This is a comprehensive, step-by-step documentation of the procedure that I followed for installing the latest version of cuckoo, i.e. 2.0.5.
This was part of a bigger project I was working on during my master’s education. Your feedback on how to improve or any corrections related to my cuckoo setup would be greatly appreciated.
The article is for anyone who is trying to understand malware analysis and wants to use cuckoo for it. Cuckoo is an open source automated malware analysis system that runs and analyzes files automatically and collects comprehensive analysis results outlining what a malware sample does while running inside an isolated Windows operating system.
A special thanks to the cuckoo team, Jordan Watkins, and Bdavis for their implementation and articles which were of great help.
The cuckoo sandbox requires at least 2 machines to work, i.e., the host and a guest machine.
Specification of the Host machine:
- Ubuntu 16.04 (latest Ubuntu version recommended)
- 16 GB RAM or higher
- 256 GB SSD or higher (for faster processing)
- VirtualBox (latest version)
- Cuckoo Sandbox 2.0.5 (latest cuckoo version)
The Guest machine:
- Windows XP or Windows 7. I used Windows 7, which is explained below.
- Older versions of Microsoft Office and other basic applications.
The installation process has been broken into two parts. This article covers the installation on the host machine; the next one will focus on setting up the guest machine.
Installation on Host Machine
We will first start the installation on the base (host) machine.
Installing Dependencies
Cuckoo sandbox requires certain packages and libraries before installing it. Below are the steps to go about installing these dependencies.
sudo apt-get install python python-pip python-dev libffi-dev libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev
sudo apt-get install python-virtualenv python-setuptools
sudo apt-get install libjpeg-dev zlib1g-dev
sudo apt-get install libxml2-dev libxslt1-dev libevent-dev libpcre3 libpcre3-dev libtool libpcre++-dev g++
sudo apt-get install git automake dkms unzip wget python-sqlalchemy python-bson python-dpkt python-jinja2
sudo apt-get install python-magic python-mysqldb python-gridfs python-bottle python-pefile python-chardet
Installing Python 3
At this stage, running “python --version” should show that Python 2.7 is already on the system.
We now require the installation of Python 3 because mitmproxy, covered in later steps, requires Python 3.5 or above. Starting with version 1.0, released in 12/2016, mitmproxy no longer supports Python 2.
To begin with the installation, we will navigate to the “src” folder and perform the process in it.
cd /usr/src
sudo wget https://www.python.org/ftp/python/3.6.3/Python-3.6.3.tgz
sudo tar -xvf Python-3.6.3.tgz
cd Python-3.6.3/
To continue with the installation, we will proceed as the super user. To become super user, type “sudo su” and enter the root password.
./configure
sudo make && make install
python3 --version
Next, we need pillow installed on ubuntu as well. Before we proceed with a pip installation, we will upgrade pip.
pip install --upgrade pip
sudo -H pip install pillow
In order to use the Django-based Web Interface, MongoDB is required. We will change the directory to the downloads folder and begin the installation process in there.
sudo apt-get install mongodb
In order to use PostgreSQL as database, type the following:
sudo apt-get install postgresql libpq-dev
If you want to use KVM as machinery module you will have to install KVM:
sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils python-libvirt
In order to use MariaDB server:
sudo apt-get install mariadb-server
If you want to use XenServer you’ll have to install the XenAPI Python package:
sudo -H pip install XenAPI
Installing tcpdump
This module will be useful in analyzing the network activity performed. It is a sniffer which captures the network traffic and dumps it into a file.
sudo apt-get install tcpdump apparmor-utils
sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
(result: /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip)
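A quick way to confirm the result of the setcap step is to parse the getcap line shown above instead of eyeballing it. The following Python is an added example, not code from the article or from the cuckoo project; it assumes tcpdump lives at /usr/sbin/tcpdump as above, and only needs the getcap binary when check_host() is used.

```python
"""Check that tcpdump carries the file capabilities cuckoo's sniffer needs.

Added example, not from the article or from cuckoo. The parser accepts the
getcap output shown in the article ('path = caps+eip') as well as the newer
libcap form ('path caps=eip'); check_host() runs the real getcap when present.
"""
import re
import shutil
import subprocess

REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}
REQUIRED_FLAGS = {"e", "i", "p"}          # effective, inheritable, permitted
_CAPLINE = re.compile(
    r"^(?P<path>\S+)\s*=?\s*(?P<caps>[\w,]+)(?P<flags>[+=][eip]+)\s*$"
)


def parse_getcap(line):
    """Parse one getcap line into (path, set of caps, set of flags); None if blank/unparsable."""
    m = _CAPLINE.match(line.strip())
    if not m:
        return None
    caps = {c for c in m.group("caps").split(",") if c}
    flags = set(m.group("flags")[1:])       # drop the leading '+' or '='
    return m.group("path"), caps, flags


def tcpdump_caps_ok(getcap_line):
    """True only when both required caps are present with the e, i and p flags."""
    parsed = parse_getcap(getcap_line)
    if parsed is None:                      # getcap printed nothing: no caps set
        return False
    _, caps, flags = parsed
    return REQUIRED_CAPS <= caps and REQUIRED_FLAGS <= flags


def check_host(binary="/usr/sbin/tcpdump"):
    """Run getcap on this host. Returns True/False, or None if getcap is not installed."""
    getcap = shutil.which("getcap")
    if getcap is None:
        return None
    out = subprocess.run([getcap, binary], capture_output=True, text=True).stdout
    first = out.splitlines()[0] if out.strip() else ""
    return tcpdump_caps_ok(first)


if __name__ == "__main__":
    # The line the article shows as the expected result.
    print(tcpdump_caps_ok("/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip"))  # True
    print(check_host())
```

A False from check_host() after a reboot usually means the package was reinstalled or upgraded and the capabilities were lost, in which case the setcap command above simply has to be repeated.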
sudo -H pip install lxml
sudo -H pip install cybox==2.0.1.4
sudo -H pip install maec==4.0.1.0
sudo -H pip install "Django<2"
(The above command installs for python 2)
sudo -H pip install py3compat
sudo -H pip install pymongo
Now restart the machine and go back to the downloads folder to continue the process of setting up the sandbox.
sudo apt-get install ssdeep python-pyrex subversion libfuzzy-dev
Installing M2Crypto
M2Crypto is the most complete Python wrapper for OpenSSL featuring RSA, DSA, DH, EC, HMACs, message digests, symmetric ciphers (including AES); SSL functionality to implement clients and servers; HTTPS extensions to Python’s httplib, urllib, and xmlrpclib; unforgeable HMAC’ing AuthCookies for web session management; FTP/TLS client and server; S/MIME.
sudo apt-get install swig
sudo -H pip install m2crypto==0.24.0
Installing Volatility
Useful for the extraction of digital artifacts from volatile memory (RAM) samples. Run the following command:
git clone https://github.com/volatilityfoundation/volatility.git
Navigate into the volatility folder that was just cloned.
sudo python setup.py install
Distorm Installation
This module takes an instruction and returns a binary structure which describes it rather than static text, which is great for advanced binary code analysis.
Download the file from the link https://github.com/gdabah/distorm/releases
tar -zxvf distorm-3.3.4.tar.gz
Now navigate into the extracted folder.
sudo python setup.py install
sudo apt-get install libjansson-dev libmagic-dev
sudo apt-get install libtool-bin
Pycrypto Installation
Download from the following link https://pypi.python.org/pypi/pycrypto
Go back to the downloads folder and run
tar -zxvf pycrypto-2.6.1.tar.gz
python setup.py build
sudo python setup.py install
We will now proceed with the Ansible upgrade. Ansible works by configuring client machines from a computer with Ansible components installed and configured. It communicates over normal SSH channels to retrieve information from remote machines, issue commands, and copy files.
sudo -H pip install ansible --upgrade
Following the upgrade of Ansible we will also install Ipython-5, Jupyter, openpyxl, and ujson as well.
sudo -H pip install IPython==5.0
sudo -H pip install jupyter
sudo -H pip install openpyxl
sudo -H pip install ujson
Increase “Open Files Limit”
This is a precautionary step to avoid the following error:
“If you are getting error “Too many open files (24)” then your application/command/script is hitting max open file limit allowed by linux. You need to increase open file limit as below:”
sudo nano /etc/security/limits.conf
* hard nofile 500000
* soft nofile 500000
root hard nofile 500000
root soft nofile 500000
To exit from the nano editor, first save the file by pressing “ctrl+o” and Enter, then leave the editor with “ctrl+x”.
YARA installation
Download YARA from the link https://github.com/VirusTotal/yara/releases
sudo tar -zxvf yara-3.7.1.tar.gz
Navigate inside the Yara folder.
sudo ./bootstrap.sh
sudo ./configure --with-crypto --enable-magic --enable-cuckoo
sudo make
sudo make install
sudo -H pip install yara-python
Man in the middle proxy setup
An interactive console program that allows traffic flows to be intercepted, inspected, modified and replayed.
cd ..
sudo apt-get install libtiff5-dev libjpeg8-dev libwebp-dev
sudo apt-get install python3-pip
sudo pip3 install mitmproxy
mitmproxy
At this window press “ctrl+c” to exit; we will continue the installation of mitmproxy after we are done installing the cuckoo module.
Installing Cuckoo
Before we start the cuckoo installation, make sure that you are currently set as the super user. After that, proceed with the following commands.
virtualenv venv
sudo su
. venv/bin/activate
sudo pip install -U pip setuptools
sudo pip install -U cuckoo
Now, to start cuckoo for the first time, run the following command.
cuckoo -d
Note: At this point the command will check out the cuckoo working directory, which holds all the configuration files.
You will see output similar to the figure above. Note the locations that are checked out and printed on screen after you execute the command; we will be using these locations in the installation process from this point onwards.
We can now continue with the mitmproxy setup, as the file that was needed to complete the process is in the cuckoo directory.
Exit and open a new terminal window.
cd ~/.mitmproxy
sudo su
cp mitmproxy-ca-cert.p12 /root/.cuckoo/analyzer/windows/bin/cert.p12
The following line belongs in the [mitm] section of the auxiliary.conf file in the cuckoo working directory; it tells cuckoo where the mitmdump binary is:
mitmdump = /usr/local/bin/mitmdump
press “ctrl+c” to stop the proxy server.
Starting Cuckoo Web Server
Now go back to ubuntu terminal and navigate to the cuckoo folder by typing in
cd /root/.cuckoo
sudo service mongodb start
Make sure you are super user before you type in the above commands. The command above starts the MongoDB service. Since MongoDB reporting is still disabled in cuckoo, enable it in the “reporting.conf” file in the cuckoo directory. Start by typing:
nano /root/.cuckoo/conf/reporting.conf
In reporting.conf, change the value under the mongodb entry to “yes”.
cuckoo web runserver
This starts the web server and you should be able to see the cuckoo analysis web page in your browser. The address and port number are printed in the terminal you opened.
In this case type “http://127.0.0.1:8000/”
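Both the mongodb switch in reporting.conf and the mitm settings in auxiliary.conf are plain INI sections with an enabled key, so the edit can be scripted and then verified before the web server is started. The Python below is an added example, not part of the article or of cuckoo itself; the REPORTING_CONF text is a constructed excerpt, and the assumption that auxiliary.conf's [mitm] section uses the same enabled-key layout is mine, not the article's.

```python
"""Toggle and verify the 'enabled' flag of a section in a cuckoo .conf file.

Added example (not part of the article or of cuckoo). It edits line by line so
the comments in the real file survive, which ConfigParser.write() would throw
away, and then re-reads the result with configparser to verify the change.
"""
import configparser
import re

# Constructed excerpt in the style of $CWD/conf/reporting.conf; the real file
# is longer, but the [mongodb] block is the one this article switches on.
REPORTING_CONF = """\
[jsondump]
enabled = yes
indent = 4

[mongodb]
# Enable MongoDB storage for the Django web interface.
enabled = no
host = 127.0.0.1
port = 27017
db = cuckoo
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_OPTION = re.compile(r"^(?P<lead>\s*)(?P<key>\w+)(?P<sep>\s*=\s*)(?P<value>.*)$")


def set_option(conf_text, section, key, value):
    """Return conf_text with `key = value` applied inside [section].

    Comments, blank lines and ordering are preserved. Raises KeyError when the
    section/key pair is not present, so a typo in the section name cannot
    silently leave the option unchanged.
    """
    out, current, changed = [], None, False
    for line in conf_text.splitlines(keepends=True):
        sec = _SECTION.match(line)
        if sec:
            current = sec.group("name").strip()
            out.append(line)
            continue
        opt = _OPTION.match(line)
        if current == section and opt and opt.group("key") == key:
            line = f"{opt.group('lead')}{key}{opt.group('sep')}{value}\n"
            changed = True
        out.append(line)
    if not changed:
        raise KeyError(f"{key} not found in [{section}]")
    return "".join(out)


def enabled_sections(conf_text):
    """Names of the sections whose 'enabled' option parses as true."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return sorted(s for s in cp.sections()
                  if cp.has_option(s, "enabled") and cp.getboolean(s, "enabled"))


if __name__ == "__main__":
    fixed = set_option(REPORTING_CONF, "mongodb", "enabled", "yes")
    print("before:", enabled_sections(REPORTING_CONF))   # ['jsondump']
    print("after: ", enabled_sections(fixed))            # ['jsondump', 'mongodb']
```

To apply it to the real file, read /root/.cuckoo/conf/reporting.conf, pass its contents through set_option, write the result back, and call enabled_sections on the written text to confirm that mongodb is now listed before running cuckoo web runserver. The same two calls, with section "mitm", cover the auxiliary.conf step for the proxy.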
Setting up Cuckoo Agent transfer
Create a folder by the name agent in the downloads folder
Right click on it and select properties.
Click on local network share and then check the “share this folder” option.
It will ask you whether to install new services or not. Click on install service. Click install again and enter the root account password. Upon completion you will see something like this
This indicates that the folder is now shared. We can now use this folder to share documents back and forth with the virtual machine, which we will set up in the next article.
(Featured Image credits: A cuckoo-clock heart, by KaleidoMewStar, deviantart.com)
Hey, loved the article.
Would you agree that your command…
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdumpgetcap /usr/sbin/tcpdump
does not need…
/usr/sbin/tcpdumpgetcap
??:)
Hello,
Sorry for the late revert, but to answer your question:
Yes, you would require that. I don’t remember correctly but they had it mentioned in the previous versions of the cuckoo documentations. 🙂
It's two different commands:
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
In your YARA area, your command:
sudo ./configure –with-crypto –enable-magic –enable-cuckoo
Gives me the following at the end:
checking build system type… Invalid configuration `–enable-cuckoo’: machine `–enable’ not recognized
configure: error: /bin/bash build-aux/config.sub –enable-cuckoo failed
This makes sense to me because cuckoo does not exist yet.
What steps do I need to repeat after cuckoo is installed OR what alternate steps do I need to take and at what time should I take those steps????
THANKS!!!!!
If that is the case, you can try installing yara once you do “sudo pip install -U cuckoo”, and then run sudo ./configure –with-crypto –enable-magic –enable-cuckoo
that should take care of the cuckoo not found part as it seems magic was enabled except for cuckoo, so try that after the cuckoo installation but before you do run cuckoo