Cuckoo Sandbox Install Guideline – Preparing the host (1/2)

Cuckoo Sandbox is an open source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while running in an isolated environment.
Cuckoo Sandbox has been recently updated to the version 2.0 and the steps to install it have changed a lot.

For this reason I’m re-writing my tutorial to explain how to install it.

It is based on my own experience and taking commands I used to setup new Cuckoo’s version.

Basic structure is based on the official Cuckoo Sandbox documentation.

Cuckoo Sandbox architecture

Host : runs the main components to manage the whole analysis process.
Analysis guest : isolated virtual environments where the samples are executed.

Preparing the host

Requirements

The following topics describes the main requirements to install Cuckoo Sandbox.

Python libraries

The following software packages from the apt repositories are required to get Cuckoo to install and run properly (currently only Python 2.7 is supported):

$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev 
$ sudo apt-get install python-virtualenv python-setuptools` 
$ sudo apt-get install libjpeg-dev zlib1g-dev swig

In order to use the Django-based Web Interface, MongoDB is required:

$ sudo apt-get install mongodb

Yara

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. Yara is an optional package.

Yara previous requirements:

$ sudo apt-get install automake libtool make gcc libjansson-dev libmagic-dev

Currently needed (future version of cuckoo won’t need it)

$ pip install yara-python

Yara package:

$ wget https://github.com/VirusTotal/yara/archive/v3.5.0.tar.gz
$ tar -zxf yara-3.5.0.tar.gz
$ cd yara-3.5.0
$ ./bootstrap.sh 
$ ./configure --enable-cuckoo --enable-magic
$ make` `$ sudo make install

Run the test cases to make sure that everything is fine:

$ make check

Pydeep

It is a Python/C binding’s library for the Ssdeep. Pydeep is an optional package:

$ sudo apt-get install ssdeep libfuzzy-dev

Pydeep package installation:

`$ wget https://github.com/kbandla/pydeep/archive/0.2.tar.gz` 
`$ tar –zxf 0.2.tar.gz` `$ cd pydeep-0.2/` 
`$ python setup.py build` 
`$ sudo python setup.py install`

Virtualization Software

Virtualboox is the virtualization software used to allocate the isolated guests machines:

$ echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list 
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add – 
$ sudo apt-get update $ sudo apt-get install virtualbox-5.1

Tcpdump

Tcpdump is a network sniffer used to capture and to dump the network activity performed by the malware sample executed:

$ sudo apt-get install tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump

For Linux platforms with AppArmor disabled (e.g., Debian) the following command will suffice to install Tcpdump:

$ sudo apt-get install tcpdump

Due to Cuckoo must be executed as non-root user; Tcpdump must be configured to run without root privileges:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

You can verify the results of the last command:

$ getcap /usr/sbin/tcpdumpp 
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

Volatility

The Volatility Framework is a collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples:

$ sudo apt-get install volatility

WeasyPrint

WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF.

It will help us generating pdf reports of the analyses.

$ sudo pip install weasyprint

Installing M2Crypto

M2Crypto is a crypto and SSL toolkit for Python. M2Crypto library is only supported when SWIG has been installed (if SWIG is present on the system, Cuckoo will automatically install the M2Crypto dependency upon installation):

$ sudo apt-get install swig

Installing Cuckoo

Create a user

To run Cuckoo as non-root user we must create a new user:

$ sudo adduser cuckoo

Make sure the new user belongs to the “vboxusers” group (or the group you used to run VirtualBox):

$ sudo usermod -a -G vboxusers cuckoo

Install Cuckoo

Cuckoo package needs to be installed in a virtual environment (virtualenv):

`$ virtualenv venv` 
`$ . venv/bin/activate` 
`(venv)$ pip install -U pip setuptools` 
`(venv)$ pip install -U cuckoo`

Host Network Routing

The following iptables rules will allow the VMs access to the Cuckoo host machine

`$ sudo iptables -t nat -A POSTROUTING -o interfaceName -s 192.168.56.0/24 -j MASQUERADE` 
`# Default drop.` `$ sudo iptables -P FORWARD DROP` 
`# Existing connections.` 
`$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` 
`# Accept connections from vboxnet to the whole internet.` 
`$ sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT` 
`# Internal traffic.` 
`$ sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT` 
`# Log stuff that reaches this point (could be noisy).` 
`$ sudo iptables -A FORWARD -j LOG`

Modify interface name by the name obtained from the command sudo ifconfig.

For an automatic loading on every server startup, these rules must be stored.

Save the rules:

$ sudo iptables-save > /etc/firewall.conf

Open /etc/network/if-up.d/interfaces and add:

#!/bin/sh` `Iptables-restore < /etc/firewall.conf

Provide it execution privileges

$ sudo chmod +x /etc/network/if-up.d/iptables

If you need to save changes to your rules in the future, you can manually edit /etc/firewall.conf or you can adjust your rules live and run:

$ sudo iptables-save > /etc/firewall.conf

IP forwarding must be enabled in kernel configuration:

$ echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
$ sudo sysctl -w net.ipv4.ip_forward=1

Other option to make ip forwarding permanent is edit /etc/sysctl.conf and search for the following lines:

`# Uncomment the next line to enable packet forwarding for IPv4`
`#net.ipv4.ip_forward=1`

Cuckoo Working Directory All configurable components, generated data, and results of Cuckoo are stored in Cuckoo Working Directory.

By default, this directory is located at /home/cuckoo/.cuckoo as it defaults to ~/.cuckoo (CWD can be modified if needed)

Cuckoo configuration files

All documents are located in Cuckoo Working Directory $CWD/conf

cuckoo.conf

The cuckoo.conf file contains generic configuration options.

machinery in [cuckoo]:

This option defines which Machinery module you want Cuckoo to use to interact with your analysis machines.

The value must be the name of the module without extension.

machinery = virtualbox

ip and port in [resultserver]:

These define the local IP address and port that Cuckoo is going to try to bind the result server on.

Make sure this matches the network configuration of your analysis machines or they won’t be able to return any results.

`ip = 192.168.56.1`

connection in [database]:

The database connection string defines how Cuckoo will connect to the internal database.

If empty, defaults to a SQLite3 database at $CWD/cuckoo.db. (our case)

auxiliary.conf

Auxiliary modules are scripts that run concurrently with malware analysis.

Activation in [sniffer]:

Enable or disable the use of an external sniffer (tcpdump)

enabled = yes

Activation in [mitm]:

Enable man in the middle proxying (mitmdump)

Enabled = yes

virtualbox.conf

Virtualbox module is the script that define how Cuckoo should interact with your virtualization software of choice.

Mode in [Virtualbox]:

Specify which VirtualBox mode you want to run your machines on. Can be “gui” or “headless”.

mode = headless

Virtual machine config in [machineName]:

Specify a comma-separated list of available machines to be used. For each specified ID you have to define a dedicated section containing the details on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)

machines = Cuckoo

[Cuckoo]

Specify the label name of the current machine as specified in your VirtualBox configuration.

label = Cuckoo

Specify the operating system platform used by current machine [windows/darwin/linux].

platform = windows

Specify the IP address of the current virtual machine. Make sure that the IP address is valid and that the host machine is able to reach it. If not, the analysis will fail.

ip = 192.168.56.101

memory.conf

The memory.conf file contains the Volatility configuration.

processing.conf

This file allows you to enable, disable and configure all processing modules. These modules are located under the cuckoo processing module and define how to digest the raw data collected during the analysis.

reporting.conf

This file contains information on the reports generation.

Configuration in [mongodb]:

`enabled = yes`

Configuration in [elasticsearch]:

enabled = no

In the next article we will cover the last step of the installation.