By: Alan Raff
July 3, 2015
I'm Cuckoo for Malware (Malware Analysis Tutorial)
By: Alan Raff
July 3, 2015
Recently in my internship, I was posed with a significant problem. One of the PCs at the company where I work was hit with a new kind of malware that got past all of our threat detection software.
A user complained that our threat detection software was blocking every application like IE and Word, which the individual needed to complete their work. The on-duty technician went to inspect it, thought that our threat detection software was malfunctioning, and allowed the IE process to execute. We then saw a BUNCH of network traffic going out to various websites from that computer, and we immediately quarantined it.
A piece malware had hooked itself into legitimate processes after it got into our system. This malware was very sophisticated, and hard to catch because it constantly dropped new files that were named similar to legitimate file names such as GoogleUpdateOnDemand, and api-ms-win, etc. I was responsible for analyzing this piece of malware and writing the report to be sent to law enforcement entities.My problem was that there was no readily available way to analyze the malware after we had been hit. Yes, we had a simple setup where we could test the malware, but we didn't have a way to actually see everything that happened.To try to conquer this problem, I set up a couple VMs that could be restored to previous snapshots, and loaded software on them such as Immunity Debugger, Wireshark, FakeNet, and other analytic software. While this told me a lot about what the malware was doing, there were still many pieces missing. Then, I found Cuckoo.Cuckoo is a free, open source automated malware analysis sandbox. What this means is that it launches a virtual machine, runs the malware, and reports back everything that the piece of malware did in a nice, readable HTML report.Before I start, a little bit about me. I am a Computer Security student at the Rochester Institute of Technology in Rochester, NY. I am on my 3rd internship dealing with technology, currently working for the Massachusetts Port Authority as a Cyber Security intern. I have a strong interest in the Cyber Security field, and an even stronger background.I've been working with computers ever since the fifth grade, creating things, and then seeing how to hack into them. I have a passion for seeing how things work, how to break them, and ultimately how to make them more secure. I also just got Security+ certified over the weekend, and I plan to pursue my CEH or CHFI certification within the next month or two. Today, I’m going to go over how to set Cuckoo up, and how to get started with malware analysis with Cuckoo.INSTALLATIONFirst of all, you need to be on a Linux host. I'm using Linux Mint 17.1 for this tutorial. Before we install Cuckoo, we need to install a lot of dependencies on our machine. Use the following command to install all the necessary Python dependencies:
sudo apt-get install python-sqlalchemy python-dpkt python-bson python-chardet python-jinja2 python-magic python-libvirt python-bottle python-pefile python-pip python-devNext, we install the libraries with:
sudo apt-get install libxml2-dev libxslt-dev and sudo pip install cybox django MAEC ssdeep libfuzzy-devYara is optional, so I won't install it here. But, there are many other tutorials for that. Install git with sudo apt-get install git and then git clone: https://github.com/kbandla/pydeep.git
sudo python setup.py build
sudo python setup.py installThen, after that, we Install MongoDB with:
sudo apt-get install mongodb python-pymongoDownload Cuckoo on the Linux host:
sudo git clone https://github.com/cuckoobox/cuckoo.gitCreate a VM named cuckoo1 with any version of Windows. Write down the IP address. Download Python 2.7, Python Imaging Library and Adobe Reader. I used version 9.0. Reader, which allows you to analyze pdf files as well as executables. You can also install MS Word if you want to analyze .doc files.Copy the agent.py file form the /cuckoo/agent folder to the Windows machine and set it to run at startup. Take a snapshot of the VM and name it cuckoo1.Back on the Linux host, open up /cuckoo/conf/cuckoo.conf and change the resultserver IP address to that of your Linux host. Change the interface to the one you're using for VMware or Virtualbox. (Usually vmnet0 for VMware and vboxnet0 for Virtualbox)Next, edit your appropriate virtualization software .conf file - such as vmware or virtualbox. In the .conf file, change the IP to that of the Windows host and verify that all the info about the VM is correct.One last thing before you begin, edit the reporting.conf and enable mongodb. RUNNING CUCKOO
Open up a terminal and type:
python /home/YOUR USERNAME/cuckoo/cuckoo.pyThis will launch Cuckoo. Make sure there are no errors, and then start the web interface under the utils folder like this: python /home/YOUR USERNAME/cuckoo/utils/web.pyBrowse to localhost:8080 in your favorite web browser and submit the file to be analyzed. Your VM will then open up and it will analyze the malware. After 10 or so minutes, your malware will be analyzed and it will give you a link to the nice looking report of the malware with all the malicious activity that occurred. I hope this helps you guys. If not, let me know in the comments. Thanks for reading!