I have written this guide a few times in the past, but here is a revised version with some notable inclusions based on more recent experiences with Cuckoo. I have some Github repositories too which aim to expedite the process, but have a read nonetheless and see just how easy and quick it can be to deploy your own semi-automated malware analysis rig.
I have installed, reinstalled, broken and reinstalled Cuckoo a considerable amount of times over the last 12 months, and each time I have tried to incorporate another element which seeks to meet one of personal interests or professional requirements.
For this post I will be discussing my current build order for Cuckoo (in a single analysis environment based on Windows 7).
Installing from Ubuntu Repositories
Installation of Cuckoo is relatively painless and generally quite bulletproof. The commands below walk you through a relatively simple deployment for single analysis.
cuckoo@cuckoo:~$ sudo apt update -y
cuckoo@cuckoo:~$ sudo apt upgrade -y
cuckoo@cuckoo:~$ sudo apt install python python-pip python-dev libffi-dev libssl-dev virtualbox virtualbox-guest-additions-iso virtualbox-dkms libjpeg-dev zlib1g-dev swig ssdeep tcpdump mongodb volatility -y
cuckoo@cuckoo:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
cuckoo@cuckoo:~$ sudo pip install -U weasyprint==0.42.2
cuckoo@cuckoo:~$ sudo pip install -U cuckoo
cuckoo@cuckoo:~$ mkdir /etc/cuckoo
cuckoo@cuckoo:~$ chmod 750 /etc/cuckoo
cuckoo@cuckoo:~$ cuckoo --cwd /etc/cuckoo
cuckoo@cuckoo:~$ echo "export CUCKOO=/etc/cuckoo" >> ~/.bashrc
That is the basic guts of installing Cuckoo; however, the real work is in building and configuring the malware analysis VMs, and then tuning Cuckoo for its analysis.
I will discuss the configuration of the analysis VMs in a separate post (it can be quite lengthy), so I will move right on to registering your analysis VM with Cuckoo and having Cuckoo configured to start and operate like a system service.
Creating analysis VMs through Vboxmanage
Creating VMs through VirtualBox is pretty simple, but first we need to create the host-only network interface between the Cuckoo host and the analysis VMs.
cuckoo@cuckoo:~$ sudo vboxmanage hostonlyif create
cuckoo@cuckoo:~$ sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
Why the host-only interface? This method segregates the malware analysis machines from your local network and, by extension, from any connection to external networks.
A quick note on network connections…
Before we go much further though, you really do need to understand your requirements. Do you really need your malware machine to connect to the Internet? Or do you just need it to analyse in a bubble?
If your answer is the latter, you may not need to bother with the iptables part of this procedure. But it will mean there are some limitations when it comes to detonating live samples.
Alternatively, if you want to detonate with a live connection, you can also force all traffic through Tor, thereby obscuring the source if the malware author is watching.
I am going to be building these VMs from an OVA available from Microsoft for the purposes of testing operating systems, so in my case the VM image is named Windows7.ova.
cuckoo@cuckoo:~$ sudo vboxmanage import Windows7.ova --vsys 0 --vmname Windows7 --cpus 1 --memory 1024 --unit 10 --disk /opt/cuckoos/Windows7.vmdk
cuckoo@cuckoo:~$ sudo vboxmanage modifyvm Windows7 --nic1 hostonly
cuckoo@cuckoo:~$ sudo vboxmanage modifyvm Windows7 --hostonlyadapter1 vboxnet0
cuckoo@cuckoo:~$ sudo vboxmanage sharedfolder add Windows7 --name "Shared" --hostpath /opt/cuckoos/shared --automount
Now that the VM is created, we can boot it through the command line and then set it up for analysis. Configuring the guest for analysis is discussed in a separate post, as it is a bit too lengthy for inclusion here.
Adding a route to the Internet
You will need to add a route to the Internet from the host-only interface if you want to enable Internet routing of your VM traffic (if you decided above not to allow external access, skip this part).
I will discuss this more in future posts where I discuss the use of Tor to cover your malware analysis.
cuckoo@cuckoo:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE
cuckoo@cuckoo:~$ sudo iptables -P FORWARD DROP
cuckoo@cuckoo:~$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
cuckoo@cuckoo:~$ sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
cuckoo@cuckoo:~$ sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
cuckoo@cuckoo:~$ sudo iptables -A FORWARD -j LOG
cuckoo@cuckoo:~$ sudo iptables-save
cuckoo@cuckoo:~$ sudo sysctl -w net.ipv4.ip_forward=1
Assuming a VM is running at the time, you should see it get a route to the Internet (if you have configured the network adapter correctly).
Your guest VM also needs to be configured with a static address within 192.168.56.0/24. If you decide to run more than one malware analysis box simultaneously, I suggest giving each box a sequential and unique address.
Installing Python and PIL
Each malware guest VM needs to expose the Cuckoo agent on port 8000. To enable this we need to install Python and the Python Imaging Library on our analysis machines.
These two installations in combination with the agent will allow Cuckoo to listen for the VM when it is snapshot restored, process commands to the VM and take screenshots as execution occurs, and as significant events occur within the analysis VMs.
A trick to note here: the Python agent for Cuckoo needs to be running as an administrator, because it relies on dropping files into the OS, which a limited user cannot do.
You don't need to drop the agent file into startup, but it does need to be running, and the Cuckoo host must have TCP communication with the analysis VM, before snapshotting it in a running state.
So just run it from the command line, validate the network connection, minimise the command line window and proceed to the next step.
Snapshot a completed analysis VM
Once a VM is operating as you expect and the Python agent is running in the background, we need to snapshot the VM so that when further analysis jobs are created the VM is resumed at the snapshot's time and state.
cuckoo@cuckoo:~$ sudo vboxmanage snapshot "Windows7" take "ready-state" --pause
cuckoo@cuckoo:~$ sudo vboxmanage controlvm "Windows7" poweroff
cuckoo@cuckoo:~$ sudo vboxmanage snapshot "Windows7" restorecurrent
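The pre-snapshot check described above, scripted. This is an added example and not part of the original post; it assumes curl is installed on the Cuckoo host, that the guest has its static address on 192.168.56.0/24, and that the agent is the Cuckoo 2.x agent that answers an HTTP GET on / over port 8000.

```shell
#!/bin/sh
# Added example (not from the original post): only take the "ready-state"
# snapshot once the Cuckoo agent inside the guest answers on TCP 8000, so the
# snapshot never captures a guest the host cannot talk to.
# Assumptions: curl is on the Cuckoo host; the guest IP is passed as an argument.

# Return 0 as soon as the agent responds, 1 if it has not after $3 seconds.
wait_for_agent() {
    ip=$1
    port=${2:-8000}
    deadline=${3:-30}
    elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        # The Cuckoo 2.x agent serves HTTP GET / ; -f makes curl fail on non-2xx.
        if curl -s -f -m 2 "http://$ip:$port/" >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Same three vboxmanage commands as the guide, gated on the agent check.
snapshot_when_ready() {
    vm=$1
    ip=$2
    if wait_for_agent "$ip" 8000 60; then
        sudo vboxmanage snapshot "$vm" take "ready-state" --pause
        sudo vboxmanage controlvm "$vm" poweroff
        sudo vboxmanage snapshot "$vm" restorecurrent
    else
        echo "agent on $ip:8000 not reachable; not snapshotting $vm" >&2
        return 1
    fi
}

# Usage (hypothetical guest address): snapshot_when_ready Windows7 192.168.56.101
```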
The VMs are now ready for use, so we need to tell Cuckoo about them before it can start analysing samples.
At a minimum you will need to update the relevant configuration file for VirtualBox. If you're using VMware there are alternative configuration files you will need to consider as well.
Additionally the reporting and cuckoo configuration files will need to be updated to reflect your capability desires.
In my example I will be using VirusTotal as a lookup for file hashes, but I am opting not to send original files for analysis automatically. This is due to my own desire to limit unauthorised submission of PII or corporate sensitive data, which could be downloaded by an unauthorised external party with access to VT samples.
Using VirusTotal in this manner also means we can look up external reports already in existence on VT, and potentially skip the time required to perform the same analysis.
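To show what the registration and VirusTotal settings above look like in practice, here is an added example (not from the original post) that generates the Cuckoo 2.x virtualbox.conf entries for one or more analysis VMs following this guide's layout (vboxnet0, static addresses in 192.168.56.0/24, the "ready-state" snapshot) and a processing.conf fragment for hash-only VirusTotal lookups. The key names are those of Cuckoo 2.x as I know them; the VM labels and the VT key are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Cuckoo 2.x config key
# names; each label must match the VirtualBox VM name used at import.

# Static guest address for analysis VM number N (1-based): sequential and unique.
vm_ip() {
    echo "192.168.56.$((100 + $1))"
}

# Print a [virtualbox] section plus one [label] section per VM name given.
gen_vbox_conf() {
    labels=""
    for vm in "$@"; do
        labels="${labels}${labels:+,}$vm"
    done
    printf '[virtualbox]\nmode = headless\npath = /usr/bin/VBoxManage\n'
    printf 'interface = vboxnet0\nmachines = %s\n' "$labels"
    i=1
    for vm in "$@"; do
        printf '\n[%s]\nlabel = %s\nplatform = windows\nip = %s\nsnapshot = ready-state\n' \
            "$vm" "$vm" "$(vm_ip "$i")"
        i=$((i + 1))
    done
}

# VirusTotal lookups by hash only: scan = 0 keeps original samples off VT.
gen_vt_conf() {
    printf '[virustotal]\nenabled = yes\ntimeout = 60\nscan = 0\nkey = %s\n' "$1"
}

# Write both fragments to stdout for the guide's single "Windows7" VM.
gen_vbox_conf Windows7
gen_vt_conf "VT_API_KEY_PLACEHOLDER"
```

Paste the output into $CUCKOO/conf/virtualbox.conf and $CUCKOO/conf/processing.conf respectively, replacing the existing sections.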
Firing up Cuckoo for the first time
Cuckoo has two methods of submitting analysis tasks: the API and the web GUI. Both require the daemon to be running before either can start processing tasks.
Starting the daemon is relatively simple and is done from the terminal.
cuckoo@cuckoo:~$ sudo cuckoo -d
The backend of Cuckoo will now start up, and you should see the virtual machines becoming available. Once the Cuckoo service is operating in the backend, we can load the API and the Web GUI through a combination of commands.
Starting the API is possible through executing the below:
cuckoo@cuckoo:~$ sudo cuckoo api -H 127.0.0.1 -p 8001
This will present the API on 127.0.0.1:8001, whereas if you require the web GUI it can be started with the following:
cuckoo@cuckoo:~$ sudo cuckoo web -H 127.0.0.1 -p 8000
This will present the web GUI on 127.0.0.1:8000.