Throughout 2017 we saw malware attacks, and the WannaCry ransomware in particular, dominate the headlines. Many organizations, both private and governmental, had to commit substantial resources to dealing with those incidents. According to the Mid-Year 2017 Cyber Attacks Report published by Check Point Software Technologies Ltd, there are three main categories of malware attack: banking, mobile and ransomware, as described in the picture below:
In line with all of the reports on 2017 malware attack trends, we agree that a malware lab environment is a must. It helps us detect malware activity by analyzing its behaviour in a sandbox environment. One of the methodologies used to understand malicious code is sandboxing (Greamo & Ghosh, 2011). In simple terms, this process comprises the execution of malicious code in a controlled way that allows for direct observation of its effects. In this post, I will show how to build a malware sandbox environment using the open-source sandbox tool Cuckoo.
According to their official website, Cuckoo Sandbox is an advanced, extremely modular, and 100% open source automated malware analysis system with infinite application opportunities. By default it is able to:
- Analyze many different malicious files (executables, office documents, pdf files, emails, etc) as well as malicious websites under Windows, Linux, Mac OS X, and Android virtualized environments.
- Trace API calls and general behavior of the file and distill this into high level information and signatures comprehensible by anyone.
- Dump and analyze network traffic, even when encrypted with SSL/TLS. With native network routing support to drop all traffic or route it through InetSIM, a network interface, or a VPN.
- Perform advanced memory analysis of the infected virtualized system through Volatility as well as on a process memory granularity using YARA.
Topology of the sandbox
According to @warunikaamali's post, a sample diagram of the Cuckoo architecture looks like the figure below:
In my scenario, I used one host (Ubuntu 16.04 LTS) and one guest virtual machine (Windows 7), both running on my VMware Workstation 14. Here is the configuration of both the host and the guest VM:
After installing Ubuntu 16.04 LTS in VMware, let's install the software dependencies for Cuckoo:
- Python Libraries and Databases:
$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig
$ sudo apt-get install mongodb # in order to use the Django-based web interface
$ sudo apt-get install postgresql libpq-dev # in order to use PostgreSQL as the database
- Virtualization software (VirtualBox)
$ echo "deb http://download.virtualbox.org/virtualbox/debian xenial contrib" | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install virtualbox-5.1
$ vboxmanage hostonlyif create # creating vboxnet0 and leaving default IP 192.168.56.1/24
- iptables rules
$ echo '#!/bin/bash' > update_ip_tables.sh
$ echo 'iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT' >> update_ip_tables.sh
$ echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> update_ip_tables.sh
$ echo 'iptables -A POSTROUTING -t nat -j MASQUERADE' >> update_ip_tables.sh
$ echo 'sysctl -w net.ipv4.ip_forward=1' >> update_ip_tables.sh
$ chmod +x ./update_ip_tables.sh
$ sudo ./update_ip_tables.sh
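The script above has two practical weaknesses: it appends the same rules every time it is run (so duplicates pile up after every reboot or re-run), and its MASQUERADE rule has no source match, so it NATs all forwarded traffic rather than only the sandbox subnet. The following is an added example, not code from the original post or from the Cuckoo project, that builds the same rules as argv lists, tests each with `iptables -C` before appending it, and restricts MASQUERADE to the sandbox subnet. The interface names (eth0, vboxnet0) and the subnet are taken from the post and are assumptions about your host; it needs root to actually change the firewall.

```python
"""Idempotent NAT/forwarding setup for the Cuckoo host-only network.

Added example, not part of Cuckoo or of the original post. Builds the
rules as argv lists, checks each with `iptables -C` before `iptables -A`,
and limits MASQUERADE to the sandbox subnet. Defaults assume the post's
interface names and subnet; check yours with `ip link` / `ip addr`.
"""
import subprocess


def build_rules(wan_if="eth0", sandbox_if="vboxnet0", sandbox_net="192.168.56.0/24"):
    """Return (table, chain, rule) tuples; the order matters inside FORWARD."""
    return [
        # new connections from the sandbox out to the uplink
        ("filter", "FORWARD", ["-i", sandbox_if, "-o", wan_if, "-s", sandbox_net,
                               "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]),
        # return traffic for connections that conntrack already knows
        ("filter", "FORWARD", ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED",
                               "-j", "ACCEPT"]),
        # NAT only the sandbox subnet on its way out (the post's rule NATs everything)
        ("nat", "POSTROUTING", ["-s", sandbox_net, "-o", wan_if, "-j", "MASQUERADE"]),
    ]


def iptables_argv(action, table, chain, rule):
    """Compose the iptables command; action is '-C' (check) or '-A' (append)."""
    return ["iptables", "-t", table, action, chain] + rule


def _run(argv):
    """Execute argv and return its exit status (iptables/sysctl need root)."""
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def apply_rules(rules, run=_run):
    """Append every rule that `iptables -C` reports missing; return those added.

    `run` takes an argv list and returns an exit status. It is injectable so
    the decision logic can be exercised without touching the live firewall.
    """
    added = []
    for table, chain, rule in rules:
        # -C exits non-zero when an identical rule is not present
        if run(iptables_argv("-C", table, chain, rule)) != 0:
            if run(iptables_argv("-A", table, chain, rule)) != 0:
                raise RuntimeError("iptables -A failed for %s/%s" % (table, chain))
            added.append((table, chain, rule))
    if run(["sysctl", "-w", "net.ipv4.ip_forward=1"]) != 0:
        raise RuntimeError("could not enable IPv4 forwarding")
    return added


if __name__ == "__main__":
    for entry in apply_rules(build_rules()):
        print("added:", " ".join(iptables_argv("-A", *entry)))
```

Run it as root after `vboxmanage hostonlyif create`; a second run adds nothing because every `-C` check succeeds. Note that `-C` only matches a rule written in exactly the same form, so keep this script as the single place where the rules are defined.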
- Cuckoo’s supporting tools
- Installing SSDEEP/Pydeep for calculating fuzzy hashes.
$ wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.12/ssdeep-2.12.tar.gz
$ tar xvzf ssdeep-2.12.tar.gz
$ cd ssdeep-2.12/
$ ./configure && make && sudo make install
$ git clone https://github.com/kbandla/pydeep
$ cd pydeep
$ python setup.py build
$ sudo python setup.py install
- Installing tcpdump to dump the network activity performed by the malware during execution.
$ sudo apt-get install tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump
$ sudo apt-get install tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
- Installing YARA, which provides a rule-based approach to creating descriptions of malware families based on textual or binary patterns.
$ sudo apt-get install autoconf libtool libjansson-dev libmagic-dev libssl-dev -y
$ wget https://github.com/plusvic/yara/archive/v3.4.0.tar.gz -O yara-3.4.0.tar.gz
$ tar -zxf yara-3.4.0.tar.gz
$ cd yara-3.4.0
$ ./configure --with-crypto --enable-cuckoo --enable-magic
$ sudo make install
$ cd yara-python
$ python setup.py build
$ sudo python setup.py install
- Installing Volatility for doing forensic analysis on memory dumps.
$ pip install openpyxl
$ pip install ujson
$ pip install pycrypto
$ pip install distorm3
$ pip install pytz
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility
$ python setup.py build
$ sudo python setup.py install
- Installing M2Crypto for adding cryptographic support and security to your Python applications.
$ sudo pip install m2crypto==0.24.0
- Install Cuckoo
$ git clone https://github.com/cuckoosandbox/cuckoo
$ cd cuckoo/
$ sudo -H pip install -r requirements.txt
$ cd utils/
$ ./community.py -a -f -w
- Configure Cuckoo
After installing Cuckoo, run it once so that it creates the Cuckoo Working Directory. By default this is /home/user/.cuckoo/, as shown below:
Then go to the "conf" directory to configure several files. Keep comments on their own lines: Cuckoo's loader is built on Python's ConfigParser, which treats a `#` as a comment only at the start of a line, so a value written as `port = 2042 # comment` would not parse as a number.
cuckoo.conf:

[cuckoo]
machinery = virtualbox

[resultserver]
# This is the IP address of the host on the host-only interface
ip = 192.168.56.1
# Leave the default unless you have services running on this port
port = 2042

auxiliary.conf:

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes
# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
# You can check this using the command: whereis tcpdump
tcpdump = /usr/sbin/tcpdump
# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
# The ifconfig command will show you the interface name.
interface = vboxnet0

virtualbox.conf:

[virtualbox]
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
# IP address of the guest
ip = 192.168.56.101
# Name of the snapshot to restore before each analysis
snapshot = snapshot1

memory.conf:

# Volatility configuration
# Basic settings
[basic]
# Profile to avoid wasting time identifying it
guest_profile = Win7SP1x86
# Delete memory dump after volatility processing.
delete_memdump = no

reporting.conf:

[reporthtml]
enabled = yes

[mongodb]
enabled = yes
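A mistake in these fragments does not fail loudly: Cuckoo simply cannot reach the guest or the result server, and the analysis hangs or times out. The following is an added example, not part of Cuckoo or the original post, that loads the two fragments that matter most (cuckoo.conf and virtualbox.conf) with Python's standard-library configparser and reports the mistakes a practitioner most often makes: an inline `# ...` that is kept as part of the value, a non-integer result server port, and a guest IP that is not on the host-only subnet. The fragments embedded in it are constructed copies of the post's values, one with inline comments and one with the comments moved to their own lines; the subnet 192.168.56.0/24 is assumed from the post.

```python
"""Sanity-check Cuckoo cuckoo.conf / virtualbox.conf fragments before the first run.

Added example, not part of Cuckoo. Uses the standard-library configparser
with its defaults ('#' and ';' are comments only at line start), which
reproduces what Cuckoo's ConfigParser-based loader sees.
"""
import configparser
import ipaddress

# Constructed copies of the post's fragments, comments written inline (broken).
CUCKOO_CONF_INLINE = """\
[cuckoo]
machinery = virtualbox

[resultserver]
ip = 192.168.56.1 #This is the IP address of the host
port = 2042 #leave default unless you have services running
"""

VIRTUALBOX_CONF_INLINE = """\
[virtualbox]
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101 # IP address of the guest
snapshot = snapshot1 # name of snapshot
"""

# Same values with every comment on its own line (what Cuckoo expects).
CUCKOO_CONF_FIXED = """\
[cuckoo]
machinery = virtualbox

[resultserver]
# IP address of the host on the host-only interface (vboxnet0)
ip = 192.168.56.1
# leave default unless you have services running on this port
port = 2042
"""

VIRTUALBOX_CONF_FIXED = """\
[virtualbox]
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
# IP address of the guest
ip = 192.168.56.101
# snapshot restored before every analysis
snapshot = snapshot1
"""


def load(text):
    """Parse an INI fragment with default comment handling."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def on_subnet(addr, net):
    """True only for a bare IP address inside net ('1.2.3.4 # x' is rejected)."""
    try:
        return ipaddress.ip_address(addr.strip()) in net
    except ValueError:
        return False


def check_config(cuckoo_conf, virtualbox_conf, host_only_net="192.168.56.0/24"):
    """Return a list of findings; an empty list means the fragments look sane."""
    findings = []
    cuckoo, vbox = load(cuckoo_conf), load(virtualbox_conf)
    net = ipaddress.ip_network(host_only_net)

    # 1. inline comments survive parsing and become part of the value
    for fname, cp in (("cuckoo.conf", cuckoo), ("virtualbox.conf", vbox)):
        for section in cp.sections():
            for key, value in cp.items(section):
                if "#" in value or ";" in value:
                    findings.append("%s [%s] %s: inline comment kept in value %r"
                                    % (fname, section, key, value))

    # 2. result server: integer port, host IP on the host-only subnet
    port = cuckoo.get("resultserver", "port", fallback="")
    if not port.isdigit():
        findings.append("cuckoo.conf [resultserver] port is not an integer: %r" % port)
    host_ip = cuckoo.get("resultserver", "ip", fallback="")
    if not on_subnet(host_ip, net):
        findings.append("cuckoo.conf [resultserver] ip %r is not on %s" % (host_ip, net))

    # 3. each listed machine needs a section, a guest IP on the subnet and a snapshot
    listed = [m.strip() for m in vbox.get("virtualbox", "machines", fallback="").split(",")
              if m.strip()]
    for machine in listed:
        if not vbox.has_section(machine):
            findings.append("virtualbox.conf: machine %r listed but has no [%s] section"
                            % (machine, machine))
            continue
        guest_ip = vbox.get(machine, "ip", fallback="")
        if not on_subnet(guest_ip, net):
            findings.append("virtualbox.conf [%s] ip %r is not on %s" % (machine, guest_ip, net))
        elif guest_ip.strip() == host_ip.strip():
            findings.append("virtualbox.conf [%s] ip collides with the resultserver ip" % machine)
        if not vbox.get(machine, "snapshot", fallback="").strip():
            findings.append("virtualbox.conf [%s] has no snapshot to restore" % machine)
    return findings


if __name__ == "__main__":
    for label, pair in (("inline comments", (CUCKOO_CONF_INLINE, VIRTUALBOX_CONF_INLINE)),
                        ("fixed", (CUCKOO_CONF_FIXED, VIRTUALBOX_CONF_FIXED))):
        result = check_config(*pair)
        print("%s: %d finding(s)" % (label, len(result)))
        for finding in result:
            print("  -", finding)
```

Run it against the real files by reading them with `open(...).read()` and passing the text in; the inline-comment fragment produces seven findings while the fixed one produces none. The subnet check is what catches the other common failure, a guest whose adapter was left on NAT or bridged instead of host-only.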
Cuckoo Guest-VM (Windows 7):
After installing the Windows 7 operating system on the guest VM, several steps are required so that Cuckoo can analyze samples in it:
- Install Python for Windows: http://python.org/download/
- Install the PIL Python module to create desktop screenshots: http://www.pythonware.com/products/pil/
- Deactivate automatic Windows updates
- Deactivate the local firewall
- Optional: install third-party applications (Office 2003/2007, Acrobat Reader…)
- Copy Cuckoo's agent to C:\Python27\agent.py
- Run the agent using Python
- Set the network adapter to host-only
- Set the IP address to 192.168.56.101 with netmask 255.255.255.0 and the gateway to 192.168.56.1
- Finally, take a snapshot and save it as "snapshot1".
After setting all of that up, we can use the "knife" to analyze malware.
I tried submitting a sample of WannaCry that I obtained from https://github.com/ytisf/theZoo, as shown below.
Then we can check the process behaviour of the malware, as shown below: