Setting up Cuckoo 2.0.5 – Part I

This is a comprehensive, step by step documentation of the procedure that I followed for installing the latest version of cuckoo, i.e. 2.0.5.

This was part of a bigger project I was working on during my master’s education. Your feedback on how to improve or any corrections related to my cuckoo setup would be greatly appreciated.

The article is for anyone who is trying to understand malware analysis and wants to use cuckoo for it. It is an open source automated malware analysis system which helps in automatically running and analyzing files and collect comprehensive analysis results that outlines what a malware does while running inside an isolated windows operating system.

A special thanks to the cuckoo team, Jordan Watkins, and Bdavis for their implementation and articles which were of great help.

The cuckoo sandbox requires at least 2 machines to work, i.e., the host and a guest machine.

Specification of the Host machine:

• Ubuntu 16.04 (latest Ubuntu version recommended)
• 16Gb RAM or higher
• 256 GB SSD or higher (for faster processing)
• VirtualBox (latest version)
• Cuckoo Sandbox 2.0.5 (latest cuckoo version)

The Guest machine:

• Windows XP or Windows 7. I used windows 7 and it has been explained below.
• Older versions of Microsoft office, and other basic applications.

The installation process has been broken in two parts. This article will cover the installation on the Host machine and the other will focus on setting up the guest machine.

Installation on Host Machine

We will first start the installation on the base(host) machine.

Installing Dependencies

Cuckoo sandbox requires certain packages and libraries before installing it. Below are the steps to go about installing these dependencies.

sudo apt-get install python python-pip python-dev libffi-dev libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev

sudo apt-get install python-virtualenv python-setuptools

sudo apt-get install libjpeg-dev zlib1g-dev

sudo apt-get install libxml2-dev libxslt1-dev libevent-dev libpcre3 libpcre3-dev libtool libpcre++-dev g++

sudo apt-get install git automake dkms unzip wget python-sqlalchemy python-bson python-dpkt python-jinja2

sudo apt-get install python-magic python-mysqldb python-gridfs python-bottle python-pefile python-chardet

Installing Python 3

 At this stage if we perform “python -v”, we should be able to see that 2.7 is already in the system.

We now require the installation of python 3 because mitmproxy, covered in later steps, requires Python 3.5 or above. Starting with version 1.0 released in 12/2016, mitmproxy no longer supports Python 2.

To begin with the installation, we will navigate to the “src” folder and perform the process in it.

cd /usr/src
sudo wget https://www.python.org/ftp/python/3.6.3/Python-3.6.3.tgz

sudo tar -xvf Python-3.6.3.tgz
cd Python-3.6.3/

To continue with the installation, we will proceed as the super user. To become super user type “sudo su” and enter the root password

./configure

sudo make && make install

python3 --version

Next, we need pillow installed on ubuntu as well. Before we proceed with a pip installation, we will upgrade pip.

pip install --upgrade pip
sudo -H pip install pillow

In order to use the Django-based Web Interface, MongoDB is required. We will change the directory to the downloads folder and begin the installation process in there.

sudo apt-get install mongodb

In order to use PostgreSQL as database, type the following:

sudo apt-get install postgresql libpq-dev

If you want to use KVM as machinery module you will have to install KVM:

sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils python-libvirt

In order to use MariaDB server:

sudo apt-get install mariadb-server

If you want to use XenServer you’ll have to install the XenAPI Python package:

sudo -H pip install XenAPI

Installing tcpdump

 This module will be useful in analyzing the network activity performed. It is a sniffer which captures the network traffic and dumps it into a file.

sudo apt-get install tcpdump apparmor-utils

sudo aa-disable /usr/sbin/tcpdump

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdumpgetcap /usr/sbin/tcpdump

(result: /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip)

sudo -H pip install lxml
sudo -H pip install cybox==2.0.1.4    
sudo -H pip install maec==4.0.1.0
sudo -H pip install "Django<2"

(The above command installs for python 2)

sudo -H pip install py3compat
sudo -H pip install pymongo

Now restart the machine and go back to the downloads folder to continue the process of setting up the sandbox.

sudo apt-get install ssdeep python-pyrex subversion libfuzzy-dev

Installing M2Crypto

M2Crypto is the most complete Python wrapper for OpenSSL featuring RSA, DSA, DH, EC, HMACs, message digests, symmetric ciphers (including AES); SSL functionality to implement clients and servers; HTTPS extensions to Python’s httplib, urllib, and xmlrpclib; unforgeable HMAC’ing AuthCookies for web session management; FTP/TLS client and server; S/MIME.

sudo apt-get install swig

sudo -H pip install m2crypto==0.24.0

Installing Volatility

Useful for the extraction of digital artifacts from volatile memory (RAM) samples. Run the following command:

git clone https://github.com/volatilityfoundation/volatility.git

Navigate to the volatility folder that just now cloned.

sudo python setup.py install

Distorm Installation

This module takes an instruction and returns a binary structure which describes it rather than static text, which is great for advanced binary code analysis.

Download the file from the link https://github.com/gdabah/distorm/releases

tar -zxvf distorm-3.3.4.tar.gz

Now navigate inside the extracted folder

sudo python setup.py install

sudo apt-get install libjansson-dev libmagic-dev

sudo apt-get install libtool-bin

Pycrypto Installation

Download from the following link https://pypi.python.org/pypi/pycrypto

Go back to the downloads folder and run

tar -zxvf pycrypto-2.6.1.tar.gz
python setup.py build
sudo python setup.py install

We will now proceed with the Ansible upgrade. Ansible works by configuring client machines from a computer with Ansible components installed and configured. It communicates over normal SSH channels to retrieve information from remote machines, issue commands, and copy files.

sudo -H pip install ansible --upgrade

Following the upgrade of Ansible we will also install Ipython-5, Jupyter, openpyxl, and ujson as well.

sudo -H pip install IPython==5.0
sudo -H pip install jupyter
sudo -H pip install openpyxl
sudo -H pip install ujson

Increase “Open Files Limit”

This is a precautionary step to avoid the following error:

“If you are getting error “Too many open files (24)” then your application/command/script is hitting max open file limit allowed by linux. You need to increase open file limit as below:”

sudo nano /etc/security/limits.conf 

*            hard    nofile      500000
*            soft    nofile      500000
root      hard    nofile      500000
root      soft    nofile      500000

In order to exit from the nano editer, first save the file by pressing “ctrl+o” and enter and then to exit from the editor press “ctrl+x”

YARA installation

 Download YARA from the link https://github.com/VirusTotal/yara/releases

sudo tar -zxvf yara-3.7.1.tar.gz 

Navigate inside the Yara folder.

sudo ./bootstrap.sh
sudo ./configure --with-crypto --enable-magic –enable-cuckoo

sudo make

sudo make install

sudo -H pip install yara-python

Man in the middle proxy setup

An interactive console program that allows traffic flows to be intercepted, inspected, modified and replayed.

cd ..
sudo apt-get install libtiff5-dev libjpeg8-dev libwebp-dev

sudo apt-get install python3-pip

sudo pip3 install mitmproxy

mitmproxy

At this window press “ctrl+c” to exit and we will continue the installation of MITM proxy after we are done installing the cuckoo module.

Installing Cuckoo

Before we start the cuckoo module, installation make sure that you are currently set as the super user. After that proceed with the following command execution.

virtualenv venv
sudo su
. venv/bin/activate    
sudo pip install -U pip setuptools
sudo pip install -U cuckoo

Now to first start cuckoo run the following command.

run cuckoo -d 

Note: At this point, the command will checkout the cuckoo working directory, which has all the configuration files.

You will see a similar text as in the figure above. Please note the locations that have been checked out and mentioned on the screen after you execute the command. We will be using these location in the installation process from this point on wards.

We can now continue with MITM proxy setup, as the file that was needed to complete the process was in the cuckoo directory

Exit and open new window

cd ~/.mitmproxy
sudo su
cp mitmproxy-ca-cert.p12 /root/.cuckoo/analyzer/windows/bin/cert.p12
mitmdump = /usr/local/bin/mitmdump

press “ctrl+c” to stop the proxy server.

Starting Cuckoo Web Server

Now go back to ubuntu terminal and navigate to the cuckoo folder by typing in

cd /root/.cuckoo
sudo service mongodb start

Make sure you are super user before you type in the above commands. The above command will start the mongodb services. But since they are still disabled for cuckoo, we can enable them in the “reporting.conf” file in the cuckoo directory. Start by typing:

nano /root/.cuckoo/conf/reporting.conf

change the value in reporting.conf to “yes” infront of mongodb

cuckoo web runserver

This will start the webserver and you should be able to see the cuckoo analysis webpage in your browser. The location will be mentioned in the terminal opened and the port number.

In this case type “http://127.0.0.1:8000/”

Setting up Cuckoo Agent transfer

Create a folder by the name agent in the downloads folder

Right click on it and select properties.

Click on local network share and then check the “share this folder” option.

It will ask you whether to install new services or not. Click on install service. Click install again and enter the root account password. Upon completion you will see something like this

This indicates that the folder is now shareable. We can now use this folder to share documents back and forth the virtual machine which we will setup in the next article.

(Featured Image credits: A cuckoo-clock heart, by KaleidoMewStar, deviantart.com)