CUCKOO SANDBOX
- An open source automated malware analysis system.
- Throw any suspicious file at it and get a detailed report outlining the behavior of the file.
Requirements
Since Cuckoo is written in Python, you need the following Python packages for a proper installation.
sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
sudo apt-get install python-virtualenv python-setuptools
(If an error occurs, try:
sudo apt-get install python3-virtualenv)
For the Django-based web interface, MongoDB is required:
sudo apt-get install mongodb
If this fails, follow https://docs.mongodb.com/manual/tutorial/install-mongodb-on-debian/
To use PostgreSQL as the database backend instead:
sudo apt-get install postgresql libpq-dev
Virtualization software of your choice: VirtualBox or VMware.
Installing Tcpdump
To dump the network activity performed by the malware, install tcpdump.
sudo apt-get install tcpdump
sudo groupadd pcap
sudo usermod -a -G pcap $USER
sudo chgrp pcap /usr/sbin/tcpdump
sudo apt-get install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
Installing Volatility
Volatility performs forensic analysis on the memory dumps that Cuckoo creates.
sudo apt install volatility
Installing M2Crypto
sudo apt-get install swig
sudo pip install m2crypto==0.24.0
Installing Cuckooooooo…..
sudo pip install -U pip setuptools
sudo pip install -U cuckoo
Follow this only if you face an error while installing Cuckoo.
The error may be caused by a Python version mismatch: Cuckoo is recommended to be installed under Python 2.
Install pip2 (download get-pip.py from https://bootstrap.pypa.io/get-pip.py):
python2 get-pip.py
sudo pip2 install -U cuckoo
If Pillow throws an error, resolve it by running the following command and then try again.
sudo apt-get install libtiff5-dev libjpeg8-dev zlib1g-dev libfreetype6-dev liblcms2-dev libwebp-dev tcl8.6-dev tk8.6-dev python-tk
Configuring Cuckoo files
Cuckoo behaves according to the values in its configuration files, which are in ~/.cuckoo by default.
- cuckoo.conf: for configuring general behavior and analysis options.
Set the machinery field to the virtualization software you use: vmware or virtualbox.
Enter your host IP address in the “ip” field.
To use Volatility, enable memory_dump in $CWD/conf/cuckoo.conf.
- virtualbox.conf: for defining the options for the virtualization software.
“vboxnet0” is the interface that you will create in VirtualBox (hop to the “Creating an Interface” section).
In the “label” field, enter the name of your virtual machine instance in VirtualBox, and in the “ip” field, enter the IP address of the guest OS.
- processing.conf: for enabling and configuring processing modules.
Enable the memory dump processing module to use Volatility.
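As an added illustration (not taken from this post or from the Cuckoo documentation), this is how the relevant parts of the three files look once edited for a VirtualBox setup; the host and guest addresses are constructed values on VirtualBox's default host-only range, and the VM name cuckoo1 is a placeholder.

```ini
; ~/.cuckoo/conf/cuckoo.conf (excerpt)
[cuckoo]
; machinery module that drives the analysis VMs
machinery = virtualbox
; dump guest memory after each analysis so Volatility can process it
memory_dump = yes

[resultserver]
; host-side address on the host-only network that the guest reports to
; (constructed value: the default vboxnet0 host address)
ip = 192.168.56.1
port = 2042

; ~/.cuckoo/conf/virtualbox.conf (excerpt)
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
; host-only interface created in File -> Host Network Manager
interface = vboxnet0
; comma-separated list of the VM sections defined below
machines = cuckoo1

[cuckoo1]
; "label" must match the VM name shown in VirtualBox (placeholder name)
label = cuckoo1
platform = windows
; static address configured inside the guest OS (constructed value)
ip = 192.168.56.101
; left empty: use the current snapshot taken after running agent.py
snapshot =

; ~/.cuckoo/conf/processing.conf (excerpt)
[memory]
; run Volatility over the dump produced by memory_dump = yes above
enabled = yes
```

The resultserver ip and the guest ip must sit on the same host-only subnet, otherwise the agent in the guest cannot reach the host and every analysis stalls.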
Creating an Interface
- Create an interface through which the guest and host will communicate with each other. Open VirtualBox -> File -> Host Network Manager -> Create.
Preparing the Guest OS
- Install Python 2.7
- Disable antivirus and updates
- Configure the IP address
Installing the Agent
agent.py: handles the communication and the exchange of data with the host.
You will find the agent.py file in the $CWD/agent/ directory.
Copy “agent.py” to your guest OS and run it.
After running “agent.py”, take the snapshot and power off the machine.
Running Cuckoo
To use the web-based interface:
sudo service mongod start
cuckoo
cuckoo web
Results
Here you can see all the findings related to analysis.
Happy Analyzing :)
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Reference: https://cuckoo.sh/docs/index.html