The perfect Cuckoo Sandbox installation guide

If you want to analyze malware, you might have run into the Cuckoo Sandbox project, which has been crafted by Claudio Guarnieri, Alessandro Tanasi, Jurriaan Bremer and Mark Schloesser.

This team created the Cuckoo Sandbox project so that people can analyze malware in their own personal environment.

So what does the Cuckoo Sandbox project produce as results?

The Cuckoo Sandbox is able to provide RAW data which includes, but is not limited to:

–          Native functions and Windows API calls traces

–          Copies of files created and deleted from the filesystem

–          Dump of the memory of the selected process

–          Full memory dump of the analysis machine

–          Screenshots of the desktop during the execution of the malware analysis

–          Network dump generated by the machine used for the analysis

Once the RAW data has been collected, the Cuckoo Sandbox project will allow the user to create “end-user” reports. The Cuckoo Sandbox is currently able to provide the following types of reports:

–          JSON

–          HTML

–          MAEC

–          MongoDB interface

–          HPFeeds interface

The Cuckoo Sandbox has been written in Python, so you can easily access the source code and adjust it to your personal demands.

My experiences with Cuckoo Sandbox

–          Setup Cuckoo Sandbox on a Virtual Private Server

–          Setup Cuckoo Sandbox on a Windows environment

–          Setup Cuckoo Sandbox on a Desktop computer at home

Official Cuckoo Sandbox sources

–          http://docs.cuckoosandbox.org/en/latest/

The link above leads to the Cuckoo Sandbox installation guide provided by the Cuckoo Sandbox developers. The project developers do state that it can be hard to get the Cuckoo Sandbox environment running on the first try. But we will try to “debunk” that with this perfect Cuckoo Sandbox installation guide.

Installing the Cuckoo Sandbox environment

Awesome, this is the part where we are going to start our process of installing the Cuckoo Sandbox environment.

So first of all, let’s make sure that we are running on the same environment:

Environment for the Cuckoo Sandbox project

For this tutorial, I have chosen to install the project on an (old) computer which has been gathering dust.

The computer has the following specs:

–          Quad Core processor AMD (Desktop)

–          4 GB DDR2 Memory

–          1000 GB hard disk

–          Dedicated graphics card (7600GT)

I have also decided that I will be running the Virtual environments in the “GUI” option, so we are going to install the Cuckoo Sandbox environment via the Graphical user interface which is provided by the Ubuntu Desktop distro.

Note: It is possible to install Cuckoo Sandbox via SSH, but I think it is nice if you can “watch” the malware run in the virtual machines.

This environment will be able to run “one” virtual machine, as each virtual machine needs its own share of memory. If you want to use multiple virtual machines on a Cuckoo environment, I urge you to have lots of free memory. For example, each virtual environment will use 1024 MB of memory.

So if you have 4 GB, you will have 2 GB for the operating system, 1 GB for the virtual machine and 1 GB for “roaming” memory.

What to have ready:

–          Working Internet Connection

–          Working Windows (XP, 7, 8, 8.1) license which you will use for your “malware analyses”

–          Coffee

–          Google

Let's get started: Installation of Ubuntu Desktop 14.04 LTS

Download the environment which you want to run Cuckoo Sandbox on.

You can download the Ubuntu Desktop environment from the official source:

http://www.ubuntu.com/download/desktop/

Once you have downloaded the operating system, install it on the computer you wish to use.

Install Ubuntu on the machine

This will take some time, so have your coffee ready.

Once it has been installed, log in on the Ubuntu machine and run the following commands via the “Terminal Console”.

sudo apt-get update
sudo apt-get upgrade

The commands above will make sure that you have the latest updates and will upgrade the packages which need to be updated.

Once the upgrade is done, you can follow these commands to install the Cuckoo Sandbox environment:

sudo apt-get install python
sudo apt-get install python-sqlalchemy python-bson

Now we can continue to install the dependencies which are used by Python and Cuckoo:

sudo apt-get install python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet

The command above installs the first batch of the following packages; the rest are installed in the steps below. They are all needed for the Cuckoo Sandbox project to work at full capacity:

  • DPKT
  • Jinja2
  • Magic
  • Pydeep
  • Pymongo
  • Yara
  • Libvirt
  • Bottlepy
  • Django
  • Pefile
  • Volatility
  • MAEC Python bindings
  • Chardet

Continue to install the PIP command on your Ubuntu environment by using the following command in your terminal:

sudo apt-get install python-pip

sudo pip install cybox

Do not forget the remaining Python packages, which are installed via the PIP command (python-magic, python-dpkt and python-libvirt were already installed with apt-get above, as they are not available via PIP):

sudo pip install jinja2 pymongo bottle pefile maec==4.0.1.0 django chardet

Remember that we will also need to install YARA and Pydeep.

We continue by installing the VirtualBox software on the Ubuntu Desktop environment:

sudo apt-get install virtualbox

sudo apt-get install tcpdump

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Creating the Cuckoo user on Ubuntu

sudo adduser cuckoo
sudo usermod -a -G vboxusers cuckoo   # -a appends the group instead of replacing the user's existing groups

Install SSDEEP

sudo apt-get install ssdeep
sudo apt-get install python-pyrex # required for pyssdeep installation
sudo apt-get install subversion
sudo apt-get install libfuzzy-dev
sudo svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
cd pyssdeep
sudo python setup.py build
sudo python setup.py install

Install Mongo

sudo apt-get install python-pymongo
sudo apt-get install mongodb

Install YARA

sudo apt-get install g++
sudo apt-get install libpcre3 libpcre3-dev
sudo wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
sudo tar -xvzf yara-1.6.tar.gz
cd yara-1.6   # cd is a shell builtin, so it must not be run through sudo
sudo ./configure
sudo make
sudo make check
sudo make install

Install Python Support

sudo wget http://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
sudo tar -xvzf yara-python-1.6.tar.gz
cd yara-python-1.6   # cd is a shell builtin, so it must not be run through sudo
sudo python setup.py build
sudo python setup.py install

Install Git so we can download Cuckoo Sandbox

sudo apt-get install git

Install Cuckoo Sandbox

sudo git clone git://github.com/cuckoobox/cuckoo.git

Now we have installed the Cuckoo Sandbox. But wait, we are not done yet.
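Before moving on, it is worth checking that the steps above actually took effect: the tcpdump capabilities from the setcap step, the cuckoo user's vboxusers membership, and the Python modules that Cuckoo imports. The pre-flight script below is an added example written for this guide, not part of the Cuckoo project; the module list and the tcpdump path are taken from the commands above, and the "run" argument is an assumption of this script.

```shell
#!/bin/sh
# Pre-flight check for the Cuckoo host built in this guide (added example, not
# from the Cuckoo project): verifies the tcpdump capabilities set with setcap,
# the cuckoo user's vboxusers membership and the Python modules installed above.

# Return 0 when a getcap output line grants both cap_net_raw and cap_net_admin
# with the "eip" flags. Accepts both getcap styles:
# "/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip" and "... cap_net_raw=eip".
tcpdump_caps_ok() {
    case "$1" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$1" in *eip*) return 0 ;; *) return 1 ;; esac
}

# Return 0 when a space-separated group list (as printed by "id -nG") contains
# vboxusers, which the cuckoo user needs in order to drive VirtualBox.
in_vboxusers() {
    for g in $1; do
        [ "$g" = "vboxusers" ] && return 0
    done
    return 1
}

# Print the modules from the argument list that cannot be imported with the
# interpreter in $PYTHON (defaults to "python", as used throughout the guide).
missing_python_modules() {
    missing=""
    for m in "$@"; do
        "${PYTHON:-python}" -c "import $m" >/dev/null 2>&1 || missing="$missing $m"
    done
    printf '%s' "${missing# }"
}

# Run all checks against the live system; returns non-zero if anything is off.
preflight() {
    rc=0
    tcpdump_caps_ok "$(getcap /usr/sbin/tcpdump 2>/dev/null)" \
        || { echo "FAIL: tcpdump lacks cap_net_raw,cap_net_admin=eip; rerun setcap"; rc=1; }
    in_vboxusers "$(id -nG cuckoo 2>/dev/null)" \
        || { echo "FAIL: user cuckoo is not in group vboxusers"; rc=1; }
    # module names differ from package names: python-magic -> magic, pyssdeep -> ssdeep
    m=$(missing_python_modules sqlalchemy bson dpkt jinja2 magic pymongo gridfs libvirt \
                               bottle pefile chardet cybox maec django yara ssdeep)
    [ -z "$m" ] || { echo "FAIL: Python modules not importable: $m"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: host passes the Cuckoo pre-flight checks"
    return "$rc"
}
# Invoke as "sh cuckoo-preflight.sh run"; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it as the cuckoo user on the Ubuntu host; every FAIL line names the step above that needs to be repeated.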

We are going to set up the virtual environment which is going to run the malware first.

–          Click here to continue to the Virtual Environment setup guide