This post is a continuation to the earlier part – How To Install and Get Cuckoo Sandbox Working Perfectly – Part 1 (Setting Up Host Machine).
In the earlier part of the post, we had set up the host machine. I highly recommend you to go through the first part before proceeding to the second one.
In this part, we will be focusing on getting our guest machine ready for our analysis purposes.
Specification of Guest Machine For Cuckoo:
- Windows 7 Professional 64 bit
- An old vulnerable version of Microsoft Office, Adobe Reader, Flash Player, Java, etc..
Will get into more details about the software when we will install these in the vulnerable machine. In this article, I will be focusing on getting the host machine ready so that Cuckoo Sandbox doesn’t give any issues in a future installation.
Getting Virtual Machine Ready
We will begin with the installation of a virtualization software (VirtualBox) where we will install and configure guest machine for Cuckoo so that we can analyze malware here.
echo deb https://download.virtualbox.org/virtualbox/debian <mydist> contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
sudo apt-get update
sudo apt-get install virtualbox-6.0
For the above command, you have to change the <mydist>. Since, I am using Ubuntu 18.04, the Codename for that version is “bionic“. Hence, I will be replacing <mydist> to bionic in the above command.
Here’s how you can check yours with the command below
And in case you are using a different version of Linux, you have to change the distribution name according to that.
For Ubuntu 18.10 ("cosmic")
deb https://download.virtualbox.org/virtualbox/debian cosmic contrib
For Ubuntu 18.04 ("bionic")
deb https://download.virtualbox.org/virtualbox/debian bionic contrib
For Ubuntu 17.04 ("Zesty")
deb https://download.virtualbox.org/virtualbox/debian zesty contrib
For Ubuntu 16.04 ("Xenial")
deb https://download.virtualbox.org/virtualbox/debian xenial contrib
For Ubuntu 14.04 ("Trusty")
deb https://download.virtualbox.org/virtualbox/debian trusty contrib
For Ubuntu 12.04 LTS ("Precise Pangolin")
deb https://download.virtualbox.org/virtualbox/debian precise contrib
Once the installation is complete you can confirm it by switching yourself to superuser and typing virtualbox in terminal. It will then open up a virtualbox window.
Creation of the Guest Machine For Cuckoo
For the creation, we will be installing a Windows 7 64 bit version on VirtualBox. I am assuming that you are already having a copy of Windows with you. If not then the easiest way is to get a trial copy from Microsoft.
Here we will be assigning 4 GB of RAM and around 50 GB hard disk space. However, keep a note of what name you give to your machine as we will be using it during the configuration of our Cuckoo Sandbox. In this case, I have given the name of VM as “sandbox-win7-01“.
While installing choose a custom Windows install and click Next.
After the Installation of Window, create a username and computer name that is fictitious and leave the password field blank.
When you see the below screen that says “Help protect your computer and improve Windows automatically“, choose the option “Ask me later” as we intentionally want to keep our machine vulnerable.
After full installation, you will see a window like below.
NOTE: Do not install VirtualBox Guest Additions as most of the malware has a capability to detect whether they are being run in a Sandbox machine and terminate itself from further working. For this, we will be setting up an FTP server in order to share the samples from host to guest machine.
Now, take a snapshot of your Windows machine and save it as something reasonable like “clean-install“.
Configuring the Guest Machine
Power on your virtual machine and when you are at your desktop:-
- Set theme to Classic
- Set the screen resolution to 1024 x 768.
By this the VM will consume less resources and it will be easier to work.
We need to configure the host machine and the virtual machine in such a way that both communicates properly with each other.
sudo vboxmanage hostonlyif create
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
sudo vboxmanage modifyvm windows7 --hostonlyadapter1 vboxnet0
sudo vboxmanage modifyvm windows7 --nic1 hostonly
Do an “ifconfig” on your terminal and observe the results of it. You should see the “vboxnet0” adapter would appear along with the other networks.
Next, proceed with the steps of setting up a static IP in your Windows virtual machine.
- Open the Network and Sharing Center, located in the control panel.
- Click on the Local Area Connection
- Click Proprieties
- Double click on the IPv4 protocol
- IP Address: 192.168.56.101
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.56.1
- Primary DNS: 126.96.36.199
- Secondary DNS: 188.8.131.52
On the Ubuntu host machine, open up another terminal, switch to superuser and type in the following commands but make sure to change the adapter name to what you see in your machine. In my case, the wireless adapter was named as “wlp3s0“. And I’ll be using the same in below code.
iptables -A FORWARD -o wlp3s0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Press OK on the Windows virtual machine for the settings. If the connection was successful, you should see the connectivity dialogue in your screen. Then click Cancel.
To further check whether the connectivity you can also ping 192.168.56.101 (VM’s IP) from your host machine. If you are getting the reply then the connection is established otherwise carefully follow the steps again.
Now, to make sure the rules remain consistent in the system even after a system reboot, we will be installing the iptables-persistent.
sudo apt-get install iptables-persistent
Next, make sure the Windows Updates are completely disabled. Grab a copy of Windows Office and activate it. And remember to disable all the updates when Office installation prompts you about it.
Now, at this point take a snapshot of your VM. Snapshots are a good way to revert back to the image you created in case you mess your VM. Take a snapshot by navigating to the tab Machine -> Take Snapshot or hit Host+T (where Host is configured to be set as Right Ctrl button in VirtualBox) and name it as something reasonable like “Initial Clean Install“.
Now start the VM and use the registry file in this zip file to disable the security features and noisy network services that will interfere with the analysis. Run the registry files for your Windows and Office version and then restart your VM.
In order to work with Cuckoo properly, the sandbox VM will need the following installed on it.
For convenience, all the setup files that are listed below are bundled in one zip file, organized by guest OS version, and common files required on all guests.
- Python 2.7.x 32-bit (Even if it is 64-bit OS version)
- Pillow 32-bit (Even if it is 64-bit OS version)
Install all of the latest supported Microsoft Visual C++ Redistributables (both x86 and x64 if your using a 64-bit OS)
To analyze the files that use a newer .NET framework, install the Microsoft .NET framework 4.5.1.
To analyze the files other than PE (Portable Executable), following software also need to be installed (older versions are preferred for exploitability and corporate realism):-
- Adobe Flash Player (An old version)
- Adobe Reader (An old version)
- Java Runtime Environment (An old version e.g. v7 u17)
As you install each of these programs. change their configuration to disable update checks which can create noisy PCAPs.
Next, copy the agent.pyw script from the shared folder to the Windows Startup folder, which can be found by navigating to the Start Menu, under All programs. Rename it to something else other than an agent, so that the malware will less likely to notice and find it.
Click Start and type msconfig, and press enter. Disable all the items in the Startup tab, except your agent file. In the Services tab, uncheck “Hide all Microsoft services” and disable all of the 3rd party update services.
Restart the system when it prompts you to do so.
You should now see the “pythonw.exe” in the list of processes in the task manager.
Now, shut down your VM.
In this stage we will be configuring the settings for our Cuckoo Sandbox machine. These configuration files are located in “./cuckoo/conf” folder. Follow below the changes that needs to be performed. Changes are highlighted in each screenshot.
Starting Cuckoo Services
Now once everything is done, we have to start several services so that our Sandbox machine works perfectly.
Before every other command you type make sure you make yourself as a root. Follow the command below:-
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
Once, you are done with the above steps you will see a message in the terminal stating “INFO: Waiting for analysis tasks.“
NOTE:- Don’t close the terminal otherwise it will hamper the functioning of the Sandbox machine.
Next, open up another terminal and proceed with the commands mentioned below
sudo service mongodb start
cuckoo webrunserver 0.0.0.0:8080
Now navigate to the URL “http://0.0.0.0:8080” in your browser and can start using sandbox machine for analysis.
Installing and Configuring a guest machine for Cuckoo Sandbox takes a lot of steps to perform and due to this it sometimes become an intimidating task. Also, there are high chances that one can run into an error if the mentioned steps are not performed in a right manner.
Hence, I have tried explaining everything single step right from installing a virtualization software to configuring a guest machine in a very simple manner. Hope this will help a lot of security folks who run into an error or issues while configuring a guest machine for Cuckoo.
Let me know what you think about this guide? Is it helpful?
And if you have anything to add or discuss on this topic, let me know in the comment below.