
Credit where credit is due: the bulk of this article was obtained from the excellent article located here: http://www.xors.me/?p=4458
I found the original article and then modified it to fit my operating system and environment. It has been modified to work with a Backtrack Linux installation using the native virtualbox-4.1 package.
Background
To provide some background, Cuckoo Sandbox performs automated malware analysis using system virtualization technologies. At a high level, Cuckoo executes Python scripts, which then spawn a VirtualBox virtual machine (VM) running a Guest OS (i.e. Windows XP) to execute and analyze malware in a controlled environment. Once the Guest OS launches, VirtualBox uses local shares to access Python scripts located on the Host OS (i.e. Ubuntu/Backtrack). Python therefore needs to be installed on both the Guest and Host OS for this product to work. Within the Guest OS, you will also need vulnerable applications to help analyze code, by forcing execution of a malware binary or a malicious URL. As the installation documentation provided with Cuckoo Sandbox is missing a few requirements, this post will show how to perform a functional install of Cuckoo Sandbox.
A link to the original video is below in avi format.
cuckoo sandbox working under a normal user account
System Requirements:
Backtrack 5 (64Bit) Desktop fully up to date w/ 4 CPU, 16GB Memory, and 1TB Partition
- Install Backtrack to hard disk
- Open a terminal of your choice; I always set my default to terminator.
- Upgrade all your Ubuntu packages
# apt-get update
# apt-get upgrade
- Install Python packages (I already had these installed)
# apt-get install python python-magic python-dpkt python-mako
- We also need ssdeep and pyssdeep:
$ wget http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.8/ssdeep-2.8.tar.gz
$ tar xzfvp ssdeep-2.8.tar.gz
$ cd ssdeep-2.8/
$ svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
$ ./configure
$ make
$ sudo make install
$ cd pyssdeep
$ make
$ make install
python setup.py build
running build
running build_ext
python setup.py install
running install
running build
running build_ext
running install_lib
copying build/lib.linux-x86_64-2.6/ssdeepmodule.so -> /usr/local/lib/python2.6/dist-packages
running install_egg_info
Writing /usr/local/lib/python2.6/dist-packages/ssdeep-2.0_0.1.egg-info
$ sudo ldconfig
- Install tcpdump (Backtrack already has this, so you may not need it; check with "which tcpdump" that the path you pass to setcap is the tcpdump binary Cuckoo will actually run)
# apt-get install tcpdump
# setcap cap_net_raw,cap_net_admin=eip /usr/local/sbin/tcpdump
- Install git to download from repositories and change to the /opt directory
# apt-get install git
# cd /opt
- Install Cuckoo Sandbox
# git clone git://github.com/cuckoobox/cuckoo.git
- Install Oracle VirtualBox (I used the version from the default Backtrack repositories)
- VirtualBox gets installed to /usr/local/virtualbox
# apt-get install virtualbox-4.1
- Install Oracle VirtualBox (SDK) (updated with the revision correct at the time this was written)
# wget http://download.virtualbox.org/virtualbox/4.1.18/VirtualBoxSDK-4.1.18-78361.zip
# unzip VirtualBoxSDK-4.1.18-78361.zip
# cd /opt/sdk/installer
# export VBOX_INSTALL_PATH=/usr/local/virtualbox
# python vboxapisetup.py install
- Archive the existing SDK files
- Move the new SDK files into the VirtualBox install directory
# tar czfvp /root/virtualbox-sdk-default.tar.gz /usr/local/virtualbox/sdk
# mv sdk /usr/local/virtualbox/sdk
- Modify Cuckoo Configuration File
# cd /opt/cuckoo/conf
# vi cuckoo.conf
- Make sure the sniffer is enabled / on in the cuckoo.conf file
sniffer = on
- Find the virtual machines section
[VirtualMachines]
# List virtual machines IDs separated by commas.
enabled = cuckoo1
# Make sure the 'username' and 'password' match the default logged-in user in the Guest OS
# Leave the 'share' section alone, as this is where the Host OS scripts will be stored to share with the Guest OS
[cuckoo1]
name = cuckoo1
username = myWindowsUsername
password = myWindowsPassword
# Please notice that the shared folder name must coincide with the current
# virtual machine id, which is the name you assigned between the square
# brackets (e.g. [cuckoo1]).
share = shares/cuckoo1
Install the Guest OS
I basically took a VM I already had that I knew was clean, "WinXPPro", and cloned it to cuckoo1 in my default ~/VirtualBox VMs folder.
Make sure you create a VM named 'cuckoo1' running Windows XP (SP3) or Windows 7; for Windows XP use 256 MB of memory, for Windows 7 use 1024 MB. For the hard drive (HD) parameters, select 'fixed storage' for better performance. The HD storage space will depend on what you want to install, meaning the 'vulnerable' applications to use (i.e. MS Office, Adobe Reader, etc.).
Please note: make sure you create or change your default user account in Windows to match what we configured in the cuckoo.conf file, and change the user account password to match the .conf file as well.
Install Python In Guest OS
- Download Python 2.7 for Guest OS and let it install into the default location C:\Python2.7\
http://www.python.org/getit/releases/2.7/
- Disable Guest OS Firewall
- Go to the Network Adapter Advanced Settings and disable the running Guest OS Windows Firewall
- Install Oracle VM VirtualBox Guest Additions
- Select Devices/Install Guest Additions… (Reboot of OS is required)
Configuring Virtual Machine for Cuckoo Sandbox
- Enable Network .PCAP Dump
$ sudo mkdir -p /opt/cuckoo/shares/cuckoo1
$ VBoxManage controlvm cuckoo1 poweroff
$ VBoxManage modifyvm cuckoo1 --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo1/dump.pcap
- Creating Guest OS Shared Folders (to obtain Host OS Python scripts access used by Cuckoo)
$ VBoxManage sharedfolder add cuckoo1 --name setup --hostpath /opt/cuckoo/shares/setup
$ VBoxManage sharedfolder add cuckoo1 --name cuckoo1 --hostpath /opt/cuckoo/shares/cuckoo1
Installing Guest OS Vulnerable Applications
- Start the virtual machine
$ VBoxManage startvm cuckoo1
Waiting for VM "cuckoo1" to power on...
VBoxManage: error: Netsniffer cannot open '/opt/cuckoo/shares/cuckoo1/dump.pcap' for writing. The directory must exist and it must be writable for the current user (VERR_ACCESS_DENIED)
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component Console, interface IConsole, callee
The above error is because I want to run this as a normal user and not root; it just seems scary to be analyzing malware as root. So I created my VirtualBox image as a normal user, while the share directory above was created by root via sudo. The fix is easy though.
$ ls -la /opt/cuckoo/shares/cuckoo1/dump.pcap
ls: cannot access /opt/cuckoo/shares/cuckoo1/dump.pcap: No such file or directory
$ ls -la /opt/cuckoo/shares/cuckoo1
total 8
drwxr-xr-x 2 root root 4096 2012-07-12 21:01 .
drwxr-xr-x 4 root root 4096 2012-07-12 21:01 ..
$ sudo chown -R MY_USERNAME /opt/cuckoo/shares/cuckoo1
$ VBoxManage startvm cuckoo1
Waiting for VM "cuckoo1" to power on...
VM "cuckoo1" has been successfully started.
Next you can download old versions of applications from http://www.oldapps.com and install them into the Guest OS. You will also want to verify the shares are working in the Guest OS. So click Start, Run, and type:
\\vboxsvr
You should see two shares
- \\vboxsvr\setup
- \\vboxsvr\cuckoo1
Please note: connecting to the shares is important. Do not forget this step; otherwise Cuckoo will quickly close the VM afterwards without analyzing any code.
Verify Guest OS is ready for malware analysis
- Reboot the Guest OS
- Log in and leave it running for 5 to 10 minutes.
- Make sure:
- All OS or application updates are disabled.
- All applications are launched at least once, to accept default licensing agreements.
- The Guest OS firewall is disabled.
- Once you are satisfied that nothing unwanted will pop up or prompt you during the malware analysis stage, continue to the next step.
- Create a Guest OS Clean Snapshot
$ VBoxManage snapshot cuckoo1 take baseImage --pause
$ VBoxManage controlvm cuckoo1 poweroff
$ VBoxManage snapshot cuckoo1 restorecurrent
- Testing Cuckoo Sandbox (for the First Time)
$ cd /opt/cuckoo
$ ./cuckoo.py
[Cuckoo ASCII-art banner]
Cuckoo Sandbox v0.3.3-dev
www.cuckoobox.org
Copyright (c) 2010-2012
ERROR: Unable to create folder "log": [Errno 13] Permission denied: 'log'
The fix for the unable to create folder log was easy:
$ cd /opt
$ sudo chown -R MY_USERNAME cuckoo
Make sure you replace MY_USERNAME with whatever your login username is for your install. The next time we run cuckoo, all is fine now:
$ ./cuckoo.py
[Cuckoo ASCII-art banner]
Cuckoo Sandbox v0.3.3-dev
www.cuckoobox.org
Copyright (c) 2010-2012
[2012-07-12 22:04:30,322] [Core.Init] INFO: Started.
[2012-07-12 22:04:30,644] [Core.VirtualBox.Check] INFO: Your VirtualBox version is: "4.1.18", good!
[2012-07-12 22:04:30,644] [Core.Init] INFO: Populating virtual machines pool...
[2012-07-12 22:04:31,159] [Core.VirtualBox.Restore] INFO: Virtual machine "cuckoo1" successfully restored to current snapshot.
[2012-07-12 22:04:31,660] [Core.VirtualBox.Infos] INFO: Virtual machine "cuckoo1" information:
[2012-07-12 22:04:31,660] [Core.VirtualBox.Infos] INFO: \_| Name: cuckoo1
[2012-07-12 22:04:31,661] [Core.VirtualBox.Infos] INFO: | ID: e562a96e-9b5e-4d4f-866d-a9700345ef3c
[2012-07-12 22:04:31,661] [Core.VirtualBox.Infos] INFO: | OS Type: WindowsXP
[2012-07-12 22:04:31,661] [Core.VirtualBox.Infos] INFO: | VRAM Size: 16 MB
[2012-07-12 22:04:31,662] [Core.VirtualBox.Infos] INFO: | CPU Count: 1 Core/s
[2012-07-12 22:04:31,662] [Core.VirtualBox.Infos] INFO: | Memory Size: 4096 MB
[2012-07-12 22:04:31,662] [Core.VirtualBox.Infos] INFO: | State: Saved
[2012-07-12 22:04:31,663] [Core.VirtualBox.Infos] INFO: | Current Snapshot: "baseImage"
[2012-07-12 22:04:31,663] [Core.VirtualBox.Infos] INFO: | MAC Address: 08:00:27:8F:7E:69
[2012-07-12 22:04:31,663] [Core.Init] INFO: 1 virtual machine/s added to pool.
[2012-07-12 22:04:31,859] [Core.CuckooDatabase] INFO: Generated database "db/cuckoo.db" which didn't exist before.
Testing Cuckoo Sandbox w/ Malware
- Open a new Terminal (Ctrl-Alt-T)
- change to the /opt/cuckoo directory
$ cd /opt/cuckoo
Cuckoo Sandbox Submission Utility
There are numerous ways to submit samples to cuckoo for analysis. The following are some examples:
Submit a local binary
$ ./submit.py /path/to/binary
Submit a local binary and specify a higher priority
$ ./submit.py /path/to/binary --priority 5
Submit a local binary and specify a custom analysis timeout of 60 seconds
$ ./submit.py /path/to/binary --timeout 60
Submit a local binary and specify a custom analysis package
$ ./submit.py /path/to/binary --package <name of package>
Submit a URL to be downloaded locally and analyzed
$ ./submit.py --download http://www.website.tld/file.exe
Submit a URL to be analyzed within Internet Explorer
$ ./submit.py --url http://maliciousurl.tld/exploit.php
Submit a local binary to be run on virtual machine cuckoo1
$ ./submit.py /path/to/binary --machine cuckoo1
So I submitted a URL in one terminal; below is the command along with the results:
$ ./submit.py --url http://maliciousurl.tld/exploit.php
[2012-07-12 22:41:22,563] [Core.Dispatcher] INFO: Acquired analysis task for target "/tmp/9392e29d9a6ca8733a657dad9eccb21b.url".
[2012-07-12 22:41:22,720] (Task #4) [Core.Analysis.Run] INFO: Acquired virtual machine "cuckoo1".
[2012-07-12 22:41:22,723] [Core.Sniffer.Start] INFO: Sniffer started monitoring 08:00:27:8F:7E:69.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1515 bytes
[2012-07-12 22:41:23,176] [Core.VirtualBox.Restore] INFO: Virtual machine "cuckoo1" successfully restored to current snapshot.
[2012-07-12 22:41:27,302] [Core.VirtualBox.Start] INFO: Virtual machine "cuckoo1" starting in "gui" mode.
[2012-07-12 22:41:27,345] [Core.VirtualBox.Execute] INFO: Cuckoo analyzer running with PID 1 on virtual machine "cuckoo1".
[2012-07-12 22:41:27,494] [Core.VirtualBox.Execute] INFO: Cuckoo analyzer exited with code 0 on virtual machine "cuckoo1".
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[2012-07-12 22:41:27,494] [Core.Sniffer.Stop] INFO: Sniffer stopped monitoring 08:00:27:8F:7E:69.
[2012-07-12 22:41:27,495] (Task #4) [Core.Analysis.SaveResults] INFO: Analysis results successfully saved to "analysis/4".
[2012-07-12 22:41:27,676] (Task #4) [Core.Analysis.Processing] INFO: Analysis results processor started with PID "7556".
[2012-07-12 22:41:27,699] [Processor] INFO: Post-analysis processing started.
[2012-07-12 22:41:27,699] [Processor] INFO: Starting processing of results at path "analysis/4".
[2012-07-12 22:41:27,805] [Processing.Processes] ERROR: Analysis results folder does not exist at path "analysis/4/logs".
[2012-07-12 22:41:28,017] [Processor] INFO: Post-analysis processing completed.
[2012-07-12 22:41:28,105] [Core.VirtualBox.Stop] INFO: Virtual machine "cuckoo1" powered off successfully.
[2012-07-12 22:41:28,106] (Task #4) [Core.Analysis.FreeVM] INFO: Virtual machine "cuckoo1" released.
[2012-07-12 22:41:28,106] (Task #4) [Core.Analysis.Run] INFO: Analyis completed.
Some Additional Tips
If the VM closes very quickly after spawning, it is the result of one of the following:
- Guest OS username or password does not match what is in the cuckoo.conf file.
- You did not manually connect to the \\vboxsvr\setup and \\vboxsvr\cuckoo1 shares, to cache the session.
- Your \\vboxsvr shares are not mapped to the proper Host OS (ie. /opt/cuckoo/shares) paths.
- Something is not correct when you enabled your .pcap dump file.
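A preflight check for the wiring described in the configuration steps above and in this list of failure causes; this is an added example, not code from the article or from Cuckoo itself. It parses the cuckoo.conf machine section and the output of "VBoxManage showvminfo cuckoo1 --machinereadable" (captured to a file, or fed in by hand). The showvminfo key names are an assumption based on VirtualBox 4.1, and both sample inputs below are constructed.

```python
import configparser
import os
import re

# Constructed sample of the [VirtualMachines] part of cuckoo.conf, using the
# values the article configures.
SAMPLE_CONF = """
[VirtualMachines]
enabled = cuckoo1

[cuckoo1]
name = cuckoo1
username = myWindowsUsername
password = myWindowsPassword
share = shares/cuckoo1
"""

# Constructed sample of `VBoxManage showvminfo cuckoo1 --machinereadable`.
# The key names (nictrace1, nictracefile1, SharedFolder*MachineMappingN,
# CurrentSnapshotName) are an assumption about VirtualBox 4.1's output.
SAMPLE_VMINFO = """
name="cuckoo1"
VMState="saved"
nictrace1="on"
nictracefile1="/opt/cuckoo/shares/cuckoo1/dump.pcap"
SharedFolderNameMachineMapping1="setup"
SharedFolderPathMachineMapping1="/opt/cuckoo/shares/setup"
SharedFolderNameMachineMapping2="cuckoo1"
SharedFolderPathMachineMapping2="/opt/cuckoo/shares/cuckoo1"
CurrentSnapshotName="baseImage"
"""

KV_RE = re.compile(r'^([A-Za-z0-9_]+)=(?:"(.*)"|(.*))$')
SHARE_RE = re.compile(r"^SharedFolder(Name|Path)MachineMapping(\d+)$")


def parse_vminfo(text):
    """Turn machine-readable showvminfo lines into a dict. Shared folders are
    paired up by their mapping index into info['shares'] = {name: hostpath}."""
    info, names, paths = {"shares": {}}, {}, {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if not m:
            continue
        key = m.group(1)
        val = m.group(2) if m.group(2) is not None else m.group(3)
        sm = SHARE_RE.match(key)
        if sm:
            (names if sm.group(1) == "Name" else paths)[sm.group(2)] = val
        else:
            info[key] = val
    for idx, name in names.items():
        info["shares"][name] = paths.get(idx)
    return info


def preflight(conf_text, vminfo_text, cuckoo_root="/opt/cuckoo",
              dir_writable=lambda p: os.access(p, os.W_OK)):
    """Return a list of problems found; an empty list means the machine is wired
    up the way the article expects. dir_writable is injectable so the checks can
    run against sample data without touching the real filesystem."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    vm = parse_vminfo(vminfo_text)
    problems = []
    for vm_id in [v.strip() for v in cfg.get("VirtualMachines", "enabled").split(",")]:
        if not cfg.has_section(vm_id):
            problems.append("%s: enabled but has no [%s] section" % (vm_id, vm_id))
            continue
        if cfg.get(vm_id, "name") != vm.get("name"):
            problems.append("%s: 'name' does not match the VirtualBox VM name" % vm_id)
        if not cfg.get(vm_id, "username") or not cfg.get(vm_id, "password"):
            problems.append("%s: username/password empty; they must match the guest account" % vm_id)
        # The share Cuckoo uses must be exported to the guest under the VM id,
        # pointing at the same directory below the Cuckoo root.
        expected = os.path.join(cuckoo_root, cfg.get(vm_id, "share"))
        if vm["shares"].get(vm_id) != expected:
            problems.append("%s: shared folder '%s' is not mapped to %s" % (vm_id, vm_id, expected))
        if "setup" not in vm["shares"]:
            problems.append("%s: 'setup' shared folder is missing" % vm_id)
        # Network dump: nictrace must be on and the pcap directory writable by the
        # user running cuckoo.py, otherwise startvm fails with VERR_ACCESS_DENIED.
        if vm.get("nictrace1") != "on":
            problems.append("%s: nictrace1 is off; enable it with modifyvm --nictrace1 on" % vm_id)
        pcap = vm.get("nictracefile1", "")
        if not pcap or not dir_writable(os.path.dirname(pcap)):
            problems.append("%s: pcap directory %r is not writable by this user" % (vm_id, os.path.dirname(pcap)))
        if not vm.get("CurrentSnapshotName"):
            problems.append("%s: no snapshot; take one before the first run" % vm_id)
    return problems


if __name__ == "__main__":
    # Against real files: preflight(open(conf).read(), open(vminfo).read())
    for p in preflight(SAMPLE_CONF, SAMPLE_VMINFO):
        print("PROBLEM:", p)
```

The guest-side causes (the Windows password and the cached \\vboxsvr session) cannot be checked from the host, so this only covers the host-side wiring.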
You can also enable debug logging to help you out:
# vi /opt/cuckoo/conf/cuckoo.conf
[Logging]
# Enable/Disable additional debugging messages. This messages won’t wrote to
# log file but just printed on screen. [on/off]
debug = on
Error: Analysis results folder does not exist at path "analysis/{some number}/logs"
Someone pointed out that even my own output above contains the error: Analysis results folder does not exist at path "analysis/{some number}/logs".
If you make changes to the Guest VM, you need to save the state over again; otherwise it will simply be restored to the state it was in when you first issued the command "VBoxManage snapshot cuckoo1 take baseImage --pause". I created this document before having a working copy and forgot to modify it after it was working. Basically my user in the Guest OS did not have a password, but I had a password in the cuckoo.conf file for the user. You will get the above error if you change or create a new password for the user defined in the cuckoo.conf file, or if the password is incorrect. The fix is really simple:
# start the vm
# Go to Control Panel - Users - Select Your Username
# Create Password
# enter the password
# Select OK and close any open windows until back at the desktop
# leave the vm running
# Now issue these commands in the following order:
$ VBoxManage snapshot cuckoo1 take baseImage --pause
$ VBoxManage controlvm cuckoo1 poweroff
$ VBoxManage snapshot cuckoo1 restorecurrent
$ VBoxManage controlvm cuckoo1 poweroff
After you do the above, simply power on the virtual machine and make sure you get a password prompt. Make sure the password you enter matches the one in the cuckoo.conf file.
Another cause of the above error message is simply having submitted a faulty/corrupt malware sample. To prove my set-up is in fact working, here are some screenshots of an analysis (I don't want to post all 50 pages as images, so just the first few):
$ lynx reports/report.html
Cuckoo Sandbox Malware Results
All the results are kept in the /opt/cuckoo/analysis directory. You can also spawn the Cuckoo Sandbox Web Analyzer, which is very pretty:
# cd /opt/cuckoo
# ./web.pl
Now launch Firefox in Ubuntu and go to http://127.0.0.1:8080
You can also do like I did and just launch lynx:
$ lynx /opt/cuckoo/analysis/1/reports/report.html
Hi
Working through this config. I have a problem with the cuckoo.conf. The .conf file as included in the latest 0.5 cuckoo build does not have a [Virtual Machines] section..
It's just that this article implies it will already be there, just to be edited.
hope you can help.
henry
This is what I have for mine….
Hi
Thanks much for getting back to me.
I will follow the same syntax and layout and give it a try again!
Regards
Henry
Not a problem at all. I haven't updated to the latest version yet, so let me know if it doesn't work and I will update so I can see where the problem is.
Hi
As a matter of interest, below is the contents of the new 0.5 version cuckoo.conf file. I'm getting "CuckooCriticalError: Configured machine cuckoo1 was not detected or its not in proper state". I would bet it's down to the conf file. The section "[Virtual Machines]" the article mentions is not present…
” [cuckoo]
# Enable or disable startup version check. When enabled, Cuckoo will connect
# to a remote location to verify whether the running version is the latest
# one available.
version_check = on
# If turned on, Cuckoo will delete the original file and will just store a
# copy in the local binaries repository.
delete_original = off
# Specify the name of the machine manager module to use, this module will
# define the interaction between Cuckoo and your virtualization software
# of choice.
machine_manager = virtualbox
# Enable creation of memory dump of the analysis machine before shutting
# down. Even if turned off, this functionality can also be enabled at
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = off
[processing]
# Set the maximum size of analysis’s generated files to process.
# This is used to avoid the processing of big files which can bring memory leak.
# The value is expressed in bytes, by default 100Mb.
analysis_size_limit = 104857600
# Enable or disable DNS lookups.
resolve_dns = on
[database]
# Specify the database connection string.
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:5432/mydatabase
# mysql://foo:bar@localhost/mydatabase
# If empty, default is a SQLite in db/cuckoo.db.
connection =
# Database connection timeout in seconds.
# If empty, default is set to 60 seconds.
timeout =
[timeouts]
# Set the default analysis timeout expressed in seconds. This value will be
# used to define after how many seconds the analysis will terminate unless
# otherwise specified at submission.
default = 120
# Set the critical timeout expressed in seconds. After this timeout is hit
# Cuckoo will consider the analysis failed and it will shutdown the machine
# no matter what. When this happens the analysis results will most likely
# be lost. Make sure to have a critical timeout greater than the
# default timeout.
critical = 600
# Maximum time to wait for virtual machine status change. For example when
# shutting down a vm. Default is 300 seconds.
vm_state = 300
[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes
# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
tcpdump = /usr/sbin/tcpdump
# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
interface = vboxnet0
[graylog]
# Enable or disable remote logging to a Graylog2 server.
enabled = no
# Graylog2 server host.
host = localhost
# Graylog2 server port.
port = 12201
# Default logging level for Graylog2. [debug/info/error/critical].
level = error
”
I will keep it simple and try set up a single machine called cuckoo1 using some of your conf file lines.
Regards
Henry
Did you ever find a resolution for this error? I am coming across the same error.
Jeremy
Hi again. Looking at this further, it appears considerably different; perhaps I should have installed the article version (0.3.3-dev) first! There is a virtualbox.conf where the user configures the virtual machine(s), as opposed to in the cuckoo.conf.
Maybe I've bitten off more than I bargained for..
Henry
Hi, I'm trying to install Cuckoo sandbox following your instructions, but I'm trying it on Ubuntu 12.04.
When I try ./submit.py --url http://maliciousurl.tld/exploit.php, I get this error:
[2013-02-20 06:58:05,883] [Core.Init] INFO: Started.
[2013-02-20 06:58:05,929] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.2.0”, good!
[2013-02-20 06:58:05,930] [Core.Init] INFO: Populating virtual machines pool…
[2013-02-20 06:58:06,424] [VirtualMachine.Restore] INFO: Virtual machine “cuckoo1” successfully restored to current snapshot.
[2013-02-20 06:58:06,432] [VirtualMachine.Infos] INFO: Virtual machine “cuckoo1” information:
[2013-02-20 06:58:06,433] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
[2013-02-20 06:58:06,434] [VirtualMachine.Infos] INFO: | ID: ff0ae5e5-702e-4301-bce3-2b70bf9d230a
[2013-02-20 06:58:06,434] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2013-02-20 06:58:06,434] [VirtualMachine.Infos] INFO: | Memory Size: 256 MB
[2013-02-20 06:58:06,435] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2013-02-20 06:58:06,435] [VirtualMachine.Infos] INFO: | State: Saved
[2013-02-20 06:58:06,435] [VirtualMachine.Infos] INFO: | Current Snapshot: ““baseImage””
[2013-02-20 06:58:06,436] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:4C:57:E6
[2013-02-20 06:58:06,436] [Core.Init] INFO: 1 virtual machine/s added to pool.
[2013-02-20 06:58:06,450] [Core.Dispatcher] INFO: Acquired analysis task for target “/tmp/887645fa9577b5fd0501793e016ab245.url”.
[2013-02-20 06:58:06,694] (Task #6) [Core.Analysis.Run] INFO: Acquired virtual machine “cuckoo1”.
[2013-02-20 06:58:06,702] [Sniffer.Start] INFO: Sniffer started monitoring 08:00:27:4C:57:E6.
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 1515 bytes
[2013-02-20 06:58:07,247] [VirtualMachine.Restore] INFO: Virtual machine “cuckoo1” successfully restored to current snapshot.
[2013-02-20 06:58:12,492] [VirtualMachine.Start] INFO: Virtual machine “cuckoo1” starting in “gui” mode.
Exception in thread 6:
Traceback (most recent call last):
File “/usr/lib/python2.7/threading.py”, line 551, in __bootstrap_inner
self.run()
File “./cuckoo.py”, line 524, in run
if not vm.execute(python_path, args):
File “/opt/cuckoo/cuckoo/core/virtualbox.py”, line 355, in execute
exec_flags = VBOX.ExecuteProcessFlag_Hidden #
File “/usr/local/lib/python2.7/dist-packages/vboxapi/VirtualBox_constants.py”, line 1266, in __getattr__
raise AttributeError
AttributeError
any ideas?
i don’t have any clue…
thanks.
I have got the same question as you.
yijiedao@ubuntu:~/software/cuckoo-1$ python cuckoo.py
[Cuckoo ASCII-art banner] v0.3.2
http://www.cuckoobox.org
Copyright (C) 2010-2012
[2013-04-01 18:08:34,308] [Core.Init] INFO: Started.
[2013-04-01 18:08:34,557] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.2.10”, good!
[2013-04-01 18:08:34,558] [Core.Init] INFO: Populating virtual machines pool…
[2013-04-01 18:08:35,324] [VirtualMachine.Restore] INFO: Virtual machine “cuckoo1” successfully restored to current snapshot.
[2013-04-01 18:08:35,331] [VirtualMachine.Infos] INFO: Virtual machine “cuckoo1” information:
[2013-04-01 18:08:35,331] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
[2013-04-01 18:08:35,331] [VirtualMachine.Infos] INFO: | ID: 7802e5d8-fbbc-472e-aa68-db7359ff18ab
[2013-04-01 18:08:35,331] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | Memory Size: 256 MB
[2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | State: Saved
[2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | Current Snapshot: “admin-04-01”
[2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:B9:AF:A9
[2013-04-01 18:08:35,333] [Core.Init] INFO: 1 virtual machine/s added to pool.
[2013-04-01 18:08:35,333] [Core.Dispatcher] INFO: Acquired analysis task for target “/home/yijiedao/software/virus-sample/vir12/vir12-9-29/12-9-29/001gangsir.cn.exe”.
[2013-04-01 18:08:35,696] (Task #4) [Core.Analysis.Run] INFO: Acquired virtual machine “cuckoo1”.
[2013-04-01 18:08:35,723] [Sniffer.Start] INFO: Sniffer started monitoring 08:00:27:B9:AF:A9.
tcpdump: eth0: You don’t have permission to capture on that device
(socket: Operation not permitted)
[2013-04-01 18:08:36,571] [VirtualMachine.Restore] INFO: Virtual machine “cuckoo1” successfully restored to current snapshot.
[2013-04-01 18:08:41,554] [VirtualMachine.Start] INFO: Virtual machine “cuckoo1” starting in “gui” mode.
Exception in thread 4:
Traceback (most recent call last):
File “/usr/lib/python2.7/threading.py”, line 551, in __bootstrap_inner
self.run()
File “cuckoo.py”, line 524, in run
if not vm.execute(python_path, args):
File “/home/yijiedao/software/cuckoo-1/cuckoo/core/virtualbox.py”, line 355, in execute
exec_flags = VBOX.ExecuteProcessFlag_Hidden #
File “/usr/local/lib/python2.7/dist-packages/vboxapi/VirtualBox_constants.py”, line 1266, in __getattr__
raise AttributeError
AttributeError
have you ever solved this problem?
please give me some help
One of the things I noticed is that it says you don't have permissions to capture with tcpdump. I would validate your installation and check permissions.
tcpdump: eth0: You don’t have permission to capture on that device
Also, check the path of your python installation in the virtual machine and make sure it matches the settings.
I have rechecked the installation steps and found that I forgot to set up "tcpdump" properly; right now tcpdump can listen on eth0:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1515 bytes
But the problem I posted is still here bothering me:
Traceback (most recent call last):
File “/usr/lib/python2.7/threading.py”, line 551, in __bootstrap_inner
self.run()
File “cuckoo.py”, line 524, in run
if not vm.execute(python_path, args):
File “/home/yijiedao/software/cuckoo-1/cuckoo/core/virtualbox.py”, line 355, in execute
exec_flags = VBOX.ExecuteProcessFlag_Hidden #
File “/usr/local/lib/python2.7/dist-packages/vboxapi/VirtualBox_constants.py”, line 1266, in __getattr__
raise AttributeError
AttributeError
I installed VirtualBox 4.2.10 for Ubuntu 12.04 LTS on the Ubuntu host, and a Windows XP SP3 guest machine running Cuckoo Sandbox 0.3.2. Python 2.7.3 is installed on the Ubuntu host by default.
I installed python-3.2 myself; do these two versions of Python collide with each other and raise the problem above?
So I uninstalled python-3.2 with the commands:
$ sudo apt-get --purge remove python3.2
$ sudo apt-get autoremove
When running the Cuckoo VM, the problem still comes out.
What should I do? This one has bothered me for almost three days!
I am new to the Cuckoo Sandbox, but I have been following this article for building a sandbox. When I get to the starting of Cuckoo (./cuckoo.py) I get the following error:
[root] CRITICAL: CuckooCriticalError: Unable to bind result server on 192.168.56.1:2042: [Errorno 99] Cannot assign requested address
Is this a VirtualBox related issue?
Is that running as the root user? If I were to guess from the message alone, I would say either a permissions issue or a firewall issue. BTW, I haven't actually used Cuckoo in some time myself, and several people have stated the instructions don't seem to work for the newer versions of Cuckoo.
Was able to get the vboxnet0 worked out. I just needed to add it in VirtualBox; I thought that it was not seeing it, however clicking on the add button in Preferences/Network did the trick. Now the issue is: Configured machine cuckoo1 was not detected or it's not in proper state.
I believe the issue is that it is looking for cuckoo1, I named mine “Cuckoo1x64”. How do I edit this to see “Cuckoo1x64” and not cuckoo1?
No, what you have to do is open the virtual machine and execute cuckoo.py; you won't find this error.
I’m to the point that I am receiving the error: “CuckooCriticalError: Configured machine cuckoo1 was not detected or it’s not in proper state”. I went through the conf and changed all names to “Cuckoo1x64”, does it matter if the name isn’t “cuckoo1”? Does it need to be “cuckoo1” for the sake of the program?
Jeremy
My Cuckoo executes well, but only for some kinds of files. For the rest I am getting the following error. I think there is a problem with the processing modules dropped and targetinfo, but I am not finding it. Can anybody help?
Checking for updates…
Outdated! Cuckoo Sandbox version 1.1 is available now.
2014-07-02 12:31:59,524 [lib.cuckoo.core.scheduler] INFO: Using “virtualbox” machine manager
2014-07-02 12:32:01,210 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2014-07-02 12:32:01,211 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks…
2014-07-02 12:32:51,200 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE “/home/vamz/Downloads/cuckoo_exe/new/TeamViewer_Setup_en.exe” (task=767)
2014-07-02 12:32:51,354 [lib.cuckoo.core.scheduler] INFO: File already exists at “/home/vamz/cuckoo/storage/binaries/183a3f0822d661909bca09997d0d2caee440bfc385a9252185f6adf72b5e12f3”
2014-07-02 12:32:51,418 [lib.cuckoo.core.scheduler] INFO: Task #767: acquired machine WinXPVM1 (label=WinXPVM1)
2014-07-02 12:32:51,452 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 3669 (interface=vboxnet0, host=192.168.56.101, dump path=/home/vamz/cuckoo/storage/analyses/767/dump.pcap)
2014-07-02 12:32:55,770 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=WinXPVM1, ip=192.168.56.101)
2014-07-02 12:35:07,445 [lib.cuckoo.core.guest] INFO: WinXPVM1: analysis completed successfully
2014-07-02 12:35:09,761 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE “/home/vamz/Downloads/cuckoo_exe/new/pars-vpn.exe” (task=768)
2014-07-02 12:35:10,035 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module “Dropped”:
Traceback (most recent call last):
File “/home/vamz/cuckoo/lib/cuckoo/core/plugins.py”, line 183, in process
data = current.run()
File “/home/vamz/cuckoo/modules/processing/dropped.py”, line 23, in run
file_info = File(file_path=file_path).get_all()
File “/home/vamz/cuckoo/lib/cuckoo/common/objects.py”, line 264, in get_all
infos[“yara”] = self.get_yara()
File “/home/vamz/cuckoo/lib/cuckoo/common/objects.py”, line 240, in get_yara
except yara.Error as e:
AttributeError: ‘module’ object has no attribute ‘Error’
Can anyone please reply???