Sometimes there is a need to analyse files in a live environment where their composition and provenance may not be entirely certain. For the most part we can try to reply on virus detection and heuristics to detect potentially malicious files, but what about those files which have not yet been identified, or have been specifically crafted for your organisation as a targeted attack?
This is where the Cuckoo sandbox can help in analysing files rapidly, and potentially be used to feed into other threat reporting and case work systems. In this article I will show some of the functions which can be performed with Cuckoo and a Windows 10 Virtual Machine Guest correctly configured to handle most payloads.
For this example I will be installing Cuckoo on an Ubuntu host which is actually part of an ESXI cluster – meaning I am running a virtual machine within a virtual machine…
There are a few requirements and I will break this down into stages to make things nice and easy.
Ubuntu Dependencies We need to install some dependencies, we take care of that through installing the following:
sudo apt-get update -y sudo apt-get upgrade -y sudo apt-get dist-upgrade -y sudo apt-get install python python-pip python-dev libffi-dev libssl-dev -y sudo apt-get install python-virtualenv python-setuptools -y sudo apt-get install virtualbox virtualbox-guest-additions-iso virtualbox-dkms -y sudo apt-get install libjpeg-dev zlib1g-dev sw1g ssdeep tcpdump mongodb volatility -y
TCPDump as Root
Tcpdump is required to capture VM network activity, but we will also require it to operate as root. Its permissions can be updated with the following:
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
It is highly recommended to not operate Cuckoo as root in these environments, so making Tcpdump executable from the ‘cuckoo’ user makes sense as you will be capturing network packets as an analysis proceeds.
Now we need to install Cuckoo using pip:
This will install weasyprint (yes this version is required) and Cuckoo through pip. It will take a while, but once done will have all of the base packages you will require to start configuring the malware analysis environment.
pip install -U weasyprint==0.42.2 pip install -U cuckoo
Building Analysis Machines
Downloading your Windows VMs and Importing into VirtualBox You can choose to install your own ‘gold’ images of Windows for testing against the Cuckoo, however if you are really only keen on pulling apart samples relatively quickly and easily you can spin up some prebuilt Windows test OVAs which are provided by Microsoft on a 90 day licence.
These images come pre-loaded with the Virtualbox Guest VM software already in place, which saves you the added step of installing it.
mkdir /opt/cuckoos mkdir /opt/cuckoos/shared mkdir /opt/cuckoos/ovas wget https://az792536.vo.msecnd.net/vms/VMBuild_20180425/VirtualBox/MSEdge/MSEdge.Win10.VirtualBox.zip -O /opt/cuckoos/ovas/Windows10.zip
Now that I have the Windows 10 OVA downloaded, we can start by importing it into VirtualBox and then preparing the network interfaces.
vboxmanage hostonlyif create vboxmanage hostonlyif ipconfig vboxnet0 -–ip 192.168.56.1 –-netmask 255.255.255.0
What we have done here is create a HostOnly interface and assigned an IP address to it. This is the subnet which will be used to communicate between the malware VM and the Virtualbox host.
Now we have imported the OVA as a VM into Virtualbox and assigned a network interface to it. We have also added a Shared Folder to the VM which will contain our agent and base software which will need to be installed onto the guest.
vboxmanage import Windows10.ova –vsys 0 –vmname Windows10_1 –cpus 1 –memory 2048 –unit 10 –disk /opt/cuckoos/Windows10_1.vmdk vboxmanage modifyvm Windows10_1 –nic1 hostonly vboxmanage modifyvm Windows10_1 –hostonlyadapter1 vboxnet0 vboxmanage sharedfolder add Windows10_1 –name “Shared” –hostpath /opt/cuckoos/shared –automount cp /etc/cuckoo/agent/agent.py /opt/cuckoos/shared
We now need to tell the guest VM (if you want it to) how to connect to the Internet. Take care within this part to ensure your outgoing adapter is correctly named (in this case mine is eth0 – yours may be different!).
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE iptables -P FORWARD DROP iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT iptables -A FORWARD -j LOG sysctl -w net.ipv4.ip_forward=1
Starting the analysis VM
With this complete, you should now be able to start powering up your VM to get it into a ready state for analysis.
vboxmanage startvm “Windows10_1”
Starting the VM, Snapshotting, and Returning to Ready State Running the startvm command needs to be from within an Ubuntu GUI session, otherwise the output from the VM will not be visible. Once the VM is configured to the operative state, then we take a snapshot of the instance, shut it down, then restore it to the snapshot. The idea being, each time an analysis occurs, this VM will be spun up at that point for analysis.
When you are ready to start building your Cuckoo VM run the following:
Prior to snapshotting your installation and making it available to Cuckoo, you need to ensure a few capabilities are ready to roll.
This must include the following:
- Disable Updates
- Disable User Access Control
- Disable Firewall
- Disable Anti-virus
- Assign a static IP address within the 192.168.56.0/24 range
- The VM must be able to ping 192.168.56.1
- Python agent.py is running in the background as Administrator
Snapshot the Analysis VM
If the above has been configured correctly, now you can snapshot your installation so it will restore from this point each time.
vboxmanage snapshot “Windows10_1” take “cuckoo-ready” –pause vboxmanage controlvm “Windows10_1” poweroff vboxmanage snapshot “Windows10_1” restorecurrent
Now we can tell Cuckoo about this virtual machine and have it added to the analysis engines.
Configuring Cuckoo with your Virtual Machine Depending on where you have put the Cuckoo working directory you will find some configuration files which will require editing before you can start submitting samples.
In my example my CWD is located at /etc/cuckoo, so the files I will need to update are the following:
# /etc/cuckoo/conf/cuckoo.conf ignore_vulnerabilities = yes # recommend setting this to no in production machinery = virtualbox
Within the machinery configuration section we will now need to add the virtualbox Windows10_1 to the line up. We do that by modifying the following:
# /etc/cuckoo/conf/virtualbox.conf mode = headless machines = Windows10_1
And adding the following in place of the [cuckoo] section:
# /etc/cuckoo/conf/virtualbox.conf [Windows10_1] label = Windows10_1 platform = windows ip = 192.168.56.101 snapshot = interface = resultserver_ip = resultserver_port = tags = options = osprofile =
Now save this document. You should now be able to start cuckoo through the daemon flag, and see something similar to this:
Configuring the Web UI
For the Web UI to function, the Mongo DB needs to be configured for usage. We can do this through modifying the reporting configuration file as such:
# /etc/cuckoo/conf/reporting.conf [mongodb] enabled = yes host = 127.0.0.1 port = 27017 db = cuckoo store_memdump = yes paginate = 100 username = password =
Keep in mind, Mongodb will only allow you to conduct a single analysis at a time, there is no concurrent processing without moving to something such as MySQL (which I will detail in another write up).
Cuckoo should now be ready to start through the CLI by issuing the following command:
cuckoo web -p 80
And the web UI should now be accessible from the nominated port (in my case port 80).
Happy malware analysis'ing....
Categories: Blue Team