CUCKOO SANDBOX

Preet kamal
4 min read · Dec 1, 2020


  • An open source automated malware analysis system.
  • Throw any suspicious file at it and get a detailed report outlining the behavior of the file.

Requirements

Since Cuckoo is written in Python, you need the following Python packages and build dependencies for a proper installation.

sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
sudo apt-get install python-virtualenv python-setuptools
(if any error occurs, try: sudo apt-get install python3-virtualenv)

For the Django-based web interface, MongoDB is required:

sudo apt-get install mongodb
If that fails, follow https://docs.mongodb.com/manual/tutorial/install-mongodb-on-debian/
sudo apt-get install postgresql libpq-dev

Virtualization software of your choice: VirtualBox or VMware.

Installing Tcpdump

To capture the network activity performed by the malware, install tcpdump and allow it to sniff without running as root:

sudo apt-get install tcpdump
sudo groupadd pcap
sudo usermod -a -G pcap $USER
sudo chgrp pcap /usr/sbin/tcpdump
sudo apt-get install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Installing Volatility

Volatility is used for forensic analysis of the memory dumps that Cuckoo creates.

sudo apt install volatility

Installing M2Crypto

sudo apt-get install swig
sudo pip install m2crypto==0.24.0

Installing Cuckooooooo…..

sudo pip install -U pip setuptools
sudo pip install -U cuckoo

Follow this only if you face an error while installing Cuckoo.

You might encounter an error because of a Python version mismatch; Cuckoo is meant to be installed under Python 2.

Install pip for Python 2 by downloading https://bootstrap.pypa.io/get-pip.py and running:

python2 get-pip.py

sudo pip2 install -U cuckoo

If Pillow throws an error, resolve it by running the following command and then try again.

sudo apt-get install libtiff5-dev libjpeg8-dev zlib1g-dev libfreetype6-dev liblcms2-dev libwebp-dev tcl8.6-dev tk8.6-dev python-tk

Configuring Cuckoo files

Cuckoo behaves according to the values in its configuration files. These live under ~/.cuckoo (the Cuckoo working directory, $CWD) by default.

  • cuckoo.conf: configures general behavior and analysis options.

Set the machinery field to match your hypervisor: vmware or virtualbox.

Enter your host IP address in the “ip” field.

To use Volatility, enable memory_dump in $CWD/conf/cuckoo.conf.

“vboxnet0” is the interface that you will create in VirtualBox (see the “Creating an Interface” section).

In the “label” field, enter the name of your virtual machine instance in VirtualBox, and in the “ip” field enter the IP address of the guest OS.

Enable the memory dump if you want to use Volatility.
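As an added example (not part of the original post), a small POSIX shell pre-flight check for the cuckoo.conf values just described. It assumes the Cuckoo 2.x layout, where machinery and memory_dump sit in the [cuckoo] section and the host IP in [resultserver]; the two sample configs are constructed.

```shell
# Pre-flight check for the cuckoo.conf values the post tells you to set.
# Section and key names follow the Cuckoo 2.x conf layout (assumed, not
# shown in the post); the two sample configs below are constructed.

# ini_get FILE SECTION KEY -> prints the value, or nothing if it is absent.
# Whitespace is stripped, so it suits simple values (names, yes/no, IPs).
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        { line = $0; gsub(/[ \t]/, "", line) }
        line ~ /^\[/ { insec = (line == want); next }
        insec && index(line, key "=") == 1 { print substr(line, length(key) + 2); exit }
    ' "$1"
}

# check_cuckoo_conf FILE -> returns 0 when machinery, memory_dump and the
# result-server ip match what the post asks for, 1 otherwise (with a reason).
check_cuckoo_conf() {
    conf="$1"; rc=0
    machinery=$(ini_get "$conf" cuckoo machinery)
    memdump=$(ini_get "$conf" cuckoo memory_dump)
    rs_ip=$(ini_get "$conf" resultserver ip)
    case "$machinery" in
        virtualbox|vmware) ;;
        *) echo "machinery is '$machinery'; expected virtualbox or vmware"; rc=1 ;;
    esac
    [ "$memdump" = "yes" ] || { echo "memory_dump is '$memdump'; set yes for Volatility"; rc=1; }
    case "$rs_ip" in
        ""|0.0.0.0) echo "resultserver ip is '$rs_ip'; use the host's vboxnet0 address"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: one configured as the post describes, one left at defaults.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[cuckoo]
machinery = virtualbox
memory_dump = yes
[resultserver]
ip = 192.168.56.1
EOF
cat > "$BAD_CONF" <<'EOF'
[cuckoo]
machinery = virtualbox
memory_dump = no
[resultserver]
ip = 0.0.0.0
EOF
check_cuckoo_conf "$GOOD_CONF" && echo "sample 1: ready"
check_cuckoo_conf "$BAD_CONF" || echo "sample 2: fix the items above"
```

Point it at your own $CWD/conf/cuckoo.conf to catch a forgotten memory_dump or a result-server IP still at its default before the first analysis run.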

Creating an Interface

  • Create a host-only interface through which the guest and host will communicate with each other. Open VirtualBox -> File -> Host Network Manager -> Create.

Preparing the Guest OS

  • Install Python 2.7
  • Disable antivirus and updates
  • Configure the IP address (the guest address you entered in the “ip” field)

Installing the Agent

agent.py handles the communication and exchange of data with the host.

You will find the agent.py file in the $CWD/agent/ directory.

Copy “agent.py” to your guest OS and run it.

After running “agent.py”, take the snapshot and power off the machine.

Running Cuckoo

To use the web-based interface:

sudo service mongod start
cuckoo
cuckoo web

Results

Here you can see all the findings from the analysis.

Happy Analyzing :)


Reference: https://cuckoo.sh/docs/index.html
