Building a Cuckoo Sandbox

Building a Cuckoo Sandbox

Sometimes there is a need to analyse files in a live environment where their composition and provenance may not be entirely certain. For the most part we can try to reply on virus detection and heuristics to detect potentially malicious files, but what about those files which have not yet been identified, or have been specifically crafted for your organisation as a targeted attack?

Note: I have updated this article to reflect the current installation requirements for Cuckoo on Ubuntu 18.04 (as at 22nd Feb 2021).

This is where the Cuckoo sandbox can help in analysing files rapidly, and potentially be used to feed into other threat reporting and case work systems. In this article I will show some of the functions which can be performed with Cuckoo and a Windows 10 Virtual Machine Guest correctly configured to handle most payloads.

As an alternative to reading all of the below, you could also just clone my Github Repo for Cuckoo and install it from a single shell file:

git clone https://github.com/adammchugh/MaleficentLab-MalwareAnalysis-Cuckoo/
cd /MaleficentLab-MalwareAnalysis-Cuckoo/
bash install_cuckoo_ubuntu_1804.sh

For this example I will be installing Cuckoo on an Ubuntu host which is actually part of an ESXI cluster – meaning I am running a virtual machine within a virtual machine…

Installing Dependencies

Cuckoo has a few requirements, and for the Ubuntu OS side of things these are all taken care of in the below statement. Whilst I have included Python3 in this code block, Cuckoo requires Python 2.7, but there are some integrations which may require Python3.

sudo apt update -y
sudo apt upgrade -y
sudo apt install python3 python3-pip python3-dev python python-pip libffi-dev libssl-dev  -y
sudo apt install virtualbox virtualbox-guest-additions-iso virtualbox-dkms -y
sudo apt install libjpeg-dev zlib1g-dev swig ssdeep tcpdump mongodb volatility -y
sudo apt install unzip -y

Allow TCP Dump to be run

For PCAP files to be generated as part of the dynamic analysis, we need to have TCPDump permitted to be executed on the host. We do that by running the below:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Configure memory and file limits

Cuckoo may need to open a lot of files as part of the analysis, so it is usually a good idea to boost these values up.

echo 'fs.file-max = 100000' | sudo tee -a /etc/sysctl.conf
sudo sysctl -w fs.file-max=100000
sudo sysctl -p

Create OPT directories

Outside of /etc/cuckoo, an /opt/ directory will be required to store the OVAs we are going to download, and the shared software which will be presented to the Analysis VM.

mkdir /opt/cuckoos
mkdir /opt/cuckoos/shared
mkdir /opt/cuckoos/ovas

Download Windows Virtual Machines

If you already have a Windows ISO you can use that instead, however I have included a download for the Windows 10 OVA from the Microsoft site here as a starter, however I would suggest installation from an OEM source over the OVA as there are less markers in the OEM which would give away the Virtual Machine.

wget -O /opt/cuckoos/ovas/Windows10.zip https://az792536.vo.msecnd.net/vms/VMBuild_20190311/VirtualBox/MSEdge/MSEdge.Win10.VirtualBox.zip
unzip /opt/cuckoos/ovas/Windows10.zip -d /opt/cuckoos/ovas/
mv /opt/cuckoos/ovas/MSEdge\ -\ Win10.ova /opt/cuckoos/ovas/Windows10.ova
rm -f /opt/cuckoos/ovas/Windows10.zip

Download Shared Files for Analysis VMs

The analysis VM will require Python 2.7.11 and PIL to enable the agent and allow for screenshot generation. I have also included PatchMyPC which will allow you to install a number of productivity and office applications to make the VM look a bit lived in.

wget https://www.python.org/ftp/python/2.7.11/python-2.7.11.amd64.msi -O /opt/cuckoos/shared/python-2.7.11.amd64.msi
wget https://github.com/lightkeeper/lswindows-lib/raw/master/amd64/python/PIL-1.1.7.win-amd64-py2.7.exe -O /opt/cuckoos/shared/PIL-1.1.7.amd64-py2.7.exe
wget https://patchmypc.com/freeupdater/PatchMyPC.exe -O /opt/cuckoos/shared/PatchMyPC.exe

Configure Network Interfaces and IPTables

We need to now create the network interface for the Analysis VMs, and then create a network route between the vboxnet0 network range, and the external adapter. This will allow the Analysis VMs to talk out to the Internet.

vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
NETWORKINTERFACE=$(ip link | awk -F: '$0 !~ "lo|vir|wl|^[^0-9]"{print $2;getline}')
sudo iptables -t nat -A POSTROUTING -o "$NETWORKINTERFACE" -s 192.168.56.0/24 -j MASQUERADE
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -j LOG
sudo iptables-save > /etc/network/iptables.rules
sysctl -w net.ipv4.ip_forward=1
sudo echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

Create Analysis VM

Now we can deploy the OVA to Virtualbox and assign some resources. I have also included in here some options which aim to reduce the detection rate for anti-VM malware techniques.

vboxmanage import /opt/cuckoos/ovas/Windows10.ova --vsys 0 --vmname Windows10 --cpus 2 --memory 4096 --unit 10 --disk /opt/cuckoos/Windows10.vmdk
vboxmanage modifyvm Windows10 --nic1 hostonly
vboxmanage modifyvm Windows10 --hostonlyadapter1 vboxnet0
vboxmanage modifyvm Windows10 --ioapic off
vboxmanage modifyvm Windows10 --paravirtprovider none
vboxmanage sharedfolder add Windows10 --name "Shared" --hostpath /opt/cuckoos/shared --automount

Install Cuckoo

Now we get the fun part, installing Cuckoo. Now that we have the dependencies covered, we can now install a couple of support Python libraries, and then overlay that with Cuckoo.

sudo python -m pip install -U pip
sudo pip2 install -U weasyprint==0.42.2
sudo pip2 install -U pyrsistent==0.16.1
sudo pip2 install -U cryptography==3.2.0
sudo pip2 install -U cuckoo
sudo mkdir /etc/cuckoo
sudo chmod 750 /etc/cuckoo
sudo chown -R $(whoami):$(whoami) /etc/cuckoo
echo "export CUCKOO=/etc/cuckoo" >> ~/.bashrc
export CUCKOO=/etc/cuckoo
cuckoo --cwd /etc/cuckoo
cuckoo --cwd /etc/cuckoo community

Starting the analysis VM

With this complete, you should now be able to start powering up your VM to get it into a ready state for analysis.

vboxmanage startvm “Windows10”

Starting the VM, Snapshotting, and Returning to Ready State Running the startvm command needs to be from within an Ubuntu GUI session, otherwise the output from the VM will not be visible. Once the VM is configured to the operative state, then we take a snapshot of the instance, shut it down, then restore it to the snapshot. The idea being, each time an analysis occurs, this VM will be spun up at that point for analysis.

When you are ready to start building your Cuckoo VM run the following:

Prior to snapshotting your installation and making it available to Cuckoo, you need to ensure a few capabilities are ready to roll.

This must include the following:

  • Disable Updates
  • Disable User Access Control
  • Disable Firewall
  • Disable Anti-virus
  • Assign a static IP address within the 192.168.56.0/24 range
  • The VM must be able to ping 192.168.56.1
  • Python agent.py is running in the background as Administrator

Snapshot the Analysis VM

If the above has been configured correctly, now you can snapshot your installation so it will restore from this point each time.

vboxmanage snapshot “Windows10” take “cuckoo-ready” –pause 
vboxmanage controlvm “Windows10” poweroff 
vboxmanage snapshot “Windows10” restorecurrent

Now we can tell Cuckoo about this virtual machine and have it added to the analysis engines.

Configuring Cuckoo

Configuring Cuckoo with your Virtual Machine Depending on where you have put the Cuckoo working directory you will find some configuration files which will require editing before you can start submitting samples.

In my example my CWD is located at /etc/cuckoo, so the files I will need to update are the following:

# /etc/cuckoo/conf/cuckoo.conf
ignore_vulnerabilities = yes # recommend setting this to no in production machinery = virtualbox 

Within the machinery configuration section we will now need to add the virtualbox Windows10_1 to the line up. We do that by modifying the following:

# /etc/cuckoo/conf/virtualbox.conf
mode = headless
machines = Windows10

And adding the following in place of the [cuckoo] section:

# /etc/cuckoo/conf/virtualbox.conf
[Windows10_1]
label = Windows10
platform = windows
ip = 192.168.56.101
snapshot =
interface = 
resultserver_ip =
resultserver_port =
tags =
options =
osprofile =

Now save this document. You should now be able to start cuckoo through the daemon flag, and see something similar to this:

Note: In my implementation I have deployed several Windows 7 VMs instead of Windows 10.

Configuring the Web UI

For the Web UI to function, the Mongo DB needs to be configured for usage. We can do this through modifying the reporting configuration file as such:

# /etc/cuckoo/conf/reporting.conf
[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
username = 
password =

Keep in mind, Mongodb will only allow you to conduct a single analysis at a time, there is no concurrent processing without moving to something such as MySQL (which I will detail in another write up).

Cuckoo should now be ready to start through the CLI by issuing the following command:

cuckoo web -p 80
Note: It is not recommended to run Cuckoo as root.

And the web UI should now be accessible from the nominated port (in my case port 80).

Happy malware analysis'ing....

1 comment so far

Building a parallel-analysis Cuckoo server – McHugh Security Posted on9:00 pm - February 27, 2021

[…] previous posts I have discussed the building of Cuckoo as a semi-automated malware analysis environment for the […]

Leave a Reply

three × 3 =