DarthSidious
Cuckoo malware analysis lab
I was inspired by this great article by Rastamouse and decided to build an identical lab. It may seem slightly out of scope for this book, but if you develop your own payloads and tools you must test them against a sandbox before you put them into a production environment.
I got it set up with some minor issues that I worked around, so in this guide I try to address the things that didn't work perfectly when setting it up, to make it as smooth as possible. The result is approximately the same as Rasta's lab, so you can refer to his figures if you need to visualize it.
Ping me on Twitter @chryzsh if something's not working. I will update the guide.
As Rastamouse says in his article, VMware is needed on the physical host because the malware sandboxes are 64-bit VMs running inside the Cuckoo host VM, and that only works if VT-x/AMD-V is passed through to the Cuckoo host (nested virtualization). VMware Workstation / Player can expose VT-x/AMD-V to a guest, so it does not have this restriction.
Box                      OS                         Software installed
Physical Host            Windows 10                 VMWare Workstation
Virtual Cuckoo Host OS   Ubuntu Server 16.04 x64    Cuckoo & Virtualbox
Virtual Sandbox VM       W7 x64                     Python with Cuckoo agent
Virtual Sandbox VM       W10 x64                    Python with Cuckoo agent

Setting up VMWare

In VMWare workstation, go to Edit -> Virtual network editor and change the VMnet1 (Host-only) IP subnet to 192.168.45.0/24 and enable DHCP.
During this guide we sometimes have to change networking settings, even while VMs are running. If you do that, remember to restart the networking service in Ubuntu so the config and interfaces get picked up:
sudo /etc/init.d/networking restart

Configuring the Cuckoo host

I followed the wisdom of the Rasta and gave the Ubuntu server the following specs:
  • 8 CPU Cores
    • Tick Enable Virtualize Intel VT-x/EPT or AMD-V/RVI
  • 4GB RAM
  • 100GB Hard Disk
  • NIC 1: Bridged (we will change it to NAT later)
  • NIC 2: Host-Only
Proceed to install Ubuntu 16.04 in VMWare workstation. Set the username to cuckoo.

Installing software

Once Ubuntu is installed, install the requirements to get Cuckoo and VirtualBox running:
cd ~
sudo apt update
sudo apt install python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb virtualbox tcpdump apparmor-utils
Install some additional tools
sudo apt install git vim cifs-utils smbclient terminator unzip xfce4 firefox
If you want, you can now boot into the XFCE graphical environment with startx and finish the rest of the setup from there.
Finish the rest of the Cuckoo setup. The two tcpdump commands are what let the unprivileged cuckoo user capture sandbox traffic: the AppArmor profile for tcpdump is disabled and the binary gets cap_net_raw and cap_net_admin, which is acceptable on a dedicated lab box; verify afterwards with getcap /usr/sbin/tcpdump that both capabilities show up.
sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
sudo -H pip install -U pycrypto distorm3   # needed by Volatility; don't pip-upgrade the system pip on 16.04, it breaks /usr/bin/pip
git clone https://github.com/volatilityfoundation/volatility
cd ~/volatility/
sudo python setup.py install
cd ~/
virtualenv cuckoo
. cuckoo/bin/activate
pip install -U pip                          # upgrade pip inside the virtualenv instead
pip install -U yara-python==3.6.3 cuckoo
cuckoo                                      # first run creates the working directory ~/.cuckoo (conf/, agent/ etc.); Ctrl-C once it is up
deactivate                                  # leave the virtualenv
The install should now be finished and you have verified Cuckoo is working.
Proceed to set up a Host-only network for Virtualbox. Add a new host-only network by doing the following.
Go to Virtualbox -> File -> Preferences -> Network -> Host-only Networks -> Press the little green + icon.
Click the screwdriver icon just below it and make sure the adapter's IPv4 address is 192.168.56.1 with netmask 255.255.255.0 (the 192.168.56.0/24 subnet) and that the DHCP server is disabled; the sandbox VMs get static addresses later.
A new vboxnet0 should now appear in the list. This interface
Restart the networking service in Ubuntu and verify with ip addr that a new interface has been added.

Transferring ISOs from Windows to Ubuntu

I had some minor trouble getting the files over, as file sharing between VMs can be a bit of a jerk sometimes, so I prefer using SMB for the transfer. You should have a share set up on your Windows host.
Connect to your share with smbclient (10.0.0.2 here is the Windows host on the bridged network, win its workgroup) and download whatever ISOs and software you need:
smbclient -U username //10.0.0.2/Downloads -m SMB3 -W win
Then, at the smb: \> prompt:
get windows7x64.iso
After this is done you can go back to the VM settings for the Ubuntu box and change the first NIC to NAT.

Configuring the Guest VMs

Open VirtualBox and create your base VMs. I'm just going to create Windows 10 64-bit and Windows 7 64-bit VMs called Win10x64 and Win7x64 respectively. They can be small VMs, so give them:
  • 1 CPU
  • 512MB RAM
  • 10GB HDD
  • 1 NIC attached to vboxnet0
During installation, set the username to cuckoo for all VMs. Wait for the installation to finish.
Set a static IP (netmask 255.255.255.0) in each VM:
  • Win10x64 - 192.168.56.10
  • Win7x64 - 192.168.56.15
You will also want to
  • Disable the Windows Firewall
  • Disable UAC (Never Notify)
  • Disable Windows Updates (don't even bother with W10)
This leaves the guests wide open, which is the point of a sandbox, but it is also why they must only ever be attached to the host-only vboxnet0 and never to the bridged or NAT side.
Download the latest Python 2.7.x for Windows (the x64 MSI) to your Ubuntu server. Put it next to the Cuckoo agent, which lives in the Cuckoo working directory created on the first run, and fire up a simple web server:
cd ~/Downloads
cp ~/.cuckoo/agent/agent.py ~/Downloads
python -m SimpleHTTPServer
In each VM, download the MSI installer and the agent from the Ubuntu host, which is 192.168.56.1 on vboxnet0:
http://192.168.56.1:8000/python-2.7.14.amd64.msi
http://192.168.56.1:8000/agent.py
Install Python manually in each VM.
Start the Cuckoo agent by opening a Command Prompt as Administrator and running python agent.py from the folder you saved it in; leave that window open while you take the snapshot.
Whilst the VMs are running with the agent started, follow these steps to snapshot them (repeat for each VM):
VBoxManage snapshot "Win7x64" take "Win7x64_snap" --pause
VBoxManage controlvm "Win7x64" poweroff
VBoxManage snapshot "Win7x64" restorecurrent
In the VirtualBox GUI they should now appear as Saved. Cuckoo restores this snapshot before every analysis, which is why the agent has to be running inside it.

Configuring Cuckoo

vim ~/.cuckoo/conf/virtualbox.conf
  • mode = headless -> mode = gui is useful for testing.
  • machines = cuckoo1 -> machines = Win10x64,Win7x64 plus any others you've made.
cuckoo1 is the default example. Each VM needs its own little block, and the snapshot names must match the ones taken above.
[Win10x64]
label = Win10x64
platform = windows
ip = 192.168.56.10
snapshot = Win10x64_snap
[Win7x64]
label = Win7x64
platform = windows
ip = 192.168.56.15
snapshot = Win7x64_snap
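Before the first submission it is worth checking that the pieces above actually line up: that the IPs in these blocks sit on vboxnet0, that the snapshot named in each block really exists in VirtualBox, that tcpdump kept the capabilities set earlier, and that the agent answers on port 8000 in every guest that is still running. The script below is an added example written for this guide, not part of Cuckoo or Rasta's article. It is Python 3 (16.04 ships 3.5), and it assumes the conf lives in ~/.cuckoo/conf/virtualbox.conf, that VBoxManage and getcap are on the path, and that the agent answers GET / with a JSON object carrying a "message" key as Cuckoo 2's agent.py does. The conf and VBoxManage output samples inside it are constructed from this guide's values, not captured from a real host.

```python
"""Pre-flight check for the Cuckoo lab in this guide (added example, not Cuckoo's own tooling)."""
import configparser, ipaddress, json, os, re
import subprocess, urllib.request

VBOXNET0 = ipaddress.ip_network("192.168.56.0/24")  # host-only network from the guide
AGENT_PORT = 8000                                    # Cuckoo agent default

def parse_machines(conf_text):
    """{name: {"label", "ip", "snapshot"}} for every name listed in machines=."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    names = [n.strip() for n in cp.get("virtualbox", "machines").split(",") if n.strip()]
    machines = {}
    for name in names:
        if not cp.has_section(name):
            raise ValueError("machines= lists %s but there is no [%s] block" % (name, name))
        sec = cp[name]
        machines[name] = {"label": sec.get("label", name), "ip": sec["ip"], "snapshot": sec.get("snapshot", "")}
    return machines

def ip_problems(machines, subnet=VBOXNET0):
    """Guest IPs must be unique, inside vboxnet0, and not the host's own .1 address."""
    problems, seen = [], {}
    host_ip = subnet.network_address + 1
    for name, m in machines.items():
        ip = ipaddress.ip_address(m["ip"])
        if ip not in subnet:
            problems.append("%s: %s is outside %s" % (name, ip, subnet))
        elif ip == host_ip:
            problems.append("%s: %s is the host side of vboxnet0" % (name, ip))
        if ip in seen:
            problems.append("%s: %s is already used by %s" % (name, ip, seen[ip]))
        seen[ip] = name
    return problems

def snapshot_names(vboxmanage_output):
    """Names from `VBoxManage snapshot <vm> list` lines like '   Name: X (UUID: ...)'."""
    return re.findall(r"^\s*Name:\s*(.+?)\s*\(UUID:", vboxmanage_output, re.M)

def vm_state(showvminfo_output):
    """VMState from `VBoxManage showvminfo <vm> --machinereadable` (running, saved, poweroff...)."""
    m = re.search(r'^VMState="([^"]+)"', showvminfo_output, re.M)
    return m.group(1) if m else "unknown"

def tcpdump_caps_ok(getcap_output):
    """cap_net_raw and cap_net_admin must be +eip; accepts 'path = caps+eip' and 'path caps=eip' layouts."""
    m = re.search(r"(cap_[\w,]+)[+=]([eip]+)", getcap_output)
    if not m:
        return False
    caps, flags = set(m.group(1).split(",")), set(m.group(2))
    return {"cap_net_raw", "cap_net_admin"} <= caps and {"e", "i", "p"} <= flags

def agent_alive(ip, port=AGENT_PORT, timeout=3):
    """GET / on the agent; assumes, like Cuckoo 2's agent.py, a JSON reply with a "message" key."""
    try:
        with urllib.request.urlopen("http://%s:%d/" % (ip, port), timeout=timeout) as r:
            return "message" in json.loads(r.read().decode("utf-8"))
    except Exception:  # refused, timed out or not JSON: the agent is not up
        return False

def run(cmd):
    return subprocess.check_output(cmd, universal_newlines=True)

def preflight(conf_path="~/.cuckoo/conf/virtualbox.conf"):
    """Run every check against the live host; returns the list of findings (empty is good)."""
    with open(os.path.expanduser(conf_path)) as f:
        machines = parse_machines(f.read())
    findings = ip_problems(machines)
    if not tcpdump_caps_ok(run(["getcap", "/usr/sbin/tcpdump"])):
        findings.append("tcpdump lacks cap_net_raw,cap_net_admin=eip")
    for name, m in machines.items():
        if m["snapshot"] not in snapshot_names(run(["VBoxManage", "snapshot", m["label"], "list"])):
            findings.append("%s: snapshot %r not found in VirtualBox" % (name, m["snapshot"]))
        state = vm_state(run(["VBoxManage", "showvminfo", m["label"], "--machinereadable"]))
        if state == "running" and not agent_alive(m["ip"]):
            findings.append("%s: running but no agent answering on %s:%d" % (name, m["ip"], AGENT_PORT))
    return findings

# Constructed sample input mirroring this guide's virtualbox.conf (not captured from a real host).
SAMPLE_CONF = """
[virtualbox]
mode = headless
machines = Win10x64,Win7x64
[Win10x64]
label = Win10x64
ip = 192.168.56.10
snapshot = Win10x64_snap
[Win7x64]
label = Win7x64
ip = 192.168.56.15
snapshot = Win7x64_snap
"""

if __name__ == "__main__":
    print("\n".join(preflight() or ["all checks passed"]))
```

Run it once while the guests are still up with the agent started (before taking the snapshots) so the agent probe is exercised, and again afterwards: by then the VMs are Saved, so only the conf, capabilities and snapshot names are checked and a missing or misspelled snapshot shows up before Cuckoo fails on it.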
Now you should be able to run Cuckoo. Start it from inside the virtualenv:
. cuckoo/bin/activate
cuckoo
Now fire up another terminal, activate the virtualenv again and start the Cuckoo web GUI, binding it to the Ubuntu VM's VMnet1 address (192.168.45.128 here; check yours with ip addr):
cuckoo web runserver 192.168.45.128:8080
You can then browse to it from the Windows host, submit a sample and enjoy the results :)