Playing with Cuckoo
It’s something I’ve always had an interest in, but have never taken the time to indulge.
The Cuckoo Documentation is very well written and will honestly get someone 95% towards getting a working instance setup. I had a few niggling issues that I don’t think are covered within the docs (I could be wrong, correct me if so). This post is a quick whistle-stop tour of how I went about getting it working.
Note: I didn’t follow all the best practices and this is not a guide to setting up a complete, proper and scalable solution. It assumes you don’t have a dedicated server and are just looking to experiment with Cuckoo on an existing desktop/laptop.
There are lots of virtualisation technologies that Cuckoo is compatible with - from VirtualBox, ESXi, KVM and so on. I’m running Windows 10 on my desktop, so I initially wanted to run Cuckoo in a VM within VirtualBox and have futher VirtualBox VMs inside that Cuckoo VM. Nested hypervisors doesn’t sound very efficient but with relatively mature VT-x and AMD-V technology, the performance impact seems rather negligible.
I ran into my first frustration with VirtualBox, as it doesn’t pass VT-x/AMD-V through to its guest VMs. The upshot of this is that if you run Cuckoo inside VirtualBox on your host, you then can’t have 64-bit VMs for the malware sandboxes. VMware Workstation Player doesn’t have this restriction, so I opted to use this instead of VirtualBox on my host.
You will obviously need to decide if this is an issue for you based on your planned usage.
The architecture that we are going to setup, looks as follows:
So that’s a bunch of VirtualBox VMs running inside a VMware VM :)
Configuring the Cuckoo Host
I’m using Ubuntu Server 16.04.2 64-bit. You will need enough resources for it to run itself and at least 1 concurrent VM inside; and a sh*t tonne of storage if you want to do full memory dumps.
I gave mine:
- 8 CPU Cores
Enable Virtualize Intel VT-x/EPT or AMD-V/RVI
- 4GB RAM
- 100GB Hard Disk
- NIC 1: NAT
- NIC 2: Host-Only
[email protected]:~$ echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list [email protected]:~$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add - [email protected]:~$ sudo apt-get update [email protected]:~$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb xfce4 virtualbox-5.1 tcpdump apparmor-utils [email protected]:~$ sudo aa-disable /usr/sbin/tcpdump [email protected]:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump [email protected]:~$ git clone https://github.com/volatilityfoundation/volatility.git [email protected]:~$ pip install -U pip pycrypto distorm3 [email protected]:~$ cd volatility/ [email protected]:~/volatility$ sudo python setup.py install [email protected]:~$ virtualenv cuckoo [email protected]:~$ . cuckoo/bin/activate (cuckoo) [email protected]:~$ pip install -U yara-python cuckoo (cuckoo) [email protected]:~$ cuckoo _ _ _ _ _ _ /\ \ /\_\ /\ \ /\_\ /\ \ /\ \ / \ \ / / / _ / \ \ / / / _ / \ \ / \ \ / /\ \ \ \ \ \__ /\_\ / /\ \ \ / / / /\_\ / /\ \ \ / /\ \ \ / / /\ \ \ \ \___\ / / // / /\ \ \ / / /__/ / / / / /\ \ \ / / /\ \ \ / / / \ \_\ \__ / / / // / / \ \_\ / /\_____/ / / / / \ \_\ / / / \ \_\ / / / \/_/ / / / / / // / / \/_/ / /\_______/ / / / / / // / / / / / / / / / / / / / // / / / / /\ \ \ / / / / / // / / / / / / / /________ / / /___/ / // / /________ / / / \ \ \ / / /___/ / // / /___/ / / / / /_________\/ / /____\/ // / /_________\/ / / \ \ \ / / /____\/ // / /____\/ / \/____________/\/_________/ \/____________/\/_/ \_\_\\/_________/ \/_________/ Cuckoo Sandbox 2.0.2 www.cuckoosandbox.org Copyright (c) 2010-2017 ======================================================================= Welcome to Cuckoo Sandbox, this appears to be your first run! We will now set you up with our default configuration. You will be able to see and modify the Cuckoo configuration, Yara rules, Cuckoo Signatures, and much more to your likings by exploring the /home/cuckoo/.cuckoo directory. Among other configurable items of most interest is the new location for your Cuckoo configuration: /home/cuckoo/.cuckoo/conf ======================================================================= Cuckoo has finished setting up the default configuration. Please modify the default settings where required and start Cuckoo again (by running `cuckoo` or `cuckoo -d`).
Configuring the Guest VMs
Hop into the GUI by running
startx. Open VirtualBox and create your base VMs - I’m just going to create Windows 7 32-bit & 64-bit VMs called
Win7x64 respectively. They small VMs with 1 CPU, 512MB RAM, 10GB HDD and 1 NIC attached to
Set a static IP in each VM.
- Win7x86 - 192.168.56.10
- Win7x64 - 192.168.56.15
You will also want to:
- Disable the Windows Firewall
- Disable UAC (Never Notify)
- Disable Windows Updates
Download the latest Python 2.7.x for Windows and place them in a convenient location on the Cuckoo VM (I got both the 32 and 64-bit versions). You should also grab any additional software you may want, depending on the samples you want to submit (e.g. Office, Adobe Reader etc).
[email protected]:~/Downloads$ ll -rw-rw-r-- 1 cuckoo cuckoo 20082688 May 18 19:22 python-2.7.13.amd64.msi -rw-rw-r-- 1 cuckoo cuckoo 19161088 May 18 19:22 python-2.7.13.msi [email protected]:~/Downloads$ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ...
On each VM, open
Internet Explorer and navigate to
http://192.168.56.1:8000, download the relevant Python package then install it.
Use the same method to transfer the Cuckoo Agent (to somewhere easy like the Desktop).
[email protected]:~/Downloads$ cd ../.cuckoo/agent/ [email protected]:~/.cuckoo/agent$ ll -rw-rw-r-- 1 cuckoo cuckoo 12307 May 18 18:15 agent.py -rwxrwxr-x 1 cuckoo cuckoo 386 May 18 18:15 agent.sh* [email protected]:~/.cuckoo/agent$ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ...
Start the agent by opening a
Command Prompt as Administrator.
You won’t see any output, just minimise the window and leave it running.
Whilst the VMs are running, follow these steps to snapshot them (repeat for each VM):
[email protected]:~$ VBoxManage snapshot "Win7x86" take "Win7x86_snap" --pause 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100% Snapshot taken. UUID: 4ef19a21-25c8-4ddf-81b2-4a65ce2b5278 [email protected]:~$ VBoxManage controlvm "Win7x86" poweroff 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100% [email protected]:~$ VBoxManage snapshot "Win7x86" restorecurrent Restoring snapshot 4ef19a21-25c8-4ddf-81b2-4a65ce2b5278 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
In the GUI, they should appear as
(cuckoo) [email protected]:~$ vim .cuckoo/conf/virtualbox.conf
mode = headless->
mode = guiis useful for testing.
machines = cuckoo1->
machines = Win7x86,Win7x64plus any others you’ve made.
cuckoo1 is the default example. Each VM needs its own little block.
[Win7x86] label = Win7x86 platform = windows ip = 192.168.56.10 snapshot = Win7x86_snap [Win7x64] label = Win7x64 platform = windows ip = 192.168.56.15 snapshot = Win7x64_snap
Now you should be able to run
(cuckoo) [email protected]:~$ cuckoo .: :: .-. , : .-. ;;.-. .-. .-. ; ; ; ; ;; .' ; ;'; ;' `;;;;'.'`..:;._`;;;;'_.'` `.`;;' `;;' Cuckoo Sandbox 2.0.2 www.cuckoosandbox.org Copyright (c) 2010-2017 Checking for updates... You're good to go! 2017-05-18 19:56:34,318 [cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager 2017-05-18 19:56:34,928 [cuckoo.core.scheduler] INFO: Loaded 2 machine/s 2017-05-18 19:56:34,933 [cuckoo.core.scheduler] WARNING: As you've configured Cuckoo to execute parallel analyses, we recommend you to switch to a MySQL ora PostgreSQL database as SQLite might cause some issues. 2017-05-18 19:56:34,941 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
To start the web GUI:
(cuckoo) [email protected]:~$ vim .cuckoo/conf/reporting.conf
enabled = no ->
enabled = yes.
(cuckoo) [email protected]:~$ cuckoo web runserver 192.168.45.128:8080 Performing system checks... System check identified no issues (0 silenced). May 18, 2017 - 20:00:31 Django version 1.8.4, using settings 'cuckoo.web.web.settings' Starting development server at http://192.168.45.128:8080/ Quit the server with CONTROL-C.
You can then submit a sample and enjoy the results :)
recrudesce for his helpful tips.