Install Cuckoo Sandbox For Real-Time Malware Analysis [Part 1]

steps to install cuckoo sandbox

For the past couple of months, I thought of implementing an internal Sandbox (Cuckoo Sandbox) for my organization as you cannot rely totally on other community-based sandboxes available on the internet like Hybrid Analysis, Joe Sandbox, Reverse It, etc.

What is Cuckoo Sandbox?

Cuckoo sandbox is an open source automated malware analysis system which is used to test a malware in a secure and isolated environment.

As the third-party sandboxes give you the best results, the need arises to have an internal sandbox in your organization as you don’t want to expose any internal organization documents or data while analyzing the file through any community-based sandboxes where the results are saved on their databases and anyone with the analysis link can have access to that report.

However, in our case, the results will be stored in our local database.

So in this post, I will install cuckoo sandbox and try to help out those who are trying to do the same or at least feel the same need or even for their own learning purpose.

This post will be divided into several parts of the installation and configuration to make it perfectly work for you.

While doing some research I found several posts regarding the installation of Cuckoo Sandbox but I haven’t found a detailed post yet that provides everything from installation to configuration and troubleshooting of Cuckoo Sandbox modules so as to achieve desired results without any issue.

And this is what I am trying to achieve here.

Read More: How To Configure Guest Machine For Cuckoo? [Part 2]

Cuckoo Sandbox Host Installation

Disclaimer: Setting up a Cuckoo Sandbox is not an easy task as it doesn’t come in one complete package. It requires installing several modules separately to make it work perfectly. You might break something while installing. Proper care of the instruction is required while performing an installation.

Cuckoo Sandbox works around the concept of having a vulnerable guest machine(s) for analysis inside the Virtual Machine (VM), installed on your host machine. So, it requires a host and a guest machine for it to work properly.

Specification of Host Machine For Cuckoo:

  • Ubuntu Desktop 18.04 (latest version recommended)
  • 16Gb of RAM or higher
  • 500 Gb hard disk (SSD for better processing)
  • Virtual Box v5.2 (latest version)
  • Cuckoo Sandbox v2.0.6 (latest version at the time of writing this post)

NOTE: It has come to my notice that many of you are facing issues while setting up Cuckoo Sandbox. I highly urge you to install v2.0.6 and it will work seamlessly. Installing the latest version which is v2.0.7 may lead you to some issues as this post may not be compatible with it. Also, I may not be able to help people who have installed the latest version unless I try it out myself.

Specification of Guest Machine For Cuckoo:

  • Windows 7 Professional 64 bit
  • An old vulnerable version of Microsoft Office, Adobe Reader, Flash Player, Java, etc..

Will get into more details about the software when we will install these in the vulnerable machine. In this article, I will be focusing on getting the host machine ready so that Cuckoo Sandbox doesn’t give any issues in a future installation.

Getting Your Host Machine Ready

After having a fresh install of Ubuntu’s latest version, it is recommended to perform a full update of your system and upgrade your Linux kernels (if any available).

Open up a terminal and hit the commands mentioned below:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y

Cuckoo Sandbox requires several packages and libraries to be installed before installing it. Without these dependencies, you will run into an issue. Proceed with the steps below to install the required dependencies.

sudo apt-get install python python-pip python-dev libffi-dev libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev
Host Dependencies 1
sudo apt-get install python-virtualenv python-setuptools
Host Dependencies 2
sudo apt-get install libjpeg-dev zlib1g-dev
Host Dependencies 3
sudo apt-get install libxml2-dev libxslt1-dev libevent-dev libpcre3 libpcre3-dev libtool libpcre++-dev g++
Host Dependencies 4
sudo apt-get install git automake dkms unzip wget python-sqlalchemy python-bson python-dpkt python-jinja2
Host Dependencies 5
sudo apt-get install python-magic python-mysqldb python-gridfs python-bottle python-pefile python-chardet
Host Dependencies 6

Installing Python 3

Before we proceed with the newer version of Python installation, let’s just check which version is already installed. You can do that by typing “python -v” in a terminal. If version 2.7 is what you see then proceed further with the installation.

Python 3 is required for the installation of mitmproxy which we will cover in later steps of installation, As mitmproxy no longer supports Python 2, it requires v3.5 or above.

To begin the installation, navigate to the “src” folder and follow the below steps.

cd /usr/src
sudo wget https://www.python.org/ftp/python/3.7.1/Python-3.7.1.tgz
sudo tar -xvf Python-3-7.1.tgz
cd Python-3-7.1

Now to proceed with the installation you have to be a superuser. Type “sudo su” and type in your password.

./configure
sudo make && make install
python3 --version (to check Python3 version)

Next, we need a Pillow to be installed in our host machine. But before we do that let’s just first upgrade the version of pip as we will be installing pillow through pip.

pip install --upgrade pip
sudo -H pip install pillow

If you want to use a Django-based Web interface, MongoDB is required. We will be downloading everything in the downloads folder and proceeding with the installation there.

sudo apt-get install mongodb
Host Dependencies 7

Cuckoo by default uses SQLite database for tracking analysis tasks which work perfectly but is not as robust as PostgreSQL database. The only drawback with SQLite is that when an analysis task is deleted, task IDs are recycled which leads to confusion when a new analysis task exists at the same location, possibly for a different malware sample.

To install PostgreSQL, type

sudo apt-get install postgresql libpq-dev
Host Dependencies 8

Installing tcpdump

tcpdump is a common packet analyzer that captures the network traffic being transmitted or received over a network. This would be helpful to us in analyzing the network activity performed by the malware.

sudo apt-get install tcpdump apparmor-utils
Host Dependencies 9
sudo aa-disable /usr/sbin/tcpdump
Host Dependencies 10
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump

Result will be (/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip)

Host Dependencies 11 1
sudo -H pip install lxml
sudo -H pip install cybox==2.0.1.4    
sudo -H pip install maec==4.0.1.0
sudo -H pip install "Django<2"
Host Dependencies 12

Now restart your system so that all the new installation settings can be applied and navigate to the Downloads folder again as we will be downloading more software.

sudo apt-get install ssdeep python-pyrex subversion libfuzzy-dev
Host Dependencies 13

Installing M2Crypto

M2Crypto is a complete Python wrapper of OpenSSL that features RSA, DA, DH, EC, HMACs, and more. We will be installing M2Crypto for adding cryptographic support and security to your Python applications.

Currently, the M2Crypto library is only supported when SWIG has been installed. To install SWIG, type:

sudo apt-get install swig
Host Dependencies 14

If SWIG is already installed on your system like in my case as well, we can now go ahead and install M2Crypto. Here, I have installed the latest version i.e 0.31.0.

sudo -H pip install m2crypto==0.31.0
Host Dependencies 15

Installing Volatility

Now we will be installing Volatility as we want our Cuckoo Sandbox to also perform forensic analysis on memory dumps of the given sample. It can automatically provide additional visibility into deep modifications in the operating system as well as to detect the presence of rootkit technology that escaped the monitoring domain of Cuckoo’s analyzer.

git clone https://github.com/volatilityfoundation/volatility.git
Host Dependencies 16

Navigate to the folder that you have just cloned and run the command:

sudo python setup.py install

Installing Distorm

diStorm3 is a decomposer, which means it takes instruction and returns a binary structure that describes it rather than static text, which is great for advanced binary code analysis.

Download the latest version of distorm from the given link:
https://github.com/gdabah/distorm/releases

Host Dependencies 17 1
tar -zxvf distorm-3.4.1.tar.gz

Now navigate to the extracted folder and run the below command

sudo python setup.py install
sudo apt-get install libjansson-dev libmagic-dev
sudo apt-get install libtool-bin

Installing PyCrypto

PyCrypto actually stands for Python Cryptography toolkit and is a collection of both secure hash functions and various encryption algorithms.

sudo -H pip install pycrypto
sudo -H pip install ansible --upgrade
Host Dependencies 18
sudo -H pip install IPython==5.0
sudo -H pip install jupyter
sudo -H pip install openpyxl
sudo -H pip install ujson

Installing YARA

YARA is a tool that helps malware researchers identify and classify malware samples. With YARA we can create descriptions of malware families based on textual or binary patterns.

Now with this tool, we will be able to identify the type of malware when our sample is analyzed.

Download the latest version of YARA from the link: https://github.com/VirusTotal/yara/releases

Host Dependencies 19
sudo tar -zxvf yara-3.8.1.tar.gz 

Navigate inside the YARA folder and type the below commands:

sudo ./bootstrap.sh
Host Dependencies 20
sudo ./configure --with-crypto --enable-magic –enable-cuckoo
Host Dependencies 21
sudo make
Host Dependencies 22
sudo make install
Host Dependencies 23
sudo -H pip install yara-python
Host Dependencies 24

Create user “Cuckoo”

Next, we have to create a new user named “cuckoo” on your machine. This user will be used to run several services that Cuckoo needs.

$ sudo adduser cuckoo
$ sudo usermod -L cuckoo

Add the cuckoo user to the correct group so that it can manage VMs

$ sudo usermod -a -G kvm cuckoo
$ sudo usermod -a -G libvirt cuckoo

Next, we will install and configure tcpdump so that it can generate PCAP files.

$ sudo apt-get install tcpdump libcap2-bin apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump

Finally, assign correct permissions to the user cuckoo, so that it can be used to run tcpdump without root privileges

$ sudo groupadd pcap
$ sudo usermod -a -G pcap cuckoo
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Installing FTP Server

Now we will be installing an anonymous FTP server called vsftpd. This is the simplest way to share files between the Virtual machines and your host machine.

First, we have to create a publicly accessible folder. Follow the commands below:

$ sudo mkdir -p /home/<replace_your_username>/vmshared/pub
$ sudo chown -R cuckoo:cuckoo /home/<replace_your_username>
$ sudo chmod -R ug=rwX,o=rX /home/<replace_your_username>/vmshared/
$ sudo chmod -R ugo=rwX /home/<replace_your_username>/vmshared/pub

Then install vsftpd:

$ sudo apt-get install vsftpd

Now after installing, edit the vsftpd.conf file:

$ sudo nano /etc/vsftpd.conf
  • Change listen to YES
  • Change listen_ipv6 to NO
  • Change anonymous_enable to YES

Now, uncomment the following lines:

write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES

And add the following lines at the bottom:

listen_address=192.168.100.1
listen_port=2121
anon_root=/home/cuckoo/vmshared
anon_umask=000
chown_upload_mode=0666
pasv_enable=Yes
pasv_min_port=10090
pasv_max_port=10100

Restart the service:

$ sudo service vsftpd restart

Now the VMs can read /home/<your-username>/vmshared and can write to /home/<your-username>/vmshared/pub

We can now access the FTP server from the Windows VM by typing in ftp://192.168.56.1:2121 into any explorer window.

Install Cuckoo Sandbox

Before installing Cuckoo module, make sure you are currently set as a superuser. Once done proceed with the following commands mentions below:

virtualenv venv
sudo su
. venv/bin/activate    
sudo pip install -U pip setuptools
sudo pip install -U cuckoo
cuckoo sandbox

After successful installation of Cuckoo, we will first check whether it is perfectly installed by first starting Cuckoo with the following command

cuckoo -d
install cuckoo sandbox

If you see the same in your system as above then Cuckoo has been successfully installed.

Now copy the Cuckoo agent to the vmshared directory which we created earlier.

$ cp /home/cuckoo/.cuckoo/agent/agent.py /home/<replace_your_username>/vmshared/agent.pyw

Next is to start the Cuckoo Web Server. But before that make sure you are still set as a superuser and type the commands provided below.

cd /root/.cuckoo
sudo service mongodb start

The above command will start the MongoDB service. But it is currently disabled for Cuckoo. So, we have to enable the MongoDB service in one of the Cuckoo’s configuration files i.e. reporting.conf. Proceed by typing.

nano /root/.cuckoo/conf/reporting.conf

Under [mongodb], change the value of enabled to yes.

Cuckoo 3

Save the file by hitting “ctrl+o” and enter and exit out of the editor by pressing “ctrl+x“.

Finally, we will start the cuckoo webserver to check whether everything is working fine. Type the command:

cuckoo web runserver

If everything goes fine then you will see the Cuckoo Sandbox Webpage in your browser. The location of your Cuckoo would be mentioned in your terminal with the port number specified.

In my case, it was “http://127.0.0.1/8000/”.

In the next few posts, we will be setting up a guest machine(s) for Cuckoo Sandbox and some additional steps where we will be hardening our VM so that the malware couldn’t bypass it.

Read More: How To Configure Guest Machine For Cuckoo? [Part 2]

Conclusion

Phew! That’s it. You have your own cuckoo sandbox now.

Installation of Cuckoo sandbox is a hectic task and one has to perform several steps in an order to have a perfectly running Cuckoo sandbox.

As Cuckoo doesn’t come in a single package, all the libraries and dependencies have to be installed prior to installing Cuckoo.

How was your experience installing Cuckoo Sandbox? Was it easy? Or encountered an issue while performing steps?

Let me know in the comment section below.

24 comments
  1. sudo make shows

    make: *** No targets specified and no makefile found. Stop.

    I had followed the steps correctly. What should we do?

      1. actually before make command there is a command -enable-cuckoo which should b –enable-cuckoo … that’s why sudo make gives error: no target specified and no make file found

        1. Ok. As version 2.0.7 is not compatible with the our version of Cuckoo i.e. v2.0.6… you are getting version error. Try using v2.0.6 and check. Latest version has gone through major changes. Hope this helps. You can contact reach me at zealots[.]tech@gmail[.]com.

  2. i think problem is with virtualbox i m using virtualbox 6 ..anyways thanks for providing such a clear guidance to install cuckoo

      1. 6 is specified ..m just following ur steps nothing else .. but now i have changed my os from ubuntu 18.4.3 LTS coz i was facing issue with wi fi ..no m installing the same set up in linux mint ..hope it will succed

  3. Hello sir i got problem at step

    sudo pip install -U cuckoo
    More over after doing these steps I am not able to login ubuntu using my admin account. I am only able to login using cuckoo account . Plz help me with that

    1. Hi Meena

      The Cuckoo version installed was v2.0.6 during writing of this post. However, when you doing sudo pip install -U cuckoo it will install the latest version i.e. v2.0.7. And since Cuckoo has changed a lot in their recent upgrade. Try installing the earlier version and it should run fine.

    2. Hi Meena

      The Cuckoo version installed was v2.0.6 during writing of this post. However, when you doing sudo pip install -U cuckoo it will install the latest version i.e. v2.0.7. And since Cuckoo has changed a lot in their recent upgrade. Try installing the earlier version and it should run fine.

  4. Hi Satya,

    Thank you for the helpful guide.
    Upon installing Cuckoo, which installed 2.0.7, cuckoo -d does not work.
    What does this mean? Does this mean that cuckoo is not installed?
    I’ve checked the latest docs and they also use the same command for 2.0.7.
    Please help!

    Thanks

    1. Hi Shreez, While writing this post, the latest version available for Cuckoo was v2.0.6. And a lot has been changed in v2.0.7. I feel there’s some extra packages which needs to be installed for v2.0.7 which throws out error. Can you share a screenshot or tell exactly as to what error you are receiving when running that command.

      1. Hi Satya,

        Many thanks for the quick response.
        This happens after installing cuckoo – pip install -U cuckoo, and attempting cuckoo -d to start it up.
        The error I get is cuckoo: command not found. This means that it doesn’t even appear to be installed.
        Upon rebooting my VM (after asking this question) I was unable to login to it anymore as the chown commands earlier have broken my access to login.

        Any ideas?

        1. Did Cuckoo installed successfully after running command pip install -U cuckoo? If it has then the command cuckoo -d should have recognized it. Try running these commands again:-

          virtualenv venv
          sudo su
          . venv/bin/activate
          sudo pip install -U pip setuptools
          sudo pip install -U cuckoo

          1. Hi Satya.

            I tried but I was unable to find any Cuckoo files.
            I’ve tried repeating the commands above several times…. with the same result.

          2. Then I would suggest you to manually download the Cuckoo v2.0.6 executable file from the official website and install it. This would do.

  5. Hi,

    sudo chown -R cuckoo:cuckoo /home/
    at this point do we have to install cuckoo user..or its the same as your username. If you follow your tutorial line by line at this point it will give error as cuckoo user not found or not exist

    1. Hello Abid,

      Sorry for the late reply. As I am not having access to this machine currently due to COVID-19 WFH. I am not able to personally check this. But I remember setting up FTP is an optional step and is not a mandatory to have it for Cuckoo sandbox installation. I had set up FTP server so as to easily have the malicious files on my vulnerable VM. One can do it with USB drive as well.

      You can skip this part for now and complete rest of the steps that is required for Cuckoo to function properly. I am not sure when I’ll be able to personally look into the Cuckoo machine due to the complete lockdown. But I believe in this code “sudo chown -R cuckoo:cuckoo /home/” you can try replacing cuckoo with your host machine’s username and check whether FTP server works or not. It was a typo on my part it seems.

      Thanks for notifying it to me.

    2. Hello Abid,

      Sorry for the late reply. As I am not having access to this machine currently due to COVID-19 WFH. I am not able to personally check this. But I remember setting up FTP is an optional step and is not a mandatory to have it for Cuckoo sandbox installation. I had set up FTP server so as to easily have the malicious files on my vulnerable VM. One can do it with USB drive as well.

      You can skip this part for now and complete rest of the steps that is required for Cuckoo to function properly. I am not sure when I’ll be able to personally look into the Cuckoo machine due to the complete lockdown. But I believe in this code “sudo chown -R cuckoo:cuckoo /home/” you can try replacing cuckoo with your host machine’s username and check whether FTP server works or not. It was a typo on my part it seems.

      Thanks for notifying it to me.

      1. Hi Satya,
        I checked it, if you create cuckoo user and run next commands to change permission , it will create a lot of problems and next time you wont be able to log in .
        one mus replace it with machine username or the other option it to create separate directory such as /opt/cuckoo
        I am able to install it , but i didn’t run cuckoo in virtual environment and its working good.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You May Also Like