I’m Cuckoo for Malware (Malware Analysis Tutorial)

July 3, 2015 | Views: 12559


Recently in my internship, I was posed with a significant problem. One of the PCs at the company where I work was hit with a new kind of malware that got past all of our threat detection software.

A user complained that our threat detection software was blocking every application like IE and Word, which the individual needed to complete their work. The on-duty technician went to inspect it, thought that our threat detection software was malfunctioning, and allowed the IE process to execute. We then saw a BUNCH of network traffic going out to various websites from that computer, and we immediately quarantined it.

A piece of malware had hooked itself into legitimate processes after it got into our system. This malware was very sophisticated, and hard to catch because it constantly dropped new files named to look like legitimate ones, such as GoogleUpdateOnDemand and api-ms-win. I was responsible for analyzing this piece of malware and writing the report to be sent to law enforcement entities.

My problem was that there was no readily available way to analyze the malware after we had been hit. Yes, we had a simple setup where we could test the malware, but we didn’t have a way to actually see everything that happened.

To try to conquer this problem, I set up a couple of VMs that could be restored to previous snapshots, and loaded software on them such as Immunity Debugger, Wireshark, FakeNet, and other analytic software. While this told me a lot about what the malware was doing, there were still many pieces missing. Then, I found Cuckoo.

Cuckoo is a free, open source automated malware analysis sandbox. What this means is that it restores a virtual machine to a clean snapshot, runs the malware inside it, records what the sample did (processes started, files and registry keys touched, dropped files, network traffic), and reports all of it back in a nice, readable HTML report.

Before I start, a little bit about me. I am a Computer Security student at the Rochester Institute of Technology in Rochester, NY. I am on my 3rd internship dealing with technology, currently working for the Massachusetts Port Authority as a Cyber Security intern. I have a strong interest in the Cyber Security field, and an even stronger background.

I’ve been working with computers ever since the fifth grade, creating things, and then seeing how to hack into them. I have a passion for seeing how things work, how to break them, and ultimately how to make them more secure. I also just got Security+ certified over the weekend, and I plan to pursue my CEH or CHFI certification within the next month or two.

Today, I’m going to go over how to set Cuckoo up, and how to get started with malware analysis with Cuckoo.

INSTALLATION

First of all, you need to be on a Linux host. I'm using Linux Mint 17.1 for this tutorial. Cuckoo at the time of writing (the 1.x series) is Python 2 software, so everything below uses the Python 2 packages and pip. Before we install Cuckoo, we need to install a lot of dependencies on our machine. Use the following command to install all the necessary Python dependencies:

sudo apt-get install python-sqlalchemy python-dpkt python-bson python-chardet python-jinja2 python-magic python-libvirt python-bottle python-pefile python-pip python-dev

Next, install the libraries that some of the Python packages build against. ssdeep and libfuzzy-dev are Debian packages, not pip packages, so they belong in this apt-get line (pydeep, built in the next step, links against libfuzzy):

sudo apt-get install libxml2-dev libxslt-dev ssdeep libfuzzy-dev

Then the pip packages. cybox and MAEC are only needed if you want MAEC-format reports, and django is only needed by the Django interface under web/, not by the simpler utils/web.py used later in this tutorial, so you can skip any of them:

sudo pip install cybox MAEC django

Yara is optional, so I won't install it here (Cuckoo uses it to match samples against the rules under data/yara). But, there are many other tutorials for that.

Install git with sudo apt-get install git, then build and install pydeep (the Python binding for ssdeep fuzzy hashing) from source:

git clone https://github.com/kbandla/pydeep.git

cd pydeep

python setup.py build

sudo python setup.py install

Only the install step needs root; building as root just leaves root-owned files in your working directory.

Then install MongoDB and its Python driver (the web interface reads analysis results out of MongoDB):

sudo apt-get install mongodb python-pymongo

Download Cuckoo on the Linux host, as your normal user rather than with sudo. Cuckoo is meant to run as an unprivileged user, and a root-owned checkout leaves it unable to write its storage/ and log/ directories when you start it later:

git clone https://github.com/cuckoobox/cuckoo.git

Create a VM named cuckoo1 with any version of Windows, and write down its IP address. The guest must sit on a network the Linux host can reach: Cuckoo talks to the agent in the guest on TCP port 8000 by default, and the guest sends its results back to the host's result server on TCP port 2042 by default. Inside the guest, install Python 2.7 (agent.py is Python 2) and the Python Imaging Library (used for screenshots). Install Adobe Reader, which lets you analyze PDF files as well as executables (I used version 9.0), and MS Word if you want to analyze .doc files. Turn off Windows Firewall and Automatic Updates in the guest so they neither block the agent nor add their own traffic to the capture.

Copy the agent.py file from the /cuckoo/agent folder to the Windows machine and set it to run at startup (rename it to agent.pyw if you don't want a console window sitting on the desktop). Start it, and with the VM running and the agent up, take a snapshot of the VM and name it cuckoo1. Cuckoo restores that snapshot before every analysis, so everything the sample changes is thrown away afterwards.

Back on the Linux host, open up /cuckoo/conf/cuckoo.conf and, in the [resultserver] section, set ip to the address of your Linux host on the network the VM uses; it must be reachable from the guest, because that is where the agent delivers its results. The sniffer also needs to know which host interface carries the VM's traffic: set interface under the [sniffer] section (in the 1.x releases that section lives in /cuckoo/conf/auxiliary.conf; older releases keep it in cuckoo.conf). In my setups this is vmnet0 for VMware and vboxnet0 for VirtualBox; check with ip addr that the interface you pick is the one holding the host address you put in resultserver. The sniffer runs tcpdump, so install it and let it capture without root: sudo apt-get install tcpdump, then sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump.

Next, edit the .conf file for your virtualization software, /cuckoo/conf/vmware.conf or /cuckoo/conf/virtualbox.conf. For VirtualBox, machines under [virtualbox] lists the VM labels (cuckoo1), and the [cuckoo1] section holds label (the VM's name in VirtualBox), platform = windows, ip (the Windows guest's address you wrote down) and snapshot (the snapshot name). Verify that all the info about the VM is correct, and make sure machinery under [cuckoo] in cuckoo.conf names the same software (virtualbox or vmware), otherwise Cuckoo never reads the file you just edited.

One last thing before you begin: edit reporting.conf and set enabled = yes under [mongodb], and make sure the mongod service is running. The web interface reads its results from MongoDB, so without this the analyses finish but never show up there.

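To make the host-side configuration above repeatable, here is an added shell script; it is not part of the original post or of Cuckoo itself. It patches the keys the tutorial edits by hand (resultserver ip in cuckoo.conf, the sniffer interface, the VM entry in virtualbox.conf, the mongodb reporting switch), then re-reads each one to confirm the edit took, and it refuses to add a key that does not already exist so a typo cannot create a setting Cuckoo never reads. It assumes the 1.x conf layout (auxiliary.conf with a [sniffer] section, virtualbox.conf with one section per VM label); the addresses, the cuckoo1 label, the snapshot name and the interface name are placeholders, and write_sample_conf only creates abbreviated, constructed stand-ins for a dry run. VMware users would point the same helpers at the keys in vmware.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post or from Cuckoo: patch and verify
# the Cuckoo 1.x conf files the tutorial edits by hand. Assumed layout:
# cuckoo.conf [resultserver], auxiliary.conf [sniffer], virtualbox.conf
# [virtualbox] plus one section per VM label, reporting.conf [mongodb].
# IPs, VM label, snapshot and interface names below are placeholders.
set -eu

# get_ini_value FILE SECTION KEY: print KEY's value from [SECTION]; exit 1 if absent.
get_ini_value() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 == want); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit
        }
        END { exit !found }' "$1"
}

# set_ini_value FILE SECTION KEY VALUE: rewrite KEY inside [SECTION] in place.
# Refuses to add a key that is not already there.
set_ini_value() {
    file=$1; sec=$2; key=$3; val=$4
    get_ini_value "$file" "$sec" "$key" >/dev/null ||
        { echo "error: no '$key' in [$sec] of $file" >&2; return 1; }
    tmp=$(mktemp)
    awk -v want="[$sec]" -v key="$key" -v val="$val" '
        /^[ \t]*\[/ { insec = ($0 == want) }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { print key " = " val; next }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# expect_ini FILE SECTION KEY EXPECTED: report a mismatch and count it.
expect_ini() {
    got=$(get_ini_value "$1" "$2" "$3") || got='<missing>'
    if [ "$got" != "$4" ]; then
        echo "MISMATCH $1 [$2] $3: expected '$4', got '$got'" >&2
        mismatches=$((mismatches + 1))
    fi
}

# configure_cuckoo CONF_DIR HOST_IP GUEST_IP LABEL SNAPSHOT IFACE
configure_cuckoo() {
    conf=$1; host_ip=$2; guest_ip=$3; label=$4; snapshot=$5; iface=$6
    set_ini_value "$conf/cuckoo.conf"     resultserver ip        "$host_ip"  # agent reports here
    set_ini_value "$conf/auxiliary.conf"  sniffer      interface "$iface"    # tcpdump capture interface
    set_ini_value "$conf/virtualbox.conf" virtualbox   interface "$iface"
    set_ini_value "$conf/virtualbox.conf" virtualbox   machines  "$label"
    set_ini_value "$conf/virtualbox.conf" "$label"     ip        "$guest_ip" # the Windows VM
    set_ini_value "$conf/virtualbox.conf" "$label"     snapshot  "$snapshot"
    set_ini_value "$conf/reporting.conf"  mongodb      enabled   yes         # web UI reads from Mongo
}

# verify_cuckoo takes the same arguments and succeeds only if every value reads back.
verify_cuckoo() {
    conf=$1; host_ip=$2; guest_ip=$3; label=$4; snapshot=$5; iface=$6
    mismatches=0
    expect_ini "$conf/cuckoo.conf"     resultserver ip        "$host_ip"
    expect_ini "$conf/auxiliary.conf"  sniffer      interface "$iface"
    expect_ini "$conf/virtualbox.conf" virtualbox   interface "$iface"
    expect_ini "$conf/virtualbox.conf" virtualbox   machines  "$label"
    expect_ini "$conf/virtualbox.conf" "$label"     ip        "$guest_ip"
    expect_ini "$conf/virtualbox.conf" "$label"     snapshot  "$snapshot"
    expect_ini "$conf/reporting.conf"  mongodb      enabled   yes
    [ "$mismatches" -eq 0 ]
}

# write_sample_conf DIR: constructed, abbreviated stand-ins for the real conf
# files (only the keys this script touches), for a dry run.
write_sample_conf() {
    mkdir -p "$1"
    printf '%s\n' '[cuckoo]' 'machinery = virtualbox' '' '[resultserver]' \
        '# IP of the Linux host as seen from the guest' 'ip = 192.168.56.1' \
        'port = 2042' > "$1/cuckoo.conf"
    printf '%s\n' '[sniffer]' 'enabled = yes' 'tcpdump = /usr/sbin/tcpdump' \
        'interface = vboxnet0' > "$1/auxiliary.conf"
    printf '%s\n' '[virtualbox]' 'mode = gui' 'path = /usr/bin/VBoxManage' \
        'interface = vboxnet0' 'machines = cuckoo1' '' '[cuckoo1]' 'label = cuckoo1' \
        'platform = windows' 'ip = 192.168.56.101' 'snapshot =' > "$1/virtualbox.conf"
    printf '%s\n' '[jsondump]' 'enabled = yes' '' '[mongodb]' 'enabled = no' \
        > "$1/reporting.conf"
}

# Usage: sh cuckoo_conf.sh CONF_DIR HOST_IP GUEST_IP [VM_LABEL] [SNAPSHOT] [IFACE]
if [ "$#" -ge 3 ]; then
    label=${4:-cuckoo1}; snapshot=${5:-cuckoo1}; iface=${6:-vboxnet0}
    # The resultserver address must actually be bound to the sniffer interface,
    # or the agent in the guest can never deliver its results.
    if command -v ip >/dev/null 2>&1 &&
       ! ip -o -4 addr show dev "$iface" 2>/dev/null | grep -q "inet $2/"; then
        echo "warning: $2 is not assigned to $iface on this host" >&2
    fi
    configure_cuckoo "$1" "$2" "$3" "$label" "$snapshot" "$iface"
    verify_cuckoo "$1" "$2" "$3" "$label" "$snapshot" "$iface" && echo "cuckoo config OK"
else
    echo "usage: $0 CONF_DIR HOST_IP GUEST_IP [VM_LABEL] [SNAPSHOT] [IFACE]" >&2
fi
```

Run it as sh cuckoo_conf.sh ~/cuckoo/conf 192.168.56.1 192.168.56.101 and it prints "cuckoo config OK" only when every value reads back from the files. The warning about the host address not being on the chosen interface catches a common reason an analysis sits at "waiting for the agent" and never reports back: the result server is bound to an address the guest cannot reach.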
RUNNING CUCKOO

Open up a terminal and type:

python /home/YOUR USERNAME/cuckoo/cuckoo.py

This will launch Cuckoo; run it as your normal user, not with sudo. Make sure there are no errors (a VM or snapshot it cannot find, or a result server that cannot bind to the IP you configured, shows up here before any analysis starts), and then start the web interface under the utils folder like this:

python /home/YOUR USERNAME/cuckoo/utils/web.py

Browse to localhost:8080 in your favorite web browser and submit the file to be analyzed (the same can be done from the command line with python /home/YOUR USERNAME/cuckoo/utils/submit.py followed by the path of the sample). Your VM will then be restored to its snapshot and started, and the sample is handed to the agent and run. The run itself lasts until the sample exits or the default timeout under [timeouts] in cuckoo.conf expires (120 seconds as shipped); processing and reporting add a few more minutes, so after 10 or so minutes your malware will be analyzed and it will give you a link to the nice looking report with all the malicious activity that occurred. The same report is also saved on disk under storage/analyses/ in the Cuckoo directory, in a folder named after the task ID.

I hope this helps you guys. If not, let me know in the comments. Thanks for reading!

21 Comments
  1. Can I install Cuckoo on a Windows-supporting PC?

  2. Good article. I am currently getting (work related), hands-on training with Malware Analysis and it is completely mind-blowing.

  3. Currently I am learning about Malware Analysis, studying for a Master of Information Security. I will need a little support if I get confused on running it. Thanks

  4. I am not sure what you mean by

    change the interface to the one you are using for VMware or Virtualbox. (Usually vmnet0 for VMware and vboxnet0 for Virtualbox)

    How do you do this?
