The most common Cuckoo Sandbox mistakes and how to fix them

If you are interested in doing some Malware Research then you might have taken a look at the Cuckoo Sandbox project.

The project lets researchers obtain in-depth information about specific malware samples that have been hand-picked by the Cuckoo Sandbox administrator.

The Cuckoo Sandbox project provides an online community which can be used to ask questions regarding Cuckoo Sandbox errors and updates. If you want to leave a question in the Cuckoo Sandbox community environment, you will need to log in at the community website using one of your social media accounts.

Mistake number one: Do not rush to install the Cuckoo Sandbox project

Did you know that if you are using VirtualBox you should NOT INSTALL the Virtual Guest adapters? Installing them allows malware to identify the Cuckoo Sandbox, and it may allow the malware to change its behaviour once it knows it is being analysed.

Take a look at this Cuckoo Sandbox presentation, which gives a good insight into how to use the Cuckoo Sandbox environment.

Mistake number two: Cuckoo Sandbox cannot connect to guest machine

Once you have installed both the Cuckoo Sandbox environment and the VirtualBox environment, you will need to start your VirtualBox machine with the -headless command before you run cuckoo.py! This allows the vboxnet adapter to get initialised.

Mistake number three: POST /RPC HTTP 1.1 500 error in Virtual Host machine

You will get this error if you have made a network configuration error, or if you did not pay attention to “MISTAKE NUMBER TWO”. Make sure that you start the -headless environment FIRST, before you run cuckoo.py.

Problem loading virtual machine

Make sure your virtualbox.conf is set up correctly. Remember that spaces do play a role in this configuration. I had a similar problem when I put a space in front of “label = Windows7”. When I removed the space, cuckoo.py loaded the machine. The cause can also be a setting in cuckoo.conf. Make sure the snapshot name in virtualbox.conf matches the snapshot in your VirtualBox machine. Go over the VirtualBox configuration and check that everything is properly installed. Also, please do not use Office 2013 to test .doc submissions, it will not work. Install Office 2003 or 2007; this is due to the file location in the directory.
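The leading-space problem described above is easy to miss by eye, so here is an added checker (example code, not part of the post or of Cuckoo itself) that scans the text of a virtualbox.conf for indented key lines, for machines listed under [virtualbox] without a section, and for sections missing the keys Cuckoo needs. The sample configuration inside it is constructed for the demonstration; the machine names, IPs and snapshot name are placeholders.

```python
import configparser
import re

# Constructed sample virtualbox.conf (not taken from the post); the
# "label" line of cuckoo2 carries the leading space the post warns about.
SAMPLE_CONF = """\
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
machines = cuckoo1, cuckoo2

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot = clean

[cuckoo2]
platform = windows
 label = Windows7
ip = 192.168.56.102
"""

REQUIRED_KEYS = ("label", "platform", "ip")

def check_virtualbox_conf(text):
    """Return a list of problems found in the text of a virtualbox.conf."""
    problems = []
    # An indented "key = value" line is read by ConfigParser as a
    # continuation of the previous value, so the key silently disappears.
    for lineno, line in enumerate(text.splitlines(), start=1):
        if re.match(r"^\s+\S+\s*=", line):
            problems.append(f"line {lineno}: leading whitespace before "
                            f"'{line.strip()}' (key is swallowed)")
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    raw = cfg.get("virtualbox", "machines", fallback="")
    for name in [m.strip() for m in raw.split(",") if m.strip()]:
        if not cfg.has_section(name):
            problems.append(f"machine '{name}' listed but has no [{name}] section")
            continue
        for key in REQUIRED_KEYS:
            if not cfg.has_option(name, key):
                problems.append(f"[{name}] missing required key '{key}'")
        # The snapshot named here must also exist in the VirtualBox machine.
        if not cfg.has_option(name, "snapshot"):
            problems.append(f"[{name}] has no snapshot configured")
    return problems
```

Run it against your real file with `check_virtualbox_conf(open("conf/virtualbox.conf").read())`; an empty list means none of the mistakes above were found.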

The Cuckoo Sandbox web interface does not run

Make sure that you have installed MongoDB and that you have enabled Django in Cuckoo Sandbox's reporting.conf file.

Make sure that you have lots of MEMORY free

You will need a powerful host with plenty of free memory to run the Cuckoo Sandbox environment and its virtual machines.

Cuckoo Sandbox Analysis Critical Timeout

This is usually caused by an improper setup of tcpdump (it cannot capture the guest's traffic without the right capabilities), so make sure you run this command:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Other resources you might want to take a look at:

  • http://community.cuckoosandbox.org/
  • http://www.tekdefense.com/news/2013/3/12/installing-cuckoo.html
  • http://cuckoo.readthedocs.org/en/latest/usage/packages/
  • http://cuckoo.readthedocs.org/en/latest/usage/web/