Cuckoo malware analysis lab
I was inspired by this great article by Rastamouse and decided to build an identical lab. It may seem slightly out of scope for this book, but you have to consider that if you develop your own payloads and tools you must test them before you put them into a production environment.
I got it set up with some minor issues that I worked it. So in this guide I try to address some of the things that didn't work perfectly when setting this up to make it as smooth as possible. The result is approximately the same as rasta's lab so you can refer to his figures if you need to visualize this.
As Rastamouse says in his article, VMWare is necessary on the physical host as because to have 64-bit VMs for the malware sandboxes we need support for VT-x/AMD-V. VMWare Workstation / Player does not have this restriction.
In VMWare workstation, go to Edit -> Virtual network editor and change the VMnet1 (Host-only) IP subnet to 192.168.45.0/24 and enable DHCP.
During this guide we sometimes have to change networking settings, even while VMs are running. If you do that, remember to restart the networking service in Ubuntu so config and interfaces gets updated.
sudo /etc/init.d/networking restart
I followed the wizdom of the Rasta and gave the Ubuntu server the following specs
- 8 CPU Cores
Enable Virtualize Intel VT-x/EPT or AMD-V/RVI
- 4GB RAM
- 100GB Hard Disk
- NIC 1: Bridged (we will change it to NAT later)
- NIC 2: Host-Only
Once your Install the requirements to get Cuckoo and Virtualbox running
sudo apt update
sudo apt install python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb python-pip virtualbox tcpdump apparmor-utils
Install some additional tools
sudo apt install git vim cifs-utils smbclient terminator unzip xfce4 firefox
If you want you can now boot to the graphical user environment XFCE using
startxand finish the rest of the setup from there.
Finish the rest of the setup of cuckoo
sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
pip install -U pip pycrypto distorm3
git clone https://github.com/volatilityfoundation/volatility
sudo python setup.py install
pip install -U yara-python==3.6.3 cuckoo
The install should now be finished and you have verified Cuckoo is working.
Proceed to set up a Host-only network for Virtualbox. Add a new host-only network by doing the following.
Go to Virtualbox -> File -> Preferences -> Network -> Host-only Networks -> Press the little green + icon.
Click the screwdriver icon just below it and make sure the IP subnet is set to 192.168.56.0/24 and that DHCP is disabled.
vboxnet0should now appear in the list. This interface
Restart the networking service in Ubuntu and verify with
ip addrthat a new interface has been added.
I had some minor trouble getting the files over as file sharing between VMs can be a bit of a jerk sometimes. So I prefer using SMB for transfer. You should have a Share set up on your Windows host
Connect to your share using SMB and download whatever ISOs and software you need
smbclient -U username //10.0.0.2/Downloads -m SMB3 -W win
After this is done you can go back to the VM settings for the Ubuntu box in and change the first NIC to NAT.
Open VirtualBox and create your base VMs - I’m just going to create Windows 7 32-bit & 64-bit VMs called Win10x64 and Win7x64 respectively. They can be small VMs. So give them
- 1 CPU
- 512MB RAM
- 10GB HDD
- 1 NIC attached to vboxnet0
During installation, set the username to cuckoo for all VMs. Wait for the installation to finish.
Set a static IP in each VM
- Win10x64 - 192.168.56.10
- Win7x64 - 192.168.56.15
You will also want to
- Disable the Windows Firewall
- Disable UAC (Never Notify)
- Disable Windows Updates (don't even bother with W10)
Download the latest Python 2.7.x for Windows to your Ubuntu server. Host the files a convenient place and fire up a simple web server
cp ~/cuckoo/agents/agent.py ~/Downloads
python -m SimpleHTTPServer
Download the x64 MSI installer and the Cuckoo agent
Install Python manually in each VM.
Start the Cuckoo agent by opening a
Command Prompt as Administrator.
Whilst the VMs are running, follow these steps to snapshot them (repeat for each VM):
VBoxManage snapshot "Win7x64" take "Win7x64_snap" --pause
VBoxManage controlvm "Win7x64" poweroff
VBoxManage snapshot "Win7x64" restorecurrent
In the GUI, they should appear as
mode = headless->
mode = guiis useful for testing.
machines = cuckoo1->
machines = Win1x64,Win7x64plus any others you’ve made.
cuckoo1is the default example. Each VM needs its own little block.
label = Win10x64
platform = windows
ip = 192.168.56.10
snapshot = Win10x64_snap
label = Win7x64
platform = windows
ip = 192.168.56.15
snapshot = Win7x64_snap
Now you should be able to run cuckoo. Start Cuckoo
Now fire up another terminal and start the Cuckoo web GUI
cuckoo web runserver 192.168.45.128:8080
You can then submit a sample and enjoy the results :)