Cuckoo Sandbox Setup Tutorial

Cuckoo Sandbox is an automated malware analysis sandbox in which malware can be safely run to study its behavior. The benefits of setting up a Cuckoo Sandbox are immense. Having a private, open-source malware sandbox means you can run any suspicious file without worrying about sensitive data being leaked to a public service such as VirusTotal. The sandbox can also be tailored to your organization's security needs and tools. This guide walks you through a basic installation and configuration of Cuckoo Sandbox so that you can begin dynamically analyzing malware in a safe environment.

  1. Cuckoo Sandbox prerequisite software setup
    1. The preferred operating system for Cuckoo Sandbox is Linux: install the latest version of Ubuntu
    2. Complete a full machine update: sudo apt-get update && sudo apt-get dist-upgrade -y
  2. Software dependencies setup
    1. Install the required Linux packages: sudo apt-get install python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb libcap2-bin libfuzzy-dev virtualbox curl -y
    2. Upgrade pip, the Python package installer: pip install -U pip
    3. Install tcpdump (network sniffer) and let it capture traffic without running as root:
      1. sudo apt-get install tcpdump apparmor-utils -y
      2. sudo aa-disable /usr/sbin/tcpdump
      3. sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
      4. getcap /usr/sbin/tcpdump -> expected output: /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
    4. Install yara, open source malware signature tool:
      1. sudo apt-get install automake libtool make gcc flex bison libjansson-dev libmagic-dev -y
      2. wget https://github.com/VirusTotal/yara/tree/3.6/yara-3.6.zip
      3. mv yara-3.6.zip /home/<user>/
      4. unzip yara-3.6.zip
      5. cd yara-3.6.2
      6. ./bootstrap.sh
      7. ./configure --enable-cuckoo --enable-magic --enable-dotnet
      8. make
      9. sudo make install
      10. make check
      11. sudo pip install yara-python
    5. Install ssdeep and pydeep, tools for piecewise (fuzzy) hashes:
      1. sudo apt-get install ssdeep python-ssdeep -y
      2. sudo pip install pydeep
    6. Install the Python PDF report software:
      1. sudo pip install "weasyprint==0.39"
  3. Cuckoo Sandbox software installation
    1. Create the cuckoo user and give it access to VirtualBox:
      1. sudo adduser cuckoo
      2. sudo usermod -a -G vboxusers cuckoo
    2. Increase the open file limit:
      1. sudo vim /etc/security/limits.conf
      2. append the required limit entries at the end of the file
    3. Set up the Python environment:
      1. create a virtual environment: virtualenv venv
      2. activate it: . venv/bin/activate
    4. Download Cuckoo Sandbox software:
      1. sudo pip install -U pip setuptools
      2. sudo pip install -U cuckoo
      3. cuckoo -d
      4. cuckoo community
  4. Guest machine setup (VM that runs the malware sample)
    1. Create a VM with an all-lowercase name in VirtualBox
    2. Install a Windows 7 x64 ISO (recommended) or another operating system ISO
    3. Download and install Python 2.7.13
    4. pip install Pillow
    5. Turn off everything for Windows Update, Windows Defender, and any software updates
    6. Set UAC (User Account Control) to its lowest level
    7. Download any software needed for testing (recommended: Office 2013, Adobe Reader, Adobe Player, Java, Firefox)
    8. Set up networking:
      • (VirtualBox before 5.1): in VirtualBox "Preferences" choose Host-only Networks and create a new host-only network: vboxnet0
      • (VirtualBox 5.2 and later): in VirtualBox "Host Network Manager" click the Create button and name the network vboxnet0
      • Uncheck the DHCP Server checkbox for this host-only network in the VirtualBox preferences
      • Set the static IP address 192.168.56.101 inside the VM
    9. Cuckoo Sandbox Python agent, the tool that lets Cuckoo and the VM talk:
      1. Copy the agent into the guest machine (setting up an SFTP server is recommended for this: https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-ubuntu-16-04)
      2. Place the agent in the Windows Startup folder
    10. Create a VM snapshot (for every analysis, Cuckoo Sandbox boots a fresh VM from this snapshot):
      1. Start the VM
      2. Click the 'Machine' menu at the top and select 'Take Snapshot'
  5. Cuckoo Sandbox configuration files setup
    1. Modify virtualbox.conf (nano .cuckoo/virtualbox.conf):
      1. change machines = cuckoo1 to the name of the guest machine
      2. change the section header [cuckoo1] to the name of the guest machine
      3. change label = cuckoo1 to the name of the guest machine
      4. change ip = 192.168.56.101 if the guest machine does not use the default IP address
    2. Modify reporting.conf (nano .cuckoo/reporting.conf):
      1. in [mongodb] change enabled = no to yes
    3. Modify processing.conf (nano .cuckoo/processing.conf):
      1. in [screenshots] change enabled = no to yes
      2. in [baseline] change enabled = no to yes
      3. in [virustotal] change enabled = no to yes
    4. Modify cuckoo.conf (nano .cuckoo/cuckoo.conf):
      1. change memory_dump = no to yes
    5. Modify auxiliary.conf (nano .cuckoo/auxiliary.conf):
      1. in [services] change enabled = no to yes
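The configuration edits above can be scripted so that every sandbox host gets exactly the same settings and the changes are easy to review. The following Python is an added example, not part of this tutorial or of Cuckoo itself; it assumes the .conf files sit together in one directory passed as conf_dir, uses Cuckoo's stock section names, and the function names set_guest, enable and apply_dir are chosen here.

```python
import configparser
import os

# (file, section, option) that the tutorial switches from "no" to "yes"; file
# names are relative to the config directory. processing.conf names the
# screenshot section [screenshots].
ENABLE = [
    ("reporting.conf", "mongodb", "enabled"),
    ("processing.conf", "screenshots", "enabled"),
    ("processing.conf", "baseline", "enabled"),
    ("processing.conf", "virustotal", "enabled"),
    ("cuckoo.conf", "cuckoo", "memory_dump"),
    ("auxiliary.conf", "services", "enabled"),
]

def parse(text):
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep option names exactly as written on disk
    cp.read_string(text)
    return cp

def set_guest(cp, old, new, ip=None):
    """Point 'machines' at [new], rename [old] to [new], set its label and ip."""
    out = configparser.RawConfigParser()
    out.optionxform = str
    for section in cp.sections():  # copy in order so the file layout survives
        name = new if section == old else section
        out.add_section(name)
        for key, value in cp.items(section):
            out.set(name, key, value)
    out.set("virtualbox", "machines", new)
    out.set(new, "label", new)
    if ip:  # only when the guest does not use the default address
        out.set(new, "ip", ip)
    return out

def enable(cp, section, option="enabled"):
    """Set section/option to yes, creating the section if it is absent."""
    if not cp.has_section(section):
        cp.add_section(section)
    cp.set(section, option, "yes")
    return cp

def apply_dir(conf_dir, old, new, ip=None):
    """Rewrite the tutorial's config files under conf_dir in place."""
    jobs = [("virtualbox.conf", lambda cp: set_guest(cp, old, new, ip))]
    jobs += [(f, lambda cp, s=s, o=o: enable(cp, s, o)) for f, s, o in ENABLE]
    for fname, fn in jobs:
        path = os.path.join(conf_dir, fname)
        with open(path) as fh:
            cp = fn(parse(fh.read()))
        with open(path, "w") as fh:
            cp.write(fh)
```

Run apply_dir(conf_dir, "cuckoo1", "<guest name>", "<guest ip>") once after cuckoo -d has created the files, and diff the directory before starting the daemon.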

For further resources on setting up Cuckoo Sandbox, please check out these links below:

Documentation: https://cuckoo.sh/docs/

Assistance: https://cuckoosandbox.org/discussion