Cuckoo Sandbox Guideline – Preparing the guest (2/2)

This is the second and last post of a two-part article explaining how to install Cuckoo Sandbox.

If you haven’t read the first article yet, please read it first here.

Preparing the guest:

Creation of the Virtual Machine

Once you have properly installed your virtualization software, you can proceed to create all the virtual machines you need to execute the samples.

Requirements:

Install Python

Python is a strict requirement for the Cuckoo guest component (the analyzer) to run properly.
Python version 2.7 must be downloaded from https://www.python.org/downloads/

Python Pillow

It is used to take screenshots of the Windows desktop during the analysis.

Additional Software

Depending on the files to analyze, other software needs to be installed:

  • Microsoft Office
  • Pdf reader
  • Other browsers
  • PowerShell

Network Configuration

Windows Settings

In order to work properly, the Windows virtual machine needs all security controls and automatic software updates deactivated:

  • Disable updates
  • Disable firewall
  • Disable Windows User Access Control (UAC)

Virtual Networking

Configure network interface

The VirtualBox network adapter is configured as host-only, using the vboxnet0 interface.

Installing the Agent

In the $CWD/agent/ directory you will find the agent.py file.
Copy this file to the Guest operating system startup folder.

If you want to hide the agent’s window, rename the file from agent.py to agent.pyw; this prevents the console window from spawning.

Saving the Virtual Machine

$ VBoxManage snapshot "Win7" take "Win7_snapshot" --pause
$ VBoxManage controlvm "Win7" poweroff
$ VBoxManage snapshot "Win7" restorecurrent

Add the snapshot name to the virtualbox.conf configuration file (Win7_snapshot in this example):

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = Win7_snapshot
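As an added example (not code from the original post or from the Cuckoo project), the host-side steps above in one script: attaching the guest to the host-only network, taking the snapshot, and writing its name into the machine section of virtualbox.conf. The [cuckoo1] section layout follows Cuckoo 2.x; the VM name, machine label, IP and the $CWD path are assumed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Cuckoo project.
# Host-side steps: attach the guest to the host-only network, take the
# snapshot, and record the snapshot name in the machine section of Cuckoo's
# virtualbox.conf. The [cuckoo1] section layout follows Cuckoo 2.x; the VM
# name, machine label and IP used below are assumed sample values.
set -eu

# Put the guest's first NIC on the host-only network vboxnet0 (VM powered off).
attach_hostonly() {
    vm="$1"
    VBoxManage modifyvm "$vm" --nic1 hostonly --hostonlyadapter1 vboxnet0
}

# Snapshot the running guest, power it off and reset it to that snapshot.
take_snapshot() {
    vm="$1"; snap="$2"
    VBoxManage snapshot "$vm" take "$snap" --pause
    VBoxManage controlvm "$vm" poweroff
    VBoxManage snapshot "$vm" restorecurrent
}

# Set "snapshot = NAME" inside the [MACHINE] section of virtualbox.conf.
# An existing snapshot line in that section (even a commented-out one) is
# replaced; otherwise the line is appended at the end of the section.
set_snapshot_name() {
    conf="$1"; machine="$2"; snap="$3"
    awk -v m="$machine" -v s="$snap" '
        /^\[/ {
            if (in_sec && !done) { print "snapshot = " s; done = 1 }
            in_sec = ($0 == ("[" m "]"))
        }
        in_sec && /^#? *snapshot *=/ {
            if (!done) { print "snapshot = " s; done = 1 }
            next
        }
        { print }
        END { if (in_sec && !done) print "snapshot = " s }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Read the snapshot name back from a machine section (empty if unset).
get_snapshot_name() {
    conf="$1"; machine="$2"
    awk -v m="$machine" '
        /^\[/ { in_sec = ($0 == ("[" m "]")) }
        in_sec && /^snapshot *=/ { sub(/^snapshot *= */, ""); print; exit }
    ' "$conf"
}

# Typical run on the Cuckoo host (assumed sample values):
#   attach_hostonly Win7
#   take_snapshot Win7 Win7_snapshot
#   set_snapshot_name "$CWD/conf/virtualbox.conf" cuckoo1 Win7_snapshot
```

The machine section must also carry the VirtualBox VM name in its label and the guest's host-only address in ip; a snapshot name that does not exist in VirtualBox makes the machinery fail at analysis start, so verify it with VBoxManage snapshot "Win7" list before submitting samples.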

Web Interface

To be able to use the Cuckoo Sandbox web interface, some extra packages are required.

Installation

$ sudo apt-get install uwsgi uwsgi-plugin-python nginx apache2-utils

Create a uWSGI configuration file at /etc/uwsgi/apps-available/cuckoo-web.ini containing the configuration printed by the cuckoo web --uwsgi command.

Enable the app configuration and start the server.

$ sudo ln -s /etc/uwsgi/apps-available/cuckoo-web.ini /etc/uwsgi/apps-enabled/
$ sudo service uwsgi start cuckoo-web # or reload, if already running

Keep in mind that the application logs are found in the standard directory for distribution app instances, i.e. /var/log/uwsgi/app/cuckoo-web.log.

Create an nginx configuration file at /etc/nginx/sites-available/cuckoo-web containing the configuration printed by the cuckoo web --nginx command.

$ sudo adduser www-data cuckoo
$ sudo ln -s /etc/nginx/sites-available/cuckoo-web /etc/nginx/sites-enabled/
$ sudo service nginx start # or reload, if already running

The nginx server shall listen on port 8000.

Edit the nginx site file created above and add the listen directive inside the server block:

$ sudo vim /etc/nginx/sites-available/cuckoo-web

The correct value to add is: listen 8000;

Setup basic authentication

Cuckoo’s web interface has no authentication mechanism of its own, so we will use nginx’s basic auth.

To create a user, use:

$ sudo htpasswd -c /etc/nginx/htpasswd exampleuser

If the htpasswd file already exists, do not use the -c option or the file will be overwritten each time.

Where exampleuser is the name of the user you want to add.

Secure the permissions of the htpasswd file:

$ sudo chown root:www-data /etc/nginx/htpasswd
$ sudo chmod u=rw,g=r,o= /etc/nginx/htpasswd

To modify the user’s password type:

# htpasswd /etc/nginx/htpasswd userid

Restart nginx:

$ sudo service nginx restart
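Putting the web interface steps together, as an added example that is not part of the original post or of the Cuckoo project: a script that writes the nginx server block (listen 8000, basic auth in front of everything, a uWSGI upstream) and tightens the htpasswd file permissions. The uWSGI socket path and the upstream name are assumptions; check them against the output of cuckoo web --nginx on your host.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Cuckoo project.
# Writes the nginx server block that fronts the Cuckoo web interface on port
# 8000 with HTTP basic auth, and tightens the htpasswd file permissions.
# Paths are parameters so it can be tried against a scratch directory first;
# the uWSGI socket path and upstream name below are assumptions.
set -eu

# Write an nginx site file: listen on 8000, require basic auth for every
# location, and pass requests to the uWSGI application socket.
write_cuckoo_site() {
    site="$1"        # e.g. /etc/nginx/sites-available/cuckoo-web
    htpasswd="$2"    # e.g. /etc/nginx/htpasswd
    socket="${3:-/run/uwsgi/app/cuckoo-web/socket}"  # assumed socket path
    cat > "$site" <<EOF
upstream cuckoo_web {
    server unix:$socket;
}

server {
    listen 8000;
    server_name _;

    # nginx basic auth in front of the whole interface (Cuckoo has none)
    auth_basic "Cuckoo Sandbox";
    auth_basic_user_file $htpasswd;

    location / {
        client_max_body_size 1G;   # submitted samples can be large
        include uwsgi_params;
        uwsgi_pass cuckoo_web;
    }
}
EOF
}

# Root owns the password file; only nginx's group may read it; nobody else.
# chown needs root, so it is skipped when run as an ordinary user.
secure_htpasswd() {
    f="$1"
    group="${2:-www-data}"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then chown "root:$group" "$f"; fi
    chmod u=rw,g=r,o= "$f"
}

# Report the octal mode of a file, to confirm the chmod took effect.
htpasswd_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Typical run on the Cuckoo host (paths from the article):
#   write_cuckoo_site /etc/nginx/sites-available/cuckoo-web /etc/nginx/htpasswd
#   secure_htpasswd /etc/nginx/htpasswd
#   nginx -t && service nginx reload
```

Run nginx -t after writing the site file so a typo in the server block is caught before the reload; the resulting htpasswd mode should read 640 and the owner root:www-data.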

This tutorial will be updated on an ongoing basis.

So stay tuned.