Cuckoo Sandbox Installation (Part 4 of 4)

This is 4 of a 4 part series on the installation of Cuckoo Sandbox. Part 4 will focus on preparing the guess Operating System of the Virtual Machine for use with the Cuckoo Sandbox.

Patch Management
One of the keys to using Cuckoo successfully is to track the applied patches/updates to your guess Operating System (OS) and application(s) also known as a baseline. The baseline eliminates specific vulnerabilities in certain software based on the applied patch/update level. A baseline allows one to rule out malware which effects vulnerabilities covered by your baseline. My recommendation is to have your baseline patched/updated between 1 - 3 months behind the current month. This is because every environment handles patches/updates differently which can lead to delays in rolling out patches/updates. 


Guess Operating System
Cuckoo supports Linux, Unix, and Windows operating systems. While Linux and Unix Operating systems are targets for malware, Windows is the most used Operating System in the business sector and therefore will be the Operating Systems of focus for this post. My recommendations are to test malware samples on Windows 7 (32-bit/64-bit) or Windows 10 (32-bit/64-bit). 


Steps

1. Guess Operating System Configurations

• Disable the Windows Firewall
• Disable the Windows Defender
• Reason for disabling the above is that organizations use third party vendors to manage those functions (i.e. Norton anti-virus, Sonic wall, etc)

• If possible, set automatic updates to "notify when updates are available and let me chose which ones to download and install."

2. Cuckoo Dependencies [1]

• Download and install Python 2.7
• (Optional) Download and install Python Image Library 1.1.7 for Python 2.7 
• Transfer the Cuckoo Agent via a temporary shared folder between the host and guess operating system.

3. Additional Software

• Install the following commonly used programs: Microsoft Office (2007, 2010, 2013), Adobe Flash player, Adobe Reader, and Java.

4. Plugins

• Add commonly used browser plugins  

5. Paranoid Fish (Pafish)

• Purpose is to help one determine if their Sandbox is detectable by malware.
• Some malware has the capability to detects the presents of a sandbox. If it detects one it will fail to execute preventing one from obtaining any analytical information from it.  
• Installation:
• Download the executable file Paranoid Fish to your Virtual Machine.
• Install the executable.
• Run it.

References
1. Cuckoo Sandbox Documentation.


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Cuckoo Sandbox Installation (Part 3 of 4)

This is 3 of a 4 part series on the installation of Cuckoo Sandbox. Part 3 will focus on editing the configuration files for the Cuckoo Sandbox. 

Video Instructions
Cuckoo Sandbox Installation Part 3


Steps

To edit the configuration files:

• Open a terminal
• Navigate to the directory of the configuration files 
• /home/YourUserName/Downloads/cuckoo/conf
• Open a specific file using nano editor
• nano FileName
• Replace the value on the right side of the equal sign with a corresponding value (i.e replace "yes" with "no", or change a numerical value). 
• Note: The items in "[ ]" are the section heads within the specific configuration file.  

• Nano editor Basics
• To save the edited file hold the "Ctrl" button on your keyboard and press the "x" button on your keyboard.
• Type "Y"

• How to Find the IP Address of your Windows virtual machine:
• 1. Power on the VM.
• 2. Open a command prompt and type the command:
• ipconfig  

• How to Find the Network Interface of your virtual machine:
• 1. Open a terminal
• 2. Type the command:
• ifconfig
• Look the IP Address range which your VM's IP Address falls within. To the left of the IP Address range will be the name of the Network Interface associated with it. Below is a picture containing an example:
•   
  

• How to Find the vmx_path:
• Type the following command:
•  find / -name "*.vmx"

• How to Find the IP Address of your host machine:
• 1. Open a terminal
• 2. Type the command:
• ifconfig

Configuration Files[1]

• cuckoo.conf 
• nano cuckoo.conf
• [cuckoo]
• memory_dump = on
• machinery = virtualbox or vmware

• [resultserver]
• ip = ip address of the host system not the virtual machine.

• auxiliary.conf
• nano auxiliary.conf
• [mitm]
• enable = yes

• [sniffer]
• interface = the network interface of your virtual machine

• vmware.conf
• nano vmware.conf 
• [vmware]
• machines = name of virtual machine
• interface = name of the network interface for the virtual machine
• [Name_of_the_Virtual_Machine]
• vmx_path = ../name_of_virtual_machine/ name_of_virtual_machine.vmx
• ip = ip address of the virtual machine

• processing.conf
• nano processing.conf
•  [memory]
• enable = yes

• memory.conf
• nano memory.conf
• [basic]
• guest_profile = volatility's profile name for your guest operating system
• Here are a list of profile names for the various Windows operating systems
•  
  

• reporting.conf
• nano reporting.conf 
• [reporthtml]
• enable = yes

• [mongodb]
• enable = yes

References  
1. Cuckoo Sandbox Configuration Files

Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec 

Cuckoo Sandbox Installation (Part 2 of 4)

This is 2 of a 4 part series on the installation of Cuckoo Sandbox. Part 2 will focus on installing additional functionality to the Host Operating System for the Cuckoo Sandbox. 

Video Instructions
Cuckoo Sandbox Installation Part 2


Steps
All  commands are Italicize. To install the software open a terminal and copy & paste the commands. During the installation of the various software you will be prompted with the options of "Yes/No" type "Yes or Y" to all prompts.

1. Install Django-based web interface [1]

• sudo apt-get install mongodb

2. Install TCPdump [1]

• sudo apt-get install tcpdump
• sudo apt-get install libcap2-bin
• sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
• getcap /usr/sbin/tcpdump

3. Install Volatility [2]

• sudo apt install git
• git clone https://github.com/volatilityfoundation/volatility.git
• Navigate to the volatility folder 
• cd /home/YourUserName/volatility
• sudo python setup.py install

4. Install Volatility Plug-ins

• Distorm3
• Download Distorm3  
• Navigate to the Downloads folder
• tar -xvzf distorm-3.4.0.tar.gz
• Navigate to the distorm-3.4.0 folder
• cd /home/YourUserName/Downloads/distorm-3.4.0
• sudo python setup.py install

•  Yara [3]
•  Install autoreconf
• sudo apt-get install autoconf
• Install libtool-bin
• sudo apt-get install libtool-bin
• Download Yara
• Navigate to the Downloads folder
• tar -xvzf yara-3.5.0.tar.gz
• Navigate to the yara-3.5.0 folder
• cd /home/YourUserName/Downloads/yara-3.5.0
• ./bootstrap.sh
• ./configure --with-crypto --enable-magic --enable-cuckoo
• make
• sudo make install 
• sudo -H pip install yara-python

• PyCrypto [4]
• Download PyCrypto
• Navigate to the Downloads folder
• tar -xvzf pycrypto-2.6.1.tar.gz
• Navigate to the pycrypto-2.6.1 folder
• cd /home/YourUserName/Downloads/pycrypto-2.6.1
•  python setup.py build
• sudo python setup.py install

• Openpyxl [5]
• sudo -H pip install openpyxl

• UJSON [6]
• sudo -H pip install ujson

•  IPython [7]
• sudo -H pip install jupyter

5. Install Mitmproxy

• sudo apt-get install python3-pip python3-dev libssl-dev libtiff5-dev libjpeg8-dev zlib1g-dev libwebp-dev
• sudo pip3 install mitmproxy
• mitmproxy
• cd ~/.mitmproxy
• cp mitmproxy-ca-cert.p12 /home/YourUserName/Downloads/cuckoo/analyzer/windows/bin/cert.p12 
•  mitmdump = /usr/local/bin/mitmdump

References
1. Cuckoo Sandbox Documentation
2. Volatility Documentation
3. Yara Documentation
4. PyCrypto Documentation
5. OpenPyxl Documentation
6. UJSON Documentation
7. IPython Documentation


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Cuckoo Sandbox Installation (Part 1 of 4)

This is the first of four parts series on the "Installation of Cuckoo Sandbox." Part 1 will focus on preparing the Host Operating System. 

Video Instructions
Cuckoo Sandbox Installation Part 1

Background
In order to successfully install Cuckoo Sandbox you must setup the required environment. The required software is Linux, Python, and a virtualization platform (i.e Virtualbox or VMware Player).

Steps

All  commands are Italicize. To install the software open a terminal and copy & paste the commands. During the installation of the various software you will be prompted with the options of "Yes/No" type "Yes or Y" to all prompts. 

1. Linux

• Install Linux as your main operating system. This can be any distribution of Linux. (My choice was  Ubuntu 16.04).
• Run the update command to update your Linux distribution. 
• sudo apt-get update

2. Python libraries [1]

•   Install the dependencies 
•  sudo apt-get install python python-pip python-dev libffi-dev libssl-dev 

• Install libxml2-dev and libxslt-dev 
• sudo apt-get install libxml2-dev libxslt-dev

•  Install the requirements from the requirements text file using PyPI 
• Download Cuckoo Sandbox and extract it.  
• Command to extract the .tar.gz file: tar -xvzf 
• Example: tar -xvzf FileName.tar.gz
• Navigate to the cuckoo folder:
• cd /home/YourUserName/Downloads/cuckoo
• sudo -H pip install -r requirements.txt 
• sudo -H pip install --upgrade pip

 3. Virtualization Software

• Install VMware player
• Download VMWare Workstation Player for Linux
• Navigate to 
• cd/ home/YourUserName/Downloads

• sudo chmod u+x VMWare-Player-12.5.1-4542065.x86_64.bundle
• sudo ./VMWare-Player-12.5.1-4542065.x86_64.bundle

4. Create a user for cuckoo

• sudo adduser cuckoo

References:
1. Cuckoo Sandbox Documentation


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec