Cuckoo Sandbox is an open source automated malware analysis system. It runs a suspicious file inside an isolated virtual machine (typically a Windows guest) and uses custom components to monitor the behavior of the processes the sample spawns while it executes.
It can produce the following types of results:
Traces of Win32 API calls performed by all processes spawned by the malware.
Files being created, deleted and downloaded by the malware during its execution.
Memory dumps of the malware processes.
Network traffic trace in PCAP format.
Screenshots of the Windows desktop taken during the execution of the malware.
Full memory dumps of the machines.
In our case, we use a combination of Ubuntu LTS Server and VirtualBox as the host platform on which Cuckoo runs.
Cuckoo (version 0.5 at the time of writing) is written in Python and integrates with MongoDB (report storage), Yara (signature matching), ssdeep (fuzzy hashing) and tcpdump (network capture). That is why my recommendation is to install all of these packages together with Cuckoo's Python dependencies. Here are the necessary steps:
1) Installing Python and dependencies
$ apt-get install python # installed by default
$ apt-get install python-magic # for identifying file formats
$ apt-get install python-dpkt # for extracting info from pcaps
$ apt-get install python-mako # for rendering html reports and web gui
$ apt-get install python-sqlalchemy
$ apt-get install python-jinja2 # necessary for web.py utility
$ apt-get install python-bottle # necessary for web.py utility
2) Installing SSDEEP for calculating fuzzy hashes
$ apt-get install ssdeep
$ apt-get install python-pyrex # required for pyssdeep installation
$ apt-get install subversion
$ apt-get install libfuzzy-dev
$ svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
$ cd pyssdeep
$ python setup.py build
$ python setup.py install # run as root user
3) Installing MongoDB and Python support
$ apt-get install python-pymongo # for mongodb support
$ apt-get install mongodb # includes server and clients
4) Installing Yara and Python support
$ apt-get install g++
$ apt-get install libpcre3 libpcre3-dev
$ wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
$ tar -xvzf yara-1.6.tar.gz
$ cd yara-1.6
$ ./configure # generates the Makefile; required before make
$ make
$ make check # optional: runs Yara's test suite
$ make install # finished yara installation
$ wget http://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
$ tar -xvzf yara-python-1.6.tar.gz
$ cd yara-python-1.6
$ python setup.py build
$ python setup.py install # finished python support installation
5) Modifying Tcpdump running privileges
This is necessary so that Cuckoo, which runs as a non-root user, can start tcpdump to capture the guest's network traffic. The capabilities are stored as an extended attribute on the binary, so they are lost whenever the tcpdump package is upgraded and must be set again; the setcap command itself has to be run as root.
$ apt-get install libcap2-bin
$ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump # to check changes have been applied
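The getcap check above is easy to get wrong in a script because the output format of getcap changed between libcap releases (older versions print "path = caps+eip", newer ones "path caps=eip"). The following is an added example, not part of Cuckoo or of the original post, that parses either format and confirms both capabilities carry the e, i and p flags; the sample getcap lines in the comments are constructed, and the binary path /usr/sbin/tcpdump is taken from the post.

```python
import re
import subprocess

# Cuckoo starts tcpdump as an unprivileged user, so the binary itself must
# carry these capabilities in its effective (e), inheritable (i) and
# permitted (p) sets, which is what "setcap cap_net_raw,cap_net_admin=eip" grants.
REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}
REQUIRED_FLAGS = set("eip")

# getcap has printed two formats over the years (constructed samples):
#   older libcap:  /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
#   newer libcap:  /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
# so the check parses capability groups rather than grepping for "=eip".
_CAP_GROUP = re.compile(r"((?:cap_[a-z_]+,)*cap_[a-z_]+)[+=]([eip]+)")


def parse_getcap(line):
    """Map each capability named in one getcap output line to its flag set."""
    caps = {}
    for names, flags in _CAP_GROUP.findall(line):
        for name in names.split(","):
            caps.setdefault(name, set()).update(flags)
    return caps


def tcpdump_caps_ok(getcap_line):
    """True only if both required capabilities carry all of e, i and p."""
    caps = parse_getcap(getcap_line)
    return all(REQUIRED_FLAGS <= caps.get(name, set()) for name in REQUIRED_CAPS)


def check_tcpdump(path="/usr/sbin/tcpdump"):
    """Run getcap on the real binary; returns (ok, raw getcap output)."""
    try:
        out = subprocess.run(["getcap", path], capture_output=True, text=True).stdout
    except FileNotFoundError:  # libcap2-bin not installed
        return False, "getcap not found"
    return tcpdump_caps_ok(out), out.strip()


if __name__ == "__main__":
    ok, raw = check_tcpdump()
    print("tcpdump capabilities OK" if ok else "tcpdump is missing capabilities", "->", raw)
```

Run it after every tcpdump package upgrade; a result of "missing capabilities" means the setcap step has to be repeated before the next analysis, otherwise Cuckoo will start tcpdump and get an empty PCAP.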
6) Installing Cuckoo Sandbox
$ sudo useradd cuckoo
$ usermod -a -G vboxusers cuckoo # add cuckoo to vboxusers group
$ id cuckoo # checks cuckoo user details
$ apt-get install git
$ git clone git://github.com/cuckoobox/cuckoo.git
7) Configuring Windows Guest virtual machine
At this point we need to install the Cuckoo Python agent in the virtual machine that we want to use to run the malware. The guest needs a Python 2.7 installation (the paths below assume C:\Python27), and note that VirtualBox registers machines per user, so the guest must be created or registered by the same cuckoo user that will run Cuckoo.
Copy agent/agent.py from the Cuckoo source tree to the guest and rename it to agent.pyw to prevent a command prompt window from showing. We can run it manually or configure it to run at Windows startup following these steps:
Copy it to C:\Python27\agent.pyw
Add it to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Name: 'Agent', Type: 'REG_SZ', Data: "C:\Python27\agent.pyw"
After executing the Python script on the virtual machine a new socket should be listening on 0.0.0.0:8000 (check with netstat -an from a command prompt in the guest). The guest firewall must allow the host to connect to that port, otherwise Cuckoo will never be able to talk to the agent.
Our virtual machine is now ready to run malware, so it is time to save the system state by taking a VirtualBox snapshot while the agent is running, since Cuckoo restores this snapshot before every analysis.
$ vboxmanage snapshot "WindowsXPVM1" take "WindowsXPVM1Snap01" --pause
And these are the commands we can use to restore the snapshot.
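As an added example (not Cuckoo's own code and not from the original post), the following Python 3 script restores the guest to the clean snapshot taken above and then waits until the agent answers on TCP port 8000, which is the readiness condition Cuckoo itself depends on. The VM name, snapshot name, VBoxManage path and guest IP are the ones used in this post; powering the VM off before the restore is an assumption about the VM state, and that step is allowed to fail when the VM is already off.

```python
import socket
import subprocess
import time

VBOXMANAGE = "/usr/bin/VBoxManage"  # same path as in virtualbox.conf


def restore_commands(vm, snapshot, mode="headless", vboxmanage=VBOXMANAGE):
    """VBoxManage invocations that return `vm` to `snapshot` and boot it again.
    A running VM cannot be restored, so it is powered off first (assumption:
    the VM may still be running from a previous analysis)."""
    return [
        [vboxmanage, "controlvm", vm, "poweroff"],
        [vboxmanage, "snapshot", vm, "restore", snapshot],
        [vboxmanage, "startvm", vm, "--type", mode],
    ]


def run_commands(cmds, dry_run=False):
    """Run each command in order; only the poweroff step may fail (VM already off)."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
            continue
        rc = subprocess.call(argv)
        if rc != 0 and argv[1] != "controlvm":
            raise RuntimeError("%s failed with status %d" % (" ".join(argv), rc))


def agent_ready(ip, port=8000, timeout=60.0, interval=1.0):
    """Poll until a TCP connection to the agent succeeds; False if `timeout` elapses."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection((ip, port), timeout=interval):
                return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


if __name__ == "__main__":
    cmds = restore_commands("WindowsXPVM1", "WindowsXPVM1Snap01")
    run_commands(cmds, dry_run=True)  # drop dry_run to actually restore the VM
    print("agent reachable:", agent_ready("192.168.56.101", timeout=5))
```

If agent_ready returns False after a fresh restore, the usual causes are a snapshot taken before agent.pyw was started, a guest firewall blocking port 8000, or a host-only network on which the host cannot reach 192.168.56.101.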
8) Configuring Cuckoo
Before starting Cuckoo for the first time, we need to tell it which virtual machine to use for analyzing samples. To do so we edit the cuckoo/conf/virtualbox.conf file. It has a [virtualbox] section with the global settings and one section per machine, named after the ID listed in machines. The IP below (192.168.56.101) is an address on VirtualBox's default host-only network, which is what allows the host to reach the agent listening on the guest's port 8000.
[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui", "sdl" or "headless". Refer to VirtualBox's official
# documentation to understand the differences.
mode = headless
# Path to the local installation of the VBoxManage utility
path = /usr/bin/VBoxManage
# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = WindowsXPVM1

[WindowsXPVM1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = WindowsXPVM1
# Specify the operating system platform used by current machine
platform = windows
# Specify the IP address of the current machine. Make sure that the IP address
# is valid and that the host machine is able to reach it. If not, the analysis
# will fail.
ip = 192.168.56.101
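A mistake in this file (an ID in machines with no matching section, a typo in mode, a guest IP the host cannot reach) only shows up later as a failed analysis. The following Python 3 script is an added example, not part of Cuckoo, that checks a virtualbox.conf for those problems before Cuckoo is started. The two embedded configurations are constructed samples: the first mirrors the configuration above, the second contains deliberate errors. Treating a non-private guest IP as an error is an assumption that the guest sits on a host-only or NAT network, which is the normal Cuckoo setup.

```python
import configparser
import ipaddress

VALID_MODES = {"gui", "sdl", "headless"}
REQUIRED_KEYS = ("label", "platform", "ip")


def validate_virtualbox_conf(text):
    """Return a list of problems found in the config text (empty list = OK)."""
    problems = []
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_section("virtualbox"):
        return ["missing [virtualbox] section"]
    vb = cfg["virtualbox"]
    if vb.get("mode") not in VALID_MODES:
        problems.append("mode must be one of %s" % ", ".join(sorted(VALID_MODES)))
    # every ID in the machines list needs its own section
    ids = [m.strip() for m in vb.get("machines", "").split(",") if m.strip()]
    if not ids:
        problems.append("machines list is empty")
    seen_ips = set()
    for mid in ids:
        if not cfg.has_section(mid):
            problems.append("machine %r listed but has no [%s] section" % (mid, mid))
            continue
        sec = cfg[mid]
        for key in REQUIRED_KEYS:
            if not sec.get(key):
                problems.append("[%s] is missing %s" % (mid, key))
        ip = sec.get("ip")
        if ip:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                problems.append("[%s] ip %r is not a valid IP address" % (mid, ip))
                continue
            # assumption: analysis guests live on a private (host-only/NAT) network
            if not addr.is_private:
                problems.append("[%s] ip %s is not a private address" % (mid, ip))
            if addr in seen_ips:
                problems.append("[%s] ip %s is used by another machine" % (mid, ip))
            seen_ips.add(addr)
    return problems


# Constructed sample mirroring the configuration in the post.
GOOD_CONF = """
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
machines = WindowsXPVM1

[WindowsXPVM1]
label = WindowsXPVM1
platform = windows
ip = 192.168.56.101
"""

# Constructed sample with a typo in mode, a machine ID without a section,
# and a guest IP that is not on a private network.
BAD_CONF = """
[virtualbox]
mode = headles
path = /usr/bin/VBoxManage
machines = WindowsXPVM1, cuckoo2

[WindowsXPVM1]
label = WindowsXPVM1
platform = windows
ip = 8.8.8.8
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, validate_virtualbox_conf(conf) or "OK")
```

To check the real file, pass the contents of cuckoo/conf/virtualbox.conf to validate_virtualbox_conf; an empty list means the sections and IPs are consistent, although only the ping-style reachability test the comment in the file asks for will prove the host can actually reach the guest.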
Finally we can start our freshly installed Cuckoo Sandbox. From the cuckoo directory, as the cuckoo user, run python cuckoo.py:
Cuckoo Sandbox 0.5
Copyright (c) 2010-2012
Checking for updates...
Good! You have the latest version available.
2013-01-26 23:25:33,216 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
9) Analyzing a malware sample
As an example we analyze a sample whose file name is its MD5 hash, efeb717fdbb98d8043eb4c51254d9b74. We use the utils/submit.py script, which queues the file as an analysis task:
$ cd /home/santiago/cuckoo/cuckoo/utils
$ python submit.py /home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74
Success: File "/home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74" added as task with ID 4
And these are Cuckoo logs while performing the malware analysis.