The Cuckoo Sandbox malware analysis environment is an open source project provided via the CuckooSandbox.org website. The Cuckoo Sandbox platform is an ideal environment for analyzing malware samples for unique values, and it is capable of building a massive database of malware reports. Those reports can be researched after Cuckoo Sandbox has generated them.
Now here comes the thing: Cuckoo Sandbox is a project that has been designed for Linux operating systems. The complete installation guide of Cuckoo Sandbox has also been written for Linux operating systems, so what do people do when they have to install Cuckoo Sandbox on a Windows operating system?
They just do IT.
Foreword on the installation of Cuckoo Sandbox on a Windows operating system
This tutorial will guide you through installing a Cuckoo Sandbox environment on your Windows operating system, but there are some points you need to be aware of:
I am still having trouble getting the following packages working on the Windows Cuckoo Sandbox lab:
- Python-Magic
- Python-DPKT
- Python-libvirt
- TCPDUMP
- Cuckoo Sandbox web interface
- Cuckoo Sandbox HostOnly option [Routing in Windows 8.1]
What does work:
- Cuckoo Sandbox cuckoo.py
- Cuckoo Sandbox api.py
- Cuckoo Sandbox submit.py
- Vboxmanage
- MongoDB
- MySQL database
- Cuckoo Sandbox virtual machine [cuckoo1]
So please note that this manual is provided as is, and it does not guarantee that you will end up with a fully operational Cuckoo Sandbox lab on Windows.
If you are able to fix some problems or errors, please leave your feedback on the website.
Installing Cuckoo Sandbox on a Windows Operating System
The Cuckoo Sandbox project provides an incredibly important manual on how to install Cuckoo Sandbox on a Linux operating system. I have used the Cuckoo Sandbox manual as a guideline and have searched for Windows alternatives for the required Cuckoo Sandbox modules and plugins.
Installation of Python 2.7
The manual of the Cuckoo Sandbox project states that the advised Python version is Python 2.7.
You can download the Python 2.7 version from the official Python website.
https://www.python.org/download/releases/2.7/
Installation of PIP for Windows
The next step is the installation of PIP, if it is not already included. Do note that the latest Python 2.7 releases (2.7.9+) already ship with PIP in the Python27\Scripts\ folder. If you do not see the PIP module there, head to the following website and follow the installation instructions:
https://pip.pypa.io/en/latest/installing.html
Once PIP is installed, run the following PIP commands from a CMD prompt:
- pip install sqlalchemy bson
- pip install jinja2 pymongo bottle pefile django chardet
- pip install cybox==2.0.1.4
- pip install maec==4.0.1.0
- pip install MySQLdb (if this does not work, use https://pypi.python.org/pypi/MySQL-python/1.2.5)
Installation of MongoDB
The Cuckoo Sandbox project allows the operators to use the MongoDB database software to manage the reports and files.
You can download the MongoDB database software here:
https://www.mongodb.org/downloads
Once it has been downloaded and installed, start it with the following MongoDB command:
MongoDB\Server\3.0\bin\mongod --dbpath [PATH WHERE YOU WANT THE DB TO BE STORED]
Installation of Cuckoo Sandbox
Go ahead and navigate to the Cuckoo Sandbox GitHub page. Download the ZIP archive and extract it to the location where you want Cuckoo Sandbox to be installed.
Modifying the configuration files of Cuckoo Sandbox
Make sure that you modify the default Cuckoo Sandbox configuration files. You will need to edit the following files:
- auxiliary.conf [Disable TCPDUMP]
- virtualbox.conf [Modify VirtualBox path]
- reporting.conf [Enable MongoDB]
- cuckoo.conf [Insert MySQL connection or database string]
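As an added pre-flight check (my own helper, not part of the Cuckoo Sandbox project), the following Python 3 script parses the four files and flags every edit that is still at its Linux default. The section and key names follow the Cuckoo 1.x conf\*.conf layout; the two sets of config text are constructed samples, and the VBoxManage path and the MySQL credentials in them are placeholders.

```python
import configparser

# Constructed sample configs (not Cuckoo's shipped files): 1.x-style Linux
# defaults in DEFAULT_CONFS, the four Windows edits listed above in
# WINDOWS_CONFS. Paths and the MySQL credentials are placeholders.
DEFAULT_CONFS = {
    "auxiliary.conf": "[sniffer]\nenabled = yes\ntcpdump = /usr/sbin/tcpdump\n",
    "virtualbox.conf": "[virtualbox]\nmode = headless\npath = /usr/bin/VBoxManage\nmachines = cuckoo1\n",
    "reporting.conf": "[mongodb]\nenabled = no\nhost = 127.0.0.1\nport = 27017\n",
    "cuckoo.conf": "[database]\nconnection =\n",
}
WINDOWS_CONFS = {
    "auxiliary.conf": "[sniffer]\nenabled = no\n",
    "virtualbox.conf": "[virtualbox]\nmode = gui\n"
                       "path = C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe\nmachines = cuckoo1\n",
    "reporting.conf": "[mongodb]\nenabled = yes\nhost = 127.0.0.1\nport = 27017\n",
    "cuckoo.conf": "[database]\nconnection = mysql://cuckoo:EXAMPLE_PASSWORD@127.0.0.1/cuckoo\n",
}

def check_windows_config(confs):
    """Return a list of problems with the four required edits; an empty list means OK."""
    cfg = {}
    for name in ("auxiliary.conf", "virtualbox.conf", "reporting.conf", "cuckoo.conf"):
        cfg[name] = configparser.ConfigParser(interpolation=None)  # values hold ':' and '\'
        cfg[name].read_string(confs.get(name, ""))   # a missing file parses as empty
    opt = lambda f, s, k: cfg[f].get(s, k, fallback="").strip().lower()
    problems = []
    # 1. The sniffer module shells out to tcpdump, which is not available on Windows.
    if opt("auxiliary.conf", "sniffer", "enabled") != "no":
        problems.append("auxiliary.conf: set [sniffer] enabled = no")
    # 2. VBoxManage lives at a Windows path and carries an .exe suffix.
    if not opt("virtualbox.conf", "virtualbox", "path").endswith("vboxmanage.exe"):
        problems.append("virtualbox.conf: [virtualbox] path should point at VBoxManage.exe")
    # 3. Reports are stored in MongoDB only when the reporting module is enabled.
    if opt("reporting.conf", "mongodb", "enabled") != "yes":
        problems.append("reporting.conf: set [mongodb] enabled = yes")
    # 4. An empty connection string silently falls back to SQLite instead of MySQL.
    if not opt("cuckoo.conf", "database", "connection").startswith("mysql"):
        problems.append("cuckoo.conf: [database] connection should be a mysql:// URL")
    return problems

if __name__ == "__main__":
    for label, confs in (("defaults", DEFAULT_CONFS), ("windows", WINDOWS_CONFS)):
        print(label + ":", check_windows_config(confs) or "OK")
```

To check a real installation, build the dictionary by reading each file from the Cuckoo conf\ folder with open(...).read() instead of using the constructed samples.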
The client
You can follow the default Cuckoo Sandbox manual for installing the client which will run the malware samples.
http://cuckoo.readthedocs.org/en/latest/installation/guest/requirements/
How to use
I have been using the Cuckoo Sandbox API script and the Cuckoo Sandbox Submit script, which are located in \utils\, to submit samples.