How To Build a Malware Analysis Sandbox Using Cuckoo

Throughout 2017, malware attacks, and the WannaCry ransomware in particular, were headline news. Many organisations, both private and governmental, had to devote substantial resources to handling those incidents. According to the Mid-Year 2017 Cyber Attacks Report published by Check Point Software Technologies Ltd, there are three main categories of malware attack: banking, mobile and ransomware, as shown in the picture below:

In line with all the 2017 reports on malware attack trends, we agree that a malware analysis lab is a must. It helps us detect malware activity by analysing its behaviour in a sandbox environment. One of the methodologies used to understand malicious code is sandboxing (Greamo & Ghosh, 2011). In simple terms, this process comprises the execution of malicious code in a controlled way that allows for direct observation of the effects. In this post, I will show how to build a malware sandbox environment using the open source sandbox tool Cuckoo.

According to its official website, Cuckoo Sandbox is an advanced, extremely modular, and 100% open source automated malware analysis system with infinite application opportunities. By default it is able to:

  1. Analyze many different malicious files (executables, office documents, pdf files, emails, etc) as well as malicious websites under Windows, Linux, Mac OS X, and Android virtualized environments.
  2. Trace API calls and general behavior of the file and distill this into high level information and signatures comprehensible by anyone.
  3. Dump and analyze network traffic, even when encrypted with SSL/TLS, with native network routing support to drop all traffic or route it through INetSim, a network interface, or a VPN.
  4. Perform advanced memory analysis of the infected virtualized system through Volatility as well as on a process memory granularity using YARA.

Topology of the sandbox

According to @warunikaamali's post, a sample diagram of the Cuckoo architecture looks like the figure below:

In my scenario, I used one host (Ubuntu 16.04 LTS) and one guest virtual machine (Windows 7), both running on my VMware Workstation 14. Below is the configuration of both the host and the guest VM:

Cuckoo Host:

After installing Ubuntu 16.04 LTS in VMware, install the software dependencies Cuckoo needs:

  • Python Libraries and Databases:
$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig
$ sudo apt-get install mongodb #In order to use the Django-based Web Interface
$ sudo apt-get install postgresql libpq-dev #In order to use PostgreSQL as database
  • Virtualization software (VirtualBox)
$ echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install virtualbox-5.1
$ vboxmanage hostonlyif create # creating vboxnet0 and leaving default IP 192.168.56.1/24
  • iptables rules (forward and masquerade guest traffic from vboxnet0 out of eth0)
$ echo '#!/bin/bash' > update_ip_tables.sh
$ echo 'iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT' >> update_ip_tables.sh
$ echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> update_ip_tables.sh
$ echo 'iptables -A POSTROUTING -t nat -j MASQUERADE' >> update_ip_tables.sh
$ echo 'sysctl -w net.ipv4.ip_forward=1' >> update_ip_tables.sh
$ chmod +x ./update_ip_tables.sh
$ sudo ./update_ip_tables.sh
  • Cuckoo's supporting tools
  1. Install ssdeep/pydeep to calculate fuzzy hashes.
    $ wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.12/ssdeep-2.12.tar.gz
    $ tar xvzf ssdeep-2.12.tar.gz
    $ cd ssdeep-2.12/
    $ ./configure && make && sudo make install
    $ git clone https://github.com/kbandla/pydeep
    $ cd pydeep
    $ python setup.py build
    $ sudo python setup.py install
  2. Install tcpdump to dump the network activity performed by the malware during execution. AppArmor confinement is disabled for it and it is given the raw-socket capabilities so that Cuckoo can run it without root.
    $ sudo apt-get install tcpdump apparmor-utils
    $ sudo aa-disable /usr/sbin/tcpdump
    $ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
  3. Install YARA, which provides a rule-based approach to describing malware families based on textual or binary patterns.
    $ sudo apt-get install autoconf libtool libjansson-dev libmagic-dev libssl-dev -y
    $ wget https://github.com/plusvic/yara/archive/v3.4.0.tar.gz -O yara-3.4.0.tar.gz
    $ tar -zxf yara-3.4.0.tar.gz
    $ cd yara-3.4.0
    $ ./bootstrap.sh
    $ ./configure --with-crypto --enable-cuckoo --enable-magic
    $ make
    $ sudo make install
    $ cd yara-python
    $ python setup.py build
    $ sudo python setup.py install
  4. Install Volatility for forensic analysis of memory dumps.
    $ pip install openpyxl
    $ pip install ujson
    $ pip install pycrypto
    $ pip install distorm3
    $ pip install pytz
    $ git clone https://github.com/volatilityfoundation/volatility.git
    $ cd volatility
    $ python setup.py build
    $ sudo python setup.py install
  5. Install M2Crypto, which adds cryptographic support to Python applications (Cuckoo uses it for some of its processing modules).
    $ sudo pip install m2crypto==0.24.0
  • Install Cuckoo
    $ git clone https://github.com/cuckoosandbox/cuckoo
    $ cd cuckoo/
    $ sudo -H pip install -r requirements.txt
    $ cd utils/
    $ ./community.py -a -f -w
  • Configure Cuckoo

After installing Cuckoo, run it once so that it creates the Cuckoo Working Directory (CWD). By default this is /home/user/.cuckoo/, as shown below:

Then go to the "conf" directory inside the CWD to configure the following files.

cuckoo.conf

[cuckoo]
machinery = virtualbox

[resultserver]
# This is the IP address of the host on the host-only interface (vboxnet0)
ip = 192.168.56.1
# Leave the default unless another service already uses this port
port = 2042

auxiliary.conf

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes
# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
# You can check this using the command: whereis tcpdump
tcpdump = /usr/sbin/tcpdump
# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
# The ifconfig command will show you the interface name.
interface = vboxnet0

virtualbox.conf

[virtualbox]
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
# IP address of the guest on the host-only network
ip = 192.168.56.101
# Name of the snapshot Cuckoo restores before each analysis
snapshot = snapshot1

memory.conf

# Volatility configuration
# Basic settings
[basic]
# Profile to avoid wasting time identifying it
guest_profile = Win7SP1x86
# Delete memory dump after volatility processing.
delete_memdump = no

reporting.conf

[reporthtml]
enabled = yes
[mongodb]
enabled = yes
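The three host-side files above must agree with each other and with the vboxnet0 interface, and a single mangled header (the page's conf excerpts use values like 192.168.56.1 and snapshot1) silently breaks an analysis run. The following is an added example, not Cuckoo's own code; it assumes the Cuckoo 2.x section and key names shown above and uses constructed conf text carrying this post's values.

```python
# Added example, not Cuckoo's own code: check that cuckoo.conf, auxiliary.conf
# and virtualbox.conf agree with each other and with the vboxnet0 host-only
# network. Section/key names assume Cuckoo 2.x; sample text is constructed.
import configparser
import ipaddress
CUCKOO_CONF = """
[resultserver]
ip = 192.168.56.1
"""
AUXILIARY_CONF = """
[sniffer]
interface = vboxnet0
"""
VIRTUALBOX_CONF = """
[virtualbox]
machines = cuckoo1
[cuckoo1]
ip = 192.168.56.101
snapshot = snapshot1
"""

def _load(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)  # raises configparser.Error on e.g. "resultserver]"
    return cp

def lint_cuckoo(cuckoo_text, aux_text, vbox_text, hostonly="192.168.56.1/24"):
    """Return a list of problems (empty when the three files are consistent)."""
    try:
        cuckoo, aux, vbox = (_load(t) for t in (cuckoo_text, aux_text, vbox_text))
    except configparser.Error as exc:
        return ["parse error: %s" % exc]
    host_if = ipaddress.ip_interface(hostonly)
    problems = []
    if cuckoo.get("resultserver", "ip", fallback="") != str(host_if.ip):
        problems.append("resultserver ip must be the vboxnet0 address %s" % host_if.ip)
    if aux.get("sniffer", "interface", fallback="") != "vboxnet0":
        problems.append("sniffer interface must be vboxnet0 to capture guest traffic")
    for name in vbox.get("virtualbox", "machines", fallback="").split(","):
        name = name.strip()
        try:  # a missing [name] section or a bad address both land here
            ok = ipaddress.ip_address(vbox.get(name, "ip")) in host_if.network
        except (configparser.Error, ValueError):
            ok = False
        if not ok:
            problems.append("%s: guest ip must be inside %s" % (name, host_if.network))
        if not vbox.get(name, "snapshot", fallback=""):
            problems.append("%s: no snapshot named, Cuckoo restores one per run" % name)
    return problems
```

Run it against the real files in ~/.cuckoo/conf by reading them into the three text arguments; an empty list means the guest IP, result server and sniffer all sit on the same host-only network.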

Cuckoo Guest VM (Windows 7):

After installing the Windows 7 operating system on the guest VM, several steps are required so that Cuckoo can analyse samples in it:

  • Install Python for Windows: http://python.org/download/
  • Install the PIL Python module to create desktop screenshots: http://www.pythonware.com/products/pil/
  • Deactivate automatic Windows updates
  • Deactivate the local firewall
  • Optional: install third-party applications (Office 2003/2007, Acrobat Reader…)
  • Copy the Cuckoo agent to C:\Python27\agent.py
  • Run the agent with Python
  • Set the network adapter to host-only
  • Set the IP address to 192.168.56.101 with netmask 255.255.255.0 and gateway 192.168.56.1
  • Finally, take a snapshot and save it as "snapshot1".

After setting up everything above, we can use the "knife" to analyse malware.

I tried submitting a sample of WannaCry that I got from https://github.com/ytisf/theZoo, as shown below.

Then we can check the process behaviour of the malware, as shown below:
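Besides the web interface, the same behaviour is available in the report.json Cuckoo writes for each task. The following is an added example, not Cuckoo's own code; it assumes the Cuckoo 2.x report layout (behavior.processtree, network.hosts, network.dns, signatures) and works on a constructed report, not on output from a real WannaCry run.

```python
# Added example, not Cuckoo's own code: pull the process lineage, contacted
# hosts, DNS lookups and high-severity signatures out of a Cuckoo report.json.
# Field names assume the Cuckoo 2.x report layout; the report is constructed.
import ipaddress
import json

SAMPLE_REPORT = json.loads("""{
  "target": {"file": {"name": "sample.exe"}},
  "behavior": {"processtree": [
    {"pid": 1404, "ppid": 1120, "process_name": "sample.exe", "children": [
      {"pid": 1520, "ppid": 1404, "process_name": "cmd.exe", "children": [
        {"pid": 1588, "ppid": 1520, "process_name": "vssadmin.exe", "children": []}
      ]}
    ]}
  ]},
  "network": {"hosts": ["192.168.56.1", "203.0.113.10"],
              "dns": [{"request": "example.invalid", "type": "A", "answers": []}]},
  "signatures": [
    {"name": "allocates_rwx", "severity": 2, "description": "Allocates RWX memory"},
    {"name": "deletes_shadow_copies", "severity": 3, "description": "Deletes shadow copies"}
  ]
}""")
SANDBOX_NET = ipaddress.ip_network("192.168.56.0/24")  # vboxnet0, not the sample's doing

def flatten_processtree(nodes, depth=0):
    """Depth-first walk of behavior.processtree -> [(depth, pid, name), ...]."""
    rows = []
    for node in nodes:
        rows.append((depth, node["pid"], node["process_name"]))
        rows.extend(flatten_processtree(node.get("children", []), depth + 1))
    return rows

def summarize(report, min_severity=2):
    """Condense a report into the four things an analyst looks at first."""
    net = report.get("network", {})
    sigs = sorted((s for s in report.get("signatures", []) if s["severity"] >= min_severity),
                  key=lambda s: -s["severity"])
    return {
        "processes": flatten_processtree(report["behavior"]["processtree"]),
        "hosts": [h for h in net.get("hosts", []) if ipaddress.ip_address(h) not in SANDBOX_NET],
        "dns": [d["request"] for d in net.get("dns", [])],
        "signatures": [(s["severity"], s["name"]) for s in sigs],
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for depth, pid, name in s["processes"]:
        print("  " * depth + "%s (pid %d)" % (name, pid))
    print("hosts:", s["hosts"], "dns:", s["dns"], "signatures:", s["signatures"])
```

To use it on a real task, replace SAMPLE_REPORT with json.load() of ~/.cuckoo/storage/analyses/<task id>/reports/report.json.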
