Cuckoo Sandbox is open-source software for automating the analysis of suspicious files. To do so it uses custom components that monitor the behavior of the suspicious processes while they run in an isolated environment.

Sample diagram of Cuckoo’s main architecture.

Setup

Cuckoo sandbox needs at least 2 machines to work: the host and one or more guests.

The Host:

Ubuntu 16.04 (latest Ubuntu version recommended)

2 GB RAM (minimum)

VirtualBox (latest version)

Cuckoo Sandbox 2.0 rc-1 (latest cuckoo version)

The Guest:

Windows XP (or Windows 7)

Preparing the Host

Installing Python and dependencies

$ sudo apt-get install git mongodb libffi-dev build-essential python-django python python-dev python-pip python-pil python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet tcpdump -y

Configuring Tcpdump

Tcpdump normally requires root privileges. However, since Cuckoo is not going to run as root, we grant the tcpdump binary only the capabilities it needs instead of running it as root.

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Verify the results of the last command:

$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

Installing Yara

$ sudo apt-get install autoconf libtool libjansson-dev libmagic-dev libssl-dev -y
$ wget https://github.com/plusvic/yara/archive/v3.4.0.tar.gz -O yara-3.4.0.tar.gz
$ tar -zxf yara-3.4.0.tar.gz
$ cd yara-3.4.0
$ ./bootstrap.sh
$ ./configure --with-crypto --enable-cuckoo --enable-magic
$ make
$ sudo make install

Validate the installation:

$ yara -v
yara 3.4.0

To build and install the yara-python extension (from inside the yara-3.4.0 directory):

$ cd yara-python
$ python setup.py build
$ sudo python setup.py install

Validate the installation:

$ pip show yara-python
---
Name: yara-python
Version: 3.4.0
Location: /usr/local/lib/python2.7/dist-packages
Requires:

Installing Pydeep

Pydeep depends on ssdeep 2.8 or later, so build ssdeep first:

$ wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download -O ssdeep-2.13.tar.gz
$ tar -zxf ssdeep-2.13.tar.gz
$ cd ssdeep-2.13
$ ./configure
$ make
$ sudo make install

Validate the installation:

$ ssdeep -V

Then proceed by installing pydeep:

$ pip install pydeep

Validate that the package is installed:

$ pip show pydeep
---
Name: pydeep
Version: 0.2
Location: /usr/local/lib/python2.7/dist-packages
Requires:

Installing Volatility

Volatility is a tool for forensic analysis of memory dumps. As stated in the Cuckoo configuration guide it is optional, but without it you might miss some rootkits. First install its Python dependencies:

$ pip install openpyxl
$ pip install ujson
$ pip install pycrypto
$ pip install distorm3
$ pip install pytz

To install Volatility, type the following commands:

$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility
$ python setup.py build
$ python setup.py install

Validate the installation by typing:

$ python vol.py -h

Installing Cuckoo

As the final step of our preparation we are going to download and install Cuckoo.

Download the latest Cuckoo Sandbox version from the following site and extract it into a folder.

https://cuckoosandbox.org/

Create a user for Cuckoo (the -m option creates /home/cuckoo, which the later steps rely on):

$ sudo useradd -m cuckoo

Make sure that the user who is going to run Cuckoo is the owner of the files.

$ sudo chown -R cuckoo:cuckoo <path/to/cuckoo/folder>

Preparing the guest

Issue the following commands as the cuckoo user.

Installing VirtualBox

$ sudo apt-get install virtualbox

Add the cuckoo user to the vboxusers group:

$ sudo usermod -a -G vboxusers cuckoo

Creating a Virtual Machine

Download windowsxpsp3.iso or windows7.iso, according to the guest OS you chose.

(Notice that you might need to change the ISO path /home/cuckoo/windowsxpsp3.iso according to your environment.)

$ vboxmanage createvm --name "windowsxp" --ostype WindowsXP --register
$ vboxmanage modifyvm "windowsxp" --memory 1000 --acpi on --boot1 dvd --nic1 nat
$ vboxmanage createhd --filename "windowsxp.vdi" --size 12000
$ vboxmanage storagectl "windowsxp" --name "IDE Controller" --add ide --controller PIIX4
$ vboxmanage storageattach "windowsxp" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium "windowsxp.vdi"
$ vboxmanage storageattach "windowsxp" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /home/cuckoo/windowsxpsp3.iso
$ vboxmanage hostonlyif create
$ vboxmanage modifyvm "windowsxp" --nic1 hostonly
$ vboxmanage modifyvm "windowsxp" --hostonlyadapter1 vboxnet0

Create a shared folder for the guest; we need it to transfer the Cuckoo agent from the host to the guest. (You can also do this manually: create a shared folder in the VirtualBox interface and copy Cuckoo's agent.py into it.) The host path contains a space, so it must be quoted:

$ mkdir -p "/home/cuckoo/VirtualBox VMs/windowsxpshare"
$ vboxmanage sharedfolder add "windowsxp" --name "windowsxpshare" --hostpath "/home/cuckoo/VirtualBox VMs/windowsxpshare" --automount
$ cp /home/cuckoo/cuckoo/agent/agent.py "/home/cuckoo/VirtualBox VMs/windowsxpshare/agent.py"

We used a host-only adapter for the guest VM in order to isolate it from the rest of the network. However, the VM needs internet connectivity for the analysis to work. We can achieve that by adding the following iptables rules (eth0 is the host's uplink interface and 192.168.56.0/24 is the vboxnet0 host-only subnet; adjust both if yours differ) and enabling IP forwarding:

$ sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A POSTROUTING -t nat -j MASQUERADE
$ sudo sysctl -w net.ipv4.ip_forward=1

Installing and Configuring Guest OS

Start up your VM and install the guest operating system.

$ vboxmanage startvm "windowsxp"

Wait for the installation to finish. When it is done, log in and configure the guest's network (static IP 192.168.56.10 on the host-only adapter, matching the virtualbox.conf below).

Also turn off Windows Firewall and Automatic Updates: for the analysis we want the VM to be as exposed as possible so that samples behave, although this might not be appropriate in every scenario.

Download and install the VirtualBox Guest Additions via the VirtualBox interface.

The guest needs some configuration before it is ready for Cuckoo. The following must be downloaded and installed on the guest:

· Python 2.7 https://www.python.org/downloads/release/python-2711/

· Python Imaging Library for windows http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe

The last step is installing the Cuckoo Agent, which runs an XML-RPC server listening for connections from the host.

Mount the share from Windows. Then move the file agent.py to C:\Documents and Settings\All Users\Start Menu\Programs\Startup. That way the agent is started automatically once the VM is powered on (or you can run the agent manually each time).

Taking a snapshot

Now that we have completed the configuration of the guest we should take the snapshot. It is very important to take the snapshot while the guest VM is powered on with the agent running; otherwise Cuckoo will not be able to perform the analysis. (You can also take and restore a snapshot manually using the VirtualBox interface.)

$ vboxmanage snapshot "windowsxp" take "snapshot1" --pause
$ vboxmanage controlvm "windowsxp" poweroff
$ vboxmanage snapshot "windowsxp" restorecurrent

Configuring Cuckoo

At least the following files must be configured for Cuckoo to be able to run properly.

cuckoo.conf

machinery = virtualbox

[resultserver]
ip = 192.168.56.1    # This is the IP address of the host on vboxnet0
port = 2042          # leave default unless you have services running on it

auxiliary.conf

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes

# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
# You can check this using the command: whereis tcpdump
tcpdump = /usr/sbin/tcpdump

# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
# The ifconfig command will show you the interface name.
interface = vboxnet0

virtualbox.conf

machines = windowsxp

[windowsxp]
label = windowsxp
platform = windows
ip = 192.168.56.10    # IP address of the guest
snapshot = snapshot1  # name of the snapshot

reporting.conf

[mongodb]
enabled = yes
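The three files above have to agree with each other and with the host-only network set up earlier: the resultserver IP and every guest IP must sit on the vboxnet0 subnet that the iptables rules forward, the guest must not reuse the host's address, and the sniffer must capture on vboxnet0. The following pre-flight check, added here as an example and not part of Cuckoo or of the original post, parses constructed copies of those fragments and reports any mismatch before Cuckoo is started; the subnet and interface name are assumed from this guide.

```python
import configparser
import ipaddress

# Config text constructed to mirror the fragments in this guide (not real files).
CUCKOO_CONF = """
[resultserver]
ip = 192.168.56.1   # host address on vboxnet0
port = 2042
"""
AUXILIARY_CONF = """
[sniffer]
enabled = yes
interface = vboxnet0
"""
VIRTUALBOX_CONF = """
[virtualbox]
machines = windowsxp
[windowsxp]
label = windowsxp
ip = 192.168.56.10   # guest address
snapshot = snapshot1
"""

def parse(text):
    # Cuckoo's .conf files are INI-style; trailing "# ..." notes are comments.
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cp.read_string(text)
    return cp

def check_configs(cuckoo_txt, aux_txt, vbox_txt, subnet="192.168.56.0/24"):
    """Return a list of problems; an empty list means the files agree."""
    net = ipaddress.ip_network(subnet)  # host-only range the iptables rules forward
    cuckoo, aux, vbox = parse(cuckoo_txt), parse(aux_txt), parse(vbox_txt)
    problems = []
    host_ip = ipaddress.ip_address(cuckoo["resultserver"]["ip"])
    if host_ip not in net:
        problems.append(f"resultserver ip {host_ip} is not on {subnet}")
    if aux["sniffer"].get("interface") != "vboxnet0":
        problems.append("sniffer interface is not the host-only adapter vboxnet0")
    for name in (m.strip() for m in vbox["virtualbox"]["machines"].split(",")):
        keys = ("label", "snapshot", "ip")
        if name not in vbox or any(k not in vbox[name] for k in keys):
            problems.append(f"[{name}] section missing or lacks one of {keys}")
            continue
        guest_ip = ipaddress.ip_address(vbox[name]["ip"])
        if guest_ip not in net:
            problems.append(f"[{name}] ip {guest_ip} is not on {subnet}")
        elif guest_ip == host_ip:
            problems.append(f"[{name}] ip {guest_ip} collides with the resultserver ip")
    return problems
```

Run it against the real files by reading them into the three text arguments; any line it prints points at a setting that will make the guest unreachable or the capture empty.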

Start Cuckoo

On the host, issue the following commands to start Cuckoo.

$ cd /home/cuckoo/cuckoo
$ python cuckoo.py

Start the web interface:

$ cd /home/cuckoo/cuckoo/web
$ python manage.py runserver 0.0.0.0:8000

Open your web browser and enter your host's IP address and port 8000 to access Cuckoo's web interface (e.g. http://<host-ip>:8000).

You can submit a file through the web interface and check the results.

Tips for Troubleshooting