Ed Wiget Dot Name

infosec, information security, digital forensics, hacking, system administration, linux blog

Installing cuckoo sandbox in backtrack for malware analysis


Credit where credit is due. The bulk of this article was obtained from the excellent article located here: http://www.xors.me/?p=4458

I found the original article and then modified it to fit my operating system and environment. It has been modified to work with a Backtrack Linux installation using the native virtualbox-4.1 package.

Background

To provide some background, Cuckoo Sandbox performs automated malware analysis using system virtualization technologies. At a high level, Cuckoo executes Python scripts, which then spawn a VirtualBox virtual machine (VM) running a Guest OS (i.e. Windows XP) to execute and analyze malware code in a controlled environment. Once the Guest OS launches, VirtualBox uses local shares to access Python scripts located on the Host OS (i.e. Ubuntu/Backtrack). Python therefore needs to be installed on both the Guest and Host OS environments for this product to work. Within the Guest OS, you will also need vulnerable applications to help analyze code, by forcing execution of the malware binary or malicious URLs. As the installation documentation provided with Cuckoo Sandbox is missing a few requirements, this post will show a user how to perform a functional install of Cuckoo Sandbox.

A link to the original video is below in avi format.

cuckoo sandbox working under a normal user account

System Requirements:
Backtrack 5 (64Bit) Desktop fully up to date w/ 4 CPU, 16GB Memory, and 1TB Partition

  • Install Backtrack to hard disk
  • Open a terminal of your choice, I always set my default to terminator.
  • Upgrade all your Ubuntu packages

[codesyntax lang=”bash”]

# apt-get update
# apt-get upgrade

[/codesyntax]

  • Install Python packages (I already had these installed)

[codesyntax lang=”bash”]

# apt-get install python python-magic python-dpkt python-mako

[/codesyntax]

  • We also need ssdeep and pyssdeep:

[codesyntax lang=”bash”]

$ wget http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.8/ssdeep-2.8.tar.gz
$ tar xzfvp ssdeep-2.8.tar.gz
$ cd ssdeep-2.8/
$ svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
$ ./configure
$ make
$ sudo make install
$ cd pyssdeep
$ make
$ make install
python setup.py build
running build
running build_ext
python setup.py install
running install
running build
running build_ext
running install_lib
copying build/lib.linux-x86_64-2.6/ssdeepmodule.so -> /usr/local/lib/python2.6/dist-packages
running install_egg_info
Writing /usr/local/lib/python2.6/dist-packages/ssdeep-2.0_0.1.egg-info
$ sudo ldconfig

[/codesyntax]

  • Install tcpdump (Backtrack already has this, so you may not need it) and grant it the capabilities it needs to capture without running as root. The path given to setcap must be the same tcpdump path configured in the [Sniffer] section of cuckoo.conf; the apt package installs it as /usr/sbin/tcpdump.

[codesyntax lang=”bash”]

# apt-get install tcpdump
# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

[/codesyntax]

  • Install git to download from repositories and change to /opt directory

[codesyntax lang=”bash”]

# apt-get install git
# cd /opt

[/codesyntax]

  • Install Cuckoo Sandbox

[codesyntax lang=”bash”]

# git clone git://github.com/cuckoobox/cuckoo.git

[/codesyntax]

  • Install Oracle VirtualBox (I used the version from default backtrack)
  • Virtualbox gets installed to /usr/local/virtualbox

[codesyntax lang=”bash”]

# apt-get install virtualbox-4.1

[/codesyntax]

  • Install Oracle VirtualBox (SDK) (updated with the revision correct at the time this was written)

[codesyntax lang=”bash”]

# wget http://download.virtualbox.org/virtualbox/4.1.18/VirtualBoxSDK-4.1.18-78361.zip
# unzip VirtualBoxSDK-4.1.18-78361.zip
# cd /opt/sdk/installer
# export VBOX_INSTALL_PATH=/usr/local/virtualbox 
# python vboxapisetup.py install

[/codesyntax]

  • Archive the existing SDK files
  • Replace the SDK directory in the VirtualBox install directory with the new one (mv into an existing directory would nest it, so the old copy is removed once it has been archived)

[codesyntax lang=”bash”]

# tar czfvp /root/virtualbox-sdk-default.tar.gz /usr/local/virtualbox/sdk
# rm -rf /usr/local/virtualbox/sdk
# mv sdk /usr/local/virtualbox/sdk

[/codesyntax]

  • Modify Cuckoo Configuration File

[codesyntax lang=”bash”]

# cd /opt/cuckoo/conf
# vi cuckoo.conf

[/codesyntax]

  • Make sure the sniffer is enabled / on in the cuckoo.conf file

[codesyntax lang=”bash”]

sniffer = on

[/codesyntax]

  • Find the virtual machines section

[codesyntax lang=”bash”]

[VirtualMachines]
# List virtual machines IDs separated by commas.
enabled = cuckoo1

# Make sure the 'username' and 'password' match the default logged in user in the Guest OS

# Leave the 'share' section alone, as this is where the Host OS scripts will be stored to share with the Guest OS

[cuckoo1]
name = cuckoo1
username = myWindowsUsername
password = myWindowsPassword
# Please notice that the shared folder name must coincide with the current
# virtual machine id, which is the name you assigned between the square
# brackets (e.g. [cuckoo1]).
share = shares/cuckoo1

[/codesyntax]

Install the Guest OS

I basically took a VM I already had that I knew was clean, "WinXPPro", and cloned it to cuckoo1 in my default ~/VirtualBox VMs folder.

Make sure you create a VM named 'cuckoo1' running Windows XP (SP3) or Windows 7; for Windows XP use 256 MB of memory, for Windows 7 use 1024 MB. For the Hard Drive (HD) parameters, select 'fixed storage' for better performance. The HD storage space will depend on what you want to install, meaning the 'vulnerable' applications to use (i.e. MS Office, Adobe Reader, etc.).

Please Note: Make sure you create or change your default user account in Windows to match what we configured in the cuckoo.conf file. Make sure you also change the user account password to reflect what is in the .conf file.

Install Python In Guest OS

  • Download Python 2.7 for the Guest OS and let it install into the default location C:\Python27\

http://www.python.org/getit/releases/2.7/

  • Disable the Guest OS Firewall
  • Go to the Network Adapter Advanced Settings and disable the running Guest OS Windows Firewall
  • Install Oracle VM VirtualBox Guest Additions
  • Select Devices/Install Guest Additions… (a reboot of the Guest OS is required)

Configuring Virtual Machine for Cuckoo Sandbox

  • Enable Network .PCAP Dump

[codesyntax lang=”bash”]

$ sudo mkdir -p /opt/cuckoo/shares/cuckoo1
$ VBoxManage controlvm cuckoo1 poweroff
$ VBoxManage modifyvm cuckoo1 --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo1/dump.pcap

[/codesyntax]

  • Create the Guest OS Shared Folders (so the guest can reach the Host OS Python scripts used by Cuckoo)

[codesyntax lang=”bash”]

$ VBoxManage sharedfolder add cuckoo1 --name setup --hostpath /opt/cuckoo/shares/setup
$ VBoxManage sharedfolder add cuckoo1 --name cuckoo1 --hostpath /opt/cuckoo/shares/cuckoo1

[/codesyntax]

Installing Guest OS Vulnerable Applications

  • Start the virtual machine

[codesyntax lang=”bash”]

$ VBoxManage startvm cuckoo1
Waiting for VM "cuckoo1" to power on...
VBoxManage: error: Netsniffer cannot open '/opt/cuckoo/shares/cuckoo1/dump.pcap' for writing. The directory must exist and it must be writable for the current user (VERR_ACCESS_DENIED)
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component Console, interface IConsole, callee

[/codesyntax]

The above error occurs because I want to run this as a normal user and not root; it just seems scary to be analyzing malware as root. So I created my VirtualBox image as a normal user. The fix is easy though.

[codesyntax lang=”bash”]

$ ls -la /opt/cuckoo/shares/cuckoo1/dump.pcap
ls: cannot access /opt/cuckoo/shares/cuckoo1/dump.pcap: No such file or directory

$ ls -la /opt/cuckoo/shares/cuckoo1
total 8
drwxr-xr-x 2 root root 4096 2012-07-12 21:01 .
drwxr-xr-x 4 root root 4096 2012-07-12 21:01 ..

$ sudo chown -R MY_USERNAME /opt/cuckoo/shares/cuckoo1
$ VBoxManage startvm cuckoo1
Waiting for VM "cuckoo1" to power on...
VM "cuckoo1" has been successfully started.

[/codesyntax]

Next you can download old versions of applications from http://www.oldapps.com and install them into the Guest OS. You will also want to verify the shares are working in the Guest OS. So click Start, Run, and type:

[codesyntax lang=”bash”]

\\vboxsvr

[/codesyntax]

You should see two shares

  • \\vboxsvr\setup
  • \\vboxsvr\cuckoo1

Please Note: connecting to the shares is important. Make sure you do not forget this step, otherwise Cuckoo will quickly close the VM afterwards without analyzing code.

Verify Guest OS is ready for malware analysis

  • Reboot the Guest OS
  • Log in and leave it running for 5 – 10 minutes.
  • Make sure:
    • All OS or application updates are disabled.
    • All applications are launched at least once, to accept default licensing agreements.
    • The Guest OS Firewall is disabled.
    • Nothing unwanted will pop up or prompt you during the malware analysis stage; once you are satisfied, continue to the next step.
  • Create a Guest OS Clean Snapshot

[codesyntax lang=”bash”]

$ VBoxManage snapshot cuckoo1 take baseImage --pause
$ VBoxManage controlvm cuckoo1 poweroff
$ VBoxManage snapshot cuckoo1 restorecurrent

[/codesyntax]

  • Testing Cuckoo Sandbox (for the First Time)

[codesyntax lang=”bash”]

$ cd /opt/cuckoo
$ ./cuckoo.py 

                     _ 
    ____ _   _  ____| |  _ ___   ___
   / ___) | | |/ ___) |_/ ) _ \ / _ \
  ( (___| |_| ( (___|  _ ( |_| | |_| |
   \____)____/ \____)_| \_)___/ \___/

 Cuckoo Sandbox v0.3.3-dev
 www.cuckoobox.org
 Copyright (c) 2010-2012

ERROR: Unable to create folder "log": [Errno 13] Permission denied: 'log'

[/codesyntax]

The fix for the "Unable to create folder log" error was easy:

[codesyntax lang=”bash”]

$ cd /opt
$ sudo chown -R MY_USERNAME cuckoo

[/codesyntax]

Make sure you replace MY_USERNAME with whatever your login username is for your install.  The next time we run cuckoo, all is fine now:

[codesyntax lang=”bash”]

$ ./cuckoo.py 

  eeee e   e eeee e   e  eeeee eeeee 
  8  8 8   8 8  8 8   8  8  88 8  88 
  8e   8e  8 8e   8eee8e 8   8 8   8 
  88   88  8 88   88   8 8   8 8   8 
  88e8 88ee8 88e8 88   8 8eee8 8eee8

 Cuckoo Sandbox v0.3.3-dev
 www.cuckoobox.org
 Copyright (c) 2010-2012

[2012-07-12 22:04:30,322] [Core.Init] INFO: Started.
[2012-07-12 22:04:30,644] [Core.VirtualBox.Check] INFO: Your VirtualBox version is: "4.1.18", good!
[2012-07-12 22:04:30,644] [Core.Init] INFO: Populating virtual machines pool...
[2012-07-12 22:04:31,159] [Core.VirtualBox.Restore] INFO: Virtual machine "cuckoo1" successfully restored to current snapshot.
[2012-07-12 22:04:31,660] [Core.VirtualBox.Infos] INFO: Virtual machine "cuckoo1" information:
[2012-07-12 22:04:31,660] [Core.VirtualBox.Infos] INFO: 	\_| Name: cuckoo1
[2012-07-12 22:04:31,661] [Core.VirtualBox.Infos] INFO: 	  | ID: e562a96e-9b5e-4d4f-866d-a9700345ef3c
[2012-07-12 22:04:31,661] [Core.VirtualBox.Infos] INFO: 	  | OS Type: WindowsXP
[2012-07-12 22:04:31,661] [Core.VirtualBox.Infos] INFO: 	  | VRAM Size: 16 MB
[2012-07-12 22:04:31,662] [Core.VirtualBox.Infos] INFO: 	  | CPU Count: 1 Core/s
[2012-07-12 22:04:31,662] [Core.VirtualBox.Infos] INFO: 	  | Memory Size: 4096 MB
[2012-07-12 22:04:31,662] [Core.VirtualBox.Infos] INFO: 	  | State: Saved
[2012-07-12 22:04:31,663] [Core.VirtualBox.Infos] INFO: 	  | Current Snapshot: "baseImage"
[2012-07-12 22:04:31,663] [Core.VirtualBox.Infos] INFO: 	  | MAC Address: 08:00:27:8F:7E:69
[2012-07-12 22:04:31,663] [Core.Init] INFO: 1 virtual machine/s added to pool.
[2012-07-12 22:04:31,859] [Core.CuckooDatabase] INFO: Generated database "db/cuckoo.db" which didn't exist before.

[/codesyntax]

Testing Cuckoo Sandbox w/ Malware

  • Open a new Terminal (Ctrl-Alt-T)
  • Change to the /opt/cuckoo directory

[codesyntax lang=”bash”]

$ cd /opt/cuckoo

[/codesyntax]

Cuckoo Sandbox Submission Utility

There are numerous ways to submit samples to cuckoo for analysis.  The following are some examples:

Submit a local binary

[codesyntax lang=”bash”]
$ ./submit.py /path/to/binary

[/codesyntax]

Submit a local binary and specify a higher priority

[codesyntax lang=”bash”]
$ ./submit.py /path/to/binary --priority 5

[/codesyntax]

Submit a local binary and specify a custom analysis timeout of 60 seconds

[codesyntax lang=”bash”]
$ ./submit.py /path/to/binary --timeout 60

[/codesyntax]

Submit a local binary and specify a custom analysis package

[codesyntax lang=”bash”]
$ ./submit.py /path/to/binary --package <name of package>

[/codesyntax]

Submit a URL to be downloaded locally and analyzed

[codesyntax lang=”bash”]
$ ./submit.py --download http://www.website.tld/file.exe

[/codesyntax]

Submit a URL to be analyzed within Internet Explorer

[codesyntax lang=”bash”]
$ ./submit.py --url http://maliciousurl.tld/exploit.php

[/codesyntax]

Submit a local binary to be run on virtual machine cuckoo1

[codesyntax lang=”bash”]
$ ./submit.py /path/to/binary --machine cuckoo1

[/codesyntax]

So I submitted a URL in one terminal; below is the command along with the results:

[codesyntax lang=”bash”]
$ ./submit.py --url http://maliciousurl.tld/exploit.php

[2012-07-12 22:41:22,563] [Core.Dispatcher] INFO: Acquired analysis task for target “/tmp/9392e29d9a6ca8733a657dad9eccb21b.url”.
[2012-07-12 22:41:22,720] (Task #4) [Core.Analysis.Run] INFO: Acquired virtual machine “cuckoo1”.
[2012-07-12 22:41:22,723] [Core.Sniffer.Start] INFO: Sniffer started monitoring 08:00:27:8F:7E:69.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1515 bytes
[2012-07-12 22:41:23,176] [Core.VirtualBox.Restore] INFO: Virtual machine “cuckoo1” successfully restored to current snapshot.
[2012-07-12 22:41:27,302] [Core.VirtualBox.Start] INFO: Virtual machine “cuckoo1” starting in “gui” mode.
[2012-07-12 22:41:27,345] [Core.VirtualBox.Execute] INFO: Cuckoo analyzer running with PID 1 on virtual machine “cuckoo1”.
[2012-07-12 22:41:27,494] [Core.VirtualBox.Execute] INFO: Cuckoo analyzer exited with code 0 on virtual machine “cuckoo1”.
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[2012-07-12 22:41:27,494] [Core.Sniffer.Stop] INFO: Sniffer stopped monitoring 08:00:27:8F:7E:69.
[2012-07-12 22:41:27,495] (Task #4) [Core.Analysis.SaveResults] INFO: Analysis results successfully saved to “analysis/4”.
[2012-07-12 22:41:27,676] (Task #4) [Core.Analysis.Processing] INFO: Analysis results processor started with PID “7556”.
[2012-07-12 22:41:27,699] [Processor] INFO: Post-analysis processing started.
[2012-07-12 22:41:27,699] [Processor] INFO: Starting processing of results at path “analysis/4”.
[2012-07-12 22:41:27,805] [Processing.Processes] ERROR: Analysis results folder does not exist at path “analysis/4/logs”.
[2012-07-12 22:41:28,017] [Processor] INFO: Post-analysis processing completed.
[2012-07-12 22:41:28,105] [Core.VirtualBox.Stop] INFO: Virtual machine “cuckoo1” powered off successfully.
[2012-07-12 22:41:28,106] (Task #4) [Core.Analysis.FreeVM] INFO: Virtual machine “cuckoo1” released.
[2012-07-12 22:41:28,106] (Task #4) [Core.Analysis.Run] INFO: Analyis completed.

[/codesyntax]

Some Additional Tips

If the VM closes very quickly after spawning, it is a result of one of the following:

  • Guest OS username or password does not match what is in the cuckoo.conf file.
  • You did not manually connect to the \\vboxsvr\setup and \\vboxsvr\cuckoo1 shares, to cache the session.
  • Your \\vboxsvr shares are not mapped to the proper Host OS (ie. /opt/cuckoo/shares) paths.
  • Something is not correct when you enabled your .pcap dump file.
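The host-side part of that checklist (credentials present, share name equal to the VM id, share directory present and writable, tcpdump at the configured path, Cuckoo root writable by the non-root analysis user) can be checked before launching cuckoo.py. The script below is an added example written for this post, not Cuckoo's own code; it parses a 0.3-style cuckoo.conf with the [Sniffer], [VirtualMachines] and [<vm id>] sections shown above and runs against a constructed sample tree in a temporary directory, where cuckoo2 is deliberately misconfigured.

```python
import configparser
import os
import shutil
import tempfile


def load_conf(path):
    """Parse a cuckoo.conf. Interpolation is off so values such as the
    guest's Windows python path or a '%' in a password are taken literally."""
    conf = configparser.ConfigParser(interpolation=None)
    with open(path) as fh:
        conf.read_file(fh)
    return conf


def check_conf(conf_path, cuckoo_root):
    """Return a list of problems found; an empty list means every checklist
    item that can be verified from the host side looks consistent."""
    conf = load_conf(conf_path)
    problems = []

    # cuckoo.py creates log/ and db/ under its root, so the analysis user
    # (not root) must be able to write there.
    if not os.access(cuckoo_root, os.W_OK):
        problems.append("cuckoo root %s is not writable by this user" % cuckoo_root)

    # With the sniffer on, the configured tcpdump must exist and be runnable.
    if conf.get("Sniffer", "sniffer", fallback="off").lower() == "on":
        tcpdump = conf.get("Sniffer", "path", fallback="")
        if not (tcpdump and os.access(tcpdump, os.X_OK)):
            problems.append("sniffer is on but tcpdump path %r is not executable" % tcpdump)

    enabled = [v.strip() for v in
               conf.get("VirtualMachines", "enabled", fallback="").split(",") if v.strip()]
    if not enabled:
        problems.append("no VM ids listed in [VirtualMachines] enabled=")

    for vm_id in enabled:
        if not conf.has_section(vm_id):
            problems.append("enabled VM %s has no [%s] section" % (vm_id, vm_id))
            continue
        # Guest credentials must be present; they have to match the guest login.
        for key in ("username", "password"):
            if not conf.get(vm_id, key, fallback=""):
                problems.append("[%s] %s is empty; it must match the guest account" % (vm_id, key))
        # The share name must equal the VM id, and the host directory behind it
        # must exist and be writable, or VirtualBox cannot open dump.pcap.
        share = conf.get(vm_id, "share", fallback="")
        expected = "shares/%s" % vm_id
        if share != expected:
            problems.append("[%s] share is %r but must be %r" % (vm_id, share, expected))
        share_dir = os.path.join(cuckoo_root, share)
        if not os.path.isdir(share_dir):
            problems.append("[%s] share directory %s does not exist" % (vm_id, share_dir))
        elif not os.access(share_dir, os.W_OK):
            problems.append("[%s] share directory %s is not writable" % (vm_id, share_dir))
    return problems


# Constructed sample (not a real deployment): cuckoo1 is configured correctly,
# cuckoo2 carries the mistakes the checklist warns about, and the tcpdump path
# points at a file that does not exist.
SAMPLE_CONF = """
[Logging]
debug = on

[Sniffer]
sniffer = on
path = {root}/no-such-tcpdump
interface = eth0

[VirtualMachines]
engine = VirtualBox
enabled = cuckoo1, cuckoo2

[cuckoo1]
name = cuckoo1
username = analyst
password = example-password
share = shares/cuckoo1

[cuckoo2]
name = cuckoo2
username = analyst
password =
share = shares/cuckoo1
"""


def demo():
    """Build the sample tree in a temp directory, run the checks, clean up."""
    root = tempfile.mkdtemp(prefix="cuckoo-check-")
    try:
        os.makedirs(os.path.join(root, "conf"))
        os.makedirs(os.path.join(root, "shares", "cuckoo1"))
        conf_path = os.path.join(root, "conf", "cuckoo.conf")
        with open(conf_path, "w") as fh:
            fh.write(SAMPLE_CONF.format(root=root))
        return check_conf(conf_path, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for problem in demo():
        print("PROBLEM:", problem)
```

Against a live install, call check_conf("/opt/cuckoo/conf/cuckoo.conf", "/opt/cuckoo") as the user that will run cuckoo.py; the tcpdump capability itself still has to be confirmed with getcap, which this script does not do.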

You can also enable debug logging to help you out:

[codesyntax lang=”bash”]

# vi /opt/cuckoo/conf/cuckoo.conf

[Logging]
# Enable/Disable additional debugging messages. This messages won’t wrote to
# log file but just printed on screen. [on/off]
debug = on

[/codesyntax]

Error: Analysis results folder does not exist at path "analysis/{some number}/logs"

Someone pointed out that even my own instructions produced the error: Analysis results folder does not exist at path "analysis/{some number}/logs"

If you make changes to the Guest VM, you need to save the state over again, otherwise it will simply be restored to the state it was in when you first issued the command "VBoxManage snapshot cuckoo1 take baseImage --pause". I created this document before having a working copy and forgot to modify it after it was working. Basically my user in the Guest OS did not have a password but I had a password in the cuckoo.conf file for the user. You will get the above error if you change or create a new password for the user defined in the cuckoo.conf file or if the password is incorrect. The fix is really simple:

[codesyntax lang=”bash”]

# start the vm
# Go to Control Panel - Users - Select Your Username
# Create Password
# enter the password
# Select OK and close any open windows until back at the desktop
# leave the vm running
# Now issue these commands in the following order:
$ VBoxManage snapshot cuckoo1 take baseImage --pause
$ VBoxManage controlvm cuckoo1 poweroff
$ VBoxManage snapshot cuckoo1 restorecurrent
$ VBoxManage controlvm cuckoo1 poweroff

[/codesyntax]

After you do the above, simply power on the virtual machine and make sure you get a password prompt. Make sure the password you enter matches the one in the cuckoo.conf file.

Another cause of the above error message is simply having submitted a faulty/corrupt malware sample. To prove my set-up is in fact working, here are some screenshots of an analysis (I don't want to post all 50 pages as images, so just the first few):

$ lynx reports/report.html


Cuckoo Sandbox Malware Results

All the results are kept in the /opt/cuckoo/analysis directory.  You can also spawn the Cuckoo Sandbox Web Analyzer, which is very pretty:

[codesyntax lang=”bash”]
# cd /opt/cuckoo
# ./web.pl

[/codesyntax]

Now launch Firefox in Ubuntu and go to http://127.0.0.1:8080

You can also do like I did and just launch lynx:

[codesyntax lang=”bash”]

$ lynx /opt/cuckoo/analysis/1/reports/report.html

[/codesyntax]


20 responses to “Installing cuckoo sandbox in backtrack for malware analysis”

  1. henryflynn2

    Hi

    Working through this config. I have a problem with the cuckoo.conf. The .conf file as included in the latest 0.5 cuckoo build does not have a [Virtual Machines] section.

    It's just that this article implies it will already be there just to be edited.

    hope you can help.

    henry

    1. edwigetadmin

      This is what I have for mine….

      http://www.cuckoobox.org
      #
      # This file is part of Cuckoo.
      #
      # Cuckoo is free software: you can redistribute it and/or modify
      # it under the terms of the GNU General Public License as published by
      # the Free Software Foundation, either version 3 of the License, or
      # (at your option) any later version.
      #
      # Cuckoo is distributed in the hope that it will be useful,
      # but WITHOUT ANY WARRANTY; without even the implied warranty of
      # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
      # GNU General Public License for more details.
      #
      # You should have received a copy of the GNU General Public License
      # along with this program. If not, see http://www.gnu.org/licenses/.

      [Logging]
      # Enable/Disable additional debugging messages. This messages won’t wrote to
      # log file but just printed on screen. [on/off]
      debug = off

      [Analysis]
      # This is the actual analysis timeout (expressed in seconds). This represents
      # the default timeout performed by analysis core if none is specified.
      analysis_timeout = 1200
      # Watchdog timeout (expressed in seconds) for analysis execution to complete,
      # when this timeout gets hit, current execution is aborted and virtual machine
      # is restored and freed.
      watchdog_timeout = 1800
      # Specify here the path where analysis results shall be stored.
      results_path = analysis/
      # Enable or disable this option to instruct Cuckoo to delete the original file
      # submitted for the analysis. [on/off]
      delete_file = off

      [Processing]
      # Specify here the interpreter path to be used to launch the script.
      interpreter = /usr/bin/python
      # Specify here the path to the analysis results processing script.
      script = processor.py

      [Sniffer]
      # Enable or disable the following option by assigning a True or False value.
      # In case you decide to disable it, you’re supposed to either not have any
      # network dump or to used VirtualBox’s (or any other virtualization engine
      # you are using) to handle the network monitoring instead of using an external
      # sniffer such as tcpdump. [on/off]
      sniffer = on
      # Path to the sniffer (tcpdump) binary.
      path = /usr/sbin/tcpdump
      # This specifies the network interface where the sniffer will bind to in order
      # to monitor virtual machines’ generated traffic.
      interface = eth0

      [VirtualMachines]
      # Virtualization product.
      engine = VirtualBox
      # List virtual machines IDs separated by commas.
      enabled = cuckoo1
      # Set to “gui” if you want Cuckoo to spawn virtual machines’ GUIs or set to
      # “headless” if you don’t.
      mode = gui
      # Path to local Python installation on guest machines. Please be sure to have
      # correctly set this value as it’s critical to Cuckoo’s proper execution.
      python = C:\Python27\python.exe

      [cuckoo1]
      name = cuckoo1
      username = MYUSERNAME
      password = MYPASSWORD
      # Please notice that the shared folder name must coincide with the current
      # virtual machine id, which is the name you assigned between the square
      # brackets (e.g. [cuckoo1]).
      share = shares/cuckoo1

      [cuckoo2]
      name = cuckoo2
      username = MYUSERNAME
      password = MYPASSWORD
      # Please notice that the shared folder name must coincide with the current
      # virtual machine id, which is the name you assigned between the square
      # brackets (e.g. [cuckoo1]).
      share = shares/cuckoo2

      1. henryflynn2

        Hi

        Thanks much for getting back to me.

        I will follow the same syntax and layout and give it a try again!

        Regards

        Henry

        1. edwigetadmin

          not a problem at all……I haven’t updated to the latest version yet so let me know if it doesn’t work and I will update so I can see where the problem is.

          1. henryflynn2

            Hi

            As a matter of interest – below is the contents of the new 0.5 version cuckoo.conf file. I'm getting "CuckooCriticalError: Configured machine cuckoo1 was not detected or its not in proper state" – I would bet it's down to the conf file. The article stated section "[Virtual Machines]" is not present…

            ” [cuckoo]
            # Enable or disable startup version check. When enabled, Cuckoo will connect
            # to a remote location to verify whether the running version is the latest
            # one available.
            version_check = on

            # If turned on, Cuckoo will delete the original file and will just store a
            # copy in the local binaries repository.
            delete_original = off

            # Specify the name of the machine manager module to use, this module will
            # define the interaction between Cuckoo and your virtualization software
            # of choice.
            machine_manager = virtualbox

            # Enable creation of memory dump of the analysis machine before shutting
            # down. Even if turned off, this functionality can also be enabled at
            # submission. Currently available for: VirtualBox and libvirt modules (KVM).
            memory_dump = off

            [processing]
            # Set the maximum size of analysis’s generated files to process.
            # This is used to avoid the processing of big files which can bring memory leak.
            # The value is expressed in bytes, by default 100Mb.
            analysis_size_limit = 104857600

            # Enable or disable DNS lookups.
            resolve_dns = on

            [database]
            # Specify the database connection string.
            # Examples, see documentation for more:
            # sqlite:///foo.db
            # postgresql://foo:bar@localhost:5432/mydatabase
            # mysql://foo:bar@localhost/mydatabase
            # If empty, default is a SQLite in db/cuckoo.db.
            connection =

            # Database connection timeout in seconds.
            # If empty, default is set to 60 seconds.
            timeout =

            [timeouts]
            # Set the default analysis timeout expressed in seconds. This value will be
            # used to define after how many seconds the analysis will terminate unless
            # otherwise specified at submission.
            default = 120

            # Set the critical timeout expressed in seconds. After this timeout is hit
            # Cuckoo will consider the analysis failed and it will shutdown the machine
            # no matter what. When this happens the analysis results will most likely
            # be lost. Make sure to have a critical timeout greater than the
            # default timeout.
            critical = 600

            # Maximum time to wait for virtual machine status change. For example when
            # shutting down a vm. Default is 300 seconds.
            vm_state = 300

            [sniffer]
            # Enable or disable the use of an external sniffer (tcpdump) [yes/no].
            enabled = yes

            # Specify the path to your local installation of tcpdump. Make sure this
            # path is correct.
            tcpdump = /usr/sbin/tcpdump

            # Specify the network interface name on which tcpdump should monitor the
            # traffic. Make sure the interface is active.
            interface = vboxnet0

            [graylog]
            # Enable or disable remote logging to a Graylog2 server.
            enabled = no

            # Graylog2 server host.
            host = localhost

            # Graylog2 server port.
            port = 12201

            # Default logging level for Graylog2. [debug/info/error/critical].
            level = error

            I will keep it simple and try set up a single machine called cuckoo1 using some of your conf file lines.

            Regards

            Henry

          2. Jeremy

            Did you ever find a resolution for this error? I am coming across the same error.

            Jeremy

  2. henryflynn2

    Hi again – looking at this further – it appears considerably different – perhaps I should have installed the article version (0.3.3-dev) first! There is a virtualbox.conf where the user configures the virtual machine(s) as opposed to in the cuckoo.conf.

    Maybe I've bitten off more than I bargained for.

    Henry

  3. insanlaksana

    Hi, I'm trying to install Cuckoo Sandbox following your instructions, but I'm trying it on Ubuntu 12.04.
    When I try ./submit.py --url http://maliciousurl.tld/exploit.php, I get this error:

    [2013-02-20 06:58:05,883] [Core.Init] INFO: Started.
    [2013-02-20 06:58:05,929] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.2.0”, good!
    [2013-02-20 06:58:05,930] [Core.Init] INFO: Populating virtual machines pool…
    [2013-02-20 06:58:06,424] [VirtualMachine.Restore] INFO: Virtual machine “cuckoo1” successfully restored to current snapshot.
    [2013-02-20 06:58:06,432] [VirtualMachine.Infos] INFO: Virtual machine “cuckoo1” information:
    [2013-02-20 06:58:06,433] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
    [2013-02-20 06:58:06,434] [VirtualMachine.Infos] INFO: | ID: ff0ae5e5-702e-4301-bce3-2b70bf9d230a
    [2013-02-20 06:58:06,434] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
    [2013-02-20 06:58:06,434] [VirtualMachine.Infos] INFO: | Memory Size: 256 MB
    [2013-02-20 06:58:06,435] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
    [2013-02-20 06:58:06,435] [VirtualMachine.Infos] INFO: | State: Saved
    [2013-02-20 06:58:06,435] [VirtualMachine.Infos] INFO: | Current Snapshot: ““baseImage””
    [2013-02-20 06:58:06,436] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:4C:57:E6
    [2013-02-20 06:58:06,436] [Core.Init] INFO: 1 virtual machine/s added to pool.
    [2013-02-20 06:58:06,450] [Core.Dispatcher] INFO: Acquired analysis task for target “/tmp/887645fa9577b5fd0501793e016ab245.url”.
    [2013-02-20 06:58:06,694] (Task #6) [Core.Analysis.Run] INFO: Acquired virtual machine “cuckoo1”.
    [2013-02-20 06:58:06,702] [Sniffer.Start] INFO: Sniffer started monitoring 08:00:27:4C:57:E6.
    tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 1515 bytes
    [2013-02-20 06:58:07,247] [VirtualMachine.Restore] INFO: Virtual machine “cuckoo1” successfully restored to current snapshot.
    [2013-02-20 06:58:12,492] [VirtualMachine.Start] INFO: Virtual machine “cuckoo1” starting in “gui” mode.
    Exception in thread 6:
    Traceback (most recent call last):
    File “/usr/lib/python2.7/threading.py”, line 551, in __bootstrap_inner
    self.run()
    File “./cuckoo.py”, line 524, in run
    if not vm.execute(python_path, args):
    File “/opt/cuckoo/cuckoo/core/virtualbox.py”, line 355, in execute
    exec_flags = VBOX.ExecuteProcessFlag_Hidden #
    File “/usr/local/lib/python2.7/dist-packages/vboxapi/VirtualBox_constants.py”, line 1266, in __getattr__
    raise AttributeError
    AttributeError

    Any ideas?
    I don't have any clue…
    Thanks.

    1. CISSP

      I have got the same question for you.

      yijiedao@ubuntu:~/software/cuckoo-1$ python cuckoo.py
      _
      ____ _ _ ____| | _ ___ ___
      / ___) | | |/ ___) |_/ ) _ \ / _ \
      ( (___| |_| ( (___| _ ( |_| | |_| |
      \____)____/ \____)_| \_)___/ \___/ v0.3.2

      http://www.cuckoobox.org
      Copyright (C) 2010-2012

      [2013-04-01 18:08:34,308] [Core.Init] INFO: Started.
      [2013-04-01 18:08:34,557] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.2.10”, good!
      [2013-04-01 18:08:34,558] [Core.Init] INFO: Populating virtual machines pool…
      [2013-04-01 18:08:35,324] [VirtualMachine.Restore] INFO: Virtual machine “cuckoo1” successfully restored to current snapshot.
      [2013-04-01 18:08:35,331] [VirtualMachine.Infos] INFO: Virtual machine “cuckoo1” information:
      [2013-04-01 18:08:35,331] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
      [2013-04-01 18:08:35,331] [VirtualMachine.Infos] INFO: | ID: 7802e5d8-fbbc-472e-aa68-db7359ff18ab
      [2013-04-01 18:08:35,331] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
      [2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | Memory Size: 256 MB
      [2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
      [2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | State: Saved
      [2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | Current Snapshot: “admin-04-01”
      [2013-04-01 18:08:35,332] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:B9:AF:A9
      [2013-04-01 18:08:35,333] [Core.Init] INFO: 1 virtual machine/s added to pool.
      [2013-04-01 18:08:35,333] [Core.Dispatcher] INFO: Acquired analysis task for target “/home/yijiedao/software/virus-sample/vir12/vir12-9-29/12-9-29/001gangsir.cn.exe”.
      [2013-04-01 18:08:35,696] (Task #4) [Core.Analysis.Run] INFO: Acquired virtual machine “cuckoo1”.
      [2013-04-01 18:08:35,723] [Sniffer.Start] INFO: Sniffer started monitoring 08:00:27:B9:AF:A9.
      tcpdump: eth0: You don’t have permission to capture on that device
      (socket: Operation not permitted)
      [2013-04-01 18:08:36,571] [VirtualMachine.Restore] INFO: Virtual machine “cuckoo1” successfully restored to current snapshot.
      [2013-04-01 18:08:41,554] [VirtualMachine.Start] INFO: Virtual machine “cuckoo1” starting in “gui” mode.
      Exception in thread 4:
      Traceback (most recent call last):
      File “/usr/lib/python2.7/threading.py”, line 551, in __bootstrap_inner
      self.run()
      File “cuckoo.py”, line 524, in run
      if not vm.execute(python_path, args):
      File “/home/yijiedao/software/cuckoo-1/cuckoo/core/virtualbox.py”, line 355, in execute
      exec_flags = VBOX.ExecuteProcessFlag_Hidden #
      File “/usr/local/lib/python2.7/dist-packages/vboxapi/VirtualBox_constants.py”, line 1266, in __getattr__
      raise AttributeError
      AttributeError

      Have you ever solved this problem?
      Please give me some help.

      1. edwigetadmin

        One of the things I noticed is that it says you don’t have permissions to capture with tcpdump. I would validate your installation and check permissions.

        tcpdump: eth0: You don’t have permission to capture on that device

        Also, check the path of your python installation in the virtual machine and make sure it matches the settings.

        1. CISSP

          I have rechecked the installation steps and found that I forgot to set up “tcpdump” properly. Right now, tcpdump can listen on eth0:

          tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1515 bytes

          But the problem I posted is still here bothering me:

          Traceback (most recent call last):
          File “/usr/lib/python2.7/threading.py”, line 551, in __bootstrap_inner
          self.run()
          File “cuckoo.py”, line 524, in run
          if not vm.execute(python_path, args):
          File “/home/yijiedao/software/cuckoo-1/cuckoo/core/virtualbox.py”, line 355, in execute
          exec_flags = VBOX.ExecuteProcessFlag_Hidden #
          File “/usr/local/lib/python2.7/dist-packages/vboxapi/VirtualBox_constants.py”, line 1266, in __getattr__
          raise AttributeError
          AttributeError

          I installed VirtualBox-4.2.10 for Ubuntu 12.04 LTS on the Ubuntu host, and a Windows XP SP3 guest machine running Cuckoo Sandbox 0.3.2. Python-2.7.3 is installed on the Ubuntu host by default.
          I installed python-3.2 myself; do these two versions of Python collide with each other and raise the problem above?
          So I uninstalled python-3.2 with the commands:

          $ sudo apt-get --purge remove python3.2
          $ sudo apt-get autoremove

          When running the Cuckoo VM, the problem still comes up.
          What should I do? This one has bothered me for almost three days!

  4. Jeremy

    I am new to the Cuckoo Sandbox, but I have been following this article for building a sandbox. When I get to the starting of Cuckoo (./cuckoo.py) I get the following error:

    [root] CRITICAL: CuckooCriticalError: Unable to bind result server on 192.168.56.1:2042: [Errorno 99] Cannot assign requested address

    Is this a VirtualBox related issue?

    1. edwigetadmin

      Is that running as the root user? If I were to guess from the message alone, I would say either a permissions issue or a firewall issue. BTW, I haven’t actually used Cuckoo in some time myself, and several people have stated the instructions don’t seem to work for the newer versions of Cuckoo.

      1. Jeremy

        Was able to get the vboxnet0 worked out. I just needed to add it in VirtualBox; I thought that it was not seeing it, however clicking on the add button in Preferences/Network did the trick. Now the issue is: Configured machine cuckoo1 was not detected or it’s not in proper state.

        I believe the issue is that it is looking for cuckoo1, I named mine “Cuckoo1x64”. How do I edit this to see “Cuckoo1x64” and not cuckoo1?

    2. ysudhirk

      No, what you have to do is open the virtual machine and execute cuckoo.py; you won’t find this error.

  5. Jeremy

    I’m to the point that I am receiving the error: “CuckooCriticalError: Configured machine cuckoo1 was not detected or it’s not in proper state”. I went through the conf and changed all names to “Cuckoo1x64”, does it matter if the name isn’t “cuckoo1”? Does it need to be “cuckoo1” for the sake of the program?

    Jeremy
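A pre-flight check for the two configuration mismatches raised in this thread (the machine label in the conf versus the name VirtualBox actually knows, and the result server bind address), as an added example that is not part of the original post or of Cuckoo itself. It assumes the Cuckoo 1.x conf layout (`conf/virtualbox.conf` with a `[virtualbox]` `machines` list and a per-machine `label`, `conf/cuckoo.conf` with a `[resultserver]` section); the conf text, the `VBoxManage list vms` output and the host addresses are all constructed so it runs offline.

```python
import configparser
import re

# Constructed sample configs in the assumed Cuckoo 1.x layout: the conf still
# names "cuckoo1" while the VM was created in VirtualBox as "Cuckoo1x64".
VIRTUALBOX_CONF = """
[virtualbox]
machines = cuckoo1

[cuckoo1]
label = cuckoo1
ip = 192.168.56.101
"""
CUCKOO_CONF = """
[resultserver]
ip = 192.168.56.1
port = 2042
"""
# Constructed `VBoxManage list vms` output (placeholder UUID).
VM_LIST = '"Cuckoo1x64" {00000000-0000-0000-0000-000000000000}\n'

def parse_vm_list(text):
    # One VM per line: "name" {uuid}
    return re.findall(r'^"([^"]+)"\s+\{[0-9a-f-]+\}', text, re.M)

def check_machines(vbox_conf, vm_names):
    # Each label under [virtualbox] machines must exist verbatim in VirtualBox,
    # or Cuckoo reports "Configured machine ... was not detected".
    cp = configparser.ConfigParser()
    cp.read_string(vbox_conf)
    problems = []
    for name in cp.get("virtualbox", "machines").split(","):
        name = name.strip()
        label = cp.get(name, "label", fallback=name)
        if label not in vm_names:
            near = [v for v in vm_names if v.lower().startswith(label.lower())]
            hint = " (did you mean %r?)" % near[0] if near else ""
            problems.append("machine %r not found in VirtualBox%s" % (label, hint))
    return problems

def check_resultserver(cuckoo_conf, local_ips):
    # The bind address must belong to a host interface (usually vboxnet0),
    # or the result server fails with "Cannot assign requested address".
    cp = configparser.ConfigParser()
    cp.read_string(cuckoo_conf)
    ip, port = cp.get("resultserver", "ip"), cp.getint("resultserver", "port")
    if ip != "0.0.0.0" and ip not in local_ips:
        return ["result server %s:%d: address not on any host interface" % (ip, port)]
    return []
```

On the constructed inputs (host addresses without vboxnet0) each check returns one problem string; feed it real conf text, `VBoxManage list vms` output and the host's addresses to use it on an actual install.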

  6. ysudhirk

    My Cuckoo is executing well, but only for some kinds of files. For the rest I am getting the following error. I think there is a problem with the processing modules dropped and targetinfo, but I am not finding it. Can anybody help?

    Checking for updates…
    Outdated! Cuckoo Sandbox version 1.1 is available now.

    2014-07-02 12:31:59,524 [lib.cuckoo.core.scheduler] INFO: Using “virtualbox” machine manager
    2014-07-02 12:32:01,210 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
    2014-07-02 12:32:01,211 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks…
    2014-07-02 12:32:51,200 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE “/home/vamz/Downloads/cuckoo_exe/new/TeamViewer_Setup_en.exe” (task=767)
    2014-07-02 12:32:51,354 [lib.cuckoo.core.scheduler] INFO: File already exists at “/home/vamz/cuckoo/storage/binaries/183a3f0822d661909bca09997d0d2caee440bfc385a9252185f6adf72b5e12f3”
    2014-07-02 12:32:51,418 [lib.cuckoo.core.scheduler] INFO: Task #767: acquired machine WinXPVM1 (label=WinXPVM1)
    2014-07-02 12:32:51,452 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 3669 (interface=vboxnet0, host=192.168.56.101, dump path=/home/vamz/cuckoo/storage/analyses/767/dump.pcap)
    2014-07-02 12:32:55,770 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=WinXPVM1, ip=192.168.56.101)
    2014-07-02 12:35:07,445 [lib.cuckoo.core.guest] INFO: WinXPVM1: analysis completed successfully
    2014-07-02 12:35:09,761 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE “/home/vamz/Downloads/cuckoo_exe/new/pars-vpn.exe” (task=768)
    2014-07-02 12:35:10,035 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module “Dropped”:
    Traceback (most recent call last):
    File “/home/vamz/cuckoo/lib/cuckoo/core/plugins.py”, line 183, in process
    data = current.run()
    File “/home/vamz/cuckoo/modules/processing/dropped.py”, line 23, in run
    file_info = File(file_path=file_path).get_all()
    File “/home/vamz/cuckoo/lib/cuckoo/common/objects.py”, line 264, in get_all
    infos[“yara”] = self.get_yara()
    File “/home/vamz/cuckoo/lib/cuckoo/common/objects.py”, line 240, in get_yara
    except yara.Error as e:
    AttributeError: ‘module’ object has no attribute ‘Error’

    1. ysudhirk

      Can anyone please reply?
