This is a comprehensive, step by step documentation of the procedure that I followed for installing the latest version of cuckoo, i.e. 2.0.5.
This was part of a bigger project I was working on during my master’s education. Your feedback on how to improve or any corrections related to my cuckoo setup would be greatly appreciated.
The article is for anyone who is trying to understand malware analysis and wants to use cuckoo for it. It is an open source automated malware analysis system which helps in automatically running and analyzing files and collect comprehensive analysis results that outlines what a malware does while running inside an isolated windows operating system.
A special thanks to the cuckoo team, Jordan Watkins, and Bdavis for their implementation and articles which were of great help.
The cuckoo sandbox requires at least 2 machines to work, i.e., the host and a guest machine.
Specification of the Host machine:
- Ubuntu 16.04 (latest Ubuntu version recommended)
- 16Gb RAM or higher
- 256 GB SSD or higher (for faster processing)
- VirtualBox (latest version)
- Cuckoo Sandbox 2.0.5 (latest cuckoo version)
The Guest machine:
- Windows XP or Windows 7. I used windows 7 and it has been explained below.
- Older versions of Microsoft office, and other basic applications.
The installation process has been broken in two parts. This article will cover the installation on the Host machine and the other will focus on setting up the guest machine.
Installation on Host Machine
We will first start the installation on the base(host) machine.
Cuckoo sandbox requires certain packages and libraries before installing it. Below are the steps to go about installing these dependencies.
sudo apt-get install python python-pip python-dev libffi-dev libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev
sudo apt-get install python-virtualenv python-setuptools
sudo apt-get install libjpeg-dev zlib1g-dev
sudo apt-get install libxml2-dev libxslt1-dev libevent-dev libpcre3 libpcre3-dev libtool libpcre++-dev g++
sudo apt-get install git automake dkms unzip wget python-sqlalchemy python-bson python-dpkt python-jinja2
sudo apt-get install python-magic python-mysqldb python-gridfs python-bottle python-pefile python-chardet
Installing Python 3
At this stage if we perform “python -v”, we should be able to see that 2.7 is already in the system.
We now require the installation of python 3 because mitmproxy, covered in later steps, requires Python 3.5 or above. Starting with version 1.0 released in 12/2016, mitmproxy no longer supports Python 2.
To begin with the installation, we will navigate to the “src” folder and perform the process in it.
cd /usr/src sudo wget https://www.python.org/ftp/python/3.6.3/Python-3.6.3.tgz
sudo tar -xvf Python-3.6.3.tgz cd Python-3.6.3/
To continue with the installation, we will proceed as the super user. To become super user type “sudo su” and enter the root password
sudo make && make install
Next, we need pillow installed on ubuntu as well. Before we proceed with a pip installation, we will upgrade pip.
pip install --upgrade pip sudo -H pip install pillow
In order to use the Django-based Web Interface, MongoDB is required. We will change the directory to the downloads folder and begin the installation process in there.
sudo apt-get install mongodb
In order to use PostgreSQL as database, type the following:
sudo apt-get install postgresql libpq-dev
If you want to use KVM as machinery module you will have to install KVM:
sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils python-libvirt
In order to use MariaDB server:
sudo apt-get install mariadb-server
If you want to use XenServer you’ll have to install the XenAPI Python package:
sudo -H pip install XenAPI
This module will be useful in analyzing the network activity performed. It is a sniffer which captures the network traffic and dumps it into a file.
sudo apt-get install tcpdump apparmor-utils
sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdumpgetcap /usr/sbin/tcpdump
(result: /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip)
sudo -H pip install lxml sudo -H pip install cybox==126.96.36.199 sudo -H pip install maec==188.8.131.52 sudo -H pip install "Django<2"
(The above command installs for python 2)
sudo -H pip install py3compat sudo -H pip install pymongo
Now restart the machine and go back to the downloads folder to continue the process of setting up the sandbox.
sudo apt-get install ssdeep python-pyrex subversion libfuzzy-dev
M2Crypto is the most complete Python wrapper for OpenSSL featuring RSA, DSA, DH, EC, HMACs, message digests, symmetric ciphers (including AES); SSL functionality to implement clients and servers; HTTPS extensions to Python’s httplib, urllib, and xmlrpclib; unforgeable HMAC’ing AuthCookies for web session management; FTP/TLS client and server; S/MIME.
sudo apt-get install swig
sudo -H pip install m2crypto==0.24.0
Useful for the extraction of digital artifacts from volatile memory (RAM) samples. Run the following command:
git clone https://github.com/volatilityfoundation/volatility.git
Navigate to the volatility folder that just now cloned.
sudo python setup.py install
This module takes an instruction and returns a binary structure which describes it rather than static text, which is great for advanced binary code analysis.
Download the file from the link https://github.com/gdabah/distorm/releases
tar -zxvf distorm-3.3.4.tar.gz
Now navigate inside the extracted folder
sudo python setup.py install
sudo apt-get install libjansson-dev libmagic-dev
sudo apt-get install libtool-bin
Download from the following link https://pypi.python.org/pypi/pycrypto
Go back to the downloads folder and run
tar -zxvf pycrypto-2.6.1.tar.gz python setup.py build sudo python setup.py install
We will now proceed with the Ansible upgrade. Ansible works by configuring client machines from a computer with Ansible components installed and configured. It communicates over normal SSH channels to retrieve information from remote machines, issue commands, and copy files.
sudo -H pip install ansible --upgrade
Following the upgrade of Ansible we will also install Ipython-5, Jupyter, openpyxl, and ujson as well.
sudo -H pip install IPython==5.0 sudo -H pip install jupyter sudo -H pip install openpyxl sudo -H pip install ujson
Increase “Open Files Limit”
This is a precautionary step to avoid the following error:
“If you are getting error “Too many open files (24)” then your application/command/script is hitting max open file limit allowed by linux. You need to increase open file limit as below:”
sudo nano /etc/security/limits.conf * hard nofile 500000 * soft nofile 500000 root hard nofile 500000 root soft nofile 500000
In order to exit from the nano editer, first save the file by pressing “ctrl+o” and enter and then to exit from the editor press “ctrl+x”
Download YARA from the link https://github.com/VirusTotal/yara/releases
sudo tar -zxvf yara-3.7.1.tar.gz
Navigate inside the Yara folder.
sudo ./bootstrap.sh sudo ./configure --with-crypto --enable-magic –enable-cuckoo
sudo make install
sudo -H pip install yara-python
Man in the middle proxy setup
An interactive console program that allows traffic flows to be intercepted, inspected, modified and replayed.
cd .. sudo apt-get install libtiff5-dev libjpeg8-dev libwebp-dev
sudo apt-get install python3-pip
sudo pip3 install mitmproxy
At this window press “ctrl+c” to exit and we will continue the installation of MITM proxy after we are done installing the cuckoo module.
Before we start the cuckoo module, installation make sure that you are currently set as the super user. After that proceed with the following command execution.
virtualenv venv sudo su . venv/bin/activate sudo pip install -U pip setuptools sudo pip install -U cuckoo
Now to first start cuckoo run the following command.
run cuckoo -d
Note: At this point, the command will checkout the cuckoo working directory, which has all the configuration files.
You will see a similar text as in the figure above. Please note the locations that have been checked out and mentioned on the screen after you execute the command. We will be using these location in the installation process from this point on wards.
We can now continue with MITM proxy setup, as the file that was needed to complete the process was in the cuckoo directory
Exit and open new window
cd ~/.mitmproxy sudo su cp mitmproxy-ca-cert.p12 /root/.cuckoo/analyzer/windows/bin/cert.p12 mitmdump = /usr/local/bin/mitmdump
press “ctrl+c” to stop the proxy server.
Starting Cuckoo Web Server
Now go back to ubuntu terminal and navigate to the cuckoo folder by typing in
cd /root/.cuckoo sudo service mongodb start
Make sure you are super user before you type in the above commands. The above command will start the mongodb services. But since they are still disabled for cuckoo, we can enable them in the “reporting.conf” file in the cuckoo directory. Start by typing:
change the value in reporting.conf to “yes” infront of mongodb
cuckoo web runserver
This will start the webserver and you should be able to see the cuckoo analysis webpage in your browser. The location will be mentioned in the terminal opened and the port number.
In this case type “http://127.0.0.1:8000/”
Setting up Cuckoo Agent transfer
Create a folder by the name agent in the downloads folder
Right click on it and select properties.
Click on local network share and then check the “share this folder” option.
It will ask you whether to install new services or not. Click on install service. Click install again and enter the root account password. Upon completion you will see something like this
This indicates that the folder is now shareable. We can now use this folder to share documents back and forth the virtual machine which we will setup in the next article.
(Featured Image credits: A cuckoo-clock heart, by KaleidoMewStar, deviantart.com)