During my 5-week lab rotation at NUS under Dr. Wang Wei, I had to run analyses on malware programs, for which I had to install Cuckoo Sandbox. I found very few resources on the internet about installing Cuckoo on Windows 10, hence this post.
As Wikipedia puts it, in computer security a sandbox is a security mechanism for separating running programs. It is often used to execute untested code or untrusted programs from unverified third parties, suppliers, untrusted users, and untrusted websites. Any suspicious file can be thrown at it, and in a matter of minutes Cuckoo will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment.
It is very important to understand how malware programs operate in order to understand the context, the motivations, and the goals of a breach. Cuckoo Sandbox is a software package for analyzing malware programs and gaining insights into their behavior by running them in a guest machine. The major features of this software are as follows:
- Traces of calls performed by all processes spawned by the malware.
- Files being created, deleted and downloaded by the malware during its execution.
- Memory dumps of the malware processes.
- Network traffic trace in PCAP format.
- Screenshots taken during the execution of the malware.
- Full memory dumps of the machines.
Install WSL (Windows Subsystem for Linux) in your Windows 10 OS
Purpose: Install major dependencies using the WSL.
- Check Windows version: You can find this from Settings > System > About. Note the version and type of your system. Your system version should be newer than 1607.
- Enable WSL: Open Windows PowerShell as an Administrator from the Start menu and run the following command:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
- Install Ubuntu: For build 16215 and above, go to Microsoft Store > search ‘Ubuntu’ > Get. For builds below 16215, enable Developer Mode (Settings > Update & Security > For Developers > Developer Mode), then open CMD and type ‘bash’ to install Ubuntu. Set a username and password when asked. Afterwards, to open the Ubuntu shell, type ‘bash’ in Windows CMD.
- Update and upgrade: Type in the following two commands in Ubuntu bash:
sudo apt-get update
sudo apt-get upgrade
Install Dependencies using WSL
Purpose: Cuckoo has many dependencies that work together. Some of them are core dependencies such as apache2, mysql and mongodb, among a few others. If any of the core dependencies fails, Cuckoo stops running.
- LAMP server: Run the following command in Ubuntu bash. Don’t forget the trailing ‘^’ character; apt-get needs it to find the package. Set the MySQL username and password when prompted.
sudo apt-get install lamp-server^
- MongoDB: Run the following command in Ubuntu bash.
sudo apt-get install mongodb
- Start services: Run the following commands in Ubuntu bash.
sudo service apache2 start
sudo service mysql start
sudo service mongodb start
- Check your installation: Open a web browser and type ‘localhost’ in the address bar. You should see the ‘Apache2 Ubuntu Default Page’.
Issue (I faced): After setting up lamp-server, it did not prompt me to set up a username and password for MySQL. After trying many possible ways, I gave up on it and installed XAMPP (standalone in Windows, not in Ubuntu/WSL) and used its MySQL for Cuckoo.
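The dependency check above, as an added example that is not part of the original post or of Cuckoo itself: a small Python pre-flight script that parses the output of `service --status-all` from the WSL shell and reports which of Cuckoo's core services are not running. It can also probe the TCP ports those services listen on, which covers the case where MySQL runs in XAMPP on the Windows host rather than inside WSL. The status output below is constructed, and the service names and port numbers are assumptions about a standard Ubuntu install.

```python
# Added example (not part of the original post or of Cuckoo itself): a
# pre-flight check for the services Cuckoo depends on. It parses the output of
# `service --status-all` as printed by Ubuntu under WSL and can probe the TCP
# ports those services normally listen on.
import re
import socket

# Assumed service names and default ports. MySQL may instead be the XAMPP
# instance on the Windows host, as in the post; the port is the same.
REQUIRED_SERVICES = {"apache2": 80, "mysql": 3306, "mongodb": 27017}

# `service --status-all` prints one line per init script, e.g. " [ + ]  apache2".
_STATUS_LINE = re.compile(r"^\s*\[\s*([+\-?])\s*\]\s+(\S+)\s*$")


def parse_service_status(text):
    """Return {service_name: running?} from `service --status-all` output.
    '+' means running, '-' stopped, '?' unknown (treated as not running)."""
    status = {}
    for line in text.splitlines():
        m = _STATUS_LINE.match(line)
        if m:
            status[m.group(2)] = (m.group(1) == "+")
    return status


def missing_services(status, required=REQUIRED_SERVICES):
    """Sorted names of required services that are absent or not running."""
    return sorted(name for name in required if not status.get(name, False))


def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample output (not captured from a real machine): mongodb is
# installed but stopped, which is exactly what `sudo service mongodb start` fixes.
SAMPLE_STATUS = """\
 [ + ]  apache2
 [ - ]  cron
 [ - ]  mongodb
 [ + ]  mysql
 [ ? ]  networking
"""

if __name__ == "__main__":
    status = parse_service_status(SAMPLE_STATUS)
    for name in missing_services(status):
        print("not running: %s (start it with: sudo service %s start)" % (name, name))
    for name, port in REQUIRED_SERVICES.items():
        state = "open" if tcp_port_open("127.0.0.1", port, 0.5) else "closed"
        print("%-8s port %5d: %s" % (name, port, state))
```

To run it against a live WSL session, replace `SAMPLE_STATUS` with `sys.stdin.read()` and pipe `service --status-all` into the script; if MySQL lives in XAMPP on Windows, the port probe is the check that matters, because the WSL service list will not show it.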
Install Cuckoo in Windows
- Install Python 2.7.x: Cuckoo depends on Python 2.7.x (use the latest 2.7.x release). Install it and add the Python installation directory (e.g. “C:\Python27”) and its ‘Scripts’ directory (“C:\Python27\Scripts”) to the PATH environment variable.
- [Optional] Upgrade pip and setuptools: Run the following command in Windows CMD.
pip install --upgrade pip setuptools
- Install Cuckoo: Run the following command in Windows CMD.
pip install cuckoo
- Install MySQL-Python: Run the following command in Windows CMD.
- Initialize Cuckoo: Run the following command in Windows CMD. It will create a .cuckoo folder in the user directory (e.g. “C:\Users\Sanjay Saha\.cuckoo”). This directory contains all the configuration files (.conf) for running Cuckoo Sandbox.
Issue (I faced): The easy_install command did not work for me, so I had to install
pip install <path-to-whl-file>
In case the command ‘cuckoo’ is unrecognized, you need to add the path to
Setup Virtual Machine
- Installing the virtual machine: Download VirtualBox (from Oracle) and install it. Then install a virtual machine (guest machine/OS) inside it. I installed Windows 7 64-bit as the guest OS. Screenshot of my VirtualBox Manager application:
- Change network settings: Power off the guest machine before changing its network settings. We need to add two networks to the virtual machine: a Host-only network and a NAT network.
To set up a NAT network, go to File > Preferences > Network (tab) > “+” sign > OK. The default setting of this NAT network is good to go.
To set up a Host-only network, go to File > Host Network Manager > Disable DHCP Server (by unchecking checkbox under ‘Enable’) > Close.
Now add the Host-only and the NAT network to the Guest machine. Go to Settings (of the guest machine, yellow wheel icon) > Network > Adapter 1, Adapter 2 (tabs).
Select Host-only Adapter from the drop-down in the Adapter 1 tab and check the ‘Enable Network Adapter’ checkbox.
Select NAT Network from the drop-down in the Adapter 2 tab and check the ‘Enable Network Adapter’ checkbox.
- Setting up the guest machine: Power on the guest machine from VirtualBox Manager. Turn off Windows Firewall in the guest machine. Set a static IP for the Host-only network: go to the network settings of the guest machine, select the adapter for the Host-only network, right-click it, open Properties and change the IP address. Take note of this IP address for later use.
- Check from the host machine: Go back to the host machine and open CMD. Run the following command to check whether the guest machine is responding.
- Install Python 2.7.x and the Pillow module inside the guest machine: Inside the guest machine, install Python 2.7.x as you did in the host machine. Then install Pillow using the following command:
pip install pillow
- agent.py in the VM: From the .cuckoo folder on the host machine, go into the agent folder and copy the agent.py file to the VM (guest machine). Run this agent.py script so that the VM can communicate with the host machine. You are now almost done setting up the virtual machine.
- Take a snapshot of the VM: In the VirtualBox Manager, take a snapshot of the VM and give it a name. I named my snapshot as ‘ready’.
Find the folder which contains all the .conf files (e.g. “C:\Users\Sanjay Saha\.cuckoo\conf”). Now you will need to update the following files.
- Configuring cuckoo.conf: Set the following configuration variables in this file (ip is under the [resultserver] section, connection under [database]):
[resultserver]
ip = <your-host-gateway-ip> # mine is 192.168.56.1
[database]
connection = <your-db-connection> # mysql://root:@localhost/cuckoo
- Configuring auxiliary.conf: Under the [sniffer] section, set the following configuration variables:
[sniffer]
enabled = yes
tcpdump = <path-to-tcpdump> # mine is “C:\tools\tcpdump.exe”
- Configuring reporting.conf: Under the [mongodb] section, set:
[mongodb]
enabled = yes
- Configuring virtualbox.conf: Before configuring this file, you need to have VirtualBox installed with a virtual machine (guest machine/OS) inside it. Now set the following variables with appropriate values; the first two live under the [virtualbox] section and the rest under the guest machine’s own section (named cuckoo1 by default).
[virtualbox]
path = <path-to-VBoxManage> # C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
interface = <name-of-network> # VirtualBox Host-Only Network
[cuckoo1]
label = <label-of-guest-machine> # mine is win7x64
ip = <ip-of-guest-host-only-network> # mine is 192.168.56.104
snapshot = <name-of-snapshot> # mine is ready
interface = <name-of-network-interface> # VirtualBox Host-Only Network
resultserver_ip = <ip-of-host> # 192.168.56.1
- Create a database for Cuckoo: Log in to MySQL and create a database named ‘cuckoo’. I used phpMyAdmin, which came with XAMPP, to create the database.
- Community signatures: Download the community signatures for Cuckoo using the following command in CMD on the host machine.
Issue: I did not have
You can find the name of the network interface for the VM from
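The configuration edits above, as an added example that is not part of the original post or of Cuckoo itself: a Python checker that reads the four .conf files with configparser and flags the mismatches that most often leave Cuckoo unable to reach the guest or receive results (result server IP differing between cuckoo.conf and virtualbox.conf, a guest IP outside the host-only subnet, an empty snapshot name, a sniffer with no tcpdump path, MongoDB reporting left off). The section names are those of Cuckoo 2.x's config files; the /24 host-only netmask and the sample values below are assumptions that mirror the post, with REPLACE_ME standing in for a real MySQL password.

```python
# Added example (not part of the original post or of Cuckoo itself): a
# consistency check over the .conf values edited above. Section names follow
# Cuckoo 2.x; the /24 host-only netmask is an assumption (VirtualBox's default).
import configparser
import ipaddress


def parse_conf(text):
    """Parse the contents of a Cuckoo .conf file (INI format)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_cuckoo_config(cuckoo, virtualbox, auxiliary, reporting, hostonly_prefix=24):
    """Return a list of problem strings; an empty list means the values agree."""
    problems = []
    host_ip = cuckoo.get("resultserver", "ip", fallback="")
    try:
        host_addr = ipaddress.ip_address(host_ip)
    except ValueError:
        problems.append("cuckoo.conf [resultserver] ip is not a valid address: %r" % host_ip)
        host_addr = None
    # A mysql://user:@host URL means an empty database password; flag it.
    conn = cuckoo.get("database", "connection", fallback="")
    if conn.startswith("mysql://") and ":@" in conn:
        problems.append("cuckoo.conf [database] connection uses an empty MySQL password")
    vb_iface = virtualbox.get("virtualbox", "interface", fallback="")
    machines = [m.strip() for m in
                virtualbox.get("virtualbox", "machines", fallback="").split(",") if m.strip()]
    if not machines:
        problems.append("virtualbox.conf [virtualbox] machines lists no guest")
    for name in machines:
        if not virtualbox.has_section(name):
            problems.append("virtualbox.conf has no [%s] section" % name)
            continue
        sec = virtualbox[name]
        if not sec.get("snapshot"):
            problems.append("[%s] snapshot is empty; Cuckoo restores it before each analysis" % name)
        if sec.get("interface", "") != vb_iface:
            problems.append("[%s] interface differs from [virtualbox] interface" % name)
        rs_ip = sec.get("resultserver_ip", "")
        if rs_ip and rs_ip != host_ip:
            problems.append("[%s] resultserver_ip %s != cuckoo.conf [resultserver] ip %s"
                            % (name, rs_ip, host_ip))
        try:
            guest_addr = ipaddress.ip_address(sec.get("ip", ""))
        except ValueError:
            problems.append("[%s] ip is not a valid address" % name)
            continue
        if host_addr is not None:
            net = ipaddress.ip_network("%s/%d" % (host_addr, hostonly_prefix), strict=False)
            if guest_addr == host_addr or guest_addr not in net:
                problems.append("[%s] ip %s is not on the host-only network %s" % (name, guest_addr, net))
    if (auxiliary.getboolean("sniffer", "enabled", fallback=False)
            and not auxiliary.get("sniffer", "tcpdump", fallback="")):
        problems.append("auxiliary.conf [sniffer] is enabled but tcpdump path is empty")
    if not reporting.getboolean("mongodb", "enabled", fallback=False):
        problems.append("reporting.conf [mongodb] enabled is not yes; the web interface needs it")
    return problems


# Constructed samples mirroring the post's values (not real config files);
# REPLACE_ME stands in for the MySQL password.
CUCKOO_CONF = """
[resultserver]
ip = 192.168.56.1
[database]
connection = mysql://cuckoo:REPLACE_ME@localhost/cuckoo
"""
VIRTUALBOX_CONF = """
[virtualbox]
path = C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe
interface = VirtualBox Host-Only Network
machines = cuckoo1
[cuckoo1]
label = win7x64
platform = windows
ip = 192.168.56.104
snapshot = ready
interface = VirtualBox Host-Only Network
resultserver_ip = 192.168.56.1
"""
AUXILIARY_CONF = "[sniffer]\nenabled = yes\ntcpdump = C:\\tools\\tcpdump.exe\n"
REPORTING_CONF = "[mongodb]\nenabled = yes\n"
# A broken variant: empty snapshot and a result server on the wrong subnet.
BROKEN_VIRTUALBOX_CONF = VIRTUALBOX_CONF.replace("snapshot = ready", "snapshot =") \
    .replace("resultserver_ip = 192.168.56.1", "resultserver_ip = 192.168.57.1")

if __name__ == "__main__":
    confs = [parse_conf(c) for c in (CUCKOO_CONF, VIRTUALBOX_CONF, AUXILIARY_CONF, REPORTING_CONF)]
    print("good config:", check_cuckoo_config(*confs) or "no problems")
    confs[1] = parse_conf(BROKEN_VIRTUALBOX_CONF)
    for p in check_cuckoo_config(*confs):
        print("broken config:", p)
```

To check a real installation, read each file from the .cuckoo\conf folder and pass the parsed contents to check_cuckoo_config; the resultserver_ip comparison in particular catches the case where the host-only adapter's address was changed after cuckoo.conf was edited.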
Run CMD from the host machine. Inside the cmd, type in
In another CMD, run cuckoo web server by typing:
If you want to use cuckoo API, you need to type in the following command:
You will find a link to the cuckoo web server which you can use to access the cuckoo web interface. Generally, it should be ‘localhost:8000’.
Issue: I faced an error while running cuckoo web in CMD (python can’t open cuckoo). If you go to the Scripts folder inside the Python installation directory (“C:\Python27\Scripts”) you can find cuckoo.exe and cuckoo-script.py there. The video says to make a copy of cuckoo.exe and rename it as cuckoo (without the extension). In my case, it was still showing an error. I did the same thing with the cuckoo-script.py file and it worked. Run the ‘cuckoo web’ command again to run the web server.