The team mentioned earlier created the Cuckoo Sandbox project so that anyone can analyze malware in an environment they control.
So what does the Cuckoo Sandbox project produce as results?
Cuckoo Sandbox produces raw analysis data that includes, but is not limited to:
– Traces of native function and Windows API calls
– Copies of files created and deleted on the filesystem
– Memory dump of the selected process
– Full memory dump of the analysis machine
– Screenshots of the desktop taken while the malware runs
– Network traffic dump captured from the analysis machine
Once the raw data has been collected, Cuckoo's reporting modules turn it into "end-user" reports or push the results to other systems. Among the reporting modules currently available are:
– MongoDB interface
– HPFeeds interface
Cuckoo Sandbox is written in Python, so the source code is easy to read and to adapt to your own needs.
My experiences with Cuckoo Sandbox
– Setup Cuckoo Sandbox on a Virtual Private Server
– Setup Cuckoo Sandbox on a Windows environment
– Setup Cuckoo Sandbox on a Desktop computer at home
Official Cuckoo Sandbox sources
The link above points to the installation guide provided by the Cuckoo Sandbox developers. The developers themselves state that it can be hard to get a Cuckoo environment running on the first try; this guide walks through the installation step by step to make that first attempt succeed.
Installing the Cuckoo Sandbox environment
Awesome, this is the part where we are going to start our process of installing the Cuckoo Sandbox environment.
So first of all, let’s make sure that we are running on the same environment:
Environment for the Cuckoo Sandbox project
For this tutorial, I have chosen to install the project on an old computer that has been collecting dust.
The computer has the following specs:
– Quad Core processor AMD (Desktop)
– 4 GB DDR2 Memory
– 1000GB Harddisk
– Dedicated graphics card (7600GT)
I have also decided that I will be running the virtual environments with the "GUI" option, so we are going to install the Cuckoo Sandbox environment via the graphical user interface provided by the Ubuntu Desktop distro.
It is possible to install Cuckoo Sandbox over SSH, but I think it is nice if you can "watch" the malware run in the virtual machines.
This environment will only be able to run one analysis virtual machine, because every virtual machine needs its own memory: with the settings used in this guide, each VM is given 1024 MB. If you want to run several virtual machines on one Cuckoo host, make sure you have plenty of free memory.
With 4 GB in total, the budget is roughly 2 GB for the host operating system, 1 GB for the virtual machine and 1 GB of headroom.
What to have ready:
– Working Internet Connection
– A valid Windows license (XP, 7, 8 or 8.1) for the guest you will use for your malware analyses
Let's get started: installation of Ubuntu Desktop 14.04 LTS
Download the environment which you want to run Cuckoo Sandbox on.
You can download the Ubuntu Desktop environment from the official source :
Once you have downloaded the operating system, install it on the computer you wish to use.
This will take some time, so have your coffee ready.
Once it has been installed, log in to the Ubuntu machine and run the following commands in a terminal.
sudo apt-get update
sudo apt-get upgrade
The commands above will make sure that you have the latest updates and will upgrade the packages which need to be updated.
Once the upgrade is done, run the following commands to install Python and the first Cuckoo dependencies:
sudo apt-get install python
sudo apt-get install python-sqlalchemy python-bson
Now we continue with the Python packages that Cuckoo depends on:
sudo apt-get install python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet
The command above installs the Python bindings Cuckoo needs to run at full capacity: dpkt (PCAP parsing), jinja2 (report templates), python-magic (file type detection), pymongo and gridfs (the MongoDB reporting module), libvirt, bottle (the web interface), pefile (PE parsing) and chardet (encoding detection). The following package is not in the Ubuntu repositories and is installed with pip further below:
- MAEC Python bindings
Continue by installing pip on your Ubuntu environment and use it to install the cybox bindings, which the MAEC bindings depend on:
sudo apt-get install python-pip
sudo pip install cybox
The remaining Python packages come from PyPI via pip (python-magic, python-dpkt and python-libvirt were already installed from the Ubuntu repositories above). The Cuckoo documentation pins maec to a specific release; install the version it lists for the Cuckoo version you check out:
sudo pip install jinja2 pymongo bottle pefile maec==220.127.116.11 django chardet
Remember that we will also need to install YARA and Pydeep
Next, install VirtualBox and tcpdump on the Ubuntu Desktop host. tcpdump captures the guest's network traffic; the setcap call grants the binary the capabilities raw packet capture needs, so Cuckoo can run it as the unprivileged cuckoo user instead of as root. Note that on Ubuntu the AppArmor profile for tcpdump can still block it from writing captures into Cuckoo's storage directory; the Cuckoo documentation describes how to disable that profile.
sudo apt-get install virtualbox
sudo apt-get install tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
Creating the cuckoo user on Ubuntu and adding it to the vboxusers group (use -a so any existing supplementary groups are kept rather than replaced):
sudo adduser cuckoo
sudo usermod -a -G vboxusers cuckoo
Install ssdeep and build the pyssdeep Python bindings (the Subversion checkout below points at Google Code, which has since shut down, so the URL may need updating; the build and install steps stay the same). Only the install step needs root:
sudo apt-get install ssdeep
sudo apt-get install python-pyrex   # required for the pyssdeep build
sudo apt-get install subversion
sudo apt-get install libfuzzy-dev
svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
cd pyssdeep
python setup.py build
sudo python setup.py install
cd ..
Install MongoDB and its Python driver for the MongoDB reporting module:
sudo apt-get install python-pymongo
sudo apt-get install mongodb
Build and install YARA from source (the 1.6 tarball below was hosted on Google Code, which has since shut down; YARA releases are now published on GitHub under VirusTotal/yara). Note that cd must not be run under sudo, as it would only change directory in a throwaway child process:
sudo apt-get install g++
sudo apt-get install libpcre3 libpcre3-dev
wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
tar -xvzf yara-1.6.tar.gz
cd yara-1.6
./configure
make
make check
sudo make install
cd ..
Install the YARA Python bindings (yara-python), matching the YARA version built above:
wget http://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
tar -xvzf yara-python-1.6.tar.gz
cd yara-python-1.6
python setup.py build
sudo python setup.py install
cd ..
Install Git so we can download Cuckoo Sandbox:
sudo apt-get install git
Install Cuckoo Sandbox. Run the clone as the cuckoo user (no sudo) so the checkout is owned by the account that will run it, and clone over https rather than git://, which is unauthenticated and no longer served by GitHub:
git clone https://github.com/cuckoobox/cuckoo.git
Now Cuckoo Sandbox is installed. But wait, we are not done yet.
Next we set up the virtual machine that will actually run the malware.
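Before moving on to the guest, it pays to verify that the host steps above actually took effect, since most first-run failures come from a missed capability, group or module. The following POSIX shell script is an added example (not code from the original page or from the Cuckoo project): it checks the capabilities set on tcpdump, the cuckoo user's vboxusers membership, the Python modules and binaries installed above, and applies the memory budget from the environment section. It assumes tcpdump is at /usr/sbin/tcpdump, the analysis account is named cuckoo, and the python on PATH is the interpreter the apt and pip steps installed packages for.

```bash
#!/bin/sh
# Post-install checks for the Cuckoo host built above (added example, not part
# of the Cuckoo project). Assumptions: tcpdump is at /usr/sbin/tcpdump, the
# analysis account is "cuckoo", and "python" on PATH is the interpreter the
# apt/pip steps installed packages for.

# Parse one getcap(8) output line and confirm that cap_net_raw and
# cap_net_admin are both present with the effective (e) and permitted (p)
# flags. Both libcap output styles are accepted:
#   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip     (newer libcap)
tcpdump_caps_ok() {
    capset=${1##* }                 # last whitespace-separated field
    case "$capset" in *[+=]*) ;; *) return 1 ;; esac   # needs a flag separator
    case "$capset" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$capset" in *cap_net_admin*) ;; *) return 1 ;; esac
    flags=${capset##*[+=]}          # text after the '+' or '=' separator
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
    return 0
}

# Check whether USER is a supplementary member of GROUP. Group entries are read
# from stdin in /etc/group format, so the function works on the real file or
# on a constructed fixture.
user_in_group() {
    user=$1; group=$2
    while IFS=: read -r gname _pw _gid members; do
        [ "$gname" = "$group" ] || continue
        oldifs=$IFS; IFS=,
        for m in $members; do
            if [ "$m" = "$user" ]; then IFS=$oldifs; return 0; fi
        done
        IFS=$oldifs
        return 1                    # group found, user not listed
    done
    return 1                        # group not found
}

# Number of 1 GB analysis VMs the host can run: keep 2 GB for Ubuntu and 1 GB
# of headroom, as in the memory budget above.
vm_count_for_ram_mb() {
    spare=$(( $1 - 2048 - 1024 ))
    if [ "$spare" -lt 0 ]; then spare=0; fi
    echo $(( spare / 1024 ))
}

# Live checks against this host; run with: sh check_cuckoo_host.sh run
run_checks() {
    status=0
    if tcpdump_caps_ok "$(getcap /usr/sbin/tcpdump 2>/dev/null)"; then
        echo "ok   tcpdump has cap_net_raw,cap_net_admin (e+p)"
    else
        echo "FAIL tcpdump lacks capabilities: re-run the setcap step"; status=1
    fi
    if user_in_group cuckoo vboxusers < /etc/group; then
        echo "ok   cuckoo is in vboxusers"
    else
        echo "FAIL cuckoo is not in vboxusers: usermod -a -G vboxusers cuckoo"; status=1
    fi
    # Modules installed by the apt/pip steps above, imported by name.
    for mod in sqlalchemy bson dpkt jinja2 magic pymongo gridfs libvirt \
               bottle pefile chardet cybox maec django yara; do
        if python -c "import $mod" 2>/dev/null; then
            echo "ok   python module $mod"
        else
            echo "FAIL python module $mod is missing"; status=1
        fi
    done
    for bin in VBoxManage tcpdump mongod yara git; do
        if command -v "$bin" >/dev/null 2>&1; then
            echo "ok   $bin on PATH"
        else
            echo "FAIL $bin not on PATH"; status=1
        fi
    done
    ram_mb=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo)
    echo "info ${ram_mb} MB RAM: room for $(vm_count_for_ram_mb "$ram_mb") 1 GB analysis VM(s)"
    return $status
}

if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Save it as check_cuckoo_host.sh and run `sh check_cuckoo_host.sh run` as the cuckoo user; a non-zero exit means at least one step above needs repeating. The parsing functions take their input as arguments or on stdin, so they can also be pointed at a saved getcap line or a copy of /etc/group when debugging a remote host.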
– Click here to continue to the Virtual Environment setup guide