Installing Cuckoo
In the first post of the Cuckoo Sandbox series, we will cover installation and basic configuration to get you started with automated dynamic malware analysis.
Background
Cuckoobox is an open source platform for automated dynamic analysis written by Claudio Guarnieri (nex) for the Google Summer of Code project in 2010. In 2012, Cuckoo was sponsored by Rapid7's Magnificent7 program "due to [its] innovative approach to traditional malware analysis". Currently Cuckoo can analyze Windows executables, DLLs, PDFs, Office documents, and URLs. Each sample to be analyzed is run in its own "clean" virtual machine, its execution is tracked, and after completion the virtual machine is reverted to its original "clean" state. A detailed report of the behavior the sample produced is generated and cataloged for later review. The system is written in Python and is very modular, so it can be leveraged in other frameworks as well as extended for additional analysis or reporting.
Installation
Cuckoo has EXCELLENT documentation so check there for any questions that may arise after running through this installation. There is also an IRC channel (#cuckoosandbox on freenode) and community question portal for additional help.
As with the MASTIFF installation I am assuming a base installation of Ubuntu 12.10. As always, the first step I perform is to ensure that I have a fully updated system and have openssh installed for remote management.
sudo apt-get update; sudo apt-get upgrade -y; sudo apt-get dist-upgrade -y; sudo apt-get autoremove -y; sudo apt-get install openssh-server -y; sudo shutdown -r now later
Next we will begin the installation of the required dependencies.
sudo apt-get install python python-dev python-sqlalchemy python-dpkt python-jinja2 python-magic python-pymongo python-bottle -y
It is also recommended to install python-pefile. This can be accomplished by installing pefile from the apt repo or from source. I mention this because MASTIFF required pefile to be built from source, so if both applications will be installed on the same machine I recommend going with the source option.
PEfile from APT
sudo apt-get install python-pefile
PEfile from source
cd /opt
svn checkout http://pefile.googlecode.com/svn/trunk/ pefile
cd /opt/pefile
python setup.py build
sudo python setup.py build install
ssdeep and pydeep
sudo apt-get install build-essential git libpcre3 libpcre3-dev libpcre++-dev -y
cd /opt/
wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.9/ssdeep-2.9.tar.gz
tar -xvzf ssdeep-2.9.tar.gz
rm -f ssdeep-2.9.tar.gz
mv ssdeep-2.9 ssdeep
cd /opt/ssdeep/
./configure
make
sudo make install
sudo ldconfig
cd /opt/
git clone https://github.com/kbandla/pydeep.git pydeep
cd /opt/pydeep/
python setup.py build
sudo python setup.py install
Yara and yara-python
sudo apt-get install automake -y
cd /opt
svn checkout http://yara-project.googlecode.com/svn/trunk/ yara
cd /opt/yara
sudo ln -s /usr/bin/aclocal-1.11 /usr/bin/aclocal-1.12
./configure
make
sudo make install
cd yara-python
python setup.py build
sudo python setup.py install
tcpdump
Cuckoo captures the guest's network traffic with tcpdump. Granting it the raw-socket capabilities lets the unprivileged cuckoo user run it without sudo:
sudo apt-get install tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
VirtualBox
sudo apt-get install libqt4-opengl libsdl1.2debian -y
wget http://download.virtualbox.org/virtualbox/4.2.8/virtualbox-4.2_4.2.8-83876~Ubuntu~quantal_amd64.deb
wget http://download.virtualbox.org/virtualbox/4.2.8/Oracle_VM_VirtualBox_Extension_Pack-4.2.8-83876.vbox-extpack
sudo dpkg -i virtualbox-4.2_4.2.8-83876~Ubuntu~quantal_amd64.deb
sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.2.8-83876.vbox-extpack
sudo /etc/init.d/vboxdrv setup
Cuckoo user
sudo useradd cuckoo
sudo usermod -g vboxusers cuckoo
Cuckoo
cd /opt
git clone https://github.com/cuckoobox/cuckoo.git cuckoo
MySQL
sudo apt-get install mysql-server python-mysqldb -y
mysql -u root -p
create database cuckoo;
grant all privileges on cuckoo.* to cuckoo@localhost identified by 'Cuck00@n@lyst!';
flush privileges;
quit;
virtualbox.conf
Edit virtualbox.conf in the conf directory of the Cuckoo checkout so that it lists each analysis VM. The section name, label, platform and IP given here must match the VM name and the static address configured inside the guest:
[virtualbox]
mode = gui
path = /usr/bin/VBoxManage
machines = cuckoonode01, cuckoonode02, cuckoonode10, cuckoonode20

[cuckoonode01]
label = cuckoonode01
platform = windows
ip = 192.168.56.101

[cuckoonode02]
label = cuckoonode02
platform = windows
ip = 192.168.56.102

[cuckoonode10]
label = cuckoonode10
platform = darwin
ip = 192.168.56.110

[cuckoonode20]
label = cuckoonode20
platform = linux
ip = 192.168.56.120
Guest VM setup
- Install Windows XP SP3 or Windows 7 with UAC disabled
- Disable Windows Firewall
- Configure the network
  - Set a static IP address in the network range of vboxnet0 (the default host-only network)
  - Configure iptables on the host so the guest can reach the internet through the host's outbound interface (eth0 here)
    - sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    - sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    - sudo iptables -A POSTROUTING -t nat -j MASQUERADE
  - Enable forwarding on the host
    - sudo sysctl -w net.ipv4.ip_forward=1
    - sudo sysctl -p
- Rename the VM based on virtualbox.conf
- Install Python 2.7
- Install Python Imaging Library 1.7 for Python 2.7
- Install additional software (not required but recommended)
  - Microsoft Office
  - Adobe Reader
  - Additional browsers
  - etc.
- Install the Cuckoo agent.py
  - Download it from a \\vboxsvr\ TEMPORARY share (remove the share prior to snapshotting), or run cd /opt/cuckoo/agent; python -m SimpleHTTPServer on the host and download it from inside the VM
  - Save/rename agent.py to agent.pyw if you do not want the terminal window present
  - Execute agent.pyw
- Snapshot the VM
  - VBoxManage snapshot "cuckoonode01" take "pristine" --pause
  - VBoxManage controlvm "cuckoonode01" poweroff
  - VBoxManage snapshot "cuckoonode01" restorecurrent
- For each of the other machines listed in virtualbox.conf
  - Rename the VM (based on virtualbox.conf)
  - Re-IP the machine (based on virtualbox.conf)
  - Stop the process associated with agent.py and re-execute agent.pyw
  - Take a new "pristine" snapshot using the steps outlined above
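A mismatch between virtualbox.conf and the guests (a machine listed with no section, an IP outside the vboxnet0 range, two guests on the same address) is the most common reason a fresh install fails to start an analysis. The following script, an added example that is neither from the original post nor from the Cuckoo project, checks the virtualbox.conf layout shown above and then produces the VBoxManage snapshot commands from the list above for every machine, so the per-VM "pristine" steps are not retyped by hand. It assumes Python 3, the default vboxnet0 range 192.168.56.0/24, and the constructed GOOD_CONF and BAD_CONF samples embedded in the file.

```python
#!/usr/bin/env python3
# Added example, not code from the original post or from the Cuckoo project:
# sanity-check a Cuckoo virtualbox.conf (the layout shown in the post) and
# build the VBoxManage snapshot commands for every machine it lists.
# Assumptions: the host-only network is VirtualBox's default vboxnet0
# (192.168.56.0/24); Python 3 standard library only.
import configparser
import ipaddress
import shlex

HOST_ONLY_NET = ipaddress.ip_network("192.168.56.0/24")  # default vboxnet0 range
PLATFORMS = ("windows", "darwin", "linux")                # values submit.py --platform accepts

# Constructed sample configs (not from the post). GOOD_CONF mirrors the
# post's layout; BAD_CONF adds two mistakes a first-time setup often makes:
# a machine listed without a section, and an IP outside the host-only range.
GOOD_CONF = """\
[virtualbox]
mode = gui
path = /usr/bin/VBoxManage
machines = cuckoonode01, cuckoonode02

[cuckoonode01]
label = cuckoonode01
platform = windows
ip = 192.168.56.101

[cuckoonode02]
label = cuckoonode02
platform = windows
ip = 192.168.56.102
"""

BAD_CONF = GOOD_CONF.replace(
    "machines = cuckoonode01, cuckoonode02",
    "machines = cuckoonode01, cuckoonode02, cuckoonode99",
).replace("ip = 192.168.56.102", "ip = 192.168.57.102")


def _load(text):
    """Parse the conf text and return (parser, ordered list of machine ids)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    names = [m.strip() for m in cp.get("virtualbox", "machines").split(",") if m.strip()]
    return cp, names


def validate_conf(text):
    """Return a list of problems; an empty list means the file looks usable."""
    cp, names = _load(text)
    problems = []
    if not names:
        problems.append("[virtualbox] machines = lists no analysis machines")
    seen = {}  # ip -> machine id, to catch two guests on one address
    for name in names:
        if not cp.has_section(name):
            problems.append("machine %s is listed but has no [%s] section" % (name, name))
            continue
        missing = [k for k in ("label", "platform", "ip") if not cp.has_option(name, k)]
        if missing:
            problems.append("[%s] is missing %s" % (name, ", ".join(missing)))
            continue
        platform = cp.get(name, "platform")
        if platform not in PLATFORMS:
            problems.append("[%s] platform %r is not one of %s" % (name, platform, "/".join(PLATFORMS)))
        ip_text = cp.get(name, "ip")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append("[%s] ip %r is not a valid address" % (name, ip_text))
            continue
        if ip not in HOST_ONLY_NET:
            problems.append("[%s] ip %s is outside the host-only network %s" % (name, ip, HOST_ONLY_NET))
        if ip in seen:
            problems.append("[%s] ip %s is already used by [%s]" % (name, ip, seen[ip]))
        seen[ip] = name
    return problems


def snapshot_commands(text, snapshot="pristine"):
    """VBoxManage argv lists that take the clean snapshot for each machine, in
    the order the post performs them by hand. The label is used because that
    is the name VirtualBox knows the VM by; the section name is Cuckoo's id."""
    problems = validate_conf(text)
    if problems:
        raise ValueError("fix virtualbox.conf first: " + "; ".join(problems))
    cp, names = _load(text)
    cmds = []
    for name in names:
        label = cp.get(name, "label")
        cmds.append(["VBoxManage", "snapshot", label, "take", snapshot, "--pause"])
        cmds.append(["VBoxManage", "controlvm", label, "poweroff"])
        cmds.append(["VBoxManage", "snapshot", label, "restorecurrent"])
    return cmds


if __name__ == "__main__":
    for title, text in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        problems = validate_conf(text)
        print(title + ":", "ok" if not problems else "%d problem(s)" % len(problems))
        for p in problems:
            print("  -", p)
    # Print the commands as shell lines to review before running them.
    for cmd in snapshot_commands(GOOD_CONF):
        print(" ".join(shlex.quote(a) for a in cmd))
```

To use it against a real install, read the file instead of the embedded sample (for example `validate_conf(open("/opt/cuckoo/conf/virtualbox.conf").read())`) and pipe the printed commands into a shell only once each guest is booted with agent.pyw running, since `snapshot ... --pause` freezes whatever state the VM is in at that moment.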
Running Cuckoo
sudo apt-get install tmux -y
tmux
cd /opt/cuckoo
python cuckoo.py
Web interface
cd /opt/cuckoo/utils
python web.py
Submitting samples
Cuckoo currently accepts the following targets:
- Windows PEs
- DLLs
- PDFs
- Office documents
- URLs
usage: submit.py [-h] [--url] [--package PACKAGE] [--custom CUSTOM]
                 [--timeout TIMEOUT] [--options OPTIONS] [--priority PRIORITY]
                 [--machine MACHINE] [--platform PLATFORM] [--memory]
                 [--enforce-timeout]
                 target

positional arguments:
  target                URL, path to the file or folder to analyze

optional arguments:
  -h, --help            show this help message and exit
  --url                 Specify whether the target is an URL
  --package PACKAGE     Specify an analysis package
  --custom CUSTOM       Specify any custom value
  --timeout TIMEOUT     Specify an analysis timeout
  --options OPTIONS     Specify options for the analysis package (e.g.
                        "name=value,name2=value2")
  --priority PRIORITY   Specify a priority for the analysis represented by an
                        integer
  --machine MACHINE     Specify the identifier of a machine you want to use
  --platform PLATFORM   Specify the operating system platform you want to use
                        (windows/darwin/linux)
  --memory              Enable to take a memory dump of the analysis machine
  --enforce-timeout     Enable to force the analysis to run for the full
                        timeout period
Submission examples
python submit.py --url http://www.tekdefense.com
python submit.py malware.exe
python submit.py malware.pdf
python submit.py malware.doc