This post is a continuation to the earlier part – How To Install and Get Cuckoo Sandbox Working Perfectly – Part 1 (Setting Up Host Machine).
In the earlier part of the post, we had set up the host machine. I highly recommend you to go through the first part before proceeding to the second one. In this part, we will be focusing on getting our guest machine ready for our analysis purposes.
Getting Virtual Machine Ready
We will begin with the installation of Virtual Box where we will be installing and setting up our machines for analysis.
echo deb https://download.virtualbox.org/virtualbox/debian <mydist> contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add - sudo apt-get update sudo apt-get install virtualbox-6.0
For the above command, you have to change the <mydist>. Since I am using Ubuntu 18.04, the Codename for that version is “bionic“. Hence, I will be replacing <mydist> to bionic in the above command.
Here’s how you can check yours with the command below
And in case you are using a different version of Linux, you have to change the distribution name according to that.
For Ubuntu 18.10 ("cosmic") deb https://download.virtualbox.org/virtualbox/debian cosmic contrib For Ubuntu 18.04 ("bionic") deb https://download.virtualbox.org/virtualbox/debian bionic contrib For Ubuntu 17.04 ("Zesty") deb https://download.virtualbox.org/virtualbox/debian zesty contrib For Ubuntu 16.04 ("Xenial") deb https://download.virtualbox.org/virtualbox/debian xenial contrib For Ubuntu 14.04 ("Trusty") deb https://download.virtualbox.org/virtualbox/debian trusty contrib For Ubuntu 12.04 LTS ("Precise Pangolin") deb https://download.virtualbox.org/virtualbox/debian precise contrib
Once the installation is complete you can confirm it by switching yourself to superuser and typing virtualbox in terminal. It will then open up a virtualbox window.
Creation of the Virtual Machine
For the creation, we will be installing a Windows 7 64 bit version on Virtual Box. I am assuming that you are already having a copy of Windows with you. If not then the easiest way is to get a trial copy from Microsoft.
Here we will be assigning 4 GB of RAM and around 50 GB hard disk space. However, keep a note of what name you give to your machine as we will be using it during the configuration of our Cuckoo Sandbox. In this case, I have given the name of VM as “sandbox-win7-01“.
While installing choose a custom Windows install and click Next.
After the Installation of Window, create a username and computer name that is fictitious and leave the password field blank.
When you see the below screen that says “Help protect your computer and improve Windows automatically“, choose the option “Ask me later” as we intentionally want to keep our machine vulnerable.
After full installation, you will see a window like below.
NOTE:- Do not install Virtual Box Guest Additions as most of the malware has a capability to detect whether they are being run in a Sandbox machine and terminate itself from further working. For this, we will be setting up an FTP server in order to share the samples from host to guest machine.
Now take a snapshot of your Windows machine and save it as something reasonable like “clean-install“.
Configuring the VM
Power on your virtual machine and when you are at your desktop:-
- Set theme to Classic
- Set the screen resolution to 1024 x 768.
By this the VM will consume less resources and it will be easier to work.
We need to configure the host machine and the virtual machine in such a way that both communicates properly with each other.
sudo vboxmanage hostonlyif create sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 sudo vboxmanage modifyvm windows7 --hostonlyadapter1 vboxnet0 sudo vboxmanage modifyvm windows7 --nic1 hostonly
Do an “ifconfig” on your terminal and observe the results of it. You should see the “vboxnet0” adapter would appear along with the other networks.
Next, proceed with the steps of setting up a static IP in your Windows virtual machine.
- Open the Network and Sharing Center, located in the control panel.
- Click on the Local Area Connection
- Click Proprieties
- Double click on the IPv4 protocol
- IP Address: 192.168.56.101
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.56.1
- Primary DNS: 22.214.171.124
- Secondary DNS: 126.96.36.199
On the Ubuntu host machine, open up another terminal, switch to superuser and type in the following commands but make sure to change the adapter name to what you see in your machine. In my case, the wireless adapter was named as “wlp3s0“. And I’ll be using the same in below code.
iptables -A FORWARD -o wlp3s0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A POSTROUTING -t nat -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward
Press OK on the Windows virtual machine for the settings. If the connection was successful, you should see the connectivity dialogue in your screen. Then click Cancel.
To further check whether the connectivity you can also ping 192.168.56.101 (VM’s IP) from your host machine. If you are getting the reply then the connection is established otherwise carefully follow the steps again.
Now, to make sure the rules remain consistent in the system even after a system reboot, we will be installing the iptables-persistent.
sudo apt-get install iptables-persistent
Next, make sure the Windows Updates are completely disabled. Grab a copy of Windows Office and activate it. And remember to disable all the updates when Office installation prompts you about it.
Now, at this point take a snapshot of your VM. Snapshots are a good way to revert back to the image you created in case you mess your VM. Take a snapshot by navigating to the tab Machine -> Take Snapshot or hit Host+T (where Host is configured to be set as Right Ctrl button in VirtualBox) and name it as something reasonable like “Initial Clean Install“.
Now start the VM and use the registry file in this zip file to disable the security features and noisy network services that will interfere with the analysis. Run the registry files for your Windows and Office version and then restart your VM.
In order to work with Cuckoo properly, the sandbox VM will need the following installed on it.
For convenience, all the setup files that are listed below are bundled in one zip file, organized by guest OS version, and common files required on all guests.
- Python 2.7.x 32-bit (Even if it is 64-bit OS version)
- Pillow 32-bit (Even if it is 64-bit OS version)
Install all of the latest supported Microsoft Visual C++ Redistributables (both x86 and x64 if your using a 64-bit OS)
To analyze the files that use a newer .NET framework, install the Microsoft .NET framework 4.5.1.
To analyze the files other than PE (Portable Executable), following software also need to be installed (older versions are preferred for exploitability and corporate realism):-
- Adobe Flash Player (An old version)
- Adobe Reader (An old version)
- Java Runtime Environment (An old version e.g. v7 u17)
As you install each of these programs. change their configuration to disable update checks which can create noisy PCAPs.
Next, copy the agent.pyw script from the shared folder to the Windows Startup folder, which can be found by navigating to the Start Menu, under All programs. Rename it to something else other than an agent, so that the malware will less likely to notice and find it.
Click Start and type msconfig, and press enter. Disable all the items in the Startup tab, except your agent file. In the Services tab, uncheck “Hide all Microsoft services” and disable all of the 3rd party update services.
Restart the system when it prompts you to do so.
You should now see the “pythonw.exe” in the list of processes in the task manager.
Now, shut down your VM.
In this stage we will be configuring the settings for our Sandbox machine. These configuration files are located in “./cuckoo/conf” folder. Follow below the changes that needs to be performed. Changes are highlighted in each screenshot.
Starting Up Services
Now once everything is done, we have to start several services so that our Sandbox machine works perfectly.
Before every other command you type make sure you make yourself as a root. Follow the command below:-
sudo su VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0 cuckoo
Once, you are done with the above steps you will see a message in the terminal stating “INFO: Waiting for analysis tasks.“
NOTE:- Don’t close the terminal otherwise it will hamper the functioning of the Sandbox machine.
Next, open up another terminal and proceed with the commands mentioned below
sudo su cd /root/.cuckoo sudo service mongodb start cuckoo webrunserver 0.0.0.0:8080
Now navigate to the URL “http://0.0.0.0:8080” in your browser and can start using sandbox machine for analysis.
In future posts, we will be writing an article on VM hardening and will try to explain some VM detection countermeasures.