Cuckoo Sandbox – 2.0.3 Installation Guide

This is my first article: a comprehensive step-by-step documentation of the procedure I followed for installing Cuckoo. You may come across some extra dependencies; they are mainly for purposes I intend to work on later and will not hinder the Cuckoo installation.

A special thanks to the Cuckoo team for publishing the installation information, to Jordan Watkins for his tutorial on the implementation, and to bdavis for the article on the installation.

Your feedback on how to improve, or any corrections related to my Cuckoo setup, would be greatly appreciated, as I am still a student trying to learn and contribute to the security community.

Tools used:

  • Linux OS: Ubuntu 16.04 LTS
  • Cuckoo version: 2.0.3 (latest available as of the 3rd of August 2017)
  • Virtual operating system: Windows 7 SP1, 32-bit
  • VirtualBox

The Cuckoo community is very helpful; for any troubleshooting, please post your questions there.

Once again, your feedback would be extremely appreciated.

Installing dependencies for Cuckoo

Cuckoo requires some packages and libraries before it can be installed. Below is how to go about it.

Just press “Y” for any Yes or No questions that you come across during the installation.

Run the following three commands for the warnings shown above (although they will not interfere with the installation):

Reboot your machine once and then continue with the process.

Since I had a 64-bit operating system, I went with the above, but you can go for mingw32 for a 32-bit operating system.

To install the XENserver

tcpdump installation

tcpdump is required to collect the network activity performed by the malware running in the virtual machine.

Disabling the AppArmor profile (the aa-disable command) is only required when using the default CWD directory, as AppArmor would otherwise prevent the creation of the actual PCAP files [1]. Now install tcpdump:

tcpdump requires root privileges, but since you don't want Cuckoo to run as root, you'll have to set specific Linux capabilities on the binary [1]:
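The capability step, as an added example rather than the author's command list (which was in a screenshot): it grants tcpdump the two capabilities packet capture needs so that Cuckoo itself stays unprivileged, then reads them back and checks the result. It assumes the Ubuntu 16.04 path /usr/sbin/tcpdump and the setcap/getcap tools from the libcap2-bin package; the getcap output lines used in the check are constructed samples of the two formats libcap prints.

```shell
#!/bin/sh
# Added example, not the author's command list: give tcpdump the two
# capabilities it needs for packet capture so that Cuckoo can stay
# unprivileged, then verify them. Assumes Ubuntu 16.04 paths (tcpdump in
# /usr/sbin) and setcap/getcap from the libcap2-bin package.
TCPDUMP_BIN="${TCPDUMP_BIN:-/usr/sbin/tcpdump}"

# caps_ok LINE: return 0 when a getcap output line grants cap_net_raw and
# cap_net_admin in the effective, inheritable and permitted sets. Both
# output styles are accepted: "... = cap_net_admin,cap_net_raw+eip"
# (libcap 2.2x, as on Ubuntu 16.04) and "... cap_net_admin,cap_net_raw=eip"
# (newer libcap releases).
caps_ok() {
    case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$1" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$1" in *+eip*|*=eip*) return 0 ;; *) return 1 ;; esac
}

# grant_caps: the two steps from the Cuckoo requirements page. aa-disable is
# only needed with the default CWD, where AppArmor would otherwise stop
# tcpdump from writing the PCAP files into the analysis directory.
grant_caps() {
    sudo aa-disable "$TCPDUMP_BIN"
    sudo setcap cap_net_raw,cap_net_admin=eip "$TCPDUMP_BIN"
}

# verify_caps: read the file capabilities back and check them.
verify_caps() {
    caps_ok "$(getcap "$TCPDUMP_BIN")"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    grant_caps
    if verify_caps; then
        echo "tcpdump capabilities OK: $(getcap "$TCPDUMP_BIN")"
    else
        echo "tcpdump capabilities missing on $TCPDUMP_BIN" >&2
        exit 1
    fi
fi
```

Run it with --apply on the host; without the flag it only defines the functions, so you can source it and call verify_caps after a package upgrade, which replaces the binary and silently drops the file capabilities.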

Installing ssdeep

 

M2Crypto Installation

The following will set you up with SWIG, which M2Crypto requires.

 

Volatility Installation

 

diStorm Installation

Download the file from the link below

Distorm Download

Navigate inside the folder

 

Pycrypto Installation

Download from the following link

Pycrypto Download

Go back to the downloads folder and run

Navigate inside the folder

 

Increase “Open Files Limit”

This is a precautionary step to avoid the following scenario:

“If you are getting error “Too many open files (24)” then your application/command/script is hitting max open file limit allowed by Linux. You need to increase open file limit as below:” [2]

Paste this section of configuration at the end of the file.
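An added example (not the author's snippet, which was in an image): it reads the current soft and hard open-file limits of the shell, decides whether the soft limit is below a target, and prints the limits.conf lines that would raise it. The target of 64000 and the "*" domain in the fragment are assumptions for illustration; pick the value your setup needs.

```shell
#!/bin/sh
# Added example, not the author's snippet: inspect the per-process open-file
# limit and decide whether it needs raising. The target value and the
# limits.conf lines are assumptions for illustration.
TARGET_NOFILE="${TARGET_NOFILE:-64000}"

# needs_raise CURRENT TARGET: return 0 when the current soft limit is below
# the target. A limit of "unlimited" never needs raising.
needs_raise() {
    [ "$1" = "unlimited" ] && return 1
    [ "$1" -lt "$2" ]
}

# limits_fragment TARGET: print the /etc/security/limits.conf lines that raise
# the soft and hard nofile limits for every user (the "*" domain).
limits_fragment() {
    printf '*\tsoft\tnofile\t%s\n*\thard\tnofile\t%s\n' "$1" "$1"
}

# check_limits: report this shell's limits and, if the soft limit is too low,
# print the fragment to append. limits.conf is applied by pam_limits at login,
# so the terminal running Cuckoo must be reopened (or the machine rebooted)
# before the new value shows up in "ulimit -n".
check_limits() {
    soft=$(ulimit -Sn)
    hard=$(ulimit -Hn)
    echo "soft nofile: $soft, hard nofile: $hard"
    if needs_raise "$soft" "$TARGET_NOFILE"; then
        echo "soft limit below $TARGET_NOFILE; append to /etc/security/limits.conf:"
        limits_fragment "$TARGET_NOFILE"
        return 1
    fi
    echo "open files limit is sufficient"
}

check_limits || true
```

The hard limit caps what a user may raise the soft limit to, which is why both lines are written; a soft value above the hard value is rejected at login.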

 

YARA installation

Download YARA from the link below

Yara Download

Navigate inside the folder

 

Installing Virtualization Software

Using: VirtualBox. There are two ways of going about this part of the installation process. At present the available version is 5.1.24, which apparently creates an issue and halts your process. It took me quite some time to figure that out with my colleague. So, let's do this first: try the method below and check the version that gets installed. If the version is greater than 5.1.24, then we are good to go, as I saw this issue already raised by somebody else and I guess the VirtualBox team is working on it. If not, then we will install an older version, as that worked for me.

I will walk you through the process. Enter your credentials and continue the process as superuser.

In case you are using a different version of Linux, please look at this first.

For Ubuntu 17.04 (“Zesty”)

deb http://download.virtualbox.org/virtualbox/debian zesty contrib

For Ubuntu 16.04 (“Xenial”)

deb http://download.virtualbox.org/virtualbox/debian xenial contrib

For Ubuntu 14.04 (“Trusty”)

deb http://download.virtualbox.org/virtualbox/debian trusty contrib

For Ubuntu 12.04 LTS (“Precise Pangolin”)

deb http://download.virtualbox.org/virtualbox/debian precise contrib

For Debian 8 (“Jessie”)

deb http://download.virtualbox.org/virtualbox/debian jessie contrib

For Debian 7 (“Wheezy”)

deb http://download.virtualbox.org/virtualbox/debian wheezy contrib

Refer: https://www.virtualbox.org/wiki/Linux_Downloads

 

Once you have worked out which line applies to you, modify the echo command below accordingly.

Now, to check what is installed, type this:

If it is greater than 5.1.24 then good; otherwise do the following to remove it and install an older version. (I know, it's a bit of a lengthy process.)
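Both steps above, the repository line for your release and the version check against 5.1.24, as one added example (not the author's commands): it derives the codename with lsb_release, writes the matching deb line, and compares what "vboxmanage --version" prints against the threshold using the rule given above (greater than 5.1.24 is good). The repository key URL and the virtualbox-5.1 package name are the ones the VirtualBox Linux download page documents; the version strings in the check are constructed samples.

```shell
#!/bin/sh
# Added example, not the author's commands: build the VirtualBox apt source
# line for the running Ubuntu/Debian release and check the installed version
# against the 5.1.24 threshold. The version string is what
# "vboxmanage --version" prints, e.g. "5.1.22r115126".

# vbox_repo_line CODENAME: print the deb line for the given release codename.
vbox_repo_line() {
    echo "deb http://download.virtualbox.org/virtualbox/debian $1 contrib"
}

# vbox_version_gt A B: return 0 when dotted version A is greater than B.
# The "rNNNNNN" build-revision suffix is stripped before comparing.
vbox_version_gt() {
    a=${1%%r*}; b=${2%%r*}
    i=1
    while [ $i -le 3 ]; do
        x=$(echo "$a" | cut -d. -f$i); y=$(echo "$b" | cut -d. -f$i)
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# vbox_version_ok VERSION: the rule from the text, greater than 5.1.24 is fine.
vbox_version_ok() {
    vbox_version_gt "$1" "5.1.24"
}

# add_vbox_repo: write the source line, trust the Oracle signing key and
# install the 5.1 package. Needs sudo; only run when invoked with --apply.
add_vbox_repo() {
    codename=$(lsb_release -cs)
    vbox_repo_line "$codename" | sudo tee /etc/apt/sources.list.d/virtualbox.list
    wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
    sudo apt-get update && sudo apt-get install -y virtualbox-5.1
}

if [ "${1:-}" = "--apply" ]; then
    add_vbox_repo
    v=$(vboxmanage --version)
    if vbox_version_ok "$v"; then
        echo "installed $v: OK"
    else
        echo "installed $v: not greater than 5.1.24, install an older build instead" >&2
    fi
fi
```

The comparison is done field by field rather than with a string compare, because "5.1.9" sorts after "5.1.24" as text but is the older release.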

Uninstall VirtualBox first.

Go to this link (it's the repository) and download an older VirtualBox version. I chose 5.1.22.

VirtualBox 5.1.22 download

Also, download libqt5x11extras5 from the link below, selecting the appropriate OS architecture.

libqt5x11extras5 download

Install it using:

For VirtualBox, run this command:

OR

I downloaded the 64-bit version, as you can see in the image below.

 

Installing Cuckoo

Installing Cuckoo in a virtualenv

You can activate the virtualenv again later whenever you want to.

If you see this error, ignore it. It's just a deprecation note.

Running the following will give you the path of the Cuckoo working directory (CWD), where you will find your configuration files.

Now take a note of the path that is shown on your screen.

 

Installing the man-in-the-middle (MITM) proxy

Press Ctrl+C to stop the process.

This should open VirtualBox as root, and now you can start with your Windows installation side by side.

Make a note of the label you assign to the operating system in VirtualBox.

Mine is "windows7".

 

Configuring the sandbox

Now switch to superuser (root) and navigate to

Make the following changes in the files mentioned below.

1) File: cuckoo.conf

memory_dump = on

default = 240
critical = 1200
vm_state = 600

I have set the timeout values a little high, but you can keep them on the lower side for a quick analysis.

2) File: auxiliary.conf

mitm = yes

3) File: memory.conf

guest_profile = Win7SP1x86

delete_memdump = yes

4) File: processing.conf

memory = yes

You can also add your VirusTotal API key in this file. There is a section for it; scroll down and you'll find it.

5) File: virtualbox.conf

mode = gui

machines = windows7

[windows7]

label = windows7

snapshot = snapshot_1

6) File: reporting.conf

[mongodb]

enabled = yes

[singlefile]

# Enable creation of report.html and/or report.pdf?

enabled = yes

# Enable creation of report.html?

html = yes

# Enable creation of report.pdf?

pdf = yes

For .pdf creation and storage:

 

Configuring the VirtualBox guest

Once done with the OS installation in VirtualBox, install the VirtualBox Guest Additions.

Disable the Windows firewall.

Disable the UAC settings.

Type the following commands in the Linux terminal. Replace windows7 with the label you created in VirtualBox for your Windows installation.

Switch to super user.

NOTE: enp0s25 is the name of my network interface. Look for yours by typing ifconfig.

(iptables-persistent: to make the rules persist after you reboot.)

On the Windows machine, do the following:

Now, if everything is correct, you should be able to ping 192.168.56.1.
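The host networking described above, as an added example and not the author's command list (which was in a screenshot): it creates the VirtualBox host-only adapter the guest attaches to, enables IP forwarding, adds NAT rules so the guest can reach the internet through the host's uplink, saves them with iptables-persistent, and verifies the forwarding flag and the NAT rule afterwards. The interface name enp0s25 is the author's uplink from the note above; vboxnet0 and 192.168.56.0/24 are VirtualBox's default host-only interface and subnet, and the sysctl and iptables-save lines used in the checks are constructed samples in the format those tools print.

```shell
#!/bin/sh
# Added example, not the author's command list: set up the host-only network
# for the Cuckoo guest, NAT it out through the host's uplink, persist the
# rules and verify the result. Interface and addresses are assumptions:
# enp0s25 is the author's uplink, 192.168.56.0/24 VirtualBox's default subnet.
UPLINK="${UPLINK:-enp0s25}"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"
HOSTONLY_IP="${HOSTONLY_IP:-192.168.56.1}"
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"

# forwarding_enabled SYSCTL_LINE: return 0 for "net.ipv4.ip_forward = 1".
forwarding_enabled() {
    [ "$(echo "$1" | tr -d ' ' | cut -d= -f2)" = "1" ]
}

# nat_rule_present IPTABLES_SAVE_OUTPUT: return 0 when the MASQUERADE rule
# for the guest subnet via the uplink appears in "iptables-save -t nat".
nat_rule_present() {
    echo "$1" | grep -q -- "-A POSTROUTING -s $GUEST_NET -o $UPLINK -j MASQUERADE"
}

# configure_network: root-only; run with --apply.
configure_network() {
    # Host-only adapter the guest attaches to; the host side is 192.168.56.1,
    # which is the address the guest should be able to ping afterwards.
    sudo vboxmanage hostonlyif create
    sudo vboxmanage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOSTONLY_IP"
    # Default-deny forwarding, then allow only the sandbox subnet out of the
    # uplink and the matching replies back, so nothing else gets forwarded.
    sudo iptables -P FORWARD DROP
    sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -s "$GUEST_NET" -o "$UPLINK" -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$UPLINK" -j MASQUERADE
    sudo sysctl -w net.ipv4.ip_forward=1
    # iptables-persistent restores the saved rules at boot.
    sudo apt-get install -y iptables-persistent
    sudo netfilter-persistent save
}

# verify_network: check the live system against the two rules above.
verify_network() {
    forwarding_enabled "$(sysctl net.ipv4.ip_forward)" || { echo "ip_forward is off" >&2; return 1; }
    nat_rule_present "$(sudo iptables-save -t nat)" || { echo "NAT rule missing" >&2; return 1; }
    echo "forwarding and NAT for $GUEST_NET via $UPLINK are in place"
}

if [ "${1:-}" = "--apply" ]; then
    configure_network && verify_network
fi
```

The sysctl change made with -w does not survive a reboot on its own; iptables-persistent saves only the firewall rules, so the forwarding flag also has to be set in /etc/sysctl.conf (or a file under /etc/sysctl.d) for the setup to come back after the reboot the guide mentions.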

Installing the Agent

Create a folder named "share" in the Ubuntu Downloads folder, or anywhere you like.

Make it shareable by right-clicking on it and selecting Local Network Share.

Click on Create Share.

Click on Install service and install it by entering your password.

Select the Restart session option.

Tick "Allow others to create and delete files in this folder" and click on Create Share.

Click on Add the permissions automatically when the dialogue box pops up.

Start the virtual machine and add the share folder you created in the Shared Folders settings of the Windows 7 machine.

Click OK and log in to Windows.

Go to Network and you should see "vboxsvr" containing the shared folder "share".

Now let's copy the agent into the share folder we created so that we can get it over to the Windows machine.

The agent is now in the share folder. Copy it onto the desktop of the Windows machine.

Open Internet Explorer in the VM. Download and install Python from the link below.

Python Download

Also, install python-pillow (Pillow), which the agent needs for screenshots.

Pillow Download

After this, install all your software, such as Office, Adobe, etc.

Now go to the "Downloads" folder on the Ubuntu machine and create a folder named "infected files". We will place all the malicious files to be analyzed there.

Now download a few malware samples from GitHub and put them there, but be careful.

First: download locky.zip

Locky Malware

Second: download Kelihos.zip

Kelihos Malware

Unzip them. Password: infected

Now go back to the Ubuntu terminal, navigate to the cuckoo folder and type in

This will start the web server, and you should be able to see the Cuckoo analysis web page in your browser at 127.0.0.1:8000.

Now, having installed all the software on the machine, run agent.py.

A window will open with nothing in it, but that's OK; data will be generated once the analysis starts.

Keep that open in the background and take a snapshot of the virtual machine.

NOTE: Keep the snapshot name the same as the one given in the configuration file.

If you have turned off the server, start it again from the cuckoo directory.

To start Cuckoo, open another terminal, activate the virtual environment and navigate to the cuckoo directory.

A similar screen will appear, maybe with different art on display (pretty cool, by the way).

Now just run this last command and you are all set.
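The label and snapshot names in virtualbox.conf (step 5 above) must match what VirtualBox knows, and a mismatch is a common reason an analysis never starts. As an added example that is not part of the original post, the following cross-checks the two: it reads "machines", "label" and "snapshot" from the config and compares them against the output of "vboxmanage list vms" and "vboxmanage snapshot <vm> list --machinereadable". The config text and VBoxManage output used in the check are constructed samples in the formats those tools produce; the default CWD path ~/.cuckoo is an assumption (use the path the guide printed for you).

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the machine label
# and snapshot name in virtualbox.conf exist in VirtualBox. Sample inputs in
# the check are constructed; ~/.cuckoo is the assumed default CWD.

# conf_value TEXT SECTION KEY: print KEY's value from [SECTION] of an
# ini-style Cuckoo config written as "key = value" (first match wins).
conf_value() {
    echo "$1" | awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/ { insec = 0 }
        insec && $1 == key && $2 == "=" { print $3; exit }'
}

# vm_known VMS_OUTPUT LABEL: return 0 when "vboxmanage list vms" output has a
# line for LABEL; each line looks like  "windows7" {uuid}.
vm_known() {
    echo "$1" | grep -q "^\"$2\" {"
}

# snapshot_known SNAPSHOT_LIST NAME: return 0 when the machine-readable
# snapshot listing contains SnapshotName="NAME". Nested snapshots appear as
# SnapshotName-1, SnapshotName-1-1 and so on; all of them are accepted.
snapshot_known() {
    echo "$1" | grep -q "^SnapshotName\(-[0-9]*\)*=\"$2\"$"
}

# check_vm_config CONF VMS SNAPSHOTS: 0 when the label and snapshot resolve.
# Handles a single entry in "machines ="; a comma-separated list would need
# one pass per machine.
check_vm_config() {
    machine=$(conf_value "$1" virtualbox machines)
    label=$(conf_value "$1" "$machine" label)
    snap=$(conf_value "$1" "$machine" snapshot)
    vm_known "$2" "$label" || { echo "no VM labelled '$label' in VirtualBox" >&2; return 1; }
    snapshot_known "$3" "$snap" || { echo "VM '$label' has no snapshot '$snap'" >&2; return 1; }
    echo "virtualbox.conf: machine '$machine' -> VM '$label', snapshot '$snap' OK"
}

# Live check against this host; needs the Cuckoo CWD and vboxmanage on PATH.
if [ "${1:-}" = "--live" ]; then
    conf=$(cat "${CWD:-$HOME/.cuckoo}/conf/virtualbox.conf")
    label=$(conf_value "$conf" "$(conf_value "$conf" virtualbox machines)" label)
    check_vm_config "$conf" "$(vboxmanage list vms)" \
        "$(vboxmanage snapshot "$label" list --machinereadable)"
fi
```

Because the guide runs VirtualBox as root, the live check has to be run as the same user, since VBoxManage lists only the machines registered for the user invoking it.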

This will update your setup with the latest Cuckoo signatures.

Now submit your malicious file in the browser and watch Cuckoo do its analysis.

Hope this works for you. Please provide your feedback for any improvements; it will help me learn more about the Cuckoo project.

 

References

[1] http://docs.cuckoosandbox.org/en/latest/installation/host/requirements/

[2] https://easyengine.io/tutorials/linux/increase-open-files-limit/
