August 28, 2018
Cuckoo Installation Guide: Malware Sandboxing - Part 1
Cuckoo is an open-source project that was a part of Google Summer of Code. Cuckoo Sandbox 2.0.0 is now out. Cuckoo Sandbox is an automated dynamic malware analysis system.
Earlier, in January or February, I tried to implement it, but it was not working well. However, my friend Ishan Bajaj was able to do so. Thus we have made this documentation, which can help you implement Cuckoo.
----------Please follow given instruction carefully----------
DONE IN UBUNTU 16.04 WITH WINDOWS 7 ULTIMATE 32-BIT AS TESTING OS
First, install Ubuntu 16.04; this is pretty straightforward using VirtualBox. Once Ubuntu is installed, install Guest Additions so that you can share files from your host PC to the Ubuntu VM (a tutorial on how to install and troubleshoot Guest Additions is written at the end of this document). After you have installed Guest Additions, create a shared folder from the VirtualBox settings; it should contain the OS that you will use to test on, for example Windows 7 Ultimate 32-Bit. You can also put this installation guide in the shared folder so that you can copy and paste commands; this will make the process easier. Once that is all done, you can start.
--------------START IN UBUNTU MACHINE--------------
- sudo apt-get update
- Reboot Ubuntu
- sudo apt-get install git -y
- - sudo apt-get install python python-pip python-dev libffi-dev libssl-dev -y
- - sudo apt-get install python-virtualenv python-setuptools -y
- - sudo apt-get install libjpeg-dev zlib1g-dev swig -y
- sudo apt-get install mongodb -y
- sudo apt-get install postgresql libpq-dev -y
- Install VirtualBox (inside Ubuntu)
- - echo deb https://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
- - wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
- - sudo apt-get update
- - sudo apt-get install virtualbox-5.1 -y
- Install tcpdump
- - sudo apt-get install tcpdump apparmor-utils -y
- - sudo aa-disable /usr/sbin/tcpdump
- Install Volatility
- - sudo git clone https://github.com/volatilityfoundation/volatility
- - cd volatility
- - sudo python ./setup.py install
- - cd ..
- Install M2Crypto
- - sudo apt-get install swig
- - sudo pip install m2crypto==0.24.0
- Download & Install Cuckoo
- - sudo pip install -U pip setuptools
- - sudo pip install -U cuckoo
- - sudo pip install distorm3
- Create a Cuckoo Working Directory
- - sudo mkdir /opt/cuckoo
- - sudo chown cuckoo:cuckoo /opt/cuckoo (replace cuckoo:cuckoo with your own user:group, for example, zerowatch:Ubuntu)
- - cuckoo --cwd /opt/cuckoo
You have now downloaded all the necessary software, so it is time to move on to setting up the testing environment. You must have a copy of your chosen OS (I used Windows 7 Ultimate 32-Bit) on the Ubuntu machine. If that is done, you can continue.
1) sudo virtualbox
I assume everyone knows how to install a virtual machine within VirtualBox so please install your OS. NOTE: Name it 'cuckoo1' or else cuckoo will not recognise it when analysing!
I assigned my OS: 1.5GB of RAM, 1 CPU and a 25GB Hard Disk - Install can take a while
2) Once the install is complete, close the virtual machine and use the following commands (in Ubuntu):
- vboxmanage hostonlyif create
- vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 <- Use this IP specifically, it doesn't need to be altered.
Use ifconfig to ensure the network adapter shows up; it should be called 'vboxnet0' as above. In VirtualBox, change the VM's network adapter to host-only with vboxnet0, then start the machine. NOTE: Before starting the machine, remember to remove the ISO from the storage settings of VirtualBox, or else it will take you through the whole setup process again.
----------------MOVE TO VIRTUAL MACHINE----------------
3) Edit the network settings on your OS, disable IPv6 and use the following:
Static IP - 192.168.56.101
Default Gateway - 192.168.56.1
DNS - any DNS server (I used 126.96.36.199)
----------------BACK TO UBUNTU MACHINE----------------
4) Go back to the Ubuntu machine and use the following commands
- sudo iptables -A FORWARD -o ens32 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
- sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- sudo iptables -A POSTROUTING -t nat -j MASQUERADE
- echo 1 > /proc/sys/net/ipv4/ip_forward NOTE: this may give you permission problems; if it does, sudo it. If that doesn't work, use:
- sudo su
- echo 1 > /proc/sys/net/ipv4/ip_forward
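The host-side settings from steps 1 to 4 can be verified without changing anything. The script below is an added example, not part of the original guide or of Cuckoo; the function names and sample outputs are constructed for illustration, and it assumes the usual output formats of `vboxmanage list vms`, `ip -o -4 addr show` and `iptables -S`.

```shell
#!/bin/sh
# Added example: read-only checks for the host settings from steps 1-4.
# Each function reads one command's output on stdin and returns 0 when the
# setting is in place. Live use on the Ubuntu host:
#   vboxmanage list vms                 | vm_ok
#   ip -o -4 addr show                  | hostonly_ok
#   sudo iptables -S FORWARD            | forward_ok
#   sudo iptables -t nat -S POSTROUTING | nat_ok
#   cat /proc/sys/net/ipv4/ip_forward   | forwarding_on

vm_ok()         { grep -q '^"cuckoo1" '; }                        # VM name from step 1
hostonly_ok()   { grep -Eq 'vboxnet0 +inet 192\.168\.56\.1/'; }   # step 2 address
nat_ok()        { grep -Eq -- '^-A POSTROUTING .*-j MASQUERADE'; }
forwarding_on() { [ "$(cat)" = "1" ]; }

forward_ok() {
  fw_rules=$(cat)
  # New connections accepted only from the host-only subnet via vboxnet0.
  # The outbound interface (ens32 in the guide) differs per host, so it is not matched.
  printf '%s\n' "$fw_rules" | grep -Eq -- \
    '^-A FORWARD .*-s 192\.168\.56\.0/24 .*-i vboxnet0 .*--ctstate NEW .*-j ACCEPT' || return 1
  # Reply traffic; iptables lists the states as RELATED,ESTABLISHED.
  printf '%s\n' "$fw_rules" | grep -Eq -- \
    '^-A FORWARD .*--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) .*-j ACCEPT'
}

# Constructed sample outputs (not captured from a real host) so this runs offline.
SAMPLE_VMS='"cuckoo1" {00000000-0000-0000-0000-000000000000}'
SAMPLE_ADDR='3: vboxnet0    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0'
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens32 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE'

report() {  # report <label> <check function> <command output>
  if printf '%s\n' "$3" | "$2"; then echo "ok       $1"; else echo "MISSING  $1"; fi
}
report "VM named cuckoo1"           vm_ok         "$SAMPLE_VMS"
report "vboxnet0 is 192.168.56.1"   hostonly_ok   "$SAMPLE_ADDR"
report "FORWARD rules present"      forward_ok    "$SAMPLE_FORWARD"
report "NAT masquerade present"     nat_ok        "$SAMPLE_NAT"
report "ip_forward enabled"         forwarding_on "1"
```

A `MISSING` line for the FORWARD rules usually means one of the `iptables -A` commands was rejected, so re-run it and read the error before submitting samples.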