Building a Cuckoo Malware Analysis Server

Building a Cuckoo Malware Analysis Server

I have written this guide a few times in the past, but here is a revised version with some notable inclusions based on more recent experiences with Cuckoo. I have some Github repositories too which aim to expedite the process, but have a read nonetheless and see just how easy and quick it can be to deploy your own semi-automated malware analysis rig.

I have installed, reinstalled, broken and reinstalled Cuckoo a considerable amount of times over the last 12 months, and each time I have tried to incorporate another element which seeks to meet one of personal interests or professional requirements.
For this post I will be discussing my current build order for Cuckoo (in a single analysis environment based on Windows 7).

Installing from Ubuntu Repositories

Installation of Cuckoo is relatively painless and generally quite bulletproof, the below code block will walk you through a relatively simple deployment for single analysis.

[email protected]:~$ sudo apt update -y
[email protected]:~$ sudo apt upgrade -y
[email protected]:~$ sudo apt install python python-pip python-dev libffi-dev libssl-dev virtualbox virtualbox-guest-additions-iso virtualbox-dkms libjpeg-dev zlib1g-dev swig ssdeep tcpdump mongodb volatility -y
[email protected]:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
[email protected]:~$ sudo pip install -U weasyprint==0.42.2
[email protected]:~$ sudo pip install -U cuckoo
[email protected]:~$ mkdir /etc/cuckoo
[email protected]:~$ chmod 750 /etc/cuckoo
[email protected]:~$ cuckoo --cwd /etc/cuckoo
[email protected]:~$ echo "export CUCKOO=/etc/cuckoo" >> ~/.bashrc

That is the basic guts of installing Cuckoo, however the real work is in building and configuring the malware analysis VMs, and then tuning Cuckoo for it’s analysis.

I will discuss the configuration of the analysis VMs in a separate post (it can be quite lengthy) so I will move right onto registering your analysis VM with cuckoo, and having cuckoo configured to start and operate like a system service.

Creating analysis VMs through Vboxmanage

Creating VMs through Virtualbox is pretty simple, but first we need to generate the host only network interface between the Cuckoo host and the analysis VMs.

[email protected]:~$ sudo vboxmanage hostonlyif create
[email protected]:~$ sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

Why the host only interface? This method creates a network segregation between the malware analysis machines and your local network, and by extension potential connection to external networks.

A quick note on network connections…

Before we go much further though, you really do need to understand your requirements. Do you really need your malware machine to connect to the Internet? Or do you just need it to analyse in a bubble?

If your answer is the latter, you may not need to bother with the iptables part of this procedure. But it will mean there are some limitations when it comes to detonating live samples.

Alternatively, if you want to detonate with a live connection, you can also force all traffic through TOR, thereby obscuring the source if the malware author is watching.

Building VMs

I am going to be building these VMs from an OVA available from Microsoft for the purposes of testing Operating Systems, so in my case the VM is named Windows7.ova

[email protected]:~$ sudo vboxmanage import Windows7.ova --vsys 0 --vmname Windows7 --cpus 1 --memory 1024 --unit 10 --disk /opt/cuckoos/Windows7.vmdk
[email protected]:~$ sudo vboxmanage modifyvm Windows7--nic1 hostonly
[email protected]:~$ sudo vboxmanage modifyvm Windows7--hostonlyadapter1 vboxnet0
[email protected]:~$ sudo vboxmanage sharedfolder add Windows7--name "Shared" --hostpath /opt/cuckoos/shared --automount

Now that the VM is created, we can boot it through the command line and then set it up for analysis. This part of configuring for analysis is discussed in a separate post, this may be a bit too lengthy for inclusion in this post.

Adding a route to the Internet

You will need to add a route to the Internet from the host only interface if you want to enable internet routing of your VM traffic (If you decided above to not allow external access, skip this part).

I will discuss this more in future posts where I discuss the use of Tor to cover your malware analysis.

[email protected]:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE
[email protected]:~$ sudo iptables -P FORWARD DROP
[email protected]:~$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[email protected]:~$ sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
[email protected]:~$ sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
[email protected]:~$ sudo iptables -A FORWARD -j LOG
[email protected]:~$ sudo iptables-save
[email protected]:~$ sudo sysctl -w net.ipv4.ip_forward=1

Assuming we have an operating VM running at the time, you should see the VM get a route to the Internet (if you have configured the network adapter correctly).

Your guest VM also needs to be configured with a static address within 192.168.56.0/24. If you decided run more than one malware analysis box simultaneously, if suggest making each box a sequential value, and unique.

Installing Python and PIL

Your malware guest VMs need to expose the Cuckoo agent on port 8000 of each of their respective VMs. To enable this we need to install Python and the Python Imaging Library on our analysis machines.

These two installations in combination with the agent will allow Cuckoo to listen for the VM when it is snapshot restored, process commands to the VM and take screenshots as execution occurs, and as significant events occur within the analysis VMs.

A trick to note here, the Python agent for cuckoo needs to be running as System Administrator, and this is due to its reliance on dropping files into the OS which a Limited User cannot do.

You don’t need to drop the agent file into startup, but it does need to running and the Cuckoo host have TCP communications with the analysis VM before snapshotting it in a running state.

So just run it from Command Line, validate the network connection, minimise the command line window and proceed to the next step.

Snapshot a completed analysis VM

Once a VM is operating as you expect it, and the python agent is running in the background, we need to snapshot the VM so that when further analysis jobs are created we will resume the VM at the snapshot time and state.

[email protected]:~$ sudo vboxmanage snapshot "Windows7" take "ready-state" --pause
[email protected]:~$ sudo vboxmanage controlvm "Windows7" poweroff
[email protected]:~$ sudo vboxmanage snapshot "Windows7" restorecurrent

The VMs are now ready for usage, so now we need to tell Cuckoo about them to start analysing samples.

Configuring Cuckoo

At a minimum you will need to update the relevant configuration for virtualbox. If you’re using vmware there are alternate configuration files you will need to consider as well.

Additionally the reporting and cuckoo configuration files will need to be updated to reflect your capability desires.

In my example I will be using VirusTotal as a lookup for file hashes, but I am opting to not send original files for analysis automatically. This is due to my own desire to limit unauthorised submission of PII or corporate sensitive data which could be downloaded by an unauthorised external party with access to VT samples.

Using VirusTotal in this manner also means we can look up external reports already in existence on VT, and potentially skip the time required to perform the same analysis.

Firing up Cuckoo for the first time

Cuckoo has two methods of submitting analysis tasks, the API and the GUI. Both of these methods require the daemon to be running so either can start processing tasks.

Starting the daemon is relatively simple, and is achievable from the terminal window.

[email protected]:~$ sudo cuckoo -d

The backend of Cuckoo will now start up, and you should see the virtual machines becoming available. Once the Cuckoo service is operating in the backend, we can load the API and the Web GUI through a combination of commands.

Starting the API is possible through executing the below:

[email protected]:~$ sudo cuckoo api -H 127.0.0.0 -p 8001

This will present the API on 127.0.0.1:8001, whereas if you required the Web GUI it can be started through the following:

[email protected]:~$ sudo cuckoo web -H 127.0.0.1 -p 8000

This will present the Web GUI on 127.0.0.1:8000

Leave a Reply

2 × 3 =