Building a Cuckoo Sandbox

Sometimes there is a need to analyse files in a live environment where their composition and provenance may not be entirely certain. For the most part we can try to rely on anti-virus detection and heuristics to flag potentially malicious files, but what about those files which have not yet been identified, or have been specifically crafted for your organisation as a targeted attack?

This is where the Cuckoo sandbox can help: it analyses files rapidly, and its output can potentially be fed into other threat reporting and case work systems. In this article I will show some of the functions which can be performed with Cuckoo and a Windows 10 virtual machine guest correctly configured to handle most payloads.

For this example I will be installing Cuckoo on an Ubuntu host which is actually part of an ESXi cluster – meaning I am running a virtual machine within a virtual machine… Nested virtualisation like this only works if the ESXi host exposes the hardware virtualisation extensions to the Ubuntu VM, otherwise VirtualBox will refuse to start a 64-bit guest.

Dependencies

There are a few requirements and I will break this down into stages to make things nice and easy.

Ubuntu Dependencies

We need to install some dependencies. Cuckoo 2.x runs on Python 2 only, so the Python 2.7 packages are the ones required here:

sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt-get dist-upgrade -y
sudo apt-get install python python-pip python-dev libffi-dev libssl-dev -y
sudo apt-get install python-virtualenv python-setuptools -y
sudo apt-get install virtualbox virtualbox-guest-additions-iso virtualbox-dkms -y
sudo apt-get install libjpeg-dev zlib1g-dev swig ssdeep tcpdump mongodb volatility -y

TCPDump as Root

Tcpdump is required to capture the network activity of the analysis VM, but Cuckoo itself should not be running as root. Rather than running tcpdump as root, grant the binary the two capabilities it needs so that an unprivileged user can capture:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Confirm it took with getcap /usr/sbin/tcpdump, which should list cap_net_admin and cap_net_raw with the effective flag set. On Ubuntu the AppArmor profile for tcpdump can still stop it writing the capture file into the Cuckoo working directory; if captures come back empty, disable that profile with aa-disable /usr/sbin/tcpdump (from apparmor-utils).

It is highly recommended not to operate Cuckoo as root in these environments, so making tcpdump usable from the unprivileged user that runs Cuckoo (the 'cuckoo' user here) is what lets network packets be captured as an analysis proceeds.

Installing Cuckoo

Now we need to install Cuckoo using pip, as the unprivileged user that will run it (inside a virtualenv if you prefer, since python-virtualenv is already installed):

pip install -U weasyprint==0.42.2
pip install -U cuckoo

This installs weasyprint (yes, this specific version is required) and Cuckoo through pip. It will take a while, but once done you will have all of the base packages required to start configuring the malware analysis environment.

Building Analysis Machines

Downloading your Windows VMs and Importing into VirtualBox

You can choose to install your own 'gold' images of Windows for testing against Cuckoo; however, if you really only want to pull apart samples relatively quickly and easily, you can spin up the prebuilt Windows test OVAs which Microsoft provides on a 90 day licence. Plan on rebuilding the image when that licence runs out.

These images come pre-loaded with the VirtualBox Guest Additions, which saves you the added step of installing them.

mkdir -p /opt/cuckoos/shared /opt/cuckoos/ovas
wget https://az792536.vo.msecnd.net/vms/VMBuild_20180425/VirtualBox/MSEdge/MSEdge.Win10.VirtualBox.zip -O /opt/cuckoos/ovas/Windows10.zip
unzip /opt/cuckoos/ovas/Windows10.zip -d /opt/cuckoos/ovas

The download is a zip archive containing the OVA. The commands below refer to the extracted file as /opt/cuckoos/ovas/Windows10.ova, so rename it to match (or adjust the path) after extraction.

Now that I have the Windows 10 OVA downloaded, we can start by importing it into VirtualBox and then preparing the network interfaces.

vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

What we have done here is create a HostOnly interface and assigned an IP address to it. This is the subnet which will be used to communicate between the malware VM and the Virtualbox host.

Next we import the OVA as a VM into VirtualBox and attach the host-only interface to it. We also add a Shared Folder to the VM, which will carry our agent and base software over to the guest, and copy the Cuckoo agent into it (the agent ships in the agent/ directory of the Cuckoo working directory, /etc/cuckoo in this setup). The --unit number identifies the disk within the OVF; run the import with --dry-run first if you want to confirm it, which for this OVA was 10.

vboxmanage import /opt/cuckoos/ovas/Windows10.ova --vsys 0 --vmname Windows10_1 --cpus 1 --memory 2048 --unit 10 --disk /opt/cuckoos/Windows10_1.vmdk
vboxmanage modifyvm Windows10_1 --nic1 hostonly
vboxmanage modifyvm Windows10_1 --hostonlyadapter1 vboxnet0
vboxmanage sharedfolder add Windows10_1 --name "Shared" --hostpath /opt/cuckoos/shared --automount
cp /etc/cuckoo/agent/agent.py /opt/cuckoos/shared

Network configuration

We now need to tell the host how to route the guest VM out to the Internet, if you want it to have that access at all. Take care within this part to ensure your outgoing adapter is correctly named (in this case mine is eth0, yours may be different!). These commands run as root (or via sudo):

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
iptables -A FORWARD -j LOG
sysctl -w net.ipv4.ip_forward=1

Two things to be aware of. First, the FORWARD rule for 192.168.56.0/24 gives the sandbox unrestricted outbound access, so a sample can reach real command-and-control infrastructure, scan other networks or send mail from your IP address; put the Cuckoo host on an isolated egress path (or restrict the destinations here) rather than on your corporate network. Second, neither the iptables rules nor the sysctl setting survive a reboot, so persist them (iptables-persistent or your distribution's equivalent) if the routing is to come back on its own.

Starting the analysis VM

With this complete, you should now be able to start powering up your VM to get it into a ready state for analysis.

vboxmanage startvm "Windows10_1"

Starting the VM, Snapshotting, and Returning to Ready State

The startvm command needs to be run from within an Ubuntu GUI session, otherwise the console of the VM will not be visible and you will not be able to finish configuring the guest. Once the VM is in its operative state, we take a snapshot of the instance, shut it down, and restore it to that snapshot. The idea is that each time an analysis occurs, Cuckoo restores the VM to this point, runs the sample, and powers it off again, so nothing from one sample survives into the next.

Prior to snapshotting your installation and making it available to Cuckoo, you need to ensure a few capabilities are ready to roll.

This must include the following:

  • Windows Update disabled (an update running mid-analysis changes the baseline and floods the packet capture)
  • User Account Control (UAC) disabled
  • Windows Firewall disabled
  • Anti-virus (Windows Defender) disabled, otherwise the sample is quarantined before it ever runs
  • A static IP address within the 192.168.56.0/24 range (192.168.56.101 is what the virtualbox.conf later in this article expects), with 192.168.56.1 as the default gateway and a reachable DNS server if the guest is to use the Internet
  • The VM must be able to ping 192.168.56.1
  • Python 2.7 installed on the guest (the Cuckoo 2.x agent is Python 2) and agent.py from the shared folder running in the background as Administrator; renaming it to agent.pyw runs it without a console window. The agent listens on TCP port 8000, and because the snapshot is taken while the VM is running, the running agent is captured in it.

Snapshot the Analysis VM

If the above has been configured correctly, now you can snapshot your installation so it will restore from this point each time.

vboxmanage snapshot "Windows10_1" take "cuckoo-ready" --pause
vboxmanage controlvm "Windows10_1" poweroff
vboxmanage snapshot "Windows10_1" restorecurrent

Now we can tell Cuckoo about this virtual machine and have it added to the analysis engines.

Configuring Cuckoo

Configuring Cuckoo with your Virtual Machine

Depending on where you have put the Cuckoo working directory (CWD) you will find some configuration files which require editing before you can start submitting samples. The default CWD is ~/.cuckoo for the user that installed Cuckoo; a different location is selected with the --cwd option or the CUCKOO_CWD environment variable.

In my example my CWD is located at /etc/cuckoo, so the files I will need to update are the following:

# /etc/cuckoo/conf/cuckoo.conf
[cuckoo]
machinery = virtualbox
ignore_vulnerabilities = yes  # skips Cuckoo's start-up checks for known-vulnerable components; recommend setting this to no in production

Within the [virtualbox] section of the machinery configuration we now need to add the VirtualBox VM Windows10_1 to the line up. We do that by modifying the following:

# /etc/cuckoo/conf/virtualbox.conf
[virtualbox]
mode = headless
machines = Windows10_1

And adding the following in place of the default [cuckoo1] machine section. The ip must be the static address you gave the guest; snapshot can stay empty to use the current snapshot (the one restored above) or be set to cuckoo-ready to be explicit; interface, resultserver_ip and resultserver_port can stay empty to inherit vboxnet0 from the [virtualbox] section and the result server address from cuckoo.conf (192.168.56.1 on port 2042 by default, which is why the guest must be able to reach 192.168.56.1):

# /etc/cuckoo/conf/virtualbox.conf
[Windows10_1]
label = Windows10_1
platform = windows
ip = 192.168.56.101
snapshot =
interface = 
resultserver_ip =
resultserver_port =
tags =
options =
osprofile =

Now save this document. You should now be able to start Cuckoo (cuckoo -d gives verbose logging, which is useful while proving the setup), and the start-up output should report that one machine has been loaded.

Note: In my implementation I have deployed several Windows 7 VMs instead of Windows 10.
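
Most first-run failures come down to three things: a guest IP that does not match virtualbox.conf, an agent that is not listening, or a tcpdump that has lost its capabilities. The following is an added example of mine, not code from the article or from the Cuckoo project, that checks all three from the host before you submit anything. It parses the [virtualbox] configuration (the embedded text is constructed to mirror the values above; pass the path of your real /etc/cuckoo/conf/virtualbox.conf instead), checks every listed machine against the vboxnet0 subnet, parses getcap output for tcpdump, and probes each guest's agent on TCP port 8000. The HOSTONLY_* constants, the function names and the script name are assumptions matching this article's setup.

```python
"""Pre-flight checks for the VirtualBox machinery configured above.

Added example, not code from the article or from the Cuckoo project. The subnet,
agent port and sample configuration are assumptions mirroring this article's setup.
"""
import ipaddress
import json
import re
import sys
import urllib.request
from configparser import ConfigParser

HOSTONLY_SUBNET = ipaddress.ip_network("192.168.56.0/24")  # vboxnet0 as set with vboxmanage
HOSTONLY_GATEWAY = ipaddress.ip_address("192.168.56.1")
AGENT_PORT = 8000  # TCP port the Cuckoo 2.x agent.py listens on inside the guest

# Constructed sample mirroring the [Windows10_1] definition in virtualbox.conf above.
SAMPLE_CONF = """\
[virtualbox]
machines = Windows10_1

[Windows10_1]
ip = 192.168.56.101
snapshot =
resultserver_ip =
resultserver_port =
"""


def load_conf(text):
    """Parse virtualbox.conf text ('%' is not special in Cuckoo's conf files)."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def machine_names(cp):
    return [n.strip() for n in cp.get("virtualbox", "machines", fallback="").split(",") if n.strip()]


def check_machines(cp, subnet=HOSTONLY_SUBNET, gateway=HOSTONLY_GATEWAY):
    """Return a list of problems with the machine definitions; an empty list means OK."""
    problems, seen = [], set()
    names = machine_names(cp)
    if not names:
        problems.append("[virtualbox] machines is empty")
    for name in names:
        if not cp.has_section(name):
            problems.append("%s is listed but has no [%s] section" % (name, name))
            continue
        try:
            ip = ipaddress.ip_address(cp.get(name, "ip", fallback="").strip())
        except ValueError:
            problems.append("%s: ip is missing or not an address" % name)
            continue
        if ip not in subnet:
            problems.append("%s: %s is outside %s" % (name, ip, subnet))
        if ip == gateway:
            problems.append("%s: %s is the host-only gateway, not a guest" % (name, ip))
        if ip in seen:
            problems.append("%s: %s is assigned to more than one machine" % (name, ip))
        seen.add(ip)
        rs = cp.get(name, "resultserver_ip", fallback="").strip()  # empty inherits cuckoo.conf
        if rs and ipaddress.ip_address(rs) not in subnet:
            problems.append("%s: resultserver_ip %s is not on the guest subnet" % (name, rs))
    return problems


def tcpdump_has_caps(getcap_output):
    """True when `getcap /usr/sbin/tcpdump` shows cap_net_admin and cap_net_raw as effective
    (libcap prints either "... = cap_net_admin,cap_net_raw+eip" or "... cap_net_admin,cap_net_raw=eip")."""
    m = re.search(r"((?:cap_[a-z_]+,?)+)[+=]([a-z]+)\s*$", getcap_output.strip())
    return bool(m) and {"cap_net_admin", "cap_net_raw"} <= set(m.group(1).split(",")) and "e" in m.group(2)


def probe_agent(ip, port=AGENT_PORT, timeout=3.0):
    """GET / on the guest agent; returns its JSON reply, or None if it is not answering."""
    try:
        with urllib.request.urlopen("http://%s:%d/" % (ip, port), timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except (OSError, ValueError):
        return None


def main(argv):
    # Usage: python cuckoo_preflight.py [/etc/cuckoo/conf/virtualbox.conf] ["$(getcap /usr/sbin/tcpdump)"]
    cp = load_conf(open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONF)
    problems = check_machines(cp)
    if len(argv) > 2 and not tcpdump_has_caps(argv[2]):
        problems.append("tcpdump: capabilities missing, rerun setcap (and check AppArmor)")
    for name in machine_names(cp):
        if cp.has_section(name) and probe_agent(cp.get(name, "ip", fallback="")) is None:
            problems.append("%s: agent not answering on port %d" % (name, AGENT_PORT))
    for problem in problems:
        print(problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the host as the cuckoo user with the real configuration path and the getcap output as the second argument; a non-zero exit means something on the checklist is not satisfied. The agent probe only tells you the guest is up and answering right now, which is the state the snapshot should have captured; it does not prove the snapshot Cuckoo will restore is the right one, so run it once more after a restorecurrent and startvm.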

Configuring the Web UI

For the Web UI to function, the Mongo DB needs to be configured for usage. We can do this through modifying the reporting configuration file as such:

# /etc/cuckoo/conf/reporting.conf
[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
username = 
password =

Keep in mind that MongoDB only backs the web UI and reporting. What limits you to a single analysis at a time is the task database Cuckoo uses internally, which defaults to SQLite (the connection setting in cuckoo.conf); SQLite struggles once several analysis VMs and processing instances write to it at the same time, so for concurrent processing that database needs to move to something such as PostgreSQL or MySQL (which I will detail in another write up).

Cuckoo should now be ready to start through the CLI by issuing the following command:

cuckoo web -p 80

Note: It is not recommended to run Cuckoo as root. Binding a port below 1024 requires root (or the CAP_NET_BIND_SERVICE capability), which is at odds with that advice; as the unprivileged cuckoo user pick a high port instead, for example cuckoo web -p 8000 (without any options it binds to localhost on port 8000). The web UI has no authentication of its own, so keep it bound to localhost (-H 127.0.0.1) or put it behind an authenticating reverse proxy rather than exposing it to the network.

And the web UI should now be accessible from the nominated port (in my case port 80).
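
The introduction mentions feeding results into other threat reporting and case work systems. Once an analysis finishes, Cuckoo writes a report.json for the task under the CWD (storage/analyses/<task id>/reports/report.json), and the script below, an added example of mine and not part of the article or of Cuckoo, flattens one into a single JSON line that a SIEM or case tool can ingest: hash, score, a verdict from thresholds of my own choosing, the signatures that fired, and the hosts and domains the sample contacted with the sandbox subnet (and any resolver you name) removed. The report keys it reads are the 2.x layout as I know it; confirm them against one of your own reports. SAMPLE_REPORT and the script name are constructed for illustration.

```python
"""Flatten a Cuckoo 2.x report.json into one record another system can ingest.

Added example, not code from the article or from Cuckoo. The keys read here
(info, target.file, signatures, network.hosts/domains) follow the 2.x report
layout as I know it; SAMPLE_REPORT is constructed for illustration only.
"""
import ipaddress
import json
import sys

# Host-only sandbox network: traffic to the host/result server there is not an IOC.
SANDBOX_NET = "192.168.56.0/24"

# Constructed, abridged report shaped like storage/analyses/<id>/reports/report.json.
SAMPLE_REPORT = {
    "info": {"id": 7, "score": 6.4, "machine": {"name": "Windows10_1"}},
    "target": {"category": "file",
               "file": {"name": "invoice_2018.exe", "sha256": "0" * 64}},
    "signatures": [
        {"name": "network_http", "severity": 2,
         "description": "Performs some HTTP requests"},
        {"name": "persistence_autorun", "severity": 3,
         "description": "Installs itself for autorun at Windows startup"},
        {"name": "recon_fingerprint", "severity": 1,
         "description": "Collects information to fingerprint the system"},
    ],
    "network": {
        "hosts": [{"ip": "203.0.113.10"}, {"ip": "192.168.56.1"}, {"ip": "8.8.8.8"}],
        "domains": [{"domain": "update.example.net", "ip": "203.0.113.10"}],
    },
}


def verdict(score):
    """Map Cuckoo's 0-10 score to a label; the thresholds are this example's own."""
    if score >= 7.0:
        return "malicious"
    if score >= 4.0:
        return "suspicious"
    return "benign"


def external_hosts(report, ignore=(SANDBOX_NET,)):
    """Contacted IPs worth reporting; ignore holds CIDR strings (sandbox net, your resolver)."""
    nets = [ipaddress.ip_network(n) for n in ignore]
    out = []
    for entry in report.get("network", {}).get("hosts", []):
        raw = entry.get("ip") if isinstance(entry, dict) else entry  # older reports list plain strings
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or any(ip in n for n in nets):
            continue
        if str(ip) not in out:
            out.append(str(ip))
    return out


def summarize(report, min_severity=2, ignore=(SANDBOX_NET,)):
    """Build the flat record: identity, score and verdict, fired signatures, network IOCs."""
    info = report.get("info", {})
    target = report.get("target", {}).get("file", {})
    sigs = [s for s in report.get("signatures", []) if s.get("severity", 0) >= min_severity]
    sigs.sort(key=lambda s: -s.get("severity", 0))  # stable sort keeps report order within a severity
    domains = {d.get("domain") for d in report.get("network", {}).get("domains", []) if d.get("domain")}
    return {
        "task_id": info.get("id"),
        "machine": info.get("machine", {}).get("name"),
        "filename": target.get("name"),
        "sha256": target.get("sha256"),
        "score": info.get("score"),
        "verdict": verdict(info.get("score") or 0.0),
        "signatures": [s["name"] for s in sigs],
        "ips": external_hosts(report, ignore),
        "domains": sorted(domains),
    }


def main(argv):
    # Usage: python cuckoo_summary.py [report.json] [resolver CIDR ...]; prints one JSON line
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    ignore = [SANDBOX_NET] + argv[2:]  # add the guest's DNS resolver so it is not reported as a contact
    print(json.dumps(summarize(report, ignore=ignore), sort_keys=True))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If you pointed the guest's DNS at a public resolver when configuring its static IP, that resolver shows up in network.hosts of every report; pass it as an extra CIDR on the command line so it is dropped along with the host-only subnet, otherwise every case you open will carry the same false contact.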

Happy malware analysis'ing....


Categories: Blog, Security Operations
