The following article covers the installation and hardening of the latest (Git) Cuckoo Sandbox version. There are a few articles about setting up Cuckoo on Ubuntu/Debian; I had no luck, however, finding one that describes the process on Gentoo.
There is no guide about hardening the latest (0.6+) Cuckoo either. The guide for 0.5 doesn't work anymore, because the latest cuckoomon.dll uses a different communication format and will not report any information during analysis.
Gentoo is not officially supported; it is possible, however, to make Cuckoo Sandbox run 'almost' flawlessly on it. I'm using the 'test' package set (~amd64), so if you're on stable you will have to set the proper keywords for Cuckoo's dependencies, since 0.6+ needs the latest versions. Most dependencies can already be found in Portage.
Let's start with the following set:
$ emerge -av dev-python/sqlalchemy dev-python/dpkt dev-python/jinja dev-python/bottle net-analyzer/tcpdump
Now it's time for ssdeep. An ebuild can be found on Gentoo Bugzilla. Download the latest one and place it in your local overlay (e.g. /usr/local/portage/app-forensics/ssdeep). You'll also need the Python bindings for ssdeep; the ebuild can be found here (place it in your local overlay, e.g. /usr/local/portage/dev-python/pyssdeep). You have to create digest files for them as well. When that's done, you are ready to install ssdeep:
$ emerge -av app-forensics/ssdeep dev-python/pyssdeep
Unfortunately I had no luck making Cuckoo use ssdeep: both ssdeep and pyssdeep work fine when executed manually, but no hash is included in the Cuckoo report.
Gentoo Portage also lacks Yara ebuilds. An ebuild for Yara can be found here (place it in your local overlay, e.g. /usr/local/portage/app-forensics/yara) and one for the Yara Python bindings here (place it in your local overlay, e.g. /usr/local/portage/dev-python/yara-python). Now you're ready to install Yara:
$ emerge -av app-forensics/yara dev-python/yara-python
Depending on which virtualization platform you prefer, the proper packages have to be installed. I'm going to use VirtualBox:
$ emerge -av app-emulation/virtualbox app-emulation/virtualbox-modules app-emulation/virtualbox-additions app-emulation/virtualbox-extpack-oracle
Time to give tcpdump some capabilities, so that normal users without root privileges can capture traffic with it:
$ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump
getcap lists all capabilities set on tcpdump. You can run setcap each time the system is rebooted, or you can create a local.d init script that does it on system boot (files in /etc/local.d are executed as shell scripts, so the file has to contain the setcap command itself):
$ echo '#!/bin/sh' > /etc/local.d/setcap-tcpdump.start
$ echo 'setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump' >> /etc/local.d/setcap-tcpdump.start
$ chmod +x /etc/local.d/setcap-tcpdump.start
The next step is creating a user account for Cuckoo:
$ useradd -c Cuckoo -G vboxusers -m -s /bin/bash -U cuckoo
There are quite a few supported databases; I'm going to use MariaDB (a fork of MySQL). You'll need proper support for it in Python:
$ emerge -av dev-python/mysql-python
You have to create a new database as well:
$ mysql -u root -p
MariaDB [(none)]> create database cuckoo;
MariaDB [(none)]> grant all privileges on cuckoo.* to cuckoo@localhost identified by 'cuck00pass';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> quit;
Here 'cuckoo' in 'cuckoo@localhost' is the username you created for Cuckoo, and 'localhost' is the host it will be running on (in most cases 'localhost', except when the DB runs on a different machine than Cuckoo). 'cuck00pass' is the password Cuckoo uses to access the database.
Time for Cuckoo itself. If you don't have Git on your system, install it:
$ emerge -av dev-vcs/git
$ su cuckoo
$ cd
$ git clone git://github.com/cuckoobox/cuckoo.git
The above commands place Cuckoo in the Cuckoo user's home directory. If you want a different destination, just provide the proper path after cd.
Configuration is rather simple; you can follow the official guide to set up your Cuckoo. Remember to apply the MariaDB configuration if you want to use it: it's the same as for MySQL and is described in the official guide.
Now you have to create a virtual machine with the OS that will be used to test malware. If you're going to use Cuckoo in your company, the best choice is probably the default build installed on your workstations and servers. You can of course create as many VMs as you want, and you can run the same malware on all of them to check which are vulnerable. The official guide covers the process nicely, so I'm not going to describe it here. Just remember to run VirtualBox as your Cuckoo user; in KDE, for example, you can use kdesu:
$ kdesu -u cuckoo -c VirtualBox
Remember as well to use 'host-only' networking and not to install the Guest Additions: they're not needed, and leaving them out makes it more difficult for malware to detect the sandbox. If you're looking for the latest Python 2.x for Windows, you can find it here, and the latest PIL for Python 2.x (Python Imaging Library, required for screenshots) can be found here.
Host-only networking in VirtualBox requires a few iptables rules to be added (a simple masquerade). I'm using the default VirtualBox settings for the host-only network:
$ iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
$ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ iptables -A POSTROUTING -t nat -j MASQUERADE
$ /etc/init.d/iptables save
Remember to add iptables to the default runlevel if it isn't there already. You also have to enable 'net.ipv4.ip_forward' in /etc/sysctl.conf.
At this point your basic Cuckoo environment is ready. To run it, log in as the Cuckoo user, go to the ~/cuckoo directory and execute:
$ python ./cuckoo.py
In another terminal (consider using the screen tool) log in once again as the Cuckoo user, go to the same directory and execute:
$ python ./utils/web.py
Now you can open your preferred web browser and go to http://localhost:8080/; from this web interface you can submit samples for analysis and browse the results. There's also a Python script called submit.py in the cuckoo/utils folder which you can use to submit samples.
There's one more thing you should know at this point: setting up host-only networking in VirtualBox makes Cuckoo fail to launch after a reboot. This is caused by Cuckoo binding to the not-yet-configured vboxnet0 interface. To work around it, use VBoxManage to set the vboxnet0 IP address before launching Cuckoo, or create a shell script that does it for you:
$ vim ~/cuckoo/start-cuckoo.sh
and place the following lines in it:
#!/bin/bash
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
./cuckoo.py
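Here is an extended version of that start script, added as an example and not part of the original post: besides assigning the vboxnet0 address it verifies the tcpdump capabilities and the ip_forward setting configured earlier, and only launches Cuckoo when invoked with the run argument. CUCKOO_DIR, HOSTONLY_IF, HOSTONLY_IP and TCPDUMP_BIN are assumed environment overrides.

```shell
#!/bin/bash
# start-cuckoo.sh (added example, not from the original post): pre-flight
# checks for the pitfalls described above, then launch Cuckoo.
# Assumed overrides: CUCKOO_DIR, HOSTONLY_IF, HOSTONLY_IP, TCPDUMP_BIN.
CUCKOO_DIR="${CUCKOO_DIR:-$HOME/cuckoo}"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"
HOSTONLY_IP="${HOSTONLY_IP:-192.168.56.1}"
TCPDUMP_BIN="${TCPDUMP_BIN:-/usr/sbin/tcpdump}"

# $1: output of `ip -4 addr show <if>`, $2: expected host-only IP.
# Returns 0 when exactly that address is already assigned (fixed-string
# match on "inet <ip>/", so 192.168.56.1 does not match 192.168.56.10).
hostonly_ip_present() {
    printf '%s\n' "$1" | grep -Fq "inet $2/"
}

# $1: output of `getcap <tcpdump>`. Returns 0 only when both cap_net_raw
# and cap_net_admin are present; accepts both the old "= caps+eip" and
# the newer "caps=eip" output formats of getcap.
tcpdump_caps_ok() {
    case "$1" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) return 0 ;;
    esac
    return 1
}

# Runs the checks; prints what is wrong and returns non-zero on failure.
preflight() {
    if ! hostonly_ip_present "$(ip -4 addr show "$HOSTONLY_IF" 2>/dev/null)" "$HOSTONLY_IP"; then
        echo "assigning $HOSTONLY_IP to $HOSTONLY_IF" >&2
        VBoxManage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOSTONLY_IP" || return 1
    fi
    if ! tcpdump_caps_ok "$(getcap "$TCPDUMP_BIN" 2>/dev/null)"; then
        echo "$TCPDUMP_BIN lacks cap_net_raw/cap_net_admin: no pcap will be captured" >&2
        return 1
    fi
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != "1" ]; then
        echo "net.ipv4.ip_forward is 0: the guest will have no Internet access" >&2
        return 1
    fi
}

# Launch only when called as `./start-cuckoo.sh run`, so the file can
# also be sourced to reuse the check functions.
if [ "${1:-}" = "run" ]; then
    preflight || exit 1
    cd "$CUCKOO_DIR" && exec python ./cuckoo.py
fi
```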
Your Cuckoo Sandbox is ready to use; now it's time to proceed to the next step and apply some hardening to prevent malware from detecting the sandbox.
The first thing you will need is a0rtega's tool called pafish (Paranoid Fish). Download it on your host OS (in my case Gentoo Linux) from the Git repository:
$ git clone https://github.com/a0rtega/pafish.git
To test whether the hardening works, submit pafish.exe just like any malware sample, using the Cuckoo web UI or submit.py. If you do that right now, you'll see that your sandbox can easily be detected by malware.
There are probably more ways to avoid detection; I'm going to modify the hooks just as described in a0rtega's post on the AlienVault Labs Blog, but apply his method to the latest cuckoomon sources, since his patched DLL and the patch itself don't work with 0.6+.
You can download my patched DLL here, or proceed and create one on your own, which will be useful when a new Cuckoo is released and the current DLL no longer works.
First you'll need an environment capable of building 32-bit Windows binaries. You can use any Windows host with the MinGW32 bundle, or you can use your Gentoo (or any other Linux) box. If you choose the second option, here's what you have to do.
Start by installing the Gentoo cross-toolchain generator:
$ emerge -av sys-devel/crossdev
To compile 32-bit Windows binaries you'll need a 32-bit MinGW toolchain:
$ crossdev -t i686-pc-mingw32
Now it's time to get the cuckoomon sources. Unfortunately, getting the exact version of the cuckoomon sources used by the latest Cuckoo Sandbox is not possible (I asked on the Community page; no answer was given...). By testing all public cuckoomon Git branches I found that the 'netlog' branch works quite nicely, even though it sometimes reports some errors. You can download the latest 'netlog' branch from here or use git on your Linux box:
$ mkdir netlog
$ cd netlog/
$ git init
$ git remote add -t netlog -f origin https://github.com/cuckoobox/cuckoomon.git
$ git checkout netlog
To patch the sources, go to the netlog/ directory and execute:
$ patch -p1 < /path/to/cuckoomon-netlog-0.6_hardening.patch
Finally, build the patched cuckoomon.dll and replace the original DLL with it:
$ make
$ cp cuckoomon.dll /path/to/cuckoo/analyzer/windows/dll/cuckoomon.dll
$ chown cuckoo:cuckoo /path/to/cuckoo/analyzer/windows/dll/cuckoomon.dll
$ chmod -x /path/to/cuckoo/analyzer/windows/dll/cuckoomon.dll
Done! You don't have to restart Cuckoo; simply upload pafish.exe for analysis and you'll find that the VirtualBox-specific tests no longer detect the sandbox.
I hope this post will help you set up Cuckoo without any major issues. If you have any questions, please post them below.