Cuckoo Sandbox Installation - Arnaud Loos
Arnaud Loos
Cuckoo Sandbox is an open source malware analysis system used to launch files in an isolated environment and observe their behavior.
Pass it a URL, executable, office document, PDF, or any other file, and it will be launched in an isolated virtual machine where Cuckoo
can observe its process execution, API calls, network access, and all filesystem activity. You then get a report and a score based on
the observed behavior. Once the analysis is complete the VM is restored to a known good snapshot and waits for the next execution.
Once Cuckoo is running you can pass it samples in three ways: drag and drop through the web interface, through the command line
with cuckoo submit <file> (or cuckoo submit --url <url>), or through the REST API.
I’m going to install Cuckoo 2.0.6 on Ubuntu Desktop 16.04. I need a GUI to run VirtualBox, and running this on 18.04 is problematic due to
a change in OpenSSL 1.1.0. I’m sure I could have just as easily gone with a server OS and a GUI. I’m running as the user cuckoo.
The official installation instructions are here and many of the steps in this tutorial were copied from this excellent guide.
For my VM I’m using a licensed copy of Windows XP. You’ll need the XP ISO and a license key or a trial version. Cuckoo is supposed to
work equally well with Windows 7 but I’ve not tested that.
Note that this is not an efficient or secure installation. I’m unsure if all the packages being installed are necessary; for instance, you’ll be
installing sqlite, mongodb, and postgres, which is really not recommended. I’ve taken these steps from other guides and haven’t
bothered to do a full clean-up. Also note, ironically, that if you want to enable searching in Cuckoo you need to install yet another
database, Elasticsearch.
Installation
sudo apt-get install git mongodb libffi-dev build-essential python-django python python-dev python-pip python-pil pyth
Cuckoo runs tcpdump as the unprivileged cuckoo user, so the binary needs the cap_net_admin and cap_net_raw file capabilities rather than root. Test by running getcap /usr/sbin/tcpdump and expect to get back /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip . If getcap prints only the path, or nothing, the capabilities have not been set yet.
Install Yara
cd yara-python
python setup.py build
sudo python setup.py install
Install ssdeep
cd ~/
wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download -O ssdeep-2.13.tar.gz
tar -zxf ssdeep-2.13.tar.gz
cd ssdeep-2.13
./configure
make
sudo make install
Install Volatility
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py build
python setup.py install
Make sure you’re installing VirtualBox 5.1 or earlier, not 5.2 or later. Check which version the repository will give you before installing:
apt-cache policy virtualbox
Install Virtualbox
sudo apt-get install virtualbox
Locally, from the GUI console of the OS (not an ssh session), open the Terminal application and run vboxmanage startvm windowsxp .
Your VM should start and boot from the ISO allowing you to install the Operating System.
While the OS is installing we’ll switch gears for a moment and set up the host machine to talk to the guest and forward its traffic to the Internet.
You’ll want to change enp0s25 in the first rule to match the name of the network card in the host with Internet access.
Get this by running ip addr .
Run the following commands on the Linux host machine.
Note that these rules aren’t persistent, meaning they’ll be erased on reboot. To make them permanent install the iptables-persistent
package. When you modify the rules in the future, use sudo netfilter-persistent save to make the change permanent.
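The host-side network and capture setup in one script, as an added example that is not part of the original post. It emits the NAT/forwarding rule set from Cuckoo's routing documentation as text so you can review it, applies it only when asked, and also sets and verifies the tcpdump capabilities from the Installation step above. Assumed values (taken from this page's addressing, not from the post's own commands): the host-only network is 192.168.56.0/24 on vboxnet0 with the host at 192.168.56.1; the uplink interface name is passed on the command line (the post uses enp0s25). Be aware that the MASQUERADE rule gives whatever the sample does full outbound access from your host's address; for anything beyond a lab, route guest traffic through a dirty line or VPN instead.

```shell
#!/bin/sh
# Added example (not from the original post): host-side network and capture
# setup for a Cuckoo host-only network. Assumptions: host-only net
# 192.168.56.0/24 with the host at 192.168.56.1 on vboxnet0 (the page's
# addressing); the uplink interface name is given as $1 (page uses enp0s25).
set -eu

HOSTONLY_IF="vboxnet0"
HOSTONLY_IP="192.168.56.1"
HOSTONLY_NET="192.168.56.0/24"

# Emit the NAT/forwarding rules as text (the rule set from Cuckoo's routing
# docs) so they can be reviewed or diffed before anything is applied.
# $1 = uplink interface, $2 = guest network in CIDR form.
gen_rules() {
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -o $1 -s $2 -j MASQUERADE" \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -A FORWARD -s $2 -j ACCEPT" \
        "iptables -A FORWARD -s $2 -d $2 -j ACCEPT" \
        "iptables -A FORWARD -j LOG"
}

# Given the output of `getcap /usr/sbin/tcpdump`, succeed only if both
# capabilities Cuckoo's sniffer needs are present (accepts the older
# "= cap_a,cap_b+eip" and the newer "cap_a,cap_b=eip" print formats).
tcpdump_caps_ok() {
    case "$1" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply everything. Refuses to run against an interface name that does not
# exist, which catches the enp0s25-vs-your-NIC mistake the post warns about.
apply_host_setup() {
    uplink="$1"
    ip link show "$uplink" >/dev/null

    # Host-only interface: create it only if VirtualBox has not already, then
    # pin the host address the resultserver will later bind to.
    VBoxManage list hostonlyifs | grep -q "^Name: *${HOSTONLY_IF}\$" \
        || VBoxManage hostonlyif create
    VBoxManage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOSTONLY_IP" --netmask 255.255.255.0

    sudo sysctl -w net.ipv4.ip_forward=1
    gen_rules "$uplink" "$HOSTONLY_NET" | while read -r rule; do
        sudo $rule || exit 1   # unquoted on purpose: split the rule into arguments
    done
    # Persist only if iptables-persistent is installed; otherwise rules die on reboot.
    command -v netfilter-persistent >/dev/null && sudo netfilter-persistent save

    # Let the unprivileged cuckoo user capture guest traffic, then verify it took.
    sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
    tcpdump_caps_ok "$(getcap /usr/sbin/tcpdump)" \
        || { echo "tcpdump still lacks cap_net_raw/cap_net_admin" >&2; return 1; }
}

# Dry run by default (prints the rules). APPLY=1 ./cuckoo-host-net.sh enp0s25 applies them.
if [ "${APPLY:-0}" = "1" ]; then
    apply_host_setup "${1:?usage: APPLY=1 $0 <uplink-interface>}"
else
    gen_rules "${1:-enp0s25}" "$HOSTONLY_NET"
fi
```

Run it once without APPLY to see exactly which rules will be added, then with APPLY=1 and your real uplink name. The LOG rule at the end of FORWARD is noisy on a busy host; drop it once routing works.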
Complete the guest OS install and continue with the steps below.
Once completed, don’t install any additional system updates: turn off Windows Update and the Windows Firewall (the firewall would otherwise block the host from reaching the agent in the guest), and configure the VM with a static IP.
IP: 192.168.56.10
Subnet: 255.255.255.0
Gateway: 192.168.56.1
DNS: 8.8.8.8
Try to ping the host PC with ping 192.168.56.1 . You should get a response.
Install the VirtualBox Guest Additions in the guest OS and enable host-to-guest drag and drop in the VM settings.
Settings > General > Advanced > Drag'n'Drop: Host to Guest
Download the following packages and drag them into the guest OS to copy them to the Desktop, then install them. At a minimum the guest needs Python 2.7 (Cuckoo’s agent is a Python 2 script) and Cuckoo’s agent.py, which the cuckoo command places in the host’s ~/.cuckoo/agent/ directory when it creates its working directory on first run; the agent must be running in the guest before the snapshot is taken.
This would also be a good time to install Adobe Acrobat Reader and perhaps a trial version of Microsoft Office.
The way in which the VM is snapshotted and the state it’s in is very important for Cuckoo: it restores this snapshot before every analysis, so whatever is running at the moment the snapshot is taken (in particular the agent) is what every sample will find.
Do the following exactly as I describe. Visit the Cuckoo troubleshooting doc for more information.
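The snapshot procedure as a checked script, added here as an example; it is not the post's own step list. It uses the VirtualBox CLI sequence documented by Cuckoo (take a snapshot of the running guest with --pause, power off, restore to the snapshot) and verifies the resulting VM state. Assumed names are the ones this page uses (VM "windowsxp", snapshot "snapshot1", guest at 192.168.56.10); it also assumes Cuckoo's agent.py is already running in the guest, where it listens on TCP port 8000, and refuses to snapshot if nothing answers there.

```shell
#!/bin/sh
# Added example, not the post's own steps: take the running-state snapshot
# Cuckoo restores before each analysis, then verify it. Assumes the page's
# names (VM "windowsxp", snapshot "snapshot1", guest at 192.168.56.10) and that
# Cuckoo's agent.py is already running inside the guest (it listens on TCP 8000).
set -eu

VM="${VM:-windowsxp}"
SNAP="${SNAP:-snapshot1}"
GUEST_IP="${GUEST_IP:-192.168.56.10}"

# Inspect `VBoxManage showvminfo --machinereadable` text: succeed only if the
# VM is powered off and its current snapshot carries the expected name, which
# is the state Cuckoo expects between analyses. $1 = info text, $2 = name.
snapshot_state_ok() {
    printf '%s\n' "$1" | grep -q '^VMState="poweroff"$' || return 1
    printf '%s\n' "$1" | grep -q "^CurrentSnapshotName=\"$2\"\$" || return 1
    return 0
}

take_snapshot() {
    # Guard: without a live agent the snapshot is useless to Cuckoo, and the
    # mistake only shows up later as a "machine did not respond" timeout.
    curl -sf --max-time 5 "http://$GUEST_IP:8000/" >/dev/null \
        || { echo "nothing answering on $GUEST_IP:8000; start agent.py in the guest first" >&2; return 1; }
    # --pause freezes the guest mid-run so the snapshot contains the running agent.
    VBoxManage snapshot "$VM" take "$SNAP" --pause
    VBoxManage controlvm "$VM" poweroff
    VBoxManage snapshot "$VM" restorecurrent
    snapshot_state_ok "$(VBoxManage showvminfo "$VM" --machinereadable)" "$SNAP" \
        || { echo "$VM is not powered off at snapshot $SNAP" >&2; return 1; }
    echo "$VM: snapshot $SNAP taken and restored; ready for Cuckoo"
}

# ./cuckoo-snapshot.sh run   (override VM=, SNAP=, GUEST_IP= in the environment)
if [ "${1:-}" = "run" ]; then
    take_snapshot
fi
```

If you later change anything in the guest, repeat the whole sequence and keep the snapshot name in sync with virtualbox.conf; Cuckoo restores the snapshot named there, not simply the newest one.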
Now run cuckoo once as the cuckoo user. On its first run it creates its working directory and prints a banner:
=======================================================================
Welcome to Cuckoo Sandbox, this appears to be your first run!
We will now set you up with our default configuration.
You will be able to see and modify the Cuckoo configuration,
Yara rules, Cuckoo Signatures, and much more to your likings
by exploring the /home/cuckoo/.cuckoo directory.
nano /home/cuckoo/.cuckoo/conf/cuckoo.conf
under [resultserver] verify that ip = 192.168.56.1 is set. This is the host’s vboxnet0 address on the host-only network; the analyzer inside the guest sends its results back to it, so it must be reachable from the guest.
nano /home/cuckoo/.cuckoo/conf/virtualbox.conf
Since we’re using VirtualBox as our provider we’ll also modify the VM settings in this file: label must match the VirtualBox VM name, ip the guest’s static address, and snapshot the name you gave the snapshot.
[cuckoo1]
label = windowsxp
ip = 192.168.56.10
snapshot = snapshot1
The MongoDB setting lives in reporting.conf in the same conf directory, not in virtualbox.conf; the web interface reads its results from MongoDB, so without it you get no reports in the browser.
[mongodb]
enabled = yes
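A consistency check across the three files edited above, added as an example that is not part of the post: it reads Cuckoo's INI-style conf files and confirms that the resultserver IP and each VM's IP sit on the same /24 (the page's 255.255.255.0 host-only network), that every machine section has a label and snapshot name, that the named snapshot exists in VirtualBox when VBoxManage is available, and that MongoDB reporting is enabled. It assumes the working directory layout shown on this page (~/.cuckoo/conf/cuckoo.conf, virtualbox.conf, reporting.conf) and that virtualbox.conf lists its machine sections in the machines key of its [virtualbox] section, as Cuckoo 2.x does.

```shell
#!/bin/sh
# Added example, not from the post: cross-check the config values that must
# agree (resultserver IP, VM label/IP/snapshot, MongoDB reporting) before
# starting cuckoo. Assumes the page's ~/.cuckoo/conf/*.conf layout.
set -eu

# Read one key from an INI-style Cuckoo conf: conf_get FILE SECTION KEY.
# Handles "key = value" and "key=value"; prints nothing if absent.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# True when two dotted-quad addresses share their first three octets, which is
# what the page's 255.255.255.0 host-only netmask implies.
same_slash24() { [ "${1%.*}" = "${2%.*}" ]; }

# check_configs CWD: returns 0 if consistent, 1 otherwise, listing each problem.
check_configs() {
    conf="$1/conf"; rc=0
    rs_ip="$(conf_get "$conf/cuckoo.conf" resultserver ip)"
    [ -n "$rs_ip" ] || { echo "cuckoo.conf [resultserver] ip is unset"; rc=1; }
    for m in $(conf_get "$conf/virtualbox.conf" virtualbox machines | tr ',' ' '); do
        label="$(conf_get "$conf/virtualbox.conf" "$m" label)"
        vm_ip="$(conf_get "$conf/virtualbox.conf" "$m" ip)"
        snap="$(conf_get "$conf/virtualbox.conf" "$m" snapshot)"
        [ -n "$label" ] || { echo "[$m] has no label (must equal the VirtualBox VM name)"; rc=1; }
        [ -n "$snap" ]  || { echo "[$m] has no snapshot name; Cuckoo will restore whatever is current"; rc=1; }
        same_slash24 "$rs_ip" "$vm_ip" \
            || { echo "[$m] ip $vm_ip is not on the resultserver network ($rs_ip)"; rc=1; }
        [ "$vm_ip" != "$rs_ip" ] || { echo "[$m] ip collides with the resultserver ip"; rc=1; }
        # When VirtualBox is present, confirm the VM and its snapshot really exist.
        if command -v VBoxManage >/dev/null && [ -n "$label" ] && [ -n "$snap" ]; then
            VBoxManage snapshot "$label" list 2>/dev/null | grep -q "Name: $snap " \
                || { echo "VM $label has no snapshot named $snap"; rc=1; }
        fi
    done
    [ "$(conf_get "$conf/reporting.conf" mongodb enabled)" = "yes" ] \
        || { echo "reporting.conf [mongodb] enabled is not yes; the web UI will show no results"; rc=1; }
    return $rc
}

# ./cuckoo-check-conf.sh ~/.cuckoo
if [ $# -gt 0 ]; then
    check_configs "$1" && echo "configuration looks consistent"
fi
```

Run it after every config edit; a non-zero exit with the printed findings is cheaper than discovering a mismatch as a resultserver timeout during an analysis.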
2019-04-04 12:32:53,616 [cuckoo] WARNING: It appears that you haven't loaded any Cuckoo Signatures. Signatures are hig
2019-04-04 12:32:53,616 [cuckoo] WARNING: You'll be able to fetch all the latest Cuckoo Signatures, Yara rules, and mo
2019-04-04 12:32:53,616 [cuckoo] INFO: $ cuckoo community
Run cuckoo community . I know I could have just told you to do that before but I wanted you to be aware that cuckoo has the ability to
download and refresh signatures and rules.
Remember that VirtualBox VMs belong to the user who created them, and yours was created by the cuckoo user, so don’t expect Cuckoo to find it if you run sudo cuckoo -d (that runs as root, which has its own empty VM list).
Cuckoo is now online and awaiting a file submission. Let’s submit a sample from the command line; you can submit any file on the system.
[cuckoo] CRITICAL: CuckooCriticalError: Unable to bind ResultServer on 192.168.56.1:2042 [Errno 99] Cannot assign requested address. This usually happens when you start Cuckoo without bringing up the virtual interface associated with the ResultServer IP address. Please refer to https://cuckoo.sh/docs/faq/#troubles-problem for more information.
Run:
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
before running cuckoo -d
Cuckoo API
I’m calling Cuckoo Sandbox from Cortex and I’m currently unsure how to pass an API token from there so for now I’m just disabling
authentication.
nano /home/cuckoo/.cuckoo/conf/cuckoo.conf
Comment out the api_token line under [cuckoo]. With it unset, cuckoo api accepts requests without an Authorization header, so anyone who can reach its port (8090 by default) can submit samples and read every report; keep it bound to localhost or firewall it to the Cortex host.
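The REST submission path end to end, as an added example that is not from the post: create a task for a file, poll its status until the report exists, and save the JSON report. It sends the token as an Authorization: Bearer header when one is configured, which is how Cuckoo 2.0.5+ expects it, and sends no header when CUCKOO_TOKEN is empty, matching the token-disabled setup above. Assumed (not stated on the page): cuckoo api is listening at its default 127.0.0.1:8090, overridable through CUCKOO_API, and the sample replies below the test are constructed from the shape of Cuckoo's /tasks/create/file and /tasks/view responses.

```shell
#!/bin/sh
# Added example, not from the post: submit a sample through the REST API and
# wait for its report. Assumes `cuckoo api` is reachable at $CUCKOO_API (default
# 127.0.0.1:8090) and that the api_token from cuckoo.conf [cuckoo] is exported as
# CUCKOO_TOKEN; when the token is commented out, leave CUCKOO_TOKEN empty.
set -eu

CUCKOO_API="${CUCKOO_API:-http://127.0.0.1:8090}"
CUCKOO_TOKEN="${CUCKOO_TOKEN:-}"

# Field extractors for the two replies we care about. sed is enough for these
# flat replies; the nested "guest" object is stripped first because it also
# carries a "status" key. A real client would use jq.
task_id_of() {
    printf '%s\n' "$1" | sed -n 's/.*"task_id"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}
status_of() {
    printf '%s\n' "$1" \
        | sed 's/"guest"[[:space:]]*:[[:space:]]*{[^}]*}//' \
        | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z_]*\)".*/\1/p'
}

# curl wrapper that adds the bearer token only when one is configured.
api() {
    if [ -n "$CUCKOO_TOKEN" ]; then
        curl -sf -H "Authorization: Bearer $CUCKOO_TOKEN" "$@"
    else
        curl -sf "$@"
    fi
}

# submit_and_wait FILE: create the task, poll until it is reported, save the
# report JSON and print its path. Gives up instead of spinning on a stuck VM.
submit_and_wait() {
    sample="$1"
    [ -r "$sample" ] || { echo "cannot read $sample" >&2; return 1; }
    id="$(task_id_of "$(api -F "file=@$sample" "$CUCKOO_API/tasks/create/file")")"
    [ -n "$id" ] || { echo "no task_id in reply; is the API up and the token right?" >&2; return 1; }
    echo "task $id created for $sample"
    tries=0
    while :; do
        st="$(status_of "$(api "$CUCKOO_API/tasks/view/$id")")"
        case "$st" in
            reported) break ;;
            failed_*) echo "task $id ended in state $st" >&2; return 1 ;;
        esac
        tries=$((tries + 1))
        [ "$tries" -lt 120 ] || { echo "task $id still '$st' after 10 minutes" >&2; return 1; }
        sleep 5
    done
    out="report-$id.json"
    api "$CUCKOO_API/tasks/report/$id" > "$out"
    echo "$out"
}

# CUCKOO_TOKEN=... ./cuckoo-submit.sh suspicious.exe
if [ $# -gt 0 ]; then
    submit_and_wait "$1"
fi
```

A 401 from the API makes curl -f fail, which shows up here as the "no task_id in reply" message, so a wrong or missing token is caught on the first call rather than during polling.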
Screenshots of the web interface (not reproduced here) show: the list of recently run analyses and the summary page; an analysis summary; in-depth system activity; captured network activity; and the additional files a sample downloaded or dropped.
You now have your very own sandbox in which to detonate any suspicious file you come across. Consider enabling the Cuckoo Analyzer
in Cortex and giving it the IP of your new sandbox server.