Setting up Cuckoo Sandbox Step by Step Guide (Malware Analysis Tool)

Lahiru Oshara Hinguruduwa
6 min read · Mar 10, 2020


Introduction

I thought of writing this article because the setup process of Cuckoo is complex and it took me a lot of time to set it up. I wanted to help others avoid these problems, because there aren't many guides that are accurate and up to date.

Cuckoo is an open-source automated malware analysis tool that lets you analyse many kinds of malicious files targeting different operating systems, such as Windows, Linux, macOS and Android.

As some of you know, there are two types of malware analysis:

1. Static malware analysis: analysing malware without running it. It looks at features such as the file name, MD5 checksums or other hashes, file type, file size and detection by antivirus tools.

2. Dynamic malware analysis: analysing malware by actually running it and observing its behaviour, such as API calls, memory usage, network traffic, etc. (Cuckoo is a dynamic malware analysis tool.)

What is Sandboxing?

In computer security, running unknown, untested or untrusted programs or code in an isolated environment, so that the host machine and its operating system are not put at risk, is called sandboxing. Cuckoo gives us the facility to run an unknown and untrusted application or file inside an isolated virtual machine and record its behaviour. Keep in mind that the isolation is only as good as the hypervisor and the network setup around it: a sample that is given internet access can still attack other systems from inside the sandbox, which is why the networking steps below matter.

Setting up the host machine

My host machine is Ubuntu 18.04 with 16GB of RAM. I strongly advise you to use a Linux machine as the host machine. Before installing Cuckoo on the host, some Python libraries and software packages have to be installed. Also note that Cuckoo requires Python 2.7: it supports neither older Python versions nor Python 3. Python 2.7 reached end of life in January 2020, so treat the host as a dedicated analysis box rather than a general-purpose machine.

  • Update the package information and download available updates.
    sudo apt-get update
    sudo apt-get upgrade
  • Next, install python dependencies required for Cuckoo:
    sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
    sudo apt-get install python-virtualenv python-setuptools
    sudo apt-get install libjpeg-dev zlib1g-dev swig
  • In order to use the Django-based Web Interface, MongoDB is required:
    sudo apt-get install mongodb
  • If you want to use PostgreSQL as the database instead of the default SQLite, install it as well (optional):
    sudo apt-get install postgresql libpq-dev

The next step is to install the virtual machine software on your host. Cuckoo recommends VirtualBox, and this guide uses VirtualBox 5.2. You can download it from the VirtualBox website or install it via the Ubuntu Software application.

  • Install tcpdump to capture the network activity performed during malware execution:
    sudo apt-get install tcpdump
    Cuckoo starts tcpdump as your own (non-root) user, so the binary also needs the capabilities to open raw sockets. The Cuckoo installation docs show how to grant them with setcap and how to disable the AppArmor profile for tcpdump on Ubuntu; until that is done, Cuckoo will not capture any traffic.
  • Install M2Crypto. If you already installed swig above, running the second command is sufficient.
    sudo apt-get install swig
    sudo pip install m2crypto==0.24.0

After installing these packages you can install Cuckoo itself, following the official installation guide [1]. Run the following commands, or download the zip file and install from that. (The docs recommend installing inside a virtualenv rather than system-wide with sudo pip; the commands below install system-wide, which is what this guide uses.)

sudo pip install -U pip setuptools
sudo pip install -U cuckoo

After installing Cuckoo, you have to set up VirtualBox and its networking correctly.

  • Create a “Host-Only Adapter” by running the following command:
    vboxmanage hostonlyif create

This command creates a host interface named vboxnet0 (if you already have host-only interfaces, the new one gets the next free number; check the command's output and use that name below).

  • Set the IP address for the vboxnet0 interface you just created:

vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

Next, create your virtual machine in VirtualBox and install the guest OS; Windows 7 is recommended. After installing the OS, set the VM's network adapter to “Host-only Adapter” attached to vboxnet0, which is easiest from the GUI:

(Image) Setting “Host-only Adapter” in VirtualBox VM settings

After that, configure IP forwarding so that internet traffic from the guest VM is routed through the host. Here the interface assigned to our VM is vboxnet0, the VM's IP address is 192.168.56.101 on the 192.168.56.0/24 subnet, and the outgoing interface connected to the internet is eth0. That name can differ, for example when you are connected via Wi-Fi (wlan0) or on newer Ubuntu releases with predictable interface names (enp3s0 and the like). You can find the interface that reaches the internet with ifconfig or ip route. Below I'm assuming it is eth0:

sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -j LOG

After executing these commands you have to enable IP forwarding in the kernel. Either of the following commands does that (they are equivalent):

echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1

These rules and the forwarding setting are only valid until the next reboot, so you will need to re-run them (or persist them with your distribution's iptables-persistent mechanism) after rebooting the host. Note also that the ACCEPT rule for 192.168.56.0/24 gives the sandbox unrestricted outbound access: a live sample can contact its real command-and-control servers or scan your LAN through the host, so decide deliberately whether you want that, and look at Cuckoo's routing.conf if you want per-analysis control over routing. To check that the rules are in place, list both the filter table and the nat table (plain iptables -L shows only the former and would hide the MASQUERADE rule):

sudo iptables -L FORWARD -n -v
sudo iptables -t nat -L POSTROUTING -n -v
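As an added example (my own code, not from the original guide or the Cuckoo project), the script below gathers the host-only interface creation, the NAT and forwarding rules, the IP-forwarding switch and the tcpdump capability step into one re-runnable script. It assumes the addresses used in this guide (vboxnet0 at 192.168.56.1, sandbox subnet 192.168.56.0/24) and takes the outbound interface as an argument, falling back to the device on the host's default route; the setcap line for tcpdump is the one from the Cuckoo installation docs, not from this guide. Run it with DRY_RUN=1 first to print the commands without executing them.

```shell
#!/usr/bin/env bash
# Added example covering the host-only interface, NAT/forwarding rules,
# IP forwarding and the tcpdump capabilities from the steps above. This is
# not code from the original guide. Assumed values (override via environment):
# host-only interface vboxnet0 at 192.168.56.1, sandbox subnet 192.168.56.0/24.
HOSTONLY_IF=${HOSTONLY_IF:-vboxnet0}
HOSTONLY_IP=${HOSTONLY_IP:-192.168.56.1}
SANDBOX_NET=${SANDBOX_NET:-192.168.56.0/24}

# Device on the host's default route, i.e. the interface that reaches the
# internet (eth0, wlan0, enp3s0 ...); the same thing ifconfig shows you.
default_iface() {
  ip -4 route show default 2>/dev/null | awk '{ print $5; exit }'
}

# Print one idempotent iptables command: check (-C) first, append (-A) only
# when the rule is missing, so re-running after a reboot never duplicates it.
rule() {
  table=$1; shift
  echo "iptables -t $table -C $* 2>/dev/null || iptables -t $table -A $*"
}

# The rule set from the guide for OUT_IF / SUBNET, one command per line:
# NAT the sandbox subnet out of OUT_IF, allow replies and anything from the
# sandbox, log what the DROP policy is about to discard. Caveat: the
# "-s SUBNET -j ACCEPT" line gives the sandbox unrestricted outbound access;
# tighten it (or use Cuckoo's routing.conf) if samples must not reach the
# real internet or your LAN.
cuckoo_net_rules() {
  out_if=$1; subnet=$2
  rule nat "POSTROUTING -o $out_if -s $subnet -j MASQUERADE"
  rule filter "FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
  rule filter "FORWARD -s $subnet -j ACCEPT"
  rule filter "FORWARD -j LOG --log-prefix \"cuckoo-fwd-drop: \""
  echo "iptables -P FORWARD DROP"
  echo "sysctl -w net.ipv4.ip_forward=1"
}

# Create the host-only interface if it is missing and give it its address.
hostonly_cmds() {
  echo "vboxmanage list hostonlyifs | grep -q \"^Name: *$HOSTONLY_IF\$\" || vboxmanage hostonlyif create"
  echo "vboxmanage hostonlyif ipconfig $HOSTONLY_IF --ip $HOSTONLY_IP --netmask 255.255.255.0"
}

# Cuckoo starts tcpdump as your own user, so the binary needs raw-socket
# capabilities (the step the Cuckoo installation docs describe). On Ubuntu
# the AppArmor profile for tcpdump must be disabled as well (aa-disable).
tcpdump_cmds() {
  echo "setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump"
}

# Execute each stdin line as "PREFIX sh -c LINE", or only print it if DRY_RUN=1.
run_each() {
  while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$1$cmd"; else $1 sh -c "$cmd"; fi
  done
}

# Bring it all up. vboxmanage must run as your user (VirtualBox keeps per-user
# state), iptables/sysctl/setcap as root. Everything is lost at reboot unless
# you persist it (iptables-persistent, net.ipv4.ip_forward=1 in /etc/sysctl.conf).
cuckoo_net_apply() {
  out_if=${1:-$(default_iface)}
  [ -n "$out_if" ] || { echo "no outbound interface found; pass it as an argument" >&2; return 1; }
  hostonly_cmds | run_each ""
  { cuckoo_net_rules "$out_if" "$SANDBOX_NET"; tcpdump_cmds; } | run_each "sudo "
}

# Usage: . ./cuckoo-net.sh; DRY_RUN=1 cuckoo_net_apply eth0   # review, then repeat without DRY_RUN
```

The check-before-append pattern matters in practice: the page's plain `-A` commands, re-run after every reboot or by a second administrator, silently stack duplicate rules, and the LOG rule then fires several times per packet.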

Setting up the Guest machine

Now you can start setting up the guest machine on which you installed Windows 7. First, configure its network adapter in Windows as follows:

IP Address: 192.168.56.101 (the VM's IP address)
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.56.1 (the host's vboxnet0 address, which forwards to the internet)
DNS Servers: 8.8.8.8 / 8.8.4.4

  • After changing the network configuration, make the following changes to the VM.

1. Disable Windows Update and Windows Firewall. (Image)

2. Change the User Account Control settings to never notify, i.e. disable UAC. (Image)

3. Install your preferred versions of Adobe Reader, Adobe Flash Player, Microsoft Office and Java (optional, but samples that target those products need them installed to show their behaviour).

4. Install Python 2.7 for Windows, which you can download from python.org.

5. Copy the agent.py file from your host machine, where it can be found in the ~/.cuckoo/agent directory, into the Windows startup folder at “C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”. After rebooting the VM you will see a console window open; that is the agent running (rename the file to agent.pyw if you prefer it to run without a visible window). You can enable drag and drop in the VirtualBox settings to copy the file over; enable it only from host to guest.
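The guest steps above are done by hand inside Windows; the host-side half (attaching the VM to vboxnet0, restricting host-to-guest sharing, waiting for the agent to come up, and taking the snapshot Cuckoo restores before every analysis) can be scripted with vboxmanage. The following is an added example, my own code and not from the original guide or the Cuckoo project. It assumes the VM is named cuckoo1, the guest IP is 192.168.56.101, the snapshot is called snapshot1, and the Cuckoo agent listens on TCP port 8000 inside the guest (its default). The snapshot step is not in the guide but is required: Cuckoo restores the VM to that snapshot for each task, so it must be taken while the agent is already running.

```shell
#!/usr/bin/env bash
# Added example for the guest-preparation step above; not code from the
# original guide or from Cuckoo. Assumed: VM "cuckoo1", guest IP
# 192.168.56.101, agent on TCP 8000 (the agent's default), snapshot "snapshot1".
VM=${VM:-cuckoo1}
VM_IP=${VM_IP:-192.168.56.101}
AGENT_PORT=${AGENT_PORT:-8000}
SNAPSHOT=${SNAPSHOT:-snapshot1}
HOSTONLY_IF=${HOSTONLY_IF:-vboxnet0}

# Poll until something answers HTTP on HOST:PORT or TIMEOUT seconds pass.
# Returns 0 when the agent answered, 1 on timeout, 2 if curl is not installed.
wait_for_agent() {
  host=$1; port=$2; timeout=${3:-120}
  command -v curl >/dev/null 2>&1 || return 2
  deadline=$(( $(date +%s) + timeout ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if curl -s -m 2 -o /dev/null "http://$host:$port/"; then
      return 0
    fi
    sleep 1
  done
  return 1
}

# Attach the VM to the host-only network and limit host<->guest sharing:
# drag-and-drop host-to-guest only (as the guide says), clipboard off, so a
# running sample cannot push data back to the host through VirtualBox.
# (--clipboard is the VirtualBox 5.x spelling; 6.1 renamed it --clipboard-mode.)
harden_vm() {
  vboxmanage modifyvm "$VM" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF" \
    --draganddrop hosttoguest --clipboard disabled
}

# Boot the VM, wait for agent.py (started from the Startup folder) to answer,
# snapshot it in that running state, then power off and restore so the
# machine is exactly as Cuckoo will find it.
snapshot_with_agent() {
  vboxmanage startvm "$VM" --type headless
  wait_for_agent "$VM_IP" "$AGENT_PORT" 180 || {
    echo "agent on $VM_IP:$AGENT_PORT did not answer; check the guest IP and the Startup folder" >&2
    return 1
  }
  vboxmanage snapshot "$VM" take "$SNAPSHOT" --pause
  vboxmanage controlvm "$VM" poweroff
  vboxmanage snapshot "$VM" restorecurrent
}

# Usage: . ./cuckoo-vm.sh; harden_vm && snapshot_with_agent
```

Waiting for the agent before snapshotting is the check that saves the most time: a snapshot taken while Windows is still booting, or with the agent not yet listening, produces analyses that time out with no error in the guest.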

Change Cuckoo Software Configuration

The Cuckoo configuration files are located in the ~/.cuckoo/conf directory (the Cuckoo working directory, created the first time you run cuckoo). They belong to your user, so no sudo is needed to edit them; open them in gedit or any editor, for example:

gedit ~/.cuckoo/conf/cuckoo.conf

Make the following changes in the conf files (the values are shown in the images):

cuckoo.conf (Image)

Set machinery to virtualbox and, in the resultserver section, set ip to the host's vboxnet0 address (192.168.56.1), which is where the guest sends its results.

auxiliary.conf (Image)

In the sniffer section, make sure the sniffer is enabled and interface is vboxnet0, so the capture sees the guest's traffic.

virtualbox.conf (Image)

Change the machines parameter, and the label of the machine section, to your VM's name; the default is ‘cuckoo1’. In that section also set ip to the guest's address (192.168.56.101) and snapshot to the name of the snapshot Cuckoo should restore before each analysis.

processing.conf (Image)

reporting.conf (Image)

Enable the mongodb section here; the web interface reads its reports from MongoDB.

Now that you have finished configuring, you can start Cuckoo.
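The images above carry the actual values. As an added example (my own code, not from the original guide or from Cuckoo), here is a small POSIX shell helper that applies the same edits to ~/.cuckoo/conf non-interactively, so the host and guest addresses are typed once and the files stay consistent. It assumes Cuckoo 2.x's INI-style files and the section and key names used below (cuckoo.conf [cuckoo] machinery and [resultserver] ip, auxiliary.conf [sniffer], virtualbox.conf [virtualbox] plus one section per machine, reporting.conf [mongodb]); the addresses in the usage line are the ones from this guide.

```shell
#!/usr/bin/env bash
# Added example for the configuration step above; not from the original guide.
# Assumes the Cuckoo 2.x conf layout: INI files under ~/.cuckoo/conf with the
# section/key names used below. Addresses are the ones from this guide.

# set_ini FILE SECTION KEY VALUE: replace KEY in [SECTION] or add it,
# creating the section at the end of the file if it does not exist yet.
set_ini() {
  file=$1
  awk -v s="$2" -v k="$3" -v v="$4" '
    /^\[/ {                                  # entering a new section
      if (insec && !done) { print k " = " v; done = 1 }
      insec = ($0 == "[" s "]")
    }
    insec && $0 ~ ("^[ \t]*" k "[ \t]*=") {   # existing key in our section
      if (!done) { print k " = " v; done = 1 }
      next
    }
    { print }
    END {
      if (!done) { if (!insec) print "\n[" s "]"; print k " = " v }
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_ini FILE SECTION KEY: print the value (empty output if absent).
get_ini() {
  awk -v s="$2" -v k="$3" '
    /^\[/ { insec = ($0 == "[" s "]"); next }
    insec && $0 ~ ("^[ \t]*" k "[ \t]*=") {
      sub("^[ \t]*" k "[ \t]*=[ \t]*", ""); print; exit
    }' "$1"
}

# configure_cuckoo CONF_DIR VM_NAME VM_IP HOST_IP IFACE SNAPSHOT
# Applies the edits this guide makes by hand in the images above.
configure_cuckoo() {
  dir=$1 vm=$2 vm_ip=$3 host_ip=$4 iface=$5 snap=$6
  set_ini "$dir/cuckoo.conf"     cuckoo       machinery       "virtualbox"
  set_ini "$dir/cuckoo.conf"     resultserver ip              "$host_ip"
  set_ini "$dir/auxiliary.conf"  sniffer      enabled         "yes"
  set_ini "$dir/auxiliary.conf"  sniffer      interface       "$iface"
  set_ini "$dir/virtualbox.conf" virtualbox   mode            "headless"
  set_ini "$dir/virtualbox.conf" virtualbox   interface       "$iface"
  set_ini "$dir/virtualbox.conf" virtualbox   machines        "$vm"
  set_ini "$dir/virtualbox.conf" "$vm"        label           "$vm"
  set_ini "$dir/virtualbox.conf" "$vm"        platform        "windows"
  set_ini "$dir/virtualbox.conf" "$vm"        ip              "$vm_ip"
  set_ini "$dir/virtualbox.conf" "$vm"        snapshot        "$snap"
  set_ini "$dir/virtualbox.conf" "$vm"        resultserver_ip "$host_ip"
  set_ini "$dir/reporting.conf"  mongodb      enabled         "yes"
}

# Usage on the host, with the values used throughout this guide:
# configure_cuckoo ~/.cuckoo/conf cuckoo1 192.168.56.101 192.168.56.1 vboxnet0 snapshot1
```

The key regex is anchored at the start of the line, so setting ip in a machine section cannot accidentally rewrite resultserver_ip or interface, and a machine section that does not exist yet is appended rather than silently skipped; both are easy to get wrong with a hand-written sed.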

Analyzing using Cuckoo

Run the following commands to start Cuckoo and the Cuckoo web interface, in two separate terminal windows:
Terminal #1: cuckoo
Terminal #2: cuckoo web runserver

Then you can access the web interface by going to this address in your favourite web browser:
http://localhost:8000

By default the web server listens only on localhost; keep it that way, because the Cuckoo web interface has no authentication of its own and lets anyone who can reach it submit samples and read every report.

The web interface will look similar to this when loaded: (Image)

References

[1] https://cuckoo.sh/docs/installation/index.html


Lahiru Oshara Hinguruduwa

Senior Software Engineer at Sysco LABS | AWS Certified Solutions Architect Associate | Remote Contributor @DBpedia