoo:cuckoo ~/.cuckoo

Remember that your VM was created by the cuckoo user so don’t expect to find it if you run sudo cuckoo -d

Now run cuckoo -d again.

2019-04-04 17:05:57,609 [cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.


2019-04-04 17:05:57,611 [cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2019-04-04 17:05:58,288 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine windowsxp to snapshot1
2019-04-04 17:05:58,727 [cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2019-04-04 17:05:58,767 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.

Cuckoo is online and awaiting a file submission. Let’s submit a sample from the command line, you can submit any file on the system.

cuckoo submit evilfile.exe

2019-04-04 17:09:25,364 [cuckoo.core.scheduler] DEBUG: Processing task #6


2019-04-04 17:09:25,385 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "evilfile.exe" (task #6, options "")
2019-04-04 17:09:25,509 [cuckoo.core.scheduler] INFO: Task #6: acquired machine cuckoo1 (label=windowsxp)
2019-04-04 17:09:25,510 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay
2019-04-04 17:09:25,544 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3537 (interface=vboxnet0, host=192.1
2019-04-04 17:09:25,545 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
...
2019-04-04 17:09:25,734 [cuckoo.machinery.virtualbox] DEBUG: Starting vm windowsxp
2019-04-04 17:09:26,048 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine windowsxp to snapshot1
2019-04-04 17:09:26,551 [cuckoo.common.abstracts] DEBUG: Waiting 0 cuckooseconds for machine windowsxp to switch to st
2019-04-04 17:09:27,793 [cuckoo.common.abstracts] DEBUG: Waiting 1 cuckooseconds for machine windowsxp to switch to st
...
2019-04-04 17:30:08,011 [cuckoo.core.scheduler] INFO: Task #6: acquired machine cuckoo1 (label=windowsxp)
2019-04-04 17:30:08,012 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay
2019-04-04 17:30:08,025 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 7198 (interface=vboxnet0, host=192.1
2019-04-04 17:30:08,027 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2019-04-04 17:30:08,211 [cuckoo.machinery.virtualbox] DEBUG: Starting vm windowsxp
2019-04-04 17:30:08,508 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine windowsxp to snapshot1
2019-04-04 17:30:11,536 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.10)
2019-04-04 17:30:12,548 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-04-04 17:30:13,553 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-04-04 17:30:16,586 [cuckoo.core.guest] DEBUG: cuckoo1: waiting for status 0x0001
2019-04-04 17:30:16,595 [cuckoo.core.guest] DEBUG: cuckoo1: status ready
2019-04-04 17:30:16,699 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.10, monitor=
2019-04-04 17:30:18,723 [cuckoo.core.guest] DEBUG: cuckoo1: analyzer started with PID 1616
2019-04-04 17:30:18,811 [cuckoo.core.guest] DEBUG: cuckoo1: waiting for completion
2019-04-04 17:30:19,280 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2019-04-04 17:30:19,823 [cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2019-04-04 17:30:20,834 [cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2019-04-04 17:30:23,484 [cuckoo.core.resultserver] DEBUG: New process (pid=1880, ppid=1960, name=PIL-1.1.7.win32-py2.7
2019-04-04 17:30:23,884 [cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2019-04-04 17:30:24,481 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2019-04-04 17:30:24,493 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 45281
2019-04-04 17:30:24,894 [cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2019-04-04 17:30:25,599 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0002.jpg
2019-04-04 17:30:25,619 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 62214
2019-04-04 17:30:25,903 [cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2019-04-04 17:30:26,710 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0003.jpg
2019-04-04 17:30:26,727 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 62648
2019-04-04 17:30:26,912 [cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2019-04-04 17:33:19,549 [cuckoo.core.guest] INFO: cuckoo1: end of analysis reached!
2019-04-04 17:33:19,642 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Replay
2019-04-04 17:33:19,683 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2019-04-04 17:33:19,684 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm windowsxp
2019-04-04 17:33:21,358 [cuckoo.core.scheduler] DEBUG: Released database task #6
2019-04-04 17:33:21,502 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #6
2019-04-04 17:33:21,630 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #6
2019-04-04 17:33:21,643 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #6
2019-04-04 17:33:21,644 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #6
2019-04-04 17:33:21,645 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #6
2019-04-04 17:33:21,646 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #6
2019-04-04 17:33:21,647 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #6
2019-04-04 17:33:21,823 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #6
2019-04-04 17:33:22,714 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #6
2019-04-04 17:33:22,825 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #6
2019-04-04 17:33:22,899 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #6
2019-04-04 17:33:22,911 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #6
2019-04-04 17:33:22,911 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #6
2019-04-04 17:33:22,912 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #6
2019-04-04 17:33:22,917 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #6
2019-04-04 17:33:22,921 [cuckoo.core.plugins] DEBUG: Running 540 signatures
2019-04-04 17:33:23,852 [cuckoo.core.plugins] DEBUG: Analysis matched signature: has_pdb
2019-04-04 17:33:23,853 [cuckoo.core.plugins] DEBUG: Analysis matched signature: packer_entropy
2019-04-04 17:33:23,985 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2019-04-04 17:33:24,299 [cuckoo.core.plugins] DEBUG: Executed reporting module "MongoDB"
2019-04-04 17:33:24,299 [cuckoo.core.scheduler] INFO: Task #6: reports generation completed
2019-04-04 17:33:24,319 [cuckoo.core.scheduler] INFO: Task #6: analysis procedure completed

Launching Cuckoo the next time

On Linux the VirtualBox host-only interface is not recreated automatically after a reboot, so the next start fails:

[cuckoo] CRITICAL: CuckooCriticalError: Unable to bind ResultServer on 192.168.56.1:2042 [Errno 99] Cannot assign requested address.
This usually happens when you start Cuckoo without bringing up the virtual interface associated with the ResultServer IP address.
Please refer to https://cuckoo.sh/docs/faq/#troubles-problem for more information.

Run:
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
before running cuckoo -d

Only run hostonlyif create when vboxnet0 really is missing (check with VBoxManage list hostonlyifs ): every call creates a new
interface, so on a host where vboxnet0 already exists you get vboxnet1 instead, and Cuckoo, which is configured for vboxnet0, still
cannot bind.
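The same bring-up as a script that can be run before every cuckoo -d . This is an added example, not part of the original post or of VirtualBox or Cuckoo: it parses VBoxManage list hostonlyifs (the sample output is constructed to look like VirtualBox 5.x on Linux) and runs hostonlyif create only when vboxnet0 is missing, ipconfig only when the address, mask or link state is wrong, and nothing when the interface is already as Cuckoo expects. The interface name, IP and netmask default to the values used in this tutorial.

```python
"""Bring up the VirtualBox host-only interface Cuckoo's ResultServer binds to, idempotently."""
import subprocess

# Constructed: what `VBoxManage list hostonlyifs` prints when vboxnet0 is up and configured.
SAMPLE_UP = """\
Name:            vboxnet0
GUID:            786f6276-656e-4074-8000-0a0027000000
DHCP:            Disabled
IPAddress:       192.168.56.1
NetworkMask:     255.255.255.0
IPV6Address:
IPV6NetworkMaskPrefixLength: 0
HardwareAddress: 0a:00:27:00:00:00
MediumType:      Ethernet
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-vboxnet0
"""


def parse_hostonlyifs(output):
    """Map interface name -> {field: value} from the blank-line separated 'Key: value' blocks."""
    interfaces, current = {}, {}
    for line in output.splitlines():
        if not line.strip():
            if current.get("Name"):
                interfaces[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(":")  # first colon only: MAC addresses contain colons
        current[key.strip()] = value.strip()
    if current.get("Name"):
        interfaces[current["Name"]] = current
    return interfaces


def plan_hostonly(output, name="vboxnet0", ip="192.168.56.1", netmask="255.255.255.0"):
    """Return the VBoxManage commands (argv lists) needed to reach the desired state."""
    ifaces = parse_hostonlyifs(output)
    ipconfig = ["VBoxManage", "hostonlyif", "ipconfig", name, "--ip", ip, "--netmask", netmask]
    iface = ifaces.get(name)
    if iface is None:
        # Assumption: no host-only interface exists yet (the post-reboot case on Linux), so
        # 'create' yields vboxnet0. If others exist, 'create' would give a different name.
        if ifaces:
            raise RuntimeError(f"{name} is missing but other host-only interfaces exist: {sorted(ifaces)}")
        return [["VBoxManage", "hostonlyif", "create"], ipconfig]
    if (iface.get("IPAddress") != ip or iface.get("NetworkMask") != netmask
            or iface.get("Status") != "Up"):
        return [ipconfig]  # setting the address also brings the interface up
    return []


def ensure_hostonly(**kwargs):
    """Run the plan for real; returns the commands that were executed."""
    listing = subprocess.run(["VBoxManage", "list", "hostonlyifs"],
                             check=True, capture_output=True, text=True).stdout
    commands = plan_hostonly(listing, **kwargs)
    for cmd in commands:
        subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    for cmd in ensure_hostonly():
        print("ran:", " ".join(cmd))
    print("host-only interface ready; now run: cuckoo -d")
```

Run it as the cuckoo user right before cuckoo -d ; the RuntimeError on the "other interfaces exist" path is deliberate, since silently creating vboxnet1 is exactly the failure the script is meant to prevent.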

Cuckoo API

Start the API listener

cuckoo api --host 0.0.0.0

Runs on port 8090 by default. With --host 0.0.0.0 it listens on every interface of the host.

I’m calling Cuckoo Sandbox from Cortex and I’m currently unsure how to pass an API token from there so for now I’m just disabling
authentication.

nano /home/cuckoo/.cuckoo/conf/cuckoo.conf
Comment out the api_token. When a token is set, clients send it as Authorization: Bearer <token> . With it commented out anyone who
can reach port 8090 can submit samples, read every report and download the original files, so at minimum restrict the port to the
Cortex host with a firewall rule or bind to a non-public address instead of 0.0.0.0.

Launch the Cuckoo web server

Submit files and view results on the Cuckoo web page.

cuckoo web -H 0.0.0.0

Navigate to http://<IP of server>:8000 to view the Dashboard. As with the API, 0.0.0.0 exposes this to anyone who can reach port 8000,
so firewall it to the people who should be submitting samples.

[Screenshots: recently run scans and the summary page; an analysis summary; in-depth system activity; network activity capture; additional files that were downloaded.]
You now have your very own sandbox in which to detonate any suspicious file you come across. Consider enabling the Cuckoo Analyzer
in Cortex and giving it the IP of your new sandbox server.
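A minimal client for the REST API started above, added here as an example; it is not code from this post or from the Cuckoo project, and it uses only the Python standard library. The endpoint paths and JSON shapes are the documented Cuckoo 2.0 ones (POST /tasks/create/file returning {"task_id": N}, GET /tasks/view/N returning {"task": {"status": ...}}, GET /tasks/report/N returning the JSON report) and the Bearer header is what Cuckoo checks when api_token is set, so the same code works whether or not you left the token commented out. The BASE_URL default and the offline demo data are assumptions.

```python
"""Submit a sample to a Cuckoo 2.0.x REST API, poll it, and summarize the report."""
import json
import os
import time
import urllib.request
import uuid

BASE_URL = "http://127.0.0.1:8090"  # assumption: 'cuckoo api' on its default port


def auth_headers(token=None):
    """Cuckoo checks 'Authorization: Bearer <api_token>' when a token is configured."""
    return {"Authorization": "Bearer " + token} if token else {}


def encode_multipart(filename, data, fields=None):
    """Build a multipart/form-data body; the sample goes in the 'file' field."""
    boundary = uuid.uuid4().hex
    parts = []
    for key, value in (fields or {}).items():  # e.g. timeout, package, options
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{key}"'.encode(), b"", str(value).encode()]
    parts += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="file"; filename="{filename}"'.encode(),
              b"Content-Type: application/octet-stream", b"", data, f"--{boundary}--".encode(), b""]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(parts)


def build_submit_request(base_url, filename, data, token=None, **fields):
    content_type, body = encode_multipart(filename, data, fields)
    headers = {"Content-Type": content_type, **auth_headers(token)}
    return urllib.request.Request(base_url.rstrip("/") + "/tasks/create/file",
                                  data=body, headers=headers, method="POST")


def _call(request, opener):
    with opener(request) as resp:
        return json.loads(resp.read().decode("utf-8"))


def submit_bytes(base_url, filename, data, token=None, opener=urllib.request.urlopen, **fields):
    return int(_call(build_submit_request(base_url, filename, data, token, **fields), opener)["task_id"])


def submit_file(base_url, path, token=None, opener=urllib.request.urlopen, **fields):
    with open(path, "rb") as fh:
        return submit_bytes(base_url, os.path.basename(path), fh.read(), token, opener, **fields)


def task_status(base_url, task_id, token=None, opener=urllib.request.urlopen):
    req = urllib.request.Request(f"{base_url.rstrip('/')}/tasks/view/{task_id}", headers=auth_headers(token))
    return _call(req, opener)["task"]["status"]


def fetch_report(base_url, task_id, token=None, opener=urllib.request.urlopen):
    req = urllib.request.Request(f"{base_url.rstrip('/')}/tasks/report/{task_id}", headers=auth_headers(token))
    return _call(req, opener)


def wait_for_report(base_url, task_id, token=None, poll=10, max_wait=900,
                    opener=urllib.request.urlopen, sleep=time.sleep):
    """Poll until the task is 'reported'; the failed_* states raise instead of spinning forever."""
    deadline = time.monotonic() + max_wait
    while time.monotonic() < deadline:
        status = task_status(base_url, task_id, token, opener)
        if status == "reported":
            return fetch_report(base_url, task_id, token, opener)
        if status.startswith("failed"):
            raise RuntimeError(f"task {task_id} ended in state {status}")
        sleep(poll)
    raise TimeoutError(f"task {task_id} not reported after {max_wait}s")


def summarize(report):
    """The fields most people look at first: score, matched signatures, contacted hosts."""
    return {"score": report.get("info", {}).get("score"),
            "signatures": [s.get("name") for s in report.get("signatures", [])],
            "hosts": report.get("network", {}).get("hosts", [])}


class _FakeResponse:
    """Offline stand-in for the object urlopen returns; used only by the demo below."""
    def __init__(self, payload):
        self._body = json.dumps(payload).encode("utf-8")
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def make_fake_opener(routes):
    """routes: [(url_suffix, payload)]; returns an opener answering those URLs offline."""
    def opener(request):
        for suffix, payload in routes:
            if request.full_url.endswith(suffix):
                return _FakeResponse(payload)
        raise KeyError(request.full_url)
    return opener


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real use: python client.py /path/to/sample [api_token]
        tok = sys.argv[2] if len(sys.argv) > 2 else None
        print(summarize(wait_for_report(BASE_URL, submit_file(BASE_URL, sys.argv[1], tok, timeout=120), tok)))
    else:  # constructed offline demo with a fake server
        fake = make_fake_opener([("/tasks/create/file", {"task_id": 6}),
                                 ("/tasks/view/6", {"task": {"status": "reported"}}),
                                 ("/tasks/report/6", {"info": {"score": 4.2}, "signatures": [{"name": "has_pdb"}]})])
        tid = submit_bytes(BASE_URL, "evilfile.exe", b"MZ\x90\x00", opener=fake)
        print(summarize(wait_for_report(BASE_URL, tid, opener=fake, sleep=lambda s: None)))
```

The opener and sleep parameters exist so the flow can be exercised without a sandbox; in production leave them at their urllib and time defaults. Extra keyword arguments to submit_file become form fields, which is how per-task options such as timeout, package or options are passed to the API.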