Patch Management
One of the keys to using Cuckoo successfully is to track the applied patches/updates to your guess Operating System (OS) and application(s) also known as a baseline. The baseline eliminates specific vulnerabilities in certain software based on the applied patch/update level. A baseline allows one to rule out malware which effects vulnerabilities covered by your baseline. My recommendation is to have your baseline patched/updated between 1 - 3 months behind the current month. This is because every environment handles patches/updates differently which can lead to delays in rolling out patches/updates.
Guess Operating System
Cuckoo supports Linux, Unix, and Windows operating systems. While Linux and Unix Operating systems are targets for malware, Windows is the most used Operating System in the business sector and therefore will be the Operating Systems of focus for this post. My recommendations are to test malware samples on Windows 7 (32-bit/64-bit) or Windows 10 (32-bit/64-bit).
Steps
1. Guess Operating System Configurations
- Disable the Windows Firewall
- Disable the Windows Defender
- Reason for disabling the above is that organizations use third party vendors to manage those functions (i.e. Norton anti-virus, Sonic wall, etc)
- If possible, set automatic updates to "notify when updates are available and let me chose which ones to download and install."
- Download and install Python 2.7
- (Optional) Download and install Python Image Library 1.1.7 for Python 2.7
- Transfer the Cuckoo Agent via a temporary shared folder between the host and guess operating system.
3. Additional Software
- Install the following commonly used programs: Microsoft Office (2007, 2010, 2013), Adobe Flash player, Adobe Reader, and Java.
- Add commonly used browser plugins
5. Paranoid Fish (Pafish)
- Purpose is to help one determine if their Sandbox is detectable by malware.
- Some malware has the capability to detects the presents of a sandbox. If it detects one it will fail to execute preventing one from obtaining any analytical information from it.
- Installation:
- Download the executable file Paranoid Fish to your Virtual Machine.
- Install the executable.
- Run it.
1. Cuckoo Sandbox Documentation.
Social Media
Facebook:
https://www.facebook.com/BDavisCS/
Twitter:
@BDavis_CyberSec