Installation of Cuckoo Sandbox in Windows 10

During my 5-week lab rotation at NUS under Dr. Wang Wei, I had to run analyses on malware programs, for which I had to install Cuckoo Sandbox. I found very few resources on the internet about installing Cuckoo on Windows 10, hence this post.

Introduction

As Wikipedia puts it, in computer security a sandbox is a security mechanism for separating running programs. It is often used to execute untested code or untrusted programs from unverified third parties, suppliers, untrusted users, and untrusted websites. Any suspicious file can be thrown at it, and in a matter of minutes Cuckoo will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment.
Understanding how malware programs operate is essential to understanding the context, the motivations, and the goals of a breach. Cuckoo Sandbox is a software package for analyzing malware programs and gaining insights into their behavior by running them in a guest machine. The major features of this software are as follows:

  1. Traces of calls performed by all processes spawned by the malware.
  2. Files being created, deleted and downloaded by the malware during its execution.
  3. Memory dumps of the malware processes.
  4. Network traffic trace in PCAP format.
  5. Screenshots taken during the execution of the malware.
  6. Full memory dumps of the machines.
This installation guide is based on this tutorial, plus the additional problems I ran into.

Install WSL (Windows Subsystem for Linux) in your Windows 10 OS

Purpose: Install major dependencies using the WSL.

  • Check Windows Version: You can find this from Settings > System > About. Find the version and type of your system. Your system version should be newer than 1607.
  • Enable WSL: Open WindowsPowerShell as an Administrator from the Start menu. Run the following command:
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
  • Install Ubuntu: For build 16215 and above, open the Microsoft Store app, search for ‘Ubuntu’ and choose Get. For builds below 16215, enable Developer Mode (Settings > Update & Security > For Developers > Developer Mode), then open CMD and type ‘bash’ to install Ubuntu. Set a username and password. Afterwards, typing ‘bash’ in Windows CMD opens the Ubuntu shell.
  • Update and upgrade: Type in the following two commands in Ubuntu bash:
    sudo apt-get update
    sudo apt-get upgrade

Install Dependencies using WSL

Purpose: Cuckoo has many dependencies working together. Some of them are core dependencies like apache2, mysql, mongodb and a few more. Failure of any of the major dependencies can stop Cuckoo from running.

  • LAMP server: Run the following command in Ubuntu bash. Don’t forget to add the ‘^’ character; it helps to find the latest package. Set up the MySQL username and password when prompted.
    sudo apt-get install lamp-server^
  • MongoDB: Run the following command in Ubuntu bash.
    sudo apt-get install mongodb
  • Start services: Run the following commands in Ubuntu bash.
    sudo service apache2 start
    sudo service mysql start
    sudo service mongodb start
  • Check your installation: Run a web browser and type in ‘localhost’ in the address bar. You should find ‘Apache2 Ubuntu Default Page’.

Issue (I faced): After setting up lamp-server, it did not prompt me to set up a username and password for MySQL. After trying many possible ways, I gave up on it, installed XAMPP (standalone in Windows, not in Ubuntu/WSL) and used the MySQL that comes with it for Cuckoo.

Install Cuckoo in Windows

  • Install Python 2.7.x: Cuckoo depends on Python 2.7.x (use the latest 2.7.x release). Install it and add the Python installation directory (e.g. “C:\Python27”) and its ‘Scripts’ directory (“C:\Python27\Scripts”) to the PATH environment variable.
  • [Optional] Upgrade pip setup tools: Run the following command in Windows cmd.
    pip install --upgrade setuptools
  • Install Cuckoo: Run the following command in Windows CMD.
    pip install cuckoo
  • Install MySQL-Python: Run the following command in Windows CMD.
    easy_install mysql-python
  • Initialize Cuckoo: Run the following command in Windows CMD. It will create a .cuckoo folder in the user directory (e.g. “C:\Users\Sanjay Saha\.cuckoo”). This directory contains all the configuration files (.conf) for running Cuckoo Sandbox.
    cuckoo init

Issue (I faced): The easy_install command did not work for me, so I had to install mysql-python another way. Go to https://www.lfd.uci.edu/~gohlke/pythonlibs/#mysql-python, download a suitable WHL (mine was MySQL_python 1.2.5 cp27 none win_amd64.whl) and install it using the following command:
    pip install <path-to-whl-file>

If the command ‘cuckoo’ is not recognized, add the directory where cuckoo.exe resides to the PATH environment variable.

Setup Virtual Machine

  • Installing a virtual machine: Download VirtualBox (from Oracle) and install it. Now create a virtual machine (guest machine/OS) inside it. I installed Windows 7 64-bit as the guest machine. Screenshot of my VirtualBox Manager application:
Oracle VM VirtualBox Manager
  • Change network settings: Power off the guest machine before changing its networks. We need to add two networks to the virtual machine: a Host-only network and a NAT network.

    To set up a NAT network, go to File > Preferences > Network (tab) > “+” sign > OK. The default setting of this NAT network is good to go.
Network Setting for Virtual Machine

To set up a Host-only network, go to File > Host Network Manager > Disable DHCP Server (by unchecking checkbox under ‘Enable’) > Close.

Host Network Manager in VirtualBox Manager

Now add the Host-only and the NAT network to the Guest machine. Go to Settings (of the guest machine, yellow wheel icon) > Network > Adapter 1, Adapter 2 (tabs).

Select Host-only Adapter from the drop-down in the Adapter 1 tab and check the ‘Enable Network Adapter’ checkbox.

Select NAT Network from the drop-down in the Adapter 2 tab and check the ‘Enable Network Adapter’ checkbox.

Network Setup for guest machine in VBox Manager
  • Setting up the guest machine: Power on the guest machine from VirtualBox Manager. Turn off Windows Firewall in the guest machine. Set a static IP for the Host-only network: go to the network settings of the guest machine, select the network adapter for the Host-only network, right-click it, go to Properties and change the IP address. Take note of the IP address for later use.
IP Configuration in the guest machine
  • Check from host machine: Get back to the host machine and run cmd. Run the following command to check if the guest machine is responding.
    ping <ip-of-guest-machine>
  • Install Python2.7.x and Pillow module inside guest machine: Inside the guest machine install python 2.7.x as you did in the host machine. Now, install pillow using the following command:
    pip install pillow
  • agent.py in the VM: From the .cuckoo folder on the host machine, go into the agent folder and copy the agent.py file to the VM (guest machine). Run this agent.py script inside the VM so that it can communicate with the host machine. You are now almost done setting up the virtual machine.
  • Take a snapshot of the VM: In the VirtualBox Manager, take a snapshot of the VM and give it a name. I named my snapshot as ‘ready’.

Configuring Cuckoo

Find the folder that contains all the .conf files (e.g. “C:\Users\Sanjay Saha\.cuckoo\conf”). You will need to update the following files.

  • Configuring cuckoo.conf: Set the following configuration variables in this file:
    ip = <your-host-gateway-ip> # mine is 192.168.56.1
    connection = <your-db-connection> # mine is mysql://root:@localhost/cuckoo
  • Configuring auxiliary.conf: Set the following configuration variables in this file:
    enabled = yes
    tcpdump = <path-to-tcpdump> # mine is C:\tools\tcpdump.exe
  • Configuring reporting.conf: Under the [mongodb] section set:
    enabled = yes
  • Configuring virtualbox.conf: Before configuring this file, you need VirtualBox installed with a virtual machine (guest machine/OS) inside it. Now set the following variables to the appropriate values:
    path = <path-to-VBoxManage> # C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
    interface = <name-of-network> # VirtualBox Host-Only Network
    [cuckoo1]
    label = <label-of-guest-machine> # mine is win7x64
    ip = <ip-of-guest-host-only-network> # mine is 192.168.56.104
    snapshot = <name-of-snapshot> # mine is ready
    interface = <name-of-network-interface> # VirtualBox Host-Only Network
    resultserver_ip = <ip-of-host> # 192.168.56.1
  • Create a database for Cuckoo: Log in to MySQL and create a database named ‘cuckoo’. I used the phpMyAdmin that came with XAMPP to create the database.
  • Community signatures: Download the community signatures for Cuckoo using the following command in CMD on the host machine.
    cuckoo community
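Before starting Cuckoo it is worth checking that the hand-edited values above agree with each other, because a guest IP on the wrong subnet or a resultserver_ip that differs from cuckoo.conf fails only at analysis time. The script below is an added example for this guide, not Cuckoo's own code. It parses the four INI-style files with Python 3's configparser and assumes the Cuckoo 2.x section layout ([resultserver] and [database] in cuckoo.conf, [sniffer] in auxiliary.conf, [mongodb] in reporting.conf, [virtualbox] plus one section per machine in virtualbox.conf) and a /24 host-only subnet (VirtualBox's default 192.168.56.0/24). The sample file contents are constructed from the values in this post.

```python
# Added example (not Cuckoo's own code): consistency checks for the .conf values
# edited above. Assumes Python 3, Cuckoo 2.x section names, /24 host-only subnet.
import configparser
import ipaddress

# Constructed sample contents using the values from the post.
SAMPLE_CUCKOO_CONF = """
[resultserver]
ip = 192.168.56.1
[database]
connection = mysql://root:@localhost/cuckoo
"""
SAMPLE_AUXILIARY_CONF = """
[sniffer]
enabled = yes
tcpdump = C:\\tools\\tcpdump.exe
"""
SAMPLE_REPORTING_CONF = """
[mongodb]
enabled = yes
"""
SAMPLE_VIRTUALBOX_CONF = """
[virtualbox]
path = C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe
interface = VirtualBox Host-Only Network
machines = cuckoo1
[cuckoo1]
label = win7x64
ip = 192.168.56.104
snapshot = ready
interface = VirtualBox Host-Only Network
resultserver_ip = 192.168.56.1
"""


def _load(text):
    # interpolation=None so a '%' in a DB password is not treated specially
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _get(cp, section, key):
    # Missing section or key counts as an empty value
    return cp.get(section, key, fallback="").strip()


def check_cuckoo_config(cuckoo_text, auxiliary_text, reporting_text, virtualbox_text):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    cuckoo, aux = _load(cuckoo_text), _load(auxiliary_text)
    rep, vbox = _load(reporting_text), _load(virtualbox_text)

    # Host side: result server IP (the host-only gateway) and the DB connection string.
    host_ip = _get(cuckoo, "resultserver", "ip")
    host_net = None
    try:
        host_net = ipaddress.ip_network(host_ip + "/24", strict=False)  # assumed /24
    except ValueError:
        problems.append("cuckoo.conf [resultserver] ip is missing or not an IP address")
    if not _get(cuckoo, "database", "connection"):
        problems.append("cuckoo.conf [database] connection is empty")

    # Sniffer needs a tcpdump (here WinDump) path; the web UI needs MongoDB reporting.
    if _get(aux, "sniffer", "enabled").lower() != "yes":
        problems.append("auxiliary.conf [sniffer] enabled should be yes")
    if not _get(aux, "sniffer", "tcpdump"):
        problems.append("auxiliary.conf [sniffer] tcpdump path is empty")
    if _get(rep, "mongodb", "enabled").lower() != "yes":
        problems.append("reporting.conf [mongodb] enabled should be yes")

    # VirtualBox side: VBoxManage path, interface, and every machine in the list.
    if not _get(vbox, "virtualbox", "path"):
        problems.append("virtualbox.conf [virtualbox] path to VBoxManage is empty")
    iface = _get(vbox, "virtualbox", "interface")
    machines = [m.strip() for m in _get(vbox, "virtualbox", "machines").split(",") if m.strip()]
    if not machines:
        problems.append("virtualbox.conf [virtualbox] machines list is empty")
    for name in machines:
        if not vbox.has_section(name):
            problems.append("virtualbox.conf lists machine '%s' but has no [%s] section" % (name, name))
            continue
        for key in ("label", "snapshot"):
            if not _get(vbox, name, key):
                problems.append("virtualbox.conf [%s] %s is empty" % (name, key))
        guest = _get(vbox, name, "ip")
        try:
            if host_net and ipaddress.ip_address(guest) not in host_net:
                problems.append("[%s] ip %s is not on the host-only subnet %s" % (name, guest, host_net))
        except ValueError:
            problems.append("virtualbox.conf [%s] ip is missing or invalid" % name)
        rs_ip = _get(vbox, name, "resultserver_ip")
        if rs_ip and host_ip and rs_ip != host_ip:
            problems.append("[%s] resultserver_ip %s differs from cuckoo.conf ip %s" % (name, rs_ip, host_ip))
        m_iface = _get(vbox, name, "interface")
        if iface and m_iface and m_iface != iface:
            problems.append("[%s] interface '%s' differs from [virtualbox] interface" % (name, m_iface))
    return problems


if __name__ == "__main__":
    found = check_cuckoo_config(SAMPLE_CUCKOO_CONF, SAMPLE_AUXILIARY_CONF,
                                SAMPLE_REPORTING_CONF, SAMPLE_VIRTUALBOX_CONF)
    for line in found or ["all checks passed"]:
        print(line)
```

To run it against a real installation, read each file from the .cuckoo\conf folder and pass the text in; a guest IP such as 10.0.2.15 (the NAT adapter's address, not the Host-only one) is the mistake this catches most often.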

Issue: I did not have tcpdump installed on my computer; tcpdump is also Linux software. So I installed a Windows alternative to tcpdump, WinDump, from https://www.winpcap.org/windump/. I then renamed the WinDump file to tcpdump.

You can find the name of the network interface for the VM with ipconfig: on the host machine, open CMD and type ‘ipconfig’. The interface name is listed there.

Run Cuckoo

Open CMD on the host machine and type the following command to run Cuckoo:
    cuckoo

In another CMD, run the Cuckoo web server by typing:
    cuckoo web

If you want to use the Cuckoo API, run the following command:
    cuckoo api

The output contains the link to the Cuckoo web server, which you can use to access the web interface. Generally it is ‘localhost:8000’.

Location of Cuckoo script

Issue: I got an error while running cuckoo web in CMD (python can’t open cuckoo). In the Scripts folder inside the Python installation directory (“C:\Python27\Scripts”) you will find cuckoo.exe and cuckoo-script.py. The video says to make a copy of cuckoo.exe and rename it to cuckoo (without the extension). In my case that still gave an error; I did the same with the cuckoo-script.py file and it worked. Run the ‘cuckoo web’ command again to start the web server.


6 thoughts on “Installation of Cuckoo Sandbox in Windows 10”

  1. Hi Sanjay Saha,

    Thanks a lot for your post, it was very helpful.
    Regarding the issues with the installation of XAMPP (MySQL error):
    I solved it by changing the connection port of the MySQL installed on Windows, as commented by “Jim Turnbull misterjaytee” at https://github.com/Microsoft/WSL/issues/2113.
    ———————————————————-
    For other people who may stumble across this, here’s my scenario.

    WSL with MySQL installed, had two problems:

    Home directory warning
    Service would fail to start

    The first issue is easy to sort – change the directory for the mysql user:
    sudo usermod -d /var/lib/mysql/ mysql

    For the second issue, if you’re like me and you have a development environment setup under Windows, you may have MySql installed and running under Windows. Because the networking is shared between Windows and WSL, the two instances of MySql cannot both have the default port settings (3306). In my case, I changed the Windows running version of MySql to use port 3308, and then I could run the WSL version no problem:
    sudo service mysql start
    ——————————————
    I hope it could be helpful.
    Regards, Alexandre from Brazil.

  2. The same way I dealt with apache2 start error.

    I’ve changed the default port from 80 to 8090 in /etc/apache2/ports.conf:
    ———–

    #Listen 80
    Listen 8090
    —————

  3. I faced an error while running cuckoo web in CMD (python can’t open cuckoo). I don’t have a cuckoo-script.py or cuckoo.exe file. How can I get those files?

  4. I always met the problem:
    CRITICAL: CuckooDatabaseError: Unable to create or connect to database: (_mysql_exceptions.OperationalError) (1251, ‘Client does not support authentication protocol requested by server; consider upgrading MySQL client’)
    (Background on this error at: http://sqlalche.me/e/e3q8)

    Then I used the following to update the client:
    sudo apt-get upgrade mysql-client

    It was fixed first, then I would meet the problem:
    [cuckoo] CRITICAL: CuckooDatabaseError: Unable to create or connect to database: (_mysql_exceptions.OperationalError) (2003, “Can’t connect to MySQL server on ‘localhost’ (10061)”)

    I tried to modify the localhost to 127.0.0.1. It would report the first error then.

    I have no idea what it is going on. Any idea will be appreciated.

  5. I’m having problems with tcpdump, installation is fine but the problem happens when you try to analyze any malware…

    File “/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py”, line 163, in stop
    module.stop()
    File “/usr/local/lib/python2.7/dist-packages/cuckoo/auxiliary/sniffer.py”, line 156, in stop
    (out, err, faq(“permission-denied-for-tcpdump”))

    hopefully, you guys can help me xoxo
