Cuckoo Sandbox is an open source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while running in an isolated environment.
Cuckoo Sandbox has been recently updated to the version 2.0 and the steps to install it have changed a lot.
For this reason I’m re-writing my tutorial to explain how to install it.
It is based on my own experience and taking commands I used to setup new Cuckoo’s version.
Basic structure is based on the official Cuckoo Sandbox documentation.
Cuckoo Sandbox architecture
Host : runs the main components to manage the whole analysis process.
Analysis guest : isolated virtual environments where the samples are executed.
Preparing the host
The following topics describes the main requirements to install Cuckoo Sandbox.
The following software packages from the apt repositories are required to get Cuckoo to install and run properly (currently only Python 2.7 is supported):
$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig
In order to use the Django-based Web Interface, MongoDB is required:
$ sudo apt-get install mongodb
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. Yara is an optional package.
Yara previous requirements:
$ sudo apt-get install automake libtool make gcc libjansson-dev libmagic-dev
Currently needed (future version of cuckoo won’t need it)
$ pip install yara-python
$ wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz
$ tar -zxf yara-3.5.0.tar.gz
$ cd yara-3.5.0
$ ./configure --enable-cuckoo --enable-magic
$ sudo make install
Run the test cases to make sure that everything is fine:
$ make check
It is a Python/C binding’s library for the Ssdeep. Pydeep is an optional package:
$ sudo apt-get install ssdeep libfuzzy-dev
Pydeep package installation:
$ wget https://github.com/kbandla/pydeep/archive/0.2.tar.gz
$ tar –zxf 0.2.tar.gz
$ cd pydeep-0.2/
$ python setup.py build
$ sudo python setup.py install
Virtualboox is the virtualization software used to allocate the isolated guests machines:
$ echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add –
$ sudo apt-get update
$ sudo apt-get install virtualbox-5.1
Tcpdump is a network sniffer used to capture and to dump the network activity performed by the malware sample executed:
$ sudo apt-get install tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump
For Linux platforms with AppArmor disabled (e.g., Debian) the following command will suffice to install Tcpdump:
$ sudo apt-get install tcpdump
Due to Cuckoo must be executed as non-root user; Tcpdump must be configured to run without root privileges:
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
You can verify the results of the last command:
$ getcap /usr/sbin/tcpdumpp
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
The Volatility Framework is a collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples:
$ sudo apt-get install volatility
WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF.
It will help us generating pdf reports of the analyses.
$ sudo pip install weasyprint
M2Crypto is a crypto and SSL toolkit for Python. M2Crypto library is only supported when SWIG has been installed (if SWIG is present on the system, Cuckoo will automatically install the M2Crypto dependency upon installation):
$ sudo apt-get install swig
Create a user
To run Cuckoo as non-root user we must create a new user:
$ sudo adduser cuckoo
Make sure the new user belongs to the “vboxusers” group (or the group you used to run VirtualBox):
$ sudo usermod -a -G vboxusers cuckoo
Cuckoo package needs to be installed in a virtual environment (virtualenv):
$ virtualenv venv
$ . venv/bin/activate
(venv)$ pip install -U pip setuptools
(venv)$ pip install -U cuckoo
Host Network Routing
The following iptables rules will allow the VMs access to the Cuckoo host machine
$ sudo iptables -t nat -A POSTROUTING -o interfaceName -s 192.168.56.0/24 -j MASQUERADE
# Default drop.
$ sudo iptables -P FORWARD DROP
# Existing connections.
$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept connections from vboxnet to the whole internet.
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
# Internal traffic.
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
# Log stuff that reaches this point (could be noisy).
$ sudo iptables -A FORWARD -j LOG
Modify interface name by the name obtained from the command sudo ifconfig.
For an automatic loading on every server startup, these rules must be stored.
Save the rules:
$ sudo iptables-save > /etc/firewall.conf
Open /etc/network/if-up.d/interfaces and add:
Iptables-restore < /etc/firewall.conf
Provide it execution privileges
$ sudo chmod +x /etc/network/if-up.d/iptables
If you need to save changes to your rules in the future, you can manually edit /etc/firewall.conf or you can adjust your rules live and run:
$ sudo iptables-save > /etc/firewall.conf
IP forwarding must be enabled in kernel configuration:
$ echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
$ sudo sysctl -w net.ipv4.ip_forward=1
Other option to make ip forwarding permanent is edit /etc/sysctl.conf and search for the following lines:
# Uncomment the next line to enable packet forwarding for IPv4
Cuckoo Working Directory
All configurable components, generated data, and results of Cuckoo are stored in Cuckoo Working Directory.
By default, this directory is located at /home/cuckoo/.cuckoo as it defaults to ~/.cuckoo (CWD can be modified if needed)
Cuckoo configuration files
All documents are located in Cuckoo Working Directory $CWD/conf
The cuckoo.conf file contains generic configuration options.
machinery in [cuckoo]:
This option defines which Machinery module you want Cuckoo to use to interact with your analysis machines.
The value must be the name of the module without extension.
machinery = virtualbox
ip and port in [resultserver]:
These define the local IP address and port that Cuckoo is going to try to bind the result server on.
Make sure this matches the network configuration of your analysis machines or they won’t be able to return any results.
ip = 192.168.56.1
connection in [database]:
The database connection string defines how Cuckoo will connect to the internal database.
If empty, defaults to a SQLite3 database at $CWD/cuckoo.db. (our case)
Auxiliary modules are scripts that run concurrently with malware analysis.
Activation in [sniffer]:
Enable or disable the use of an external sniffer (tcpdump)
enabled = yes
Activation in [mitm]:
Enable man in the middle proxying (mitmdump)
Enabled = yes
Virtualbox module is the script that define how Cuckoo should interact with your virtualization software of choice.
Mode in [Virtualbox]:
Specify which VirtualBox mode you want to run your machines on. Can be “gui” or “headless”.
mode = headless
Virtual machine config in [machineName]:
Specify a comma-separated list of available machines to be used. For each specified ID you have to define a dedicated section containing the details on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = Cuckoo
Specify the label name of the current machine as specified in your VirtualBox configuration.
label = Cuckoo
Specify the operating system platform used by current machine [windows/darwin/linux].
platform = windows
Specify the IP address of the current virtual machine. Make sure that the IP address is valid and that the host machine is able to reach it. If not, the analysis will fail.
ip = 192.168.56.101
The memory.conf file contains the Volatility configuration.
This file allows you to enable, disable and configure all processing modules. These modules are located under the cuckoo processing module and define how to digest the raw data collected during the analysis.
This file contains information on the reports generation.
Configuration in [mongodb]:
enabled = yes
Configuration in [elasticsearch]:
enabled = no
In the next article we will cover the last step of the installation.