Cuckoo malware analysis lab

I was inspired by this great article by Rastamouse and decided to build an identical lab. It may seem slightly out of scope for this book, but you have to consider that if you develop your own payloads and tools you must test them before you put them into a production environment.

I got it set up with some minor issues that I worked it. So in this guide I try to address some of the things that didn't work perfectly when setting this up to make it as smooth as possible. The result is approximately the same as rasta's lab so you can refer to his figures if you need to visualize this.

Ping me on Twitter @chryzsh if something's not working. I will update the guide.

As Rastamouse says in his article, VMWare is necessary on the physical host as because to have 64-bit VMs for the malware sandboxes we need support for VT-x/AMD-V. VMWare Workstation / Player does not have this restriction.

Box

OS

Software installed

Physical Host

Windows 10

VMWare Workstation

Virtual Cuckoo Host OS

Ubuntu Server 16.04 x64

Cuckoo & Virtualbox

Virtual Sandbox VM

W7 x64

Python with Cuckoo agent

Virtual Sandbox VM

W10 x64

Python with Cuckoo agent

Setting up VMWare

In VMWare workstation, go to Edit -> Virtual network editor and change the VMnet1 (Host-only) IP subnet to 192.168.45.0/24 and enable DHCP.

During this guide we sometimes have to change networking settings, even while VMs are running. If you do that, remember to restart the networking service in Ubuntu so config and interfaces gets updated. sudo /etc/init.d/networking restart

Configuring the Cuckoo host

I followed the wizdom of the Rasta and gave the Ubuntu server the following specs

  • 8 CPU Cores

    • Tick Enable Virtualize Intel VT-x/EPT or AMD-V/RVI

  • 4GB RAM

  • 100GB Hard Disk

  • NIC 1: Bridged (we will change it to NAT later)

  • NIC 2: Host-Only

Proceed to install Ubuntu 16.04 in VMWare workstation. Set the username to cuckoo.

Installing software

Once your Install the requirements to get Cuckoo and Virtualbox running

cd ~
sudo apt update
sudo apt install python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb python-pip virtualbox tcpdump apparmor-utils

Install some additional tools

sudo apt install git vim cifs-utils smbclient terminator unzip xfce4 firefox

If you want you can now boot to the graphical user environment XFCE using startx and finish the rest of the setup from there.

Finish the rest of the setup of cuckoo

sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
pip install -U pip pycrypto distorm3
git clone https://github.com/volatilityfoundation/volatility
cd ~/volatility/
sudo python setup.py install
cd ~/
virtualenv cuckoo
. cuckoo/bin/activate
pip install -U yara-python==3.6.3 cuckoo
cuckoo
exit

The install should now be finished and you have verified Cuckoo is working.

Proceed to set up a Host-only network for Virtualbox. Add a new host-only network by doing the following.

Go to Virtualbox -> File -> Preferences -> Network -> Host-only Networks -> Press the little green + icon.
Click the screwdriver icon just below it and make sure the IP subnet is set to 192.168.56.0/24 and that DHCP is disabled.

A new vboxnet0 should now appear in the list. This interface

Restart the networking service in Ubuntu and verify with ip addr that a new interface has been added.

Transfering ISOs from Windows to Ubuntu

I had some minor trouble getting the files over as file sharing between VMs can be a bit of a jerk sometimes. So I prefer using SMB for transfer. You should have a Share set up on your Windows host

Connect to your share using SMB and download whatever ISOs and software you need smbclient -U username //10.0.0.2/Downloads -m SMB3 -W win get windows7x64.iso

After this is done you can go back to the VM settings for the Ubuntu box in and change the first NIC to NAT.

Configuring the Guest VMs

Open VirtualBox and create your base VMs - I’m just going to create Windows 7 32-bit & 64-bit VMs called Win10x64 and Win7x64 respectively. They can be small VMs. So give them

  • 1 CPU

  • 512MB RAM

  • 10GB HDD

  • 1 NIC attached to vboxnet0

During installation, set the username to cuckoo for all VMs. Wait for the installation to finish.

Set a static IP in each VM

  • Win10x64 - 192.168.56.10

  • Win7x64 - 192.168.56.15

You will also want to

  • Disable the Windows Firewall

  • Disable UAC (Never Notify)

  • Disable Windows Updates (don't even bother with W10)

Download the latest Python 2.7.x for Windows to your Ubuntu server. Host the files a convenient place and fire up a simple web server cd ~/Downloads cp ~/cuckoo/agents/agent.py ~/Downloads python -m SimpleHTTPServer

Download the x64 MSI installer and the Cuckoo agent 192.168.51:8000/python-2.7.14.amd64.msi 192.168.51:8000/agent.py

Install Python manually in each VM.

Start the Cuckoo agent by opening a Command Prompt as Administrator.

Whilst the VMs are running, follow these steps to snapshot them (repeat for each VM):

VBoxManage snapshot "Win7x64" take "Win7x64_snap" --pause
VBoxManage controlvm "Win7x64" poweroff
VBoxManage snapshot "Win7x64" restorecurrent

In the GUI, they should appear as Saved

Configuring Cuckoo

vim ~/cuckoo/conf/virtualbox.conf

  • mode = headless -> mode = gui is useful for testing.

  • machines = cuckoo1 -> machines = Win1x64,Win7x64 plus any others you’ve made.

cuckoo1 is the default example. Each VM needs its own little block.

[Win10x64]
label = Win10x64
platform = windows
ip = 192.168.56.10
snapshot = Win10x64_snap
[Win7x64]
label = Win7x64
platform = windows
ip = 192.168.56.15
snapshot = Win7x64_snap

Now you should be able to run cuckoo. Start Cuckoo . cuckoo/bin/activate cuckoo

Now fire up another terminal and start the Cuckoo web GUI cuckoo web runserver 192.168.45.128:8080

You can then submit a sample and enjoy the results :)