It can retrieve the following types of results:
- Traces of Win32 API calls performed by all processes spawned by the malware.
- Files created, deleted and downloaded by the malware during its execution.
- Memory dumps of the malware processes.
- Network traffic trace in PCAP format.
- Screenshots of the Windows desktop taken during the execution of the malware.
- Full memory dumps of the machines.
1.- Installing Python and dependencies
$ apt-get install python # installed by default
$ apt-get install python-magic # for identifying file formats
$ apt-get install python-dpkt # for extracting info from pcaps
$ apt-get install python-mako # for rendering html reports and web gui
$ apt-get install python-sqlalchemy # database support
$ apt-get install python-jinja2 # necessary for web.py utility
$ apt-get install python-bottle # necessary for web.py utility
2.- Installing SSDEEP for calculating fuzzy hashes
$ apt-get install ssdeep
$ apt-get install python-pyrex # required for pyssdeep installation
$ apt-get install subversion
$ apt-get install libfuzzy-dev
$ svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
$ cd pyssdeep
$ python setup.py build
$ python setup.py install # run as root user
3.- Installing MongoDB and Python support
$ apt-get install python-pymongo # for mongodb support
$ apt-get install mongodb # includes server and clients
4.- Installing Yara and Python support
$ apt-get install g++
$ apt-get install libpcre3 libpcre3-dev
$ wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
$ tar -xvzf yara-1.6.tar.gz
$ cd yara-1.6
$ ./configure
$ make
$ make check
$ make install # finished yara installation
$ wget http://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
$ tar -xvzf yara-python-1.6.tar.gz
$ cd yara-python-1.6
$ python setup.py build
$ python setup.py install # finished python support installation
5.- Modifying Tcpdump running privileges
This is necessary so Cuckoo can run Tcpdump as a non-root user. Note that the capabilities are attached to the binary, so every local user who can execute it gains the ability to capture on any interface; on a shared host, restrict execute permission on /usr/sbin/tcpdump to the cuckoo user's group.
$ apt-get install libcap2-bin
$ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump # to check changes have been applied; it should print "/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip"
6.- Installing Cuckoo Sandbox
$ sudo useradd cuckoo
$ usermod -a -G vboxusers cuckoo # add cuckoo to vboxusers group
$ id cuckoo # check cuckoo user details
$ apt-get install git
$ git clone git://github.com/cuckoobox/cuckoo.git
7.- Configuring Windows Guest virtual machine
At this point we need to install the Cuckoo Python agent in the virtual machine that we want to use to run the malware. I am going to continue the work described in my previous post and use WindowsXPVM1 for this purpose.
First steps to prepare the Windows Guest system:
- Install Python for Windows: http://python.org/download/
- Install the PIL Python module, used to create desktop screenshots: http://www.pythonware.com/products/pil/
- Deactivate automatic Windows updates
- Deactivate the local firewall
- Optional: Install third party applications (Office 2003/2007, Acrobat Reader...): http://www.oldapps.com/
Next we copy the agent script to the folder shared with the guest:
$ cp /home/santiago/cuckoo/cuckoo/agent/agent.py /home/santiago/cuckoo/shares/WindowsXPVM1/
I also renamed it to agent.pyw to prevent the command prompt window from showing. We can run it manually or configure it to run at Windows startup following these steps:
- Copy it to C:\Python27\agent.pyw
- Add it to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Name:'Agent' Type:'REG_SZ' Data:"C:\Python27\agent.pyw"
Our virtual machine is now ready to run malware, so it's time to save the system state by creating a VirtualBox snapshot:
$ vboxmanage snapshot "WindowsXPVM1" take "WindowsXPVM1Snap01" --pause
And these are the commands we can use to restore the snapshot:
$ vboxmanage controlvm "WindowsXPVM1" poweroff
$ vboxmanage snapshot "WindowsXPVM1" restorecurrent
$ vboxheadless --startvm "WindowsXPVM1"
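The restore sequence above is what Cuckoo itself runs between tasks. When testing the guest by hand it helps to check the VM's state first (poweroff fails on a machine that is not running) and then wait for the agent to answer before submitting anything. The helper below is an added example and not code from the original post or from the Cuckoo project; it assumes the agent listens on TCP port 8000 (the default bind port of Cuckoo's agent.py), that nc is installed on the host, and uses "vboxmanage startvm --type headless" in place of the vboxheadless call above.

```shell
#!/bin/sh
# Added example, not from the original post or the Cuckoo project: reset a
# guest to its current snapshot and wait for the Cuckoo agent before use.
# Assumption: the agent listens on TCP/8000 (Cuckoo agent.py's default bind
# port) and nc(1) is installed on the host.

# Read "vboxmanage showvminfo <vm> --machinereadable" output on stdin and
# print the VMState value (running, paused, saved, poweroff, ...).
vm_state_from_info() {
    sed -n 's/^VMState="\(.*\)"$/\1/p'
}

vm_state() {
    vboxmanage showvminfo "$1" --machinereadable | vm_state_from_info
}

# Power off only if the VM is actually live, drop a saved state if there is
# one, restore the current snapshot and boot headless.
reset_guest() {
    vm="$1"
    case "$(vm_state "$vm")" in
        running|paused|stuck) vboxmanage controlvm "$vm" poweroff ;;
        saved)                vboxmanage discardstate "$vm" ;;
    esac
    vboxmanage snapshot "$vm" restorecurrent
    vboxmanage startvm "$vm" --type headless
}

# Poll IP:PORT once a second up to TRIES times; returns 0 when the agent
# accepts a TCP connection, 1 on timeout.
wait_for_agent() {
    ip="$1"; port="${2:-8000}"; tries="${3:-60}"
    while [ "$tries" -gt 0 ]; do
        if nc -z -w 1 "$ip" "$port" 2>/dev/null; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

if [ "${1:-}" = "--run" ]; then
    reset_guest "WindowsXPVM1"
    if wait_for_agent 192.168.56.101 8000 90; then
        echo "agent reachable, guest ready for a task"
    else
        echo "agent not reachable after 90s: check the Run key and the guest firewall"
        exit 1
    fi
fi
```

Run it as "sh reset_guest.sh --run" (the VM name and IP match the ones used in this post). If the agent never comes up, the usual causes are the Run key not pointing at agent.pyw or the guest firewall still being active.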
8.- Starting Cuckoo sandbox
Before starting Cuckoo for the first time, we need to configure Cuckoo's VirtualBox settings to specify the virtual machine the system will use to analyze a malware sample. To do it we edit the cuckoo/conf/virtualbox.conf file and set the following variables.
[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui", "sdl" or "headless". Refer to VirtualBox's official
# documentation to understand the differences.
mode = headless
# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage
# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = WindowsXPVM1

[WindowsXPVM1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = WindowsXPVM1
# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows
# Specify the IP address of the current machine. Make sure that the IP address
# is valid and that the host machine is able to reach it. If not, the analysis
# will fail.
ip = 192.168.56.101
Finally we can start our freshly installed Cuckoo sandbox. The prompt below shows it started as root; the cuckoo user created in step 6 and the tcpdump capabilities from step 5 are there so that it can instead be run unprivileged, which is the safer way to run it.
root@donkey:/home/santiago/cuckoo/cuckoo# python cuckoo.py

Cuckoo Sandbox 0.5
www.cuckoosandbox.org
Copyright (c) 2010-2012

Checking for updates...
Good! You have the latest version available.

2013-01-26 23:25:33,216 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
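Most problems at this stage (tasks never leaving "pending", or VBoxManage failing to restore the snapshot) come down to a mismatch between virtualbox.conf and what VirtualBox and the host actually have. The preflight script below is an added example, not part of Cuckoo or of the original post. It parses the conf file, checks that each id listed in "machines" has its own section with a label that VirtualBox knows about (taken from the output of "VBoxManage list vms"), a valid platform and a well-formed IPv4 address, and checks the tcpdump capabilities set in step 5. The sample conf and VBoxManage output inside it are constructed so the script runs on a host without VirtualBox; "--live" runs the same checks against the real files and tools.

```shell
#!/bin/sh
# Added example, not from the original post or the Cuckoo project: preflight
# checks for cuckoo/conf/virtualbox.conf before starting cuckoo.py.

# Print the value of KEY inside [SECTION] of an INI-style FILE.
# Usage: conf_value FILE SECTION KEY
conf_value() {
    awk -v section="$2" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" || line ~ /^[#;]/ { next }
        line ~ /^\[/ { in_section = (line == "[" section "]"); next }
        in_section && index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t]*=/) { sub(/^[ \t]*=[ \t]*/, "", rest); print rest; exit }
        }' "$1"
}

# Machine ids from "machines = a,b,c", one per line, whitespace stripped.
conf_machines() {
    conf_value "$1" virtualbox machines | tr ',' '\n' |
        sed 's/^[ \t]*//; s/[ \t]*$//' | grep -v '^$'
}

# Succeeds if ARG is a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Succeeds if a getcap line shows tcpdump with cap_net_admin and cap_net_raw
# in the effective/inheritable/permitted sets (getcap prints "+eip", or
# "=eip" with newer libcap).
tcpdump_caps_ok() {
    case "$1" in
        *cap_net_admin,cap_net_raw[+=]eip*) return 0 ;;
    esac
    return 1
}

# Check every machine in CONF against VMLIST, the text of "VBoxManage list vms"
# (lines like: "WindowsXPVM1" {uuid}). Prints one line per finding; returns 1
# if anything failed.
check_conf() {
    conf="$1"; vmlist="$2"; rc=0
    for id in $(conf_machines "$conf"); do
        label=$(conf_value "$conf" "$id" label)
        platform=$(conf_value "$conf" "$id" platform)
        ip=$(conf_value "$conf" "$id" ip)
        if [ -z "$label" ]; then
            echo "FAIL $id: missing [$id] section or label"; rc=1; continue
        fi
        case "$platform" in
            windows|darwin|linux) ;;
            *) echo "FAIL $id: platform '$platform' is not windows/darwin/linux"; rc=1 ;;
        esac
        is_ipv4 "$ip" || { echo "FAIL $id: ip '$ip' is not an IPv4 address"; rc=1; }
        if printf '%s\n' "$vmlist" | grep -qF "\"$label\" {"; then
            echo "ok   $id: VirtualBox has a VM labelled \"$label\""
        else
            echo "FAIL $id: no VirtualBox VM labelled \"$label\""; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the second machine has an impossible IP and only the
# first VM exists in VirtualBox, so two checks must fail.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
machines = WindowsXPVM1,WindowsXPVM2

[WindowsXPVM1]
label = WindowsXPVM1
platform = windows
ip = 192.168.56.101

[WindowsXPVM2]
label = WindowsXPVM2
platform = windows
ip = 192.168.56.300
EOF
    check_conf "$tmp" '"WindowsXPVM1" {00000000-0000-0000-0000-000000000001}'
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    --demo) demo ;;
    --live) check_conf cuckoo/conf/virtualbox.conf "$(VBoxManage list vms)" &&
            tcpdump_caps_ok "$(getcap /usr/sbin/tcpdump)" && echo "tcpdump caps ok" ;;
esac
```

Run "sh preflight.sh --demo" to see the constructed failures, or "sh preflight.sh --live" from the cuckoo checkout on the real host. A label that VirtualBox does not list is exactly the case in which the scheduler later reports that VBoxManage could not restore the snapshot.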
9.- Analyzing a malware sample
I decided to analyze the following malware sample: efeb717fdbb98d8043eb4c51254d9b74 (you can find its VirusTotal description here). We can use the submit.py utility for it.
root@donkey:/home/santiago/cuckoo/cuckoo/utils# python submit.py /home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74
Success: File "/home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74" added as task with ID 4
And these are the Cuckoo logs while performing the malware analysis:
2013-01-26 23:34:00,275 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "/home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74" (task=4)
2013-01-26 23:34:00,286 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/santiago/cuckoo/cuckoo/storage/binaries/8dafb21e7d106a6c98f745f30c2577ee7b0984ec7ba2c4107f7ddcd0d127baf6"
2013-01-26 23:34:00,304 [lib.cuckoo.core.scheduler] INFO: Task #4: acquired machine WindowsXPVM1 (label=WindowsXPVM1)
2013-01-26 23:34:00,312 [lib.cuckoo.core.sniffer] INFO: Started sniffer (interface=vboxnet0, host=192.168.56.101, dump path=/home/santiago/cuckoo/cuckoo/storage/analyses/4/dump.pcap)
2013-01-26 23:34:02,063 [lib.cuckoo.core.scheduler] INFO: Task #4: analysis procedure completed
Then we can use the web.py Cuckoo utility to view the output of the analysis.
root@donkey:/home/santiago/cuckoo/cuckoo/utils# python web.py
Bottle server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/
Hit Ctrl-C to quit.
At this point we can connect to our host at http://192.168.0.200:8080 and see our analysis report. Note that web.py binds to all interfaces (0.0.0.0:8080), so anyone who can reach the host on that port can browse the reports; keep it on a trusted network or firewall the port.
I'm sorry, I can't understand:
Add it to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Name:'Agent' Type:'REG_SZ' Data:"C:\Python27\agent.pyw"
What does that mean?

Run cmd.exe with administrator privileges, then type:
reg.exe ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" -v "Agent" -t REG_SZ -d "C:\Python27\agent.pyw"

Thanks for sharing.

This article is very, very helpful, thanks to the author! But I have one doubt: I am not getting the database in the cuckoo folder. Can anyone help me?

Thank you!! My contact mail is firstname.lastname@example.org

This installation part is very useful and I have followed everything; it's working fine. But if the author is able to provide how to integrate MongoDB and Yara rules into Cuckoo Sandbox, it would be very useful. Could you please provide the information?

I used your guide and it was very helpful. Other than installation methods for various things (I used pip for most Python stuff), I changed nothing except the names of my VMs and other harmless changes. But I am stuck at "pending" on all submits. It never fires up the VM or does anything after I submit a binary. So I am thinking a step is missing from your walkthrough. I may be wrong (it has happened on occasion). I'll find a solution, but I wanted to let you know in case something needs to be updated here.

I missed the point where I needed to install Python on my guest machine. Installing Python solved the issue for me.

I am getting an error "44,989 [lib.cuckoo.core.scheduler] ERROR: VBoxManage exited with error restoring the machine's snapshot". Not sure what the error could be; I have tried this procedure earlier with a physical machine and it worked fine. However, when I used it with a VM in VBoxManage, I am getting errors. Please help.

Can you update the links?

2016-09-14 18:03:04,341 [lib.cuckoo.core.scheduler] ERROR: VBoxManage exited with error restoring the machine's snapshot
2016-09-14 18:03:04,614 [lib.cuckoo.core.scheduler] CRITICAL: A critical error has occurred trying to use the machine with name Cuckoo during an analysis due to which it is no longer in a working state, please report this issue and all of the related environment details to the developers so we can improve this situation. (Note that before we would simply remove this VM from doing any more analyses, but as all the VMs will eventually be depleted that way, hopefully we'll find a better solution now).

I am receiving the same error.