Cuckoo malware analysis lab
Last updated
Last updated
I was inspired by this great article by Rastamouse and decided to build an identical lab. It may seem slightly out of scope for this book, but you have to consider that if you develop your own payloads and tools you must test them before you put them into a production environment.
I got it set up with some minor issues that I worked it. So in this guide I try to address some of the things that didn't work perfectly when setting this up to make it as smooth as possible. The result is approximately the same as rasta's lab so you can refer to his figures if you need to visualize this.
Ping me on Twitter @chryzsh if something's not working. I will update the guide.
As Rastamouse says in his article, VMWare is necessary on the physical host as because to have 64-bit VMs for the malware sandboxes we need support for VT-x/AMD-V. VMWare Workstation / Player does not have this restriction.
Box
OS
Software installed
Physical Host
Windows 10
VMWare Workstation
Virtual Cuckoo Host OS
Ubuntu Server 16.04 x64
Cuckoo & Virtualbox
Virtual Sandbox VM
W7 x64
Python with Cuckoo agent
Virtual Sandbox VM
W10 x64
Python with Cuckoo agent
In VMWare workstation, go to Edit -> Virtual network editor and change the VMnet1 (Host-only) IP subnet to 192.168.45.0/24 and enable DHCP.
During this guide we sometimes have to change networking settings, even while VMs are running. If you do that, remember to restart the networking service in Ubuntu so config and interfaces gets updated. sudo /etc/init.d/networking restart
I followed the wizdom of the Rasta and gave the Ubuntu server the following specs
8 CPU Cores
Tick Enable Virtualize Intel VT-x/EPT or AMD-V/RVI
4GB RAM
100GB Hard Disk
NIC 1: Bridged (we will change it to NAT later)
NIC 2: Host-Only
Proceed to install Ubuntu 16.04 in VMWare workstation. Set the username to cuckoo.
Once your Install the requirements to get Cuckoo and Virtualbox running
Install some additional tools
If you want you can now boot to the graphical user environment XFCE using startx
and finish the rest of the setup from there.
Finish the rest of the setup of cuckoo
The install should now be finished and you have verified Cuckoo is working.
Proceed to set up a Host-only network for Virtualbox. Add a new host-only network by doing the following.
A new vboxnet0
should now appear in the list. This interface
Restart the networking service in Ubuntu and verify with ip addr
that a new interface has been added.
I had some minor trouble getting the files over as file sharing between VMs can be a bit of a jerk sometimes. So I prefer using SMB for transfer. You should have a Share set up on your Windows host
Connect to your share using SMB and download whatever ISOs and software you need smbclient -U username //10.0.0.2/Downloads -m SMB3 -W win
get windows7x64.iso
After this is done you can go back to the VM settings for the Ubuntu box in and change the first NIC to NAT.
Open VirtualBox and create your base VMs - I’m just going to create Windows 7 32-bit & 64-bit VMs called Win10x64 and Win7x64 respectively. They can be small VMs. So give them
1 CPU
512MB RAM
10GB HDD
1 NIC attached to vboxnet0
During installation, set the username to cuckoo for all VMs. Wait for the installation to finish.
Set a static IP in each VM
Win10x64 - 192.168.56.10
Win7x64 - 192.168.56.15
You will also want to
Disable the Windows Firewall
Disable UAC (Never Notify)
Disable Windows Updates (don't even bother with W10)
Download the latest Python 2.7.x for Windows to your Ubuntu server. Host the files a convenient place and fire up a simple web server cd ~/Downloads
cp ~/cuckoo/agents/agent.py ~/Downloads
python -m SimpleHTTPServer
Download the x64 MSI installer and the Cuckoo agent 192.168.51:8000/python-2.7.14.amd64.msi
192.168.51:8000/agent.py
Install Python manually in each VM.
Start the Cuckoo agent by opening a Command Prompt as Administrator
.
Whilst the VMs are running, follow these steps to snapshot them (repeat for each VM):
In the GUI, they should appear as Saved
vim ~/cuckoo/conf/virtualbox.conf
mode = headless
-> mode = gui
is useful for testing.
machines = cuckoo1
-> machines = Win1x64,Win7x64
plus any others you’ve made.
cuckoo1
is the default example. Each VM needs its own little block.
Now you should be able to run cuckoo. Start Cuckoo . cuckoo/bin/activate
cuckoo
Now fire up another terminal and start the Cuckoo web GUI cuckoo web runserver 192.168.45.128:8080
You can then submit a sample and enjoy the results :)