CUCKOO SANDBOX

  • An open source automated malware analysis system.
  • Throw any suspicious file at it and get a detailed report outlining the behavior of the file.

Requirements

Cuckoo 2.x is written in Python 2.7, so install the Python 2 toolchain plus the headers its dependencies build against:

sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
sudo apt-get install python-virtualenv python-setuptools
(If the python-virtualenv package is unavailable on your release, try sudo apt-get install python3-virtualenv; Cuckoo itself still needs Python 2.)

The Django-based web interface stores its reports in MongoDB, so MongoDB is required for it:

sudo apt-get install mongodb
If the package is missing for your distribution, follow https://docs.mongodb.com/manual/tutorial/install-mongodb-on-debian/

PostgreSQL is optional: Cuckoo uses SQLite for its task database by default, and only if you want PostgreSQL instead do you also need:

sudo apt-get install postgresql libpq-dev

A virtualization product of your choice, VirtualBox or VMware. The rest of this post assumes VirtualBox.

Installing Tcpdump

Cuckoo records the guest's network activity with tcpdump. Cuckoo itself should run as an unprivileged user, so instead of running tcpdump as root, give the binary the two capabilities it needs for raw capture and put the Cuckoo user in a dedicated pcap group (run this as the user that will later run cuckoo, and log out and back in for the new group to take effect):

sudo apt-get install tcpdump
sudo groupadd pcap
sudo usermod -a -G pcap $USER
sudo chgrp pcap /usr/sbin/tcpdump
sudo apt-get install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Check the result with getcap /usr/sbin/tcpdump, which must list cap_net_admin and cap_net_raw. Note that chgrp alone does not stop other local users from running the now-capable binary; chmod 750 /usr/sbin/tcpdump restricts it to the pcap group. On Ubuntu, the AppArmor profile for tcpdump can also prevent it from writing dump.pcap into the analysis directory; the Cuckoo docs work around this with sudo aa-disable /usr/sbin/tcpdump (from the apparmor-utils package).

Installing Volatility

Volatility lets Cuckoo run forensic plugins over the guest memory dumps it takes (only when memory_dump is enabled, see the configuration section below). Cuckoo 2.x works with Volatility 2, which is what the distribution package provides; Volatility 3 is not supported.

sudo apt install volatility

Installing M2Crypto

sudo apt-get install swig
sudo pip install m2crypto==0.24.0

Installing Cuckoo

sudo pip install -U pip setuptools
sudo pip install -U cuckoo

Installing into the system Python with sudo pip works, but the Cuckoo docs recommend a virtualenv owned by a dedicated unprivileged user, which keeps Cuckoo's pinned dependencies away from the system packages and means the analysis process never runs as root.

Follow this part only if the installation above fails.

The usual cause is a Python version mismatch: pip resolved to Python 3, while Cuckoo 2.x only supports Python 2.7.

Install pip for Python 2 by downloading get-pip.py (https://bootstrap.pypa.io/get-pip.py; if that URL now serves a Python 3 only installer, use the Python 2.7 copy at https://bootstrap.pypa.io/pip/2.7/get-pip.py) and running it with python2:

python2 get-pip.py

sudo pip2 install -U cuckoo

If Pillow fails to build, install the image library headers it compiles against and retry:

sudo apt-get install libtiff5-dev libjpeg8-dev zlib1g-dev libfreetype6-dev liblcms2-dev libwebp-dev tcl8.6-dev tk8.6-dev python-tk

Configuring Cuckoo files

Cuckoo reads its settings from the configuration files in the Cuckoo Working Directory ($CWD). The default $CWD is ~/.cuckoo, so the files live in ~/.cuckoo/conf/; they are created the first time you run cuckoo.

  • cuckoo.conf: general behaviour and analysis options.

Set the machinery field to the virtualization backend you installed (virtualbox or vmware).

Under [resultserver], set ip to the host's address on the host-only interface (192.168.56.1 for a default vboxnet0). The guest sends its results back to this address, so it must be reachable from the guest.

Set memory_dump = yes if you want Cuckoo to dump guest memory for Volatility.

  • virtualbox.conf: the VirtualBox backend and the guests Cuckoo may use.

interface is the host-only adapter the host and guest share: vboxnet0, created in the next section.

Each machine named in the machines list has a section of its own. In its label field enter the VM's name exactly as shown in VirtualBox, in ip the static address you give the guest OS (192.168.56.101 in the Cuckoo docs), and in snapshot the name of the snapshot to restore before each analysis (leave it empty to use the current snapshot).
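The fields above have to agree with each other (the backend named in cuckoo.conf must exist in virtualbox.conf, host and guest must sit on the same host-only subnet, and memory_dump must be on if Volatility is expected to do anything), and a mismatch only shows up as a failed analysis later. The following is an added example for this post, not code from Cuckoo, that checks those relationships before you start. It assumes the upstream layout of the two files ([cuckoo] machinery and memory_dump and [resultserver] ip in cuckoo.conf; [virtualbox] interface and machines plus one [name] section per guest in virtualbox.conf), and the two strings are constructed sample files, not copied from a real install. It runs under Python 3 on the host; Cuckoo itself still needs Python 2.7.

```python
"""Sanity-check $CWD/conf/cuckoo.conf against $CWD/conf/virtualbox.conf.

Added example, not part of Cuckoo. File layout and field names are
assumed to match the Cuckoo 2.x defaults; the sample contents below are
constructed for the demo. Runs under Python 3.
"""
import configparser
import ipaddress

SAMPLE_CUCKOO_CONF = """\
[cuckoo]
machinery = virtualbox
memory_dump = no

[resultserver]
ip = 192.168.56.1
port = 2042
"""

SAMPLE_VIRTUALBOX_CONF = """\
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot =
"""

# Subnet VirtualBox gives vboxnet0 by default (assumption: adjust it if you
# configured the host-only adapter differently).
HOSTONLY_NET = ipaddress.ip_network("192.168.56.0/24")


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_cuckoo_config(cuckoo_text, vbox_text, hostonly_net=HOSTONLY_NET):
    """Return a list of problem strings; an empty list means the files agree."""
    problems = []
    cuckoo = _parse(cuckoo_text)
    vbox = _parse(vbox_text)

    # 1. machinery must name the backend whose config we are checking.
    machinery = cuckoo.get("cuckoo", "machinery", fallback="")
    if machinery != "virtualbox":
        problems.append("cuckoo.conf: machinery=%r, this check expects virtualbox" % machinery)
        return problems
    if not vbox.has_section("virtualbox"):
        problems.append("virtualbox.conf: missing [virtualbox] section")
        return problems

    # 2. Volatility has nothing to analyse unless memory dumps are enabled.
    if not cuckoo.getboolean("cuckoo", "memory_dump", fallback=False):
        problems.append("cuckoo.conf: memory_dump is off, Volatility will get no dumps")

    # 3. The resultserver address must be the host's side of the host-only net.
    rs_ip = ipaddress.ip_address(cuckoo.get("resultserver", "ip", fallback="0.0.0.0"))
    if rs_ip not in hostonly_net:
        problems.append("cuckoo.conf: resultserver ip %s is not in %s" % (rs_ip, hostonly_net))

    # 4. Every listed guest needs a section, a VirtualBox label and an address
    #    on the same subnet that does not collide with the host.
    listed = [m.strip() for m in vbox.get("virtualbox", "machines", fallback="").split(",") if m.strip()]
    if not listed:
        problems.append("virtualbox.conf: machines list is empty")
    for name in listed:
        if not vbox.has_section(name):
            problems.append("virtualbox.conf: machine %r listed but has no [%s] section" % (name, name))
            continue
        if not vbox.get(name, "label", fallback="").strip():
            problems.append("virtualbox.conf: [%s] label is empty (must match the VM name in VirtualBox)" % name)
        try:
            guest_ip = ipaddress.ip_address(vbox.get(name, "ip", fallback=""))
        except ValueError:
            problems.append("virtualbox.conf: [%s] ip is missing or invalid" % name)
            continue
        if guest_ip not in hostonly_net:
            problems.append("virtualbox.conf: [%s] ip %s is outside %s" % (name, guest_ip, hostonly_net))
        elif guest_ip == rs_ip:
            problems.append("virtualbox.conf: [%s] ip collides with the resultserver ip" % name)
    return problems


if __name__ == "__main__":
    # Point these at ~/.cuckoo/conf/cuckoo.conf and virtualbox.conf on a real host.
    for problem in check_cuckoo_config(SAMPLE_CUCKOO_CONF, SAMPLE_VIRTUALBOX_CONF):
        print("PROBLEM:", problem)
```

Run against the sample files it reports only the disabled memory_dump; swap in the contents of your own two files to check a real setup before starting an analysis.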

Creating an Interface

  • Create a host-only interface through which the guest and host communicate: open VirtualBox -> File -> Host Network Manager -> Create. VirtualBox names it vboxnet0 and gives the host 192.168.56.1/24 on it by default. In the guest VM's settings, attach its network adapter to this host-only adapter and nothing else, so the sample can talk to the host but not to your LAN or the internet.

Preparing the Guest OS

  • Install Python 2.7 (the agent is a Python 2 script).
  • Disable antivirus, automatic updates and the Windows firewall, so they neither interfere with the sample nor block the agent's port.
  • Configure a static IP address: the one you entered in virtualbox.conf (192.168.56.101, netmask 255.255.255.0, gateway 192.168.56.1 for a default vboxnet0).

Installing the Agent

agent.py is a small HTTP server (TCP port 8000) that handles the communication and the exchange of data with the host: Cuckoo uses it to upload the sample and the analyzer into the guest and to start the analysis.

You will find agent.py in the $CWD/agent/ directory.

Copy agent.py to your guest OS and run it. On Windows, renaming it to agent.pyw runs it without a console window.

With the agent running, take the snapshot while the VM is still powered on, then power off the machine. Cuckoo restores this snapshot before every analysis and expects the agent to be up immediately, so do not snapshot a powered-off guest. Keep in mind that the agent has no authentication: anything that can reach port 8000 can run commands in the guest through it, which is one more reason the guest must only sit on the host-only network.
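Before taking the snapshot it is worth confirming from the host that the agent actually answers on the guest's address, because a snapshot taken with the agent not listening (wrong IP, firewall still on, script closed) fails every analysis. The following is an added example for this post, not Cuckoo's own code. It assumes the Cuckoo 2.x agent.py behaviour of serving HTTP on port 8000 and replying to GET / with a JSON document whose "message" field starts with "Cuckoo Agent" (an assumption; verify it against the agent.py you copied). The HTTP fetch is injected so the check can be exercised offline with canned responses.

```python
"""Check that the Cuckoo agent answers on the guest before you snapshot.

Added example, not part of Cuckoo. Assumes agent.py listens on TCP 8000
and answers GET / with JSON containing a "message" of "Cuckoo Agent!"
(assumption; check your agent.py). Python 3, run on the host.
"""
import json
import urllib.request

AGENT_PORT = 8000  # agent.py default (assumption)


def http_get(url, timeout=3.0):
    """Plain HTTP GET returning the body as bytes; raises OSError on failure."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check_agent(guest_ip, fetch=http_get, port=AGENT_PORT):
    """Return (ok, detail); ok is True only when a Cuckoo agent replied."""
    url = "http://%s:%d/" % (guest_ip, port)
    try:
        body = fetch(url)
    except OSError as exc:  # covers URLError, connection refused, timeouts
        return False, "no answer from %s: %s" % (url, exc)
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "non-JSON reply from %s (is something else on port %d?)" % (url, port)
    message = doc.get("message", "") if isinstance(doc, dict) else ""
    if not isinstance(message, str) or not message.startswith("Cuckoo Agent"):
        return False, "unexpected reply from %s: %r" % (url, doc)
    return True, "agent version %s is up on %s" % (doc.get("version", "?"), guest_ip)


if __name__ == "__main__":
    import sys
    # Guest address from virtualbox.conf; 192.168.56.101 is the docs' example.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.101"
    ok, detail = check_agent(target)
    print(("OK: " if ok else "NOT READY: ") + detail)
    sys.exit(0 if ok else 1)
```

A "no answer" result almost always means the guest firewall is still on, the guest has the wrong static IP, or the agent window was closed; fix that and re-run before you snapshot, since the snapshot freezes whatever state the agent is in.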

Running Cuckoo

Start MongoDB, then run the Cuckoo core and the web interface in two separate terminals (both keep running in the foreground):

sudo service mongod start
cuckoo
cuckoo web

The MongoDB service is called mongod when installed from MongoDB's own repository and mongodb when installed from the Debian/Ubuntu package, so use whichever name your install created. The web interface also needs the [mongodb] reporting module enabled in $CWD/conf/reporting.conf (enabled = yes), otherwise reports never reach it. By default cuckoo web listens on localhost:8000 only; keep it that way unless you deliberately put it behind a reverse proxy, because it exposes every sample and report. Submit files through the web interface or with cuckoo submit <file> from the command line.

Results

Once an analysis finishes, the web interface shows all the findings for that task (behaviour, signatures, network traffic, dropped files, and the Volatility output if memory dumps were enabled). The same data is on disk under $CWD/storage/analyses/<task id>/, including the raw report.json.

Happy Analyzing :)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Reference: https://cuckoo.sh/docs/index.html


Security Analyst @IBM https://www.linkedin.com/in/preet-kamal-b61385132/
