How to deploy Cuckoo Sandbox

Cuckoo Sandbox is the best open source option for running a malware sandbox system.

This is the architecture of Cuckoo Sandbox:

Cuckoo Sandbox architecture

For this article, this will be our hardware and software configuration; choose whatever you feel comfortable with:

Host software:

Ubuntu 18.04 Server

Remember to enable the VT-x flag in the BIOS, otherwise the host cannot run virtualization.

Host hardware:

  • 8 cores
  • 16 GB of RAM
  • 250 HD
  • KVM as a hypervisor

With this hardware configuration, we will be able to run several VMs in parallel and process enough samples for a good test of Cuckoo Sandbox.

Single Server or a Distributed setup:

Cuckoo Sandbox can be set up in two ways:

Depending on your needs, you will have to choose one of the two available options to deploy the system.

Preparing the host:

To deploy the host we will have to do the following steps:

  • Deploy a naked Ubuntu Server 18.04 LTS, only with SSH installed.
  • Update the system
  • Create a dedicated user for Cuckoo Sandbox
  • Deploy Cuckoo Sandbox
  • Configure Guest VMs
  • Configure Cuckoo Sandbox
  • VMs fine tuning to fight with evasive samples
  • Run our first sample

Updating the system:

To deploy the latest packages on your Ubuntu system, run the following one-liner:

sudo apt update && sudo apt upgrade -y && sudo apt dist-upgrade -y && sudo apt autoremove -y

Create a user for Cuckoo Sandbox

As a best practice it is better to have a dedicated user for the sandbox, so let’s create our user:

sudo adduser cuckoo

We will add the user cuckoo into the sudo group:

sudo adduser cuckoo sudo

Deploy Cuckoo Sandbox

To deploy the sandbox, we will have to install packages on the system.

We will have to add repositories to our system to deploy all the required packages.

Adding support for MongoDB (importing the repository signing key):

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 68818C72E52529D4

Adding the repository:

echo "deb [arch=amd64] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/development multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list

Before installing them, we have to enable the universe and multiverse repository:

sudo nano /etc/apt/sources.list

We have to add universe and multiverse to the repository lines, save the file, and update the package lists again:

sudo apt update

Ubuntu source list

After running that operation, we have to install these packages:

sudo apt install git mongodb-org-unstable python python-dev python-pip python-m2crypto libmagic1 swig libvirt-dev upx-ucl libssl-dev wget unzip p7zip-full geoip-database libgeoip-dev libjpeg-dev mono-utils ssdeep libfuzzy-dev exiftool curl openjdk-11-jre-headless xfce4 xfce4-goodies postgresql postgresql-contrib libpq-dev wkhtmltopdf xvfb xfonts-100dpi tcpdump libcap2-bin clamav clamav-daemon clamav-freshclam python-pil suricata libboost-all-dev qemu-kvm libvirt-clients libvirt-daemon virt-manager htop tmux gdebi-core tor privoxy libssl-dev libjansson-dev libmagic-dev automake apparmor-utils -y

We will install some required packages using pip too:

sudo -H pip install psycopg2 distorm3 pycrypto openpyxl

sudo -H pip install git+https://github.com/kbandla/pydeep.git

sudo -H pip install git+https://github.com/volatilityfoundation/volatility.git

sudo -H pip install pyopenssl -U

Along with the dependencies, we install XFCE as a desktop system too :-)!

After installing all the dependencies, it is necessary to add our user to the kvm and libvirt groups:

sudo usermod -a -G kvm $USER && sudo usermod -a -G libvirt $USER

To enable packet capture in our VMs, we have to apply some changes in our system:

sudo aa-disable /usr/sbin/tcpdump

sudo groupadd pcap

sudo usermod -a -G pcap cuckoo

sudo chgrp pcap /usr/sbin/tcpdump

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

We have all the dependencies in place, so we can install Cuckoo Sandbox with a single pip command:

sudo pip install cuckoo==2.0.6.2
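The host is now prepared, but the steps above fail silently in a few places (VT-x still disabled in the BIOS, group membership not active until a new login, setcap applied to the wrong binary). The following pre-flight script is an added example, not part of the original article, that checks those prerequisites. Each check is a function taking its input explicitly (a cpuinfo file, the output of `id -nG`, the output of `getcap`), so it can be exercised against captured data as well as the live host. The user name `cuckoo`, the tcpdump path and the function names are my assumptions.

```shell
#!/usr/bin/env bash
# cuckoo_preflight.sh - added example, not part of the original article.
# Verifies the host-side prerequisites set up in the guide: VT-x/AMD-V exposed
# to the kernel, /dev/kvm present, the cuckoo user in the kvm, libvirt and pcap
# groups, and tcpdump carrying the capabilities granted with setcap.
# Usage: . ./cuckoo_preflight.sh && cuckoo_preflight

: "${CUCKOO_USER:=cuckoo}"        # account created earlier in the guide (assumed name)
: "${TCPDUMP:=/usr/sbin/tcpdump}" # binary the guide applies setcap to

# has_vt_flag CPUINFO_FILE: 0 if any CPU lists vmx (Intel VT-x) or svm (AMD-V).
# A failure on real hardware means the flag is still disabled in the BIOS.
has_vt_flag() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$1"
}

# user_in_groups "GROUP LIST" g1 g2 ...: GROUP LIST is the output of `id -nG USER`.
# Prints every missing group; returns 1 if any is missing.
user_in_groups() {
    local groups_line=" $1 " g missing=0
    shift
    for g in "$@"; do
        case "$groups_line" in
            *" $g "*) ;;
            *) echo "missing group: $g"; missing=1 ;;
        esac
    done
    return "$missing"
}

# tcpdump_caps_ok "GETCAP_LINE": GETCAP_LINE is the output of `getcap $TCPDUMP`.
# Accepts both libcap output styles ("= cap_a,cap_b+eip" and "cap_a,cap_b=eip");
# both capabilities must be present and the set must be effective (eip).
tcpdump_caps_ok() {
    case "$1" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$1" in *+eip|*=eip) return 0 ;; *) return 1 ;; esac
}

# cuckoo_preflight: run every check against the live host.
# Exit status is the number of failed checks.
cuckoo_preflight() {
    local failed=0
    if has_vt_flag /proc/cpuinfo; then echo "ok   VT-x/AMD-V flag visible"
    else echo "FAIL no vmx/svm flag: enable VT-x in the BIOS"; failed=$((failed + 1)); fi

    if [ -c /dev/kvm ]; then echo "ok   /dev/kvm present"
    else echo "FAIL /dev/kvm missing: kvm modules not loaded"; failed=$((failed + 1)); fi

    if user_in_groups "$(id -nG "$CUCKOO_USER")" kvm libvirt pcap; then echo "ok   $CUCKOO_USER group membership"
    else echo "FAIL $CUCKOO_USER lacks a group (log in again after usermod)"; failed=$((failed + 1)); fi

    if tcpdump_caps_ok "$(getcap "$TCPDUMP" 2>/dev/null)"; then echo "ok   tcpdump capabilities"
    else echo "FAIL $TCPDUMP lacks cap_net_raw,cap_net_admin=eip"; failed=$((failed + 1)); fi

    return "$failed"
}
```

Run it as the cuckoo user after logging in again, since the new group memberships only take effect in a fresh session. A non-zero exit status tells you how many of the steps above still need attention.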

Note: To check the latest version, we can visit this link

Yeah! Cuckoo is installed in our system!

Creating a database for Cuckoo Sandbox

We installed PostgreSQL during our deploy, so now we will create a database for our Cuckoo Node.

sudo su postgres

To enter into the psql shell:

psql

Create a user into the DB:

CREATE USER cuckoo WITH PASSWORD 'somePassword';

Create the database cuckoo:

CREATE DATABASE cuckoo;

Grant privileges on the database for the user cuckoo:

GRANT ALL PRIVILEGES ON DATABASE cuckoo to cuckoo;

Adding YARA support:

The Cuckoo install already deployed yara-python, but let’s add YARA support to the system as well. To deploy the latest stable yara package, run:

wget https://github.com/VirusTotal/yara/archive/v3.8.1.zip && unzip v* && cd yara* && ./bootstrap.sh && ./configure --enable-cuckoo --enable-magic --enable-dotnet && make && sudo make install

Cuckoo Sandbox first run

We have to create the default files for Cuckoo, so in our terminal we have to type:

cuckoo

Executing Cuckoo Sandbox, first run

Cuckoo will create the .cuckoo folder structure under our user’s home directory.

Before starting to configure the Guest VMs, let’s download the Cuckoo community signatures:

cuckoo community

Downloading signatures

We have now all the signatures in place!

Configure Guest VMs

Let’s go to configure our first guest virtual machine.

The most used OS for malware sandboxing is Windows 7, so let’s go to configure a Windows 7 virtual machine with KVM.

On Ubuntu, we open the Virtual Machine Manager. The same can be done from the command line with virsh.

These are the steps to create a virtual machine with the Virtual Machine Manager:

Virtual Machine Manager

The red box is the action button to create a new Guest VM.

Virtual Machine Manager

As we have an ISO file, we select the first option.

Virtual Machine Manager

We click on Browse:

Virtual Machine Manager

As we don’t have an ISO DataStore or similar, we have to click on “Browse Local” and search for the Windows ISO in our system:

Virtual Machine Manager

The next step is to configure the RAM and vCPU for this Guest VM:

Virtual Machine Manager

The recommended values here are:

  • 2024 GB RAM
  • 2 vCPU

Let’s go to configure now the Hard Drive Space:

Virtual Machine Manager

The recommended value is 80 GB. Don’t worry if that seems too much: the space consumed on the host will only be the space actually used inside the Guest VM.

We have to do that because some malware samples check how much disk space is assigned to the system.

Virtual Machine Manager

We have to choose a name for the Guest VM and create it!

Virtual Machine Manager

After creating the Guest VM with the Virtual Machine Manager, we can deploy Windows on it.

Virtual Machine Manager

Install the basic software into the Guest VM:

In order to deploy the basic software in the Guest VM, we can use one of these two software executables:

In my case, I will use Ninite to deploy certain software in the Guest VM:

Ninite deploy

Basic changes to apply in the Guest VM:

We have to make some basic changes in the Windows Guest VM to use it with Cuckoo Sandbox.

These are the minimal changes to apply:

  • Disable UAC
  • Disable Windows Firewall
  • Disable Windows Defender
  • Install Python 2.7 x86 (Note: Add Python to the Windows PATH during the install)
  • Install Python Image Library
  • Reduce security in certain applications (We will cover that in future updates.)

Connecting the Guest VM with the Cuckoo Sandbox system:

In order to connect the Guest VM with Cuckoo, we have to keep the Cuckoo Agent running inside the guest.

The agent is located in:

/home/cuckoo/.cuckoo/agent

We have to copy agent.py into the Windows Guest VM and place it in the Windows Startup folder.

Startup folder

Note: Instead of saving the file as:

agent.py

Change the file name to:

myagent.pyw

Changing the extension to .pyw prevents the agent’s console window from appearing during the analysis.

After rebooting the Guest VM, Cuckoo Sandbox and the virtual machine will be connected.
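The guide creates the guest through the Virtual Machine Manager and mentions virsh as the alternative. The script below is an added example, not part of the original article, showing the same guest built from the command line with virt-install using the recommended sizes (2 vCPU, 80 GB thin disk, 2 GB of RAM expressed as 2048 MiB), then a clean snapshot taken once Windows, Python 2.7 and the agent are installed, and a quick check that the agent answers. The VM name, ISO and disk paths, the libvirt network name and the agent port (8000, the Cuckoo 2.x agent default, which the guide does not state) are assumptions. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# create_win7_guest.sh - added example, not part of the original article.
# Builds the Windows 7 analysis guest with virt-install, snapshots it, and
# checks the Cuckoo agent. Names and paths below are assumptions.

: "${VM_NAME:=win7-cuckoo-01}"                       # libvirt domain name (assumed)
: "${WIN_ISO:=/var/lib/libvirt/images/win7.iso}"      # Windows 7 ISO (assumed path)
: "${DISK_IMG:=/var/lib/libvirt/images/${VM_NAME}.qcow2}"
: "${NET_NAME:=default}"                             # libvirt NAT network (assumed)
: "${AGENT_PORT:=8000}"                              # Cuckoo 2.x agent default (assumed)
: "${DRY_RUN:=}"                                     # DRY_RUN=1 prints instead of executing

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_guest: install Windows from the ISO. qcow2 is sparse, so the 80 GB
# disk only costs what the guest actually writes. IDE and e1000 are used
# because a stock Windows 7 has no virtio drivers.
create_guest() {
    run virt-install \
        --name "$VM_NAME" \
        --memory 2048 \
        --vcpus 2 \
        --os-variant win7 \
        --cdrom "$WIN_ISO" \
        --disk "path=$DISK_IMG,size=80,format=qcow2,bus=ide" \
        --network "network=$NET_NAME,model=e1000" \
        --graphics vnc \
        --noautoconsole
}

# snapshot_clean [NAME]: freeze the state Cuckoo restores before each analysis.
# Take it while the guest is running with the agent started from the Startup folder.
snapshot_clean() {
    run virsh snapshot-create-as "$VM_NAME" "${1:-clean}" "Windows 7 + Python 2.7 + Cuckoo agent"
}

# parse_domifaddr: read `virsh domifaddr` output on stdin, print the first IPv4 lease.
parse_domifaddr() {
    awk '$3 == "ipv4" { split($4, a, "/"); print a[1]; exit }'
}

# guest_ip: the address on which Cuckoo will reach the agent.
guest_ip() {
    virsh domifaddr "$VM_NAME" | parse_domifaddr
}

# agent_reachable IP: 0 when the agent answers an HTTP request on its port.
agent_reachable() {
    curl -fsS --max-time 5 "http://$1:$AGENT_PORT/" >/dev/null
}
```

A typical sequence is `create_guest`, finish the Windows install and the changes listed above, then `snapshot_clean` and `agent_reachable "$(guest_ip)"` before the first analysis. The snapshot is what makes every analysis start from the same known state, so take it only after the agent is confirmed to start on boot.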

This guide highlighted how to install Cuckoo Sandbox and prepare one basic Guest VM.

I will be updating the guide including extra stuff.

Troubleshooting

This section collects troubleshooting tips for some common issues with Cuckoo:

YARA:

To check if YARA works, we can execute:

yara -h

If the YARA help appears on your terminal all is ok ;-) !

Note: If you get an error like:

yara: error while loading shared libraries: libyara.so.3: cannot open shared object file: No such file or directory

You can fix the error by running:

echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
sudo ldconfig
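The libyara error comes from `make install` placing the library in /usr/local/lib, a directory the loader cache does not always include. The following script is an added example, not part of the original article: it appends the directory only when it is missing (note that `sudo echo ... >> file` does not work, because the redirection is performed by the unprivileged shell, so the append goes through `tee` under sudo), rebuilds the cache, and verifies libyara is actually visible to the loader. The function names are my own.

```shell
#!/usr/bin/env bash
# fix_yara_libpath.sh - added example, not part of the original article.
# Makes /usr/local/lib known to the dynamic loader and verifies libyara loads.

LIB_DIR=/usr/local/lib   # where `make install` put libyara
LD_CONF=/etc/ld.so.conf  # loader search-path configuration

# conf_has_line FILE LINE: 0 if FILE already contains LINE exactly.
conf_has_line() {
    [ -f "$1" ] && grep -Fxq "$2" "$1"
}

# ldcache_has_lib "LDCONFIG_OUTPUT" LIBNAME: LDCONFIG_OUTPUT is `ldconfig -p`;
# 0 if a library whose soname starts with LIBNAME is in the cache.
ldcache_has_lib() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[^[:space:]]*[[:space:]]\("
}

# ensure_lib_dir: append LIB_DIR to LD_CONF if missing, then rebuild the cache.
ensure_lib_dir() {
    if conf_has_line "$LD_CONF" "$LIB_DIR"; then
        echo "$LIB_DIR already listed in $LD_CONF"
    else
        printf '%s\n' "$LIB_DIR" | sudo tee -a "$LD_CONF" >/dev/null
    fi
    sudo ldconfig
}

# yara_ok: 0 when libyara is in the loader cache and the yara binary starts.
yara_ok() {
    ldcache_has_lib "$(ldconfig -p)" libyara && yara -h >/dev/null 2>&1
}
```

Run `ensure_lib_dir && yara_ok && echo "yara ready"`; a failure in yara_ok after ldconfig means the library landed somewhere other than /usr/local/lib, which `ls /usr/local/lib/libyara*` will confirm.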

Marc Rivero López - @seifreed, Threat Researcher