Cuckoo Sandbox is the best open source option for building a malware sandbox system.
This is the architecture of Cuckoo Sandbox:
For this article, this will be our hardware and software configuration; choose whatever you feel comfortable with:
Remember to enable the VT-x flag in the BIOS so the host can run virtualization.
- 8 cores
- 16 GB of RAM
- 250 HD
- KVM as a hypervisor
With this hardware configuration we will be able to run several VMs in parallel and process enough samples to give Cuckoo Sandbox a good test.
Single Server or a Distributed setup:
Cuckoo Sandbox can be configured in two ways:
- Single Server
- Distributed Setup
Depending on your needs, you will have to choose one of the two available options to deploy the system.
Preparing the host:
To deploy the host we will have to do the following steps:
- Deploy a minimal Ubuntu Server 18.04 LTS with only SSH installed.
- Update the system
- Create a dedicated user for Cuckoo Sandbox
- Deploy Cuckoo Sandbox
- Configure Guest VMs
- Configure Cuckoo Sandbox
- Fine-tune the VMs to cope with evasive samples
- Run our first sample
Updating the system:
To bring the Ubuntu system up to date, run the following one-liner:
sudo apt update && sudo apt upgrade -y && sudo apt dist-upgrade -y && sudo apt autoremove -y
Create a user for Cuckoo Sandbox
As a best practice it is better to have a dedicated user for the sandbox, so let's create our user:
sudo adduser cuckoo
We will add the user cuckoo into the sudo group:
sudo adduser cuckoo sudo
Deploy Cuckoo Sandbox
To deploy the sandbox we have to install packages in the system, and first we will have to add two repositories so that all the required packages are available.
Adding support to MongoDB:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 68818C72E52529D4
Adding the repository
echo "deb [arch=amd64] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/development multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
Before installing them, we have to enable the universe and multiverse repositories:
sudo nano /etc/apt/sources.list
We have to add "universe multiverse" to the repository lines, save the file, and update the package index again:
sudo apt update
Ubuntu source list after running that operation. Now we have to install these packages:
sudo apt install git mongodb-org-unstable python python-dev python-pip python-m2crypto libmagic1 swig libvirt-dev upx-ucl libssl-dev wget unzip p7zip-full geoip-database libgeoip-dev libjpeg-dev mono-utils ssdeep libfuzzy-dev exiftool curl openjdk-11-jre-headless xfce4 xfce4-goodies postgresql postgresql-contrib libpq-dev wkhtmltopdf xvfb xfonts-100dpi tcpdump libcap2-bin clamav clamav-daemon clamav-freshclam python-pil suricata libboost-all-dev qemu-kvm libvirt-clients libvirt-daemon virt-manager htop tmux gdebi-core tor privoxy libssl-dev libjansson-dev libmagic-dev automake apparmor-utils -y
We will also install some required packages using pip:
sudo -H pip install psycopg2 distorm3 pycrypto openpyxl
sudo -H pip install git+https://github.com/kbandla/pydeep.git
sudo -H pip install git+https://github.com/volatilityfoundation/volatility.git
sudo -H pip install pyopenssl -U
Along with the dependencies, we also install XFCE as a desktop environment :-)!
After installing all the dependencies, we need to add our user to the kvm and libvirt groups:
sudo usermod -a -G kvm $USER && sudo usermod -a -G libvirt $USER
To enable packet capture in our VMs without running Cuckoo as root, we have to apply some changes in our system:
sudo aa-disable /usr/sbin/tcpdump
sudo groupadd pcap
sudo usermod -a -G pcap cuckoo
sudo chgrp pcap /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
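As an added example that is not part of this guide, the following script wraps the five tcpdump steps above so they can be re-run safely and then checks that the sandbox user really can capture without root; it assumes tcpdump at /usr/sbin/tcpdump and the user "cuckoo", and the chmod 750 line is an extra restriction not in the guide.

```shell
#!/bin/sh
# Added example (not from the guide): idempotent pcap setup for Cuckoo plus a check.
# Assumptions: tcpdump at /usr/sbin/tcpdump, sandbox user "cuckoo".
set -eu

TCPDUMP=${TCPDUMP:-/usr/sbin/tcpdump}
PCAP_USER=${PCAP_USER:-cuckoo}

# Return 0 if a getcap output line grants cap_net_raw and cap_net_admin in the
# effective, inheritable and permitted sets. Handles both libcap output styles:
#   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip     (newer libcap)
caps_grant_pcap() {
    case "$1" in
        *cap_net_admin,cap_net_raw[+=]eip*) return 0 ;;
        *cap_net_raw,cap_net_admin[+=]eip*) return 0 ;;
    esac
    return 1
}

# Apply the changes from the guide; every step is safe to run again.
setup_pcap() {
    sudo aa-disable "$TCPDUMP" 2>/dev/null || true   # already disabled is fine
    getent group pcap >/dev/null || sudo groupadd pcap
    sudo usermod -a -G pcap "$PCAP_USER"
    sudo chgrp pcap "$TCPDUMP"
    sudo chmod 750 "$TCPDUMP"      # extra: only root and group pcap may run it
    sudo setcap cap_net_raw,cap_net_admin=eip "$TCPDUMP"
}

# Verify that capture will work for the sandbox user without root.
verify_pcap() {
    caps_grant_pcap "$(getcap "$TCPDUMP")" || {
        echo "missing capabilities on $TCPDUMP" >&2; return 1; }
    id -nG "$PCAP_USER" | tr ' ' '\n' | grep -qx pcap || {
        echo "$PCAP_USER is not in group pcap (re-login needed?)" >&2; return 1; }
    echo "packet capture ready for $PCAP_USER"
}

case "${1:-}" in
    setup)  setup_pcap ;;
    verify) verify_pcap ;;
esac
```

Run it as "sh pcap_setup.sh setup" and then, after logging in again as cuckoo, "sh pcap_setup.sh verify".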
We have all the dependencies in place, so we can install Cuckoo Sandbox with a single pip command:
sudo pip install cuckoo==18.104.22.168
Note: To check the latest version, we can visit this link
Yeah! Cuckoo is installed in our system!
Creating a database for Cuckoo Sandbox
We installed PostgreSQL during the deployment, so now we will create a database for our Cuckoo node.
sudo su postgres
To enter into the psql shell:
Create a user into the DB:
CREATE USER cuckoo WITH PASSWORD 'somePassword';
Create the database cuckoo:
CREATE DATABASE cuckoo;
Grant privileges on the database for the user cuckoo:
GRANT ALL PRIVILEGES ON DATABASE cuckoo to cuckoo;
Adding YARA support:
The Cuckoo install already deploys yara-python, but let's add YARA support to the system as well; these are the steps to build and install the latest stable yara package:
wget https://github.com/VirusTotal/yara/archive/v3.8.1.zip && unzip v* && cd yara* && ./bootstrap.sh && ./configure --enable-cuckoo --enable-magic --enable-dotnet && make && sudo make install
Cuckoo Sandbox first run
We have to create the default files for Cuckoo, so in our terminal we have to type:
Cuckoo will create the cuckoo folder structure under our user's home directory.
Before starting to configure the Guest VMs, let's download the Cuckoo signatures:
We have now all the signatures in place!
Configure Guest VMs
Let's configure our first guest virtual machine.
The most used OS for malware sandboxing is Windows 7, so let's configure a Windows 7 virtual machine with KVM.
On Ubuntu, we have to open the Virtual Machine Manager. Alternatively, the same can be done with virsh.
These are the steps to create a virtual machine with the Virtual Machine Manager:
The red box is the action button to create a new Guest VM.
As we have an ISO file, we select the first option
We click on Browse:
As we don't have an ISO datastore or similar, we have to click on "Browse Local" and search for the Windows ISO on our system:
The next step is to configure the RAM and vCPU for this Guest VM:
The recommended values here are:
- 2024 GB RAM
- 2 vCPU
Let's now configure the hard drive space:
The recommended value is 80 GB. Don't worry if that seems too much: only the space actually used inside the Guest VM is consumed on the host.
We do this because some malware samples check the disk space assigned to the system, and a small disk is a sandbox tell.
We have to choose a name for the Guest VM and create it!
After creating the Guest VM with the Virtual Machine Manager, we can deploy Windows on it.
Install the basic software into the Guest VM:
To deploy the basic software in the Guest VM, we can use one of these two software installers:
In my case, I will use Ninite to deploy certain software in the Guest VM:
Basic changes to apply in the Guest VM:
We have to make some basic changes in the Windows Guest VM to use it with Cuckoo Sandbox.
These are the minimal changes to apply:
- Disable UAC
- Disable Windows Firewall
- Disable Windows Defender
- Install Python 2.7 x86 (Note: Add Python to the Windows PATH during the install)
- Install Python Image Library
- Reduce security in certain applications (We will cover that in future updates.)
Connecting the Guest VM with the Cuckoo Sandbox system:
To connect the Guest VM with Cuckoo, we have to keep the Cuckoo Agent running in the guest system.
The agent is located in:
We have to copy agent.py into the Windows Guest VM and place it in the Windows Startup folder.
Note: Instead to save the file as:
Change the file name to:
Changing the extension to .pyw prevents the agent's console window from appearing during the analysis.
After rebooting the Guest VM, Cuckoo Sandbox and the virtual machine will be connected.
This guide highlighted how to install Cuckoo Sandbox and prepare one basic Guest VM.
I will be updating the guide including extra stuff.
This section collects troubleshooting tips for some common Cuckoo issues:
To check if YARA works, we can execute:
If the YARA help appears on your terminal, all is ok ;-) !
Note: If you get an error like:
yara: error while loading shared libraries: libyara.so.3: cannot open shared object file: No such file or directory
You can fix the error by adding /usr/local/lib to the dynamic loader's search path and refreshing its cache. Note that with "sudo echo ... >> /etc/ld.so.conf" the redirection would run as your unprivileged user and fail with permission denied, so write the file through sudo tee instead:
echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf && sudo ldconfig
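As an added example that is not part of this guide, this script automates the YARA check and the libyara fix above: it classifies what "yara --version" reports and, only when the symptom is the missing shared library, adds /usr/local/lib to ld.so.conf once (no duplicate lines on repeated runs) and refreshes the cache. It assumes yara was installed from source into /usr/local as above and that the script is run as root.

```shell
#!/bin/sh
# Added example (not from the guide): check YARA and repair the loader path.
# Assumptions: yara installed under /usr/local; run as root (sudo sh fix_yara.sh fix).
set -eu

LD_CONF=${LD_CONF:-/etc/ld.so.conf}
YARA_LIBDIR=${YARA_LIBDIR:-/usr/local/lib}

# Append a directory to an ld.so.conf file only if it is not already listed,
# so repeated runs do not pile up duplicate lines. Returns 0 if a line was added.
add_ld_path() {
    conf=$1; dir=$2
    if [ -f "$conf" ] && grep -qxF "$dir" "$conf"; then
        return 1
    fi
    printf '%s\n' "$dir" >> "$conf"
}

# Classify the result of running yara: prints "ok", "missing-lib" (the exact
# libyara loader error from the guide) or "error" (anything else, e.g. not installed).
yara_status() {
    out=$(yara --version 2>&1) && { echo ok; return 0; }
    case "$out" in
        *"error while loading shared libraries"*libyara*) echo missing-lib ;;
        *) echo error ;;
    esac
}

# Apply the ld.so.conf fix only when the symptom matches, then re-check.
fix_yara() {
    case "$(yara_status)" in
        ok) echo "yara works"; return 0 ;;
        missing-lib)
            if add_ld_path "$LD_CONF" "$YARA_LIBDIR"; then
                echo "added $YARA_LIBDIR to $LD_CONF"
            fi
            ldconfig            # refresh the shared library cache
            [ "$(yara_status)" = ok ] ;;
        *) echo "yara failed for another reason: $(yara --version 2>&1 || true)" >&2
           return 1 ;;
    esac
}

case "${1:-}" in
    fix) fix_yara ;;
esac
```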