For the past couple of months I have been thinking about implementing an internal sandbox for my organization, because you cannot rely entirely on the community sandboxes available on the internet, such as Hybrid Analysis, Joe Sandbox, Reverse It, etc. They give you excellent results, but there is a real need for an internal sandbox when you do not want to expose internal organization documents or data: with a community sandbox the results are saved in the provider's database, and anyone with the analysis link can access the report. In our case, the results will be stored in our local database.
So in this post I will try to help those who are trying to do the same, who feel the same need, or who simply want to learn. The post will be divided into several parts covering installation and configuration so that everything works properly for you. While doing some research I found several posts about installing Cuckoo Sandbox, but I have not yet found a detailed post that covers everything from installation to configuration and troubleshooting of the Cuckoo Sandbox modules, so that you achieve the desired results without any issue. That is what I am trying to achieve here.
Disclaimer – Setting up a Cuckoo Sandbox is not an easy task, as it does not come as one complete package. It requires installing several modules separately to make it work properly. You might break something while installing, so follow the instructions carefully.
Cuckoo Sandbox works around the concept of having one or more vulnerable guest machines for analysis, running as virtual machines (VMs) on the host machine. So it requires both a host and a guest machine to work properly.
Specification of Host Machine:
- Ubuntu Desktop 18.04 (latest version recommended)
- 16Gb of RAM or higher
- 500 Gb hard disk (SSD for better processing)
- Virtual Box v5.2 (latest version)
- Cuckoo Sandbox v2.0.6 (latest version)
Specification of Guest Machine:
- Windows 7 Professional 64 bit
- An old vulnerable version of Microsoft Office, Adobe Reader, Flash Player, Java, etc..
We will get into more detail about this software when we install it in the vulnerable guest machine.
In this article, I will be focusing on getting the host machine ready so that Cuckoo Sandbox doesn’t give any issues in future installation.
Getting Your Host Machine Ready
After a fresh install of Ubuntu's latest version, it is recommended to perform a full update of your system and upgrade your Linux kernel (if a newer one is available).
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y
Cuckoo Sandbox requires several packages and libraries to be installed before installing it. Without these dependencies you will run into issues. Proceed with the steps below to install the
sudo apt-get install python python-pip python-dev libffi-dev libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev
sudo apt-get install python-virtualenv python-setuptools
sudo apt-get install libjpeg-dev zlib1g-dev
sudo apt-get install libxml2-dev libxslt1-dev libevent-dev libpcre3 libpcre3-dev libtool libpcre++-dev g++
sudo apt-get install git automake dkms unzip wget python-sqlalchemy python-bson python-dpkt python-jinja2
sudo apt-get install python-magic python-mysqldb python-gridfs python-bottle python-pefile python-chardet
Installing Python 3
Before we proceed with installing the newer version of Python, let's check which version is already installed. You can do that by typing “python --version” in a terminal. If version 2.7 is what you see, then proceed with the installation.
To begin the installation, navigate to the “src” folder and follow the below steps.
cd /usr/src
sudo wget https://www.python.org/ftp/python/3.7.1/Python-3.7.1.tgz
sudo tar -xvf Python-3.7.1.tgz
cd Python-3.7.1
Now, to proceed with the installation you have to be a superuser. Type “
./configure
sudo make && sudo make install
python3 --version (to check the Python 3 version)
Next, we need Pillow installed on our host machine. Before we do that, let's first upgrade pip, as we will be installing Pillow through pip.
pip install --upgrade pip
sudo -H pip install pillow
If you want to use
sudo apt-get install mongodb
By default Cuckoo uses an SQLite database for tracking analysis tasks. This works fine but is not as robust as a PostgreSQL database. The main drawback of SQLite is that when an analysis task is deleted its task ID is recycled, which leads to confusion when a new analysis task later appears under the same ID, possibly for a different malware sample.
To install PostgreSQL, type
sudo apt-get install postgresql libpq-dev
tcpdump is a common packet analyzer that captures the network packets transmitted or received over a network. It will help us analyze the network activity performed by the malware.
sudo apt-get install tcpdump apparmor-utils
sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
The result should be: /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
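To confirm that the capabilities actually took, here is an added helper that is not part of the original post: it accepts a getcap output line only when both capabilities tcpdump needs are present with all three flags, and it handles both the “path = caps+flags” layout shown above and the “path caps=flags” layout printed by newer libcap, so it can sit in a preflight script run before starting Cuckoo. The sample lines used to exercise it are constructed.

```shell
# Added example (not from the original post): accept a getcap output line only
# when both capabilities tcpdump needs are present with all three flags. Handles
# the "path = caps+flags" layout shown above and the "path caps=flags" layout
# printed by newer libcap; suitable for a preflight check before starting Cuckoo.

# tcpdump_caps_ok LINE: return 0 if LINE grants cap_net_raw and cap_net_admin with
# the effective (e), inheritable (i) and permitted (p) flags all set, else 1.
tcpdump_caps_ok() {
    line="$1"
    # The capability list is the last whitespace-separated field.
    caps="${line##* }"
    # Flags follow the last '+' (old layout) or '=' (new layout).
    flags=$(printf '%s' "$caps" | sed 's/.*[+=]//')
    # Everything before that separator is the comma-separated name list.
    names=$(printf '%s' "$caps" | sed 's/[+=][^+=]*$//')
    for need in cap_net_raw cap_net_admin; do
        case ",$names," in
            *,"$need",*) ;;
            *) return 1 ;;
        esac
    done
    for flag in e i p; do
        case "$flags" in
            *"$flag"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```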
sudo -H pip install lxml
sudo -H pip install cybox==126.96.36.199
sudo -H pip install maec==188.8.131.52
sudo -H pip install "Django<2"
Now restart your system so that all the new installation settings can be applied and navigate to the Downloads folder again as we will be downloading more software.
sudo apt-get install ssdeep python-pyrex subversion libfuzzy-dev
M2Crypto is a complete Python wrapper for OpenSSL that provides RSA, DSA, DH, EC, HMACs, and more. We will install M2Crypto to add cryptographic support to our Python applications.
Currently, the M2Crypto library can only be built when SWIG is installed. To install SWIG, type:
sudo apt-get install swig
If SWIG is already installed on your system, as it was in my case, we can go ahead and install M2Crypto. Here I have installed the latest version, i.e. 0.31.0.
sudo -H pip install m2crypto==0.31.0
Now we will be installing Volatility as we want our Cuckoo Sandbox to also perform forensic analysis on memory dumps of the given sample. It can automatically provide additional visibility into deep modifications in the operating system as well as detect the presence of rootkit technology that escaped the monitoring domain of Cuckoo’s analyzer.
git clone https://github.com/volatilityfoundation/volatility.git
Navigate to the folder that you have just cloned and run command:
sudo python setup.py install
diStorm3 is a decomposer, which means it takes an instruction and returns a binary structure which describes it rather than static text, which is great for advanced binary code analysis.
Download the latest version of distorm from the given link:
tar -zxvf distorm-3.4.1.tar.gz
Now navigate to the extracted folder and run the commands below:
sudo python setup.py install
sudo apt-get install libjansson-dev libmagic-dev
sudo apt-get install libtool-bin
PyCrypto stands for Python Cryptography Toolkit and is a collection of secure hash functions and various encryption algorithms.
sudo -H pip install pycrypto
sudo -H pip install ansible --upgrade
sudo -H pip install IPython==5.0
sudo -H pip install jupyter
sudo -H pip install openpyxl
sudo -H pip install ujson
YARA is a tool that helps malware researchers identify and classify malware samples. With YARA we can create descriptions of malware families based on textual or binary patterns.
Now with this tool, we will be able to identify the type of malware when our sample is analyzed.
Download the latest version of YARA from the link: https://github.com/VirusTotal/yara/releases
sudo tar -zxvf yara-3.8.1.tar.gz
Navigate inside the YARA folder and type the commands below:
sudo ./configure --with-crypto --enable-magic --enable-cuckoo
sudo make install
sudo -H pip install yara-python
Installing FTP Server
Now we will install vsftpd and configure it as an anonymous FTP server. This is the simplest way to share files between the virtual machines and your host machine.
First, we have to create a publicly accessible folder. Follow the commands below:
$ sudo mkdir -p /home/<replace_your_username>/vmshared/pub
$ sudo chown -R cuckoo:cuckoo /home/<replace_your_username>
$ sudo chmod -R ug=rwX,o=rX /home/<replace_your_username>/vmshared/
$ sudo chmod -R ugo=rwX /home/<replace_your_username>/vmshared/pub
Then install vsftpd:
$ sudo apt-get install vsftpd
Now after installing, edit the vsftpd.conf file:
$ sudo nano /etc/vsftpd.conf
Change listen to YES
Change listen_ipv6 to NO
Change anonymous_enable to YES
Now, uncomment the following lines:
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
And add the following lines at the bottom:
listen_address=192.168.100.1
listen_port=2121
anon_root=/home/cuckoo/vmshared
anon_umask=000
chown_upload_mode=0666
pasv_enable=Yes
pasv_min_port=10090
pasv_max_port=10100
Restart the service:
$ sudo service vsftpd restart
Now the VMs can read /home/samy/vmshared and can write to /home/samy/vmshared/pub.
We can now access the FTP server from the Windows VM by typing ftp://192.168.56.1:2121 into any Explorer window.
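The edits above are easy to get wrong by hand, and the same file must be edited again whenever the guest network changes, so here is an added helper that is not part of the original post: it applies every change from this section to a vsftpd.conf given as a path, replaces commented-out keys in place instead of appending duplicates, and reads values back for verification. It is demonstrated on a constructed stand-in for the stock file rather than on /etc/vsftpd.conf.

```shell
# Added example (not from the original post): apply the vsftpd.conf edits above
# with sed so they can be re-run safely, then read values back for verification.

# set_conf_key FILE KEY VALUE: replace an existing "KEY=..." line, commented out
# or not, with KEY=VALUE; append the line when the key is absent.
set_conf_key() {
    f="$1" k="$2" v="$3"
    if grep -q "^#*[[:space:]]*$k=" "$f"; then
        sed -i "s|^#*[[:space:]]*$k=.*|$k=$v|" "$f"
    else
        printf '%s=%s\n' "$k" "$v" >> "$f"
    fi
}

# get_conf_key FILE KEY: print the active (uncommented) value of KEY, if any.
get_conf_key() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# configure_vsftpd FILE: every change from this section in one idempotent pass.
configure_vsftpd() {
    f="$1"
    set_conf_key "$f" listen YES
    set_conf_key "$f" listen_ipv6 NO
    set_conf_key "$f" anonymous_enable YES
    set_conf_key "$f" write_enable YES
    set_conf_key "$f" anon_upload_enable YES
    set_conf_key "$f" anon_mkdir_write_enable YES
    # Bind only to the host-only address so the guests, not the LAN, reach it.
    set_conf_key "$f" listen_address 192.168.100.1
    set_conf_key "$f" listen_port 2121
    set_conf_key "$f" anon_root /home/cuckoo/vmshared
    set_conf_key "$f" anon_umask 000
    set_conf_key "$f" chown_upload_mode 0666
    set_conf_key "$f" pasv_enable YES
    set_conf_key "$f" pasv_min_port 10090
    set_conf_key "$f" pasv_max_port 10100
}

# sample_vsftpd_conf: write a constructed stand-in for the stock file, print path.
sample_vsftpd_conf() {
    f=$(mktemp)
    printf '%s\n' 'listen=NO' 'listen_ipv6=YES' 'anonymous_enable=NO' \
        'local_enable=YES' '#write_enable=YES' '#anon_upload_enable=YES' \
        '#anon_mkdir_write_enable=YES' > "$f"
    printf '%s\n' "$f"
}
```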
Before installing the Cuckoo module, make sure you are currently set as a superuser. Once done, proceed with the commands below:
virtualenv venv
sudo su
. venv/bin/activate
sudo pip install -U pip setuptools
sudo pip install -U cuckoo
After Cuckoo has installed successfully, we will first check that it is installed properly by starting Cuckoo with the following command
If you see the same output on your system as above, then Cuckoo has been installed successfully.
Now copy the Cuckoo agent to the vmshared directory which we created earlier.
$ cp /home/cuckoo/.cuckoo/agent/agent.py /home/<replace_your_username>/vmshared/agent.pyw
Next is to start the Cuckoo Web Server. But before that make sure you are still set as a superuser and type the commands provided below.
cd /root/.cuckoo
sudo service mongodb start
The above command starts the MongoDB service, but it is currently disabled in Cuckoo. So we have to enable it in one of Cuckoo's configuration files, reporting.conf. Proceed by typing:
Under [mongodb], change the value of enabled to yes.
Save the file by hitting “ctrl+o” and enter and exit out of the editor by pressing “ctrl+x“.
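reporting.conf carries an enabled key under every reporting module, so a blind search-and-replace for “enabled = no” would switch on the wrong module. Here is an added helper that is not part of the original post: awk functions that change a key only inside the named section, exercised on a constructed, abbreviated stand-in for Cuckoo's reporting.conf (the section names and default values in the sample are assumptions for the demonstration).

```shell
# Added example (not from the original post): section-aware edit of an INI-style
# Cuckoo config, so that only [mongodb]'s "enabled" is changed.

# set_ini_value FILE SECTION KEY VALUE: rewrite "KEY = VALUE" inside [SECTION] only.
set_ini_value() {
    f="$1"
    tmp=$(mktemp)
    awk -v sec="$2" -v k="$3" -v v="$4" '
        /^\[/ { in_sec = ($0 == ("[" sec "]")) }
        in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; next }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# get_ini_value FILE SECTION KEY: print the value of KEY inside [SECTION].
get_ini_value() {
    awk -v sec="$2" -v k="$3" '
        /^\[/ { in_sec = ($0 == ("[" sec "]")) }
        in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# sample_reporting_conf: write the constructed sample and print its path.
sample_reporting_conf() {
    f=$(mktemp)
    printf '%s\n' '[jsondump]' 'enabled = yes' 'indent = 4' '' \
        '[mongodb]' 'enabled = no' 'host = 127.0.0.1' 'port = 27017' '' \
        '[elasticsearch]' 'enabled = no' > "$f"
    printf '%s\n' "$f"
}
```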
Finally, we will start the cuckoo web server to check whether everything is working fine. Type the command:
cuckoo web runserver
If everything goes fine, you will see the Cuckoo Sandbox web page in your browser. The address of your Cuckoo instance, with the port number, is printed in your terminal.
In my case, it was “http://127.0.0.1:8000/”.
In the next few posts we will set up the guest machine(s) for Cuckoo Sandbox, along with some additional steps to harden the VM so that malware cannot bypass it.