Cuckoo is an open-source project that started as part of Google Summer of Code, and Cuckoo Sandbox 2.0.0 is now out. Cuckoo Sandbox is an automated dynamic malware analysis system.

Earlier, in January or February, I tried to set it up but it was not working well. However, my friend Ishan Bajaj was able to do so, so we put together this documentation to help you install and run Cuckoo.

----------Please follow the given instructions carefully----------

DONE IN UBUNTU 16.04 WITH WINDOWS 7 ULTIMATE 32-BIT AS TESTING OS

Installation Guide

Firstly, you must install Ubuntu 16.04; this is pretty straightforward using VirtualBox. Once Ubuntu is installed, install Guest Additions so that you can share files from your host PC to the Ubuntu VM (a tutorial on how to install and troubleshoot Guest Additions is written at the end of this document). After you have installed Guest Additions, create a shared folder from the VirtualBox settings containing the OS image you will use for testing, for example Windows 7 Ultimate 32-Bit. You can also put this installation guide inside the shared folder so you can copy and paste the commands; this makes the process easier. Once that is all done, you can start.

--------------START IN UBUNTU MACHINE--------------

  1. sudo apt-get update
  2. Reboot Ubuntu
  3. sudo apt-get install git -y
  4. Requirements
     - sudo apt-get install python python-pip python-dev libffi-dev libssl-dev -y
     - sudo apt-get install python-virtualenv python-setuptools -y
     - sudo apt-get install libjpeg-dev zlib1g-dev swig -y
  5. sudo apt-get install mongodb -y
  6. sudo apt-get install postgresql libpq-dev -y
  7. Install VirtualBox (inside Ubuntu)
     - echo "deb https://download.virtualbox.org/virtualbox/debian xenial contrib" | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
     - wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
     - sudo apt-get update
     - sudo apt-get install virtualbox-5.1 -y
  8. Install tcpdump
     - sudo apt-get install tcpdump apparmor-utils -y
     - sudo aa-disable /usr/sbin/tcpdump
  9. Install Volatility
     - sudo git clone https://github.com/volatilityfoundation/volatility
     - cd volatility
     - sudo python ./setup.py install
     - cd ..
  10. Install M2Crypto
     - sudo apt-get install swig
     - sudo pip install m2crypto==0.24.0
  11. Download & Install Cuckoo
     - sudo pip install -U pip setuptools
     - sudo pip install -U cuckoo
     - sudo pip install distorm3
  12. Create a Cuckoo Working Directory
     - sudo mkdir /opt/cuckoo
     - sudo chown cuckoo:cuckoo /opt/cuckoo (chown takes user:group, so replace cuckoo:cuckoo with the user and group that will run Cuckoo; the author used zerowatch:Ubuntu)
     - cuckoo --cwd /opt/cuckoo

You have now downloaded all the necessary software, so it is time to move on to setting up the testing environment. You must have a copy of your chosen OS (I used Windows 7 Ultimate 32-Bit) on the Ubuntu machine. If that is done, you can continue.

1) sudo virtualbox

I assume everyone knows how to install a virtual machine within VirtualBox, so please install your OS. NOTE: Name it 'cuckoo1' or else Cuckoo will not recognise it when analysing!

I assigned my OS 1.5GB of RAM, 1 CPU and a 25GB hard disk. The install can take a while.

2) Once the install is complete, close the virtual machine and use the following commands (in Ubuntu):

- vboxmanage hostonlyif create

- vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 <- Use this IP specifically; it does not need to be altered.

Use ifconfig to ensure the network adapter shows up; it should be called 'vboxnet0' as above. Change the VM's network adapter in VirtualBox to "Host-only" on vboxnet0 and start the machine. NOTE: Before starting the machine, remember to remove the ISO from the storage settings in VirtualBox, or else it will take you through the whole setup process again.

----------------MOVE TO VIRTUAL MACHINE----------------

3) Edit the network settings on your guest OS, disable IPv6 and use the following:

Static IP - 192.168.56.101

Default Gateway - 192.168.56.1

DNS - any DNS server (I used 8.8.8.8)

----------------BACK TO UBUNTU MACHINE----------------

4) Go back to the Ubuntu machine and use the following commands:

- sudo iptables -A FORWARD -o ens32 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT (ens32 is the Ubuntu machine's Internet-facing interface; substitute the name ifconfig shows on your machine)

- sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

- sudo iptables -A POSTROUTING -t nat -j MASQUERADE

- echo 1 > /proc/sys/net/ipv4/ip_forward NOTE: this may give you permission problems; if it does, try it with sudo. If that does not work either, use:

- sudo su

- echo 1 > /proc/sys/net/ipv4/ip_forward
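Steps 2 and 4 collected into one script, as an added example that is not part of the original guide: it reads the outbound interface from the routing table instead of assuming ens32, skips rules that already exist so it can be re-run, and sets ip_forward through sysctl so the permission problem above does not arise. It also narrows the MASQUERADE rule to the sandbox subnet, which the guide's version does not; the variable names and the "apply" argument are this example's own.

```shell
#!/bin/sh
# Added example: host-only adapter plus NAT forwarding for the Cuckoo guest.
# Run as: sudo sh cuckoo-net.sh apply
set -eu

HOSTONLY_IF="vboxnet0"           # adapter name from step 2
HOSTONLY_IP="192.168.56.1"       # gateway the guest points at in step 3
GUEST_SUBNET="192.168.56.0/24"   # subnet the guest's static IP lives in

# Interface carrying the default route (the guide hard-codes ens32, which
# differs per machine, so ask the routing table instead).
default_iface() {
    ip -4 route show default |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the three iptables rules from step 4, one per line, for a given
# outbound interface and subnet, so they can be reviewed before being applied.
forward_rules() {
    out_if="$1"
    subnet="$2"
    printf '%s\n' \
      "iptables -A FORWARD -o $out_if -i $HOSTONLY_IF -s $subnet -m conntrack --ctstate NEW -j ACCEPT" \
      "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -s $subnet -o $out_if -j MASQUERADE"
}

apply_network_setup() {
    out_if="$(default_iface)"
    [ -n "$out_if" ] || { echo "no default-route interface found" >&2; return 1; }
    # Step 2: creating the adapter twice would yield vboxnet1, so check first.
    if ! VBoxManage list hostonlyifs | grep -q "^Name: *$HOSTONLY_IF\$"; then
        VBoxManage hostonlyif create
    fi
    VBoxManage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOSTONLY_IP"
    # Step 4: -C tests whether a rule exists; only append (-A) when it does not.
    forward_rules "$out_if" "$GUEST_SUBNET" | while read -r rule; do
        check="$(printf '%s' "$rule" | sed 's/ -A / -C /')"
        $check 2>/dev/null || $rule
    done
    # A shell redirect is opened by the unprivileged shell, not by sudo, which
    # is why "sudo echo 1 > /proc/sys/..." fails; sysctl writes it as root.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

if [ "${1:-}" = "apply" ]; then
    apply_network_setup
fi
```

Without the "apply" argument the script only defines the functions, so `forward_rules eth0 192.168.56.0/24` can be used to preview the rules for a given interface.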

Cuckoo Installation, Part 2 >>
