How to set up Cuckoo Sandbox
Setup
To be able to analyze malware, you need to be able to detonate it in a safe environment without further propagating the malware. This type of environment is called a sandbox. I will be using Cuckoo sandbox.
When analyzing malware, it is usually safer to use a spare computer, but if you don’t have one that’s alright. Provided you configure your environment properly there’s nothing to fear.
I am going to use a virtualization environment; in my case, VirtualBox. I will create a host VM (Ubuntu 20.04) which will in turn run a guest VM (Windows 7). Give them reasonable resources to mimic a real computer, because some malware has sandbox detection: if the malware decides it is running in a sandbox, it simply will not perform its malicious function.
Host VM — Ubuntu 20.04 (about 7 GB RAM with 100 GB storage) with Cuckoo and other plugins installed
Guest VM — Windows 7 (2 GB RAM), made intentionally vulnerable.
After setting up the host VM, the next step is setting up the Cuckoo sandbox on it.
Installation
The first step is to set up a VM that will be used to host another VM; I will be using Ubuntu 20 for this purpose.
Update the packages and repo:
sudo apt-get update && sudo apt-get upgrade -y
Create another user; in my case it will be “cuckoo”:
sudo adduser cuckoo
Add the user to sudo:
sudo adduser cuckoo sudo
Install curl, download the python-pip installer, install Python (2.7), and then install python-pip. On Ubuntu 20.04 the Python 2 package is named python2 (with python-is-python2 providing the python command), so substitute that name if apt cannot find python:
sudo apt-get install curl
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
sudo apt-get install python
sudo python get-pip.py
Now to install a lot of dependencies. These are needed for VirtualBox and Cuckoo to work properly:
sudo apt-get install -y python-dev libffi-dev libssl-dev libfuzzy-dev libtool flex autoconf libjansson-dev git python-setuptools libjpeg-dev zlib1g-dev swig
Now we need to install MongoDB and PostgreSQL:
sudo apt-get install -y mongodb postgresql libpq-dev
Now we need to install the hypervisor — VirtualBox:
sudo apt-get install -y virtualbox
Cuckoo is an open source tool and can use a lot of plugins to increase functionality; one of them is Volatility, which Cuckoo uses for memory analysis. Change directory to the Downloads folder and download the Volatility 2.6 standalone release (the -O flag saves it to a file instead of dumping the zip to the terminal):
cd ~/Downloads
curl -O http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
Unzip it and change into the extracted directory to view its contents:
unzip volatility_2.6_lin64_standalone.zip
Go back to the parent folder — Downloads — and install the Python modules Volatility depends on:
sudo -H pip install distorm3==3.4.4 yara-python==3.6.3
Install ssdeep:
sudo apt-get install -y ssdeep
Now to install some other dependencies:
sudo -H pip install pydeep openpyxl ujson jupyter
Install tcpdump and set it up for network capture: the setcap call grants it the raw-socket capabilities it needs so Cuckoo can capture traffic without running as root, and getcap confirms they were applied:
sudo apt-get install tcpdump && sudo apt-get install libcap2-bin && sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump && getcap /usr/sbin/tcpdump
Now install the AppArmor utilities and disable the tcpdump AppArmor profile so it is not loaded at startup (the profile would otherwise stop tcpdump from writing captures into Cuckoo's working directory):
sudo apt-get install -y apparmor-utils && sudo aa-disable /usr/sbin/tcpdump
Install Cuckoo:
pip install -U pip setuptools
sudo -H pip install -U cuckoo
Now run cuckoo once to create its default working directory (~/.cuckoo):
cuckoo
Now for a bit of networking. Let's look at the current network setup first.
Let’s create a host-only network adapter and give it an IP address:
vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
Now we want this change to be persistent upon reboot:
sudo mkdir /opt/systemd/
sudo nano /opt/systemd/vboxhostonly
Type in the following text (the first line must be a shebang, and both commands go through vboxmanage):
#!/bin/bash
vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
Now make the file executable:
sudo chmod a+x /opt/systemd/vboxhostonly
Now let’s create a service:
sudo nano /etc/systemd/system/vboxhostonlynic.service
Type in the following text:
[Unit]
Description=Setup VirtualBox Hostonly Adapter
After=vboxdrv.service
[Service]
Type=oneshot
ExecStart=/opt/systemd/vboxhostonly
[Install]
WantedBy=multi-user.target
Install the service and enable it to run at boot time:
sudo systemctl daemon-reload
sudo systemctl enable vboxhostonlynic.service
Now for the guest machine (Windows 7).
We need to make it intentionally vulnerable.
Simply follow this straightforward video — https://www.youtube.com/watch?v=lKWAr8fy9pk
or
From the Windows Start menu, type group and click Edit group policy.
Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Scroll down to the User Account Control options and set the elevation prompt behaviour for administrators to Elevate without prompting.
Still under the User Account Control options, click Detect application installations and prompt for elevation and disable it.
Still under the User Account Control options, click Run all administrators in Admin Approval Mode and disable it.
Now we need to remove the Windows network protection: turn off both the private and public firewalls.
Next, turn off Windows Defender.
Then turn off automatic updates.
Now for the Cuckoo agent: on the guest we need to install Python 2.7 (https://www.python.org/ftp/python/2.7.8/python-2.7.8.msi) and the Python Pillow imaging library, which the agent uses to take screenshots.
Install applications that might be interesting to the malware; I only installed Adobe Reader in my case.
Next, we need to move the Cuckoo agent over to the Windows machine for monitoring. On the Ubuntu host, change directory to the ~/.cuckoo/agent folder. Copy the agent.py file and place it in C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on the guest; this starts agent.py every time the virtual machine boots. To see AppData on Windows 7, you must enable showing hidden files and folders in Folder Options.
All set, next thing is to restart the Windows 7 VM. Upon restart, you should see a blank Python shell. This means the agent is running.
Now we need to put the Windows 7 VM on the sandbox network: in its VirtualBox network settings, select Host-only Adapter and vboxnet0.
The final set of configurations is done from the Ubuntu host VM. Change directory to ~/.cuckoo/conf and edit the cuckoo.conf file. Make sure these are set (the bracketed lines are the section headers each setting lives under):
[cuckoo]
machinery = virtualbox
memory_dump = yes
[resultserver]
ip = 192.168.56.1
Edit the auxiliary.conf file and enable the sniffer:
[sniffer]
enabled = yes
Edit the virtualbox.conf file:
[virtualbox]
mode = gui
machines = win7
[win7]
label = win7
platform = windows
ip = 192.168.56.101
snapshot = win7_vuln
The snapshot value names a VirtualBox snapshot of the win7 VM; take one with that name while the agent is running, because Cuckoo restores it before every analysis.
Edit the processing.conf file and enable memory processing:
[memory]
enabled = yes
Edit the memory.conf file:
[basic]
guest_profile = Win7SP1x86
Edit the reporting.conf file and enable the MongoDB section (the web interface reads its results from MongoDB):
[mongodb]
enabled = yes
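A typo in any of these files only shows up when an analysis fails, so here is an added shell checker (not part of the original post or of Cuckoo itself) that reads each value back out of the conf files and compares it with what the walkthrough expects. It assumes Cuckoo 2.x's INI layout and section names ([cuckoo], [resultserver], [sniffer], [virtualbox] and [win7], [memory], [basic], [mongodb]); the conf files it writes for its own demonstration are constructed samples.

```shell
# Added example, not from the original post: verify the ~/.cuckoo/conf settings
# above before starting Cuckoo. Assumes Cuckoo 2.x INI files ([section], "key = value").
# ini_get FILE SECTION KEY: print the value of KEY under [SECTION]; exit 1 if absent.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { h = $0; gsub(/[ \t\r]/, "", h); in_sec = (h == sec); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; found = 1; exit
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# expect_kv FILE SECTION KEY WANT: 0 if the stored value equals WANT, else report it and return 1.
expect_kv() {
    got=$(ini_get "$1" "$2" "$3") || { echo "MISSING  $1 [$2] $3"; return 1; }
    [ "$got" = "$4" ] && return 0
    echo "MISMATCH $1 [$2] $3 = '$got' (want '$4')"
    return 1
}

# check_cuckoo_conf DIR: 0 only when every setting the walkthrough requires is in place.
check_cuckoo_conf() {
    d=$1; rc=0
    expect_kv "$d/cuckoo.conf"     cuckoo       machinery     virtualbox     || rc=1
    expect_kv "$d/cuckoo.conf"     cuckoo       memory_dump   yes            || rc=1
    expect_kv "$d/cuckoo.conf"     resultserver ip            192.168.56.1   || rc=1
    expect_kv "$d/auxiliary.conf"  sniffer      enabled       yes            || rc=1
    expect_kv "$d/virtualbox.conf" virtualbox   mode          gui            || rc=1
    expect_kv "$d/virtualbox.conf" virtualbox   machines      win7           || rc=1
    expect_kv "$d/virtualbox.conf" win7         ip            192.168.56.101 || rc=1
    expect_kv "$d/virtualbox.conf" win7         snapshot      win7_vuln      || rc=1
    expect_kv "$d/processing.conf" memory       enabled       yes            || rc=1
    expect_kv "$d/memory.conf"     basic        guest_profile Win7SP1x86     || rc=1
    expect_kv "$d/reporting.conf"  mongodb      enabled       yes            || rc=1
    return $rc
}

# write_sample_conf DIR: constructed minimal conf files with the post's values, for trying the checker offline.
write_sample_conf() {
    mkdir -p "$1"
    printf '[cuckoo]\nmachinery = virtualbox\nmemory_dump = yes\n\n[resultserver]\nip = 192.168.56.1\n' > "$1/cuckoo.conf"
    printf '[sniffer]\nenabled = yes\n' > "$1/auxiliary.conf"
    printf '[virtualbox]\nmode = gui\nmachines = win7\n\n[win7]\nlabel = win7\nplatform = windows\nip = 192.168.56.101\nsnapshot = win7_vuln\n' > "$1/virtualbox.conf"
    printf '[memory]\nenabled = yes\n' > "$1/processing.conf"
    printf '[basic]\nguest_profile = Win7SP1x86\n' > "$1/memory.conf"
    printf '[mongodb]\nenabled = yes\n' > "$1/reporting.conf"
}
```

Against a real install, run check_cuckoo_conf ~/.cuckoo/conf; any MISSING or MISMATCH line points at the file and section to fix.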
Reboot the Ubuntu machine, then open the Windows machine too.
The next thing is to fetch the Cuckoo community signatures so that it can analyze and score samples properly:
cuckoo community
Start Cuckoo:
cuckoo
Start the web server that hosts the Cuckoo interface (0.0.0.0 binds on every interface of the host VM, so use 127.0.0.1:8000 instead if other machines can reach it):
cuckoo web runserver 0.0.0.0:8000