This post is a continuation to the earlier part – How To Install and Get Cuckoo Sandbox Working Perfectly – Part 1 (Setting Up Host Machine).
In the earlier part of the post, we had set up the host machine. I highly recommend you to go through the first part before proceeding to the second one.
In this part, we will be focusing on getting our guest machine ready for our analysis purposes.
Specification of Guest Machine For Cuckoo:
- Windows 7 Professional 64 bit
- An old vulnerable version of Microsoft Office, Adobe Reader, Flash Player, Java, etc..
Will get into more details about the software when we will install these in the vulnerable machine. In this article, I will be focusing on getting the host machine ready so that Cuckoo Sandbox doesn’t give any issues in a future installation.
Getting Virtual Machine Ready
We will begin with the installation of a virtualization software (VirtualBox) where we will install and configure guest machine for Cuckoo so that we can analyze malware here.
echo deb https://download.virtualbox.org/virtualbox/debian <mydist> contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
sudo apt-get update
sudo apt-get install virtualbox-6.0
For the above command, you have to change the <mydist>. Since, I am using Ubuntu 18.04, the Codename for that version is “bionic“. Hence, I will be replacing <mydist> to bionic in the above command.
Here’s how you can check yours with the command below
lsb_release -a
And in case you are using a different version of Linux, you have to change the distribution name according to that.
For Ubuntu 18.10 ("cosmic")
deb https://download.virtualbox.org/virtualbox/debian cosmic contrib
For Ubuntu 18.04 ("bionic")
deb https://download.virtualbox.org/virtualbox/debian bionic contrib
For Ubuntu 17.04 ("Zesty")
deb https://download.virtualbox.org/virtualbox/debian zesty contrib
For Ubuntu 16.04 ("Xenial")
deb https://download.virtualbox.org/virtualbox/debian xenial contrib
For Ubuntu 14.04 ("Trusty")
deb https://download.virtualbox.org/virtualbox/debian trusty contrib
For Ubuntu 12.04 LTS ("Precise Pangolin")
deb https://download.virtualbox.org/virtualbox/debian precise contrib
Once the installation is complete you can confirm it by switching yourself to superuser and typing virtualbox in terminal. It will then open up a virtualbox window.
Creation of the Guest Machine For Cuckoo
For the creation, we will be installing a Windows 7 64 bit version on VirtualBox. I am assuming that you are already having a copy of Windows with you. If not then the easiest way is to get a trial copy from Microsoft.
Here we will be assigning 4 GB of RAM and around 50 GB hard disk space. However, keep a note of what name you give to your machine as we will be using it during the configuration of our Cuckoo Sandbox. In this case, I have given the name of VM as “sandbox-win7-01“.
While installing choose a custom Windows install and click Next.
After the Installation of Window, create a username and computer name that is fictitious and leave the password field blank.
When you see the below screen that says “Help protect your computer and improve Windows automatically“, choose the option “Ask me later” as we intentionally want to keep our machine vulnerable.
After full installation, you will see a window like below.
NOTE: Do not install VirtualBox Guest Additions as most of the malware has a capability to detect whether they are being run in a Sandbox machine and terminate itself from further working. For this, we will be setting up an FTP server in order to share the samples from host to guest machine.
Now, take a snapshot of your Windows machine and save it as something reasonable like “clean-install“.
Configuring the Guest Machine
Power on your virtual machine and when you are at your desktop:-
- Set theme to Classic
- Set the screen resolution to 1024 x 768.
By this the VM will consume less resources and it will be easier to work.
Network Configuration
We need to configure the host machine and the virtual machine in such a way that both communicates properly with each other.
sudo vboxmanage hostonlyif create
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
sudo vboxmanage modifyvm windows7 --hostonlyadapter1 vboxnet0
sudo vboxmanage modifyvm windows7 --nic1 hostonly
Do an “ifconfig” on your terminal and observe the results of it. You should see the “vboxnet0” adapter would appear along with the other networks.
Next, proceed with the steps of setting up a static IP in your Windows virtual machine.
- Open the Network and Sharing Center, located in the control panel.
- Click on the Local Area Connection
- Click Proprieties
- Double click on the IPv4 protocol
Configure:-
- IP Address: 192.168.56.101
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.56.1
- Primary DNS: 1.1.1.1
- Secondary DNS: 1.0.0.1
On the Ubuntu host machine, open up another terminal, switch to superuser and type in the following commands but make sure to change the adapter name to what you see in your machine. In my case, the wireless adapter was named as “wlp3s0“. And I’ll be using the same in below code.
iptables -A FORWARD -o wlp3s0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Press OK on the Windows virtual machine for the settings. If the connection was successful, you should see the connectivity dialogue in your screen. Then click Cancel.
To further check whether the connectivity you can also ping 192.168.56.101 (VM’s IP) from your host machine. If you are getting the reply then the connection is established otherwise carefully follow the steps again.
Now, to make sure the rules remain consistent in the system even after a system reboot, we will be installing the iptables-persistent.
sudo apt-get install iptables-persistent
Next, make sure the Windows Updates are completely disabled. Grab a copy of Windows Office and activate it. And remember to disable all the updates when Office installation prompts you about it.
Now, at this point take a snapshot of your VM. Snapshots are a good way to revert back to the image you created in case you mess your VM. Take a snapshot by navigating to the tab Machine -> Take Snapshot or hit Host+T (where Host is configured to be set as Right Ctrl button in VirtualBox) and name it as something reasonable like “Initial Clean Install“.
Now start the VM and use the registry file in this zip file to disable the security features and noisy network services that will interfere with the analysis. Run the registry files for your Windows and Office version and then restart your VM.
In order to work with Cuckoo properly, the sandbox VM will need the following installed on it.
For convenience, all the setup files that are listed below are bundled in one zip file, organized by guest OS version, and common files required on all guests.
- Python 2.7.x 32-bit (Even if it is 64-bit OS version)
- Pillow 32-bit (Even if it is 64-bit OS version)
Install all of the latest supported Microsoft Visual C++ Redistributables (both x86 and x64 if your using a 64-bit OS)
To analyze the files that use a newer .NET framework, install the Microsoft .NET framework 4.5.1.
To analyze the files other than PE (Portable Executable), following software also need to be installed (older versions are preferred for exploitability and corporate realism):-
- Adobe Flash Player (An old version)
- Adobe Reader (An old version)
- Java Runtime Environment (An old version e.g. v7 u17)
As you install each of these programs. change their configuration to disable update checks which can create noisy PCAPs.
Next, copy the agent.pyw script from the shared folder to the Windows Startup folder, which can be found by navigating to the Start Menu, under All programs. Rename it to something else other than an agent, so that the malware will less likely to notice and find it.
Click Start and type msconfig, and press enter. Disable all the items in the Startup tab, except your agent file. In the Services tab, uncheck “Hide all Microsoft services” and disable all of the 3rd party update services.
Restart the system when it prompts you to do so.
You should now see the “pythonw.exe” in the list of processes in the task manager.
Now, shut down your VM.
Cuckoo Configuration
In this stage we will be configuring the settings for our Cuckoo Sandbox machine. These configuration files are located in “./cuckoo/conf” folder. Follow below the changes that needs to be performed. Changes are highlighted in each screenshot.
cuckoo.conf
nano /root/.cuckoo/conf/cuckoo.conf
virtualbox.conf
nano /root/.cuckoo/conf/virtualbox.conf
memory.conf
nano /root/.cuckoo/conf/memory.conf
processing.conf
nano /root/.cuckoo/conf/processing.conf
reporting.conf
nano /root/.cuckoo/conf/reporting.conf
Starting Cuckoo Services
Now once everything is done, we have to start several services so that our Sandbox machine works perfectly.
Before every other command you type make sure you make yourself as a root. Follow the command below:-
sudo su
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
cuckoo
Once, you are done with the above steps you will see a message in the terminal stating “INFO: Waiting for analysis tasks.“
NOTE:- Don’t close the terminal otherwise it will hamper the functioning of the Sandbox machine.
Next, open up another terminal and proceed with the commands mentioned below
sudo su
cd /root/.cuckoo
sudo service mongodb start
cuckoo webrunserver 0.0.0.0:8080
Now navigate to the URL “http://0.0.0.0:8080” in your browser and can start using sandbox machine for analysis.
References:
Conclusion
Installing and Configuring a guest machine for Cuckoo Sandbox takes a lot of steps to perform and due to this it sometimes become an intimidating task. Also, there are high chances that one can run into an error if the mentioned steps are not performed in a right manner.
Hence, I have tried explaining everything single step right from installing a virtualization software to configuring a guest machine in a very simple manner. Hope this will help a lot of security folks who run into an error or issues while configuring a guest machine for Cuckoo.
Let me know what you think about this guide? Is it helpful?
And if you have anything to add or discuss on this topic, let me know in the comment below.
19 comments
Sir could you tell me how to configure the IP in the VM. Should I take into account the IP of the host system. Or can I give the IP given by you ie 192.168.56.0 and 192.168.56.101. Have you configured it after checking the host IP address.
Yah configure the same IP that I have mentioned. That would do.
Sir you have not mentioned anything about transferring the cuckoo agent to the Virtual machine. Is that optional?
Hey Manu, No, its not optional. Its very much required. I guess I forgot to add those steps in the previous post. Thanks for letting me know. I will be adding it in few days as the weekend is here and that configuration is in my office machine.
Hi Manu, Kindly follow the steps for installing FTP server in 1st part of the post and follow along. Also, I have added a step on how you can add a cuckoo agent to the VM in the 2nd part of the post. For, any issue kindly let me know.
Sir is the ftp server necessary for cuckoo to work. Or is it configured just to tranfer the agent to the virtual machine. I had uploaded agent.py onto google drive and copied it onto the virtualmachine.
Yes, this is required as we don’t want to install any VMware Tools or VBox GuestAdditions and we will be transferring other files with the help of FTP. Nowadays, malware have a capability to find whether they are being run inside the sandbox. And this is one of the step to fool malware by not installing any VMware Tools or VBox Guest additions as malware can list out the process related to these and can terminate its functioning. You can also do that by uploading to the Google drive but main motive is to avoid installing VMware Tools or VBox Guest Additions.
Sir what if I dont have a wireless adapter. i am setting cuckoo up on my PC. What should we give here
iptables -A FORWARD -o wlp3s0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack –ctstate NEW -j ACCEPT
Instead of wlp3s0
You can achieve the same with ethernet adapter. Just change “wlp3s0” with your ethernet adapter. Let me know if that worked.
https://uploads.disquscdn.com/images/41fd1d90d9724c6d6b4dd3898cb14c7dba1ab6cf09e00ba75da8b41c9e704223.png
Sir i get this no attribute errno error. What is the issue? Shoud I configure any result server in the configuration files?
Hi Satya,
Please do you have configuration steps for VM workstation rather than vbox?
Hi David,
I never tried with VMware as VirtualBox was working perfectly. But I believe it would be the same steps only as the steps performed for VirtualBox. You can give it a try. However, In the future posts I might write up on this and upgrading it to the latest version as well.
Thanks Satya
Every time I run the command below, I lose network connectivity to my Host (Ubuntu) but my guess (Windows7) still can connect to the internet. Is it by design or I’m I doing something wrong? Please advise.
iptables -A FORWARD -o wlp3s0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack –ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Hi David, Did you checked the adapter name in your machine? I think it is because the wrong adapter name or the misconfigured IP address. Kindly double check the adapter name and IP address once.
Hi Satya,
Yes, I configured the right network adapter. In my case it is ens160 (Ethernet). Please see attached.
I lose network connectivity to the Host and I’m unable to proceed in installing iptables-persistent. I’m using Ubuntu Desktop 18.04. Thanks for your help.
https://uploads.disquscdn.com/images/74c77292c6cbdd18fe1bdd0414328472a1789b7e357303a0fb2f558baa67bc3f.jpg
Hi David,
This means your firewall (iptables) rules are not configured properly. Try clearing the iptables rules which you had set earlier. With this you would be able to get back your connectivity. You can follow this link hxxps://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules on how to unset these rules.
Secondly, note down the IP address of your VM and check whether it is in a /24 subnet and also note the outgoing interface connected to the Internet. And change the network interface and IP address accordingly in the below commands.
##### Global Routing Rules #####
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE
# Default drop.
$ sudo iptables -P FORWARD DROP
# Existing connections.
$ sudo iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
# Accept connections from vboxnet to the whole internet.
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
# Internal traffic.
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
# Log stuff that reaches this point (could be noisy).
$ sudo iptables -A FORWARD -j LOG
##### Packet Forwarding #####
$ echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
$ sudo sysctl -w net.ipv4.ip_forward=1
Let me know whether this worked or not?
chown: invalid user: ‘cuckoo:cuckoo’ getting this error. Any idea what I should do? Any help would be appreciated
Hi @francisuzo:disqus
Kindly follow this section Create user “Cuckoo”.
It seems this got missed somehow due to post update.