Cuckoo Installation on Ubuntu 20

This post is currently being updated to latest versions, including all the feedback received. Thanks for the support.

(Screenshots and Video coming soon)

This tutorial will give you a step by step guide to using Ubuntu 20 Desktop and VirtualBox to create a Cuckoo Malware Analysis environment.

Installation of Ubuntu 20 Desktop

Step 1: Go to https://ubuntu.com/download/desktop and download the .iso.

Step 2: Using the hypervisor of your choice (VMware Workstation, VirtualBox, VMware ESXi etc.) install the base Ubuntu 20 Desktop.

Make sure that you have set enough RAM and Hard Drive space for your Ubuntu 20 Desktop as you will be running a Windows 7 Virtual Machine inside it with a minimum 4GB RAM and 60 – 80GB Hard Drive.

Step 3: When installing make sure you don’t call your username “cuckoo” otherwise this may conflict with the installation later.

Step 4: Make sure that your Virtual Machine has VT-x/AMD-V enabled. Because Ubuntu is itself running as a guest here, the outer hypervisor must expose nested virtualization to it, otherwise VirtualBox inside Ubuntu will not be able to run a 64-bit Windows 7 guest. Also make sure you have assigned enough RAM, as you will need at least 4GB for the Windows 7 Virtual Machine on top of what Ubuntu itself uses.

Step 5: Once your Ubuntu 20 Desktop is ready then log in.

Step 6: Click Activities (Top Left) and then type Terminal and click the Terminal icon to start it.

Step 7: You should now have a Terminal window.

Step 8: Make sure that your Ubuntu Desktop is fully updated by running

sudo apt-get update && sudo apt-get upgrade -y

Step 9: Enter your password when prompted; sudo runs the command as root.

Step 10: If prompted select y to continue. Once the update and upgrade has finished you will be returned to the terminal prompt.

Step 11: It is good security practice to have a separate user to run the sandbox. Now we will create our user:

sudo adduser cuckoo

Step 12: Choose a password for your new user.

Step 13: Enter your user information in the fields as it requests. Alternatively you can just leave blank and press enter.

Step 14: Press Y to confirm the information entered. This will then return you to the terminal prompt.

Step 15: Now we are going to add that user to the sudo group. Type

sudo adduser cuckoo sudo

Step 16: Now we will install the prerequisites for cuckoo.

Step 17: Cuckoo is a Python 2.7 application, so we need Python 2 and a pip that still supports it. Ubuntu 20 no longer ships a package simply called python, so install Python 2 and make the python command point at it (curl is needed for the next step):

sudo apt-get install -y python2 python2-dev python-is-python2 curl

Step 18: The generic get-pip.py no longer supports Python 2, so download the 2.7 build of it:

curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py

Step 19: Now install pip for Python 2 using the file downloaded in Step 18:

sudo python2 get-pip.py

and confirm it installed against 2.7 with

pip --version

Step 20: Now we are going to install the remaining build prerequisites needed for Cuckoo and its Python modules, so type

sudo apt-get install -y libffi-dev libssl-dev libfuzzy-dev libtool flex autoconf libjansson-dev git

Step 21: get-pip.py installs setuptools and wheel alongside pip; make sure they are current so Cuckoo's dependencies build cleanly:

sudo -H python2 -m pip install -U setuptools wheel

Step 22: Now we will install jpeg and interface supporting tools

sudo apt-get install -y libjpeg-dev zlib1g-dev swig

Step 23: Cuckoo's web interface stores its results in MongoDB. The mongodb package is not in the Ubuntu 20 archive, so a plain sudo apt-get install -y mongodb fails on a stock install. Add MongoDB's official apt repository by following https://docs.mongodb.com/manual/tutorial/install-mongodb-on-ubuntu/ and then install it with

sudo apt-get install -y mongodb-org

and make sure the service is running and starts at boot:

sudo systemctl enable --now mongod

Step 24: Cuckoo’s recommended database is PostgreSQL so install it by running

sudo apt-get install -y postgresql libpq-dev

Step 25: Now we move on to installing VirtualBox. The version in the Ubuntu 20 repositories is 6.1.

Step 26: Install it by typing

sudo apt-get install -y virtualbox

Step 27: Now we will download and install all the supporting tools Cuckoo needs. Change to your Downloads folder (this works from any directory) by typing

cd ~/Downloads

Step 28: Start with Volatility, which Cuckoo uses for memory analysis. Type

git clone https://github.com/volatilityfoundation/volatility.git

then

cd volatility

Step 29: Volatility 2 is Python 2 code, so build it with the python2 we installed:

sudo python2 setup.py build

now install it

sudo python2 setup.py install

Step 30: Now go back up to your Downloads directory type

cd ..

Step 31: Now we're going to install Distorm3, the disassembler Volatility depends on. Type

sudo -H pip install distorm3==3.4.4

Step 32: Now we're going to install Yara, so type

sudo -H pip install yara-python==3.6.3

Step 33: Now were going to install ssdeep so type

sudo apt-get install -y ssdeep

Now verify it's installed by typing

ssdeep -V

You should get 2.14.1 (or later) as the version.

Step 34: Now we will install pydeep by typing

sudo -H pip install pydeep

we can check it installed ok by typing

pip show pydeep

Step 35: Now we will install openpyxl by typing

sudo -H pip install openpyxl

Step 36: Now install ujson by typing

sudo -H pip install ujson

Step 37: Now install jupyter by typing

sudo -H pip install jupyter

Step 38: Now we will install tcpdump, which Cuckoo uses to capture the guest's network traffic during an analysis. Type

sudo apt-get install -y tcpdump

(it may already be installed). Cuckoo runs tcpdump as your unprivileged user, so give the binary just the two capabilities it needs to sniff rather than running it as root. First make sure setcap is available:

sudo apt-get install -y libcap2-bin

then grant the capabilities:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

and confirm they stuck:

getcap /usr/sbin/tcpdump

which should print something like /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

Step 39: Ubuntu ships an AppArmor profile for tcpdump that restricts where it may write. Cuckoo tells tcpdump to write its .pcap under ~/.cuckoo, which that profile silently blocks, so we disable the profile for tcpdump only (not AppArmor as a whole). Install the AppArmor tools by typing

sudo apt-get install -y apparmor-utils

and then type

sudo aa-disable /usr/sbin/tcpdump

Step 40: Now finally we can install Cuckoo Sandbox.

Step 41: First bring pip and setuptools up to date for Python 2 by typing

sudo -H pip install -U pip setuptools

It may say that the requirements are already satisfied.

Step 42: Now we will install Cuckoo so type

sudo -H pip install -U cuckoo

Step 43: Now run cuckoo once, as your normal user (not with sudo), to create its working directory ~/.cuckoo with the default configuration files:

cuckoo

Because Cuckoo stores everything under the home directory of whoever runs it, keep using this same user for the rest of the tutorial.

Step 44: Now we need to setup the virtualbox environment. We need to install net-tools so type

sudo apt install -y net-tools

Step 45: Now type

ifconfig

to find the IP address information of your Virtual machine.

Step 46: Now we want to create a host only network adapter so type

vboxmanage hostonlyif create

Step 47: We now want to set the IP address for the virtual interface so type

vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

Step 48: Now if you run

ifconfig

again you will see your interface and IP address you have just set.

Step 49: We want these changes to survive a reboot and be applied automatically during system startup. VirtualBox host-only interfaces do not persist across reboots on Linux, so we recreate them from a small script run by systemd. First make a new directory:

sudo mkdir -p /opt/systemd/

then

sudo nano /opt/systemd/vboxhostonly

and copy the following code into the file (the # at the start of the first line and the vboxmanage prefix on the create command are both required):

#!/bin/bash
# Create vboxnet0 if it is not already there, then give it the Cuckoo result server address
vboxmanage list hostonlyifs | grep -q '^Name: *vboxnet0$' || vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

then Ctrl + X to exit, Y to save and Enter to write the file.

Step 50: Now we need to make the file executable so type

cd /opt/systemd/

then

sudo chmod a+x vboxhostonly

Step 51: now we need to create a service so type

sudo touch /etc/systemd/system/vboxhostonlynic.service

Step 52: Edit the file by typing

sudo nano /etc/systemd/system/vboxhostonlynic.service

and then typing in (the [Unit] header is required, systemd rejects a file without it):

[Unit]
Description=Setup VirtualBox Hostonly Adapter
After=vboxdrv.service

[Service]
Type=oneshot
ExecStart=/opt/systemd/vboxhostonly

[Install]
WantedBy=multi-user.target

then Ctrl + X to exit, Y to save and Enter to write the file.

Step 53: Now to install the service and ensure it loads at boot time type:

sudo systemctl daemon-reload
sudo systemctl enable vboxhostonlynic.service

You can run it straight away with sudo systemctl start vboxhostonlynic.service and check the result with systemctl status vboxhostonlynic.service.

That is the networking complete.

Step 54: We are now going to create a Windows 7 SP1 x64 Virtual Machine using Virtual Box. *Please note you will need your own licence for this part

Step 55: Click on the Menu icon bottom left and then type or select Virtual Box.

Step 56: Once you have selected it the Oracle VirtualBox Manager should start.

Step 57: We are now going to create our Windows 7 Virtual Machine. So click on the New icon to create a new Virtual Machine.

Step 58: Enter a name, for ease we have called our Virtual Machine cuckoo1. Choose your OS that you are installing.

Step 59: Now click Next. Choose the RAM size you want to allocate. Ideally the minimum is 4GB. For mine I set 7024 MB (roughly 7GB).

Step 60: Click next. Create the virtual hard disk by clicking Create.

Step 61: Select VDI and click Next.

Step 62: Select Dynamically allocated and then click next.

Step 63: Choose your Hard Disk size. I have set to 80 GB.

Step 64: Now click Create.

Step 65: Now you need to make the Windows 7 .iso available to the new Virtual Machine. Either attach the .iso to your Ubuntu Virtual Machine's CD drive in the outer hypervisor, or copy the .iso file into Ubuntu.

Step 66: In VirtualBox click Settings for the new machine and go to Storage. Click the empty optical drive (Empty) under the storage controller. On the right, next to Optical Drive, click the disc icon and choose either Host Drive (to use the CD you attached in the outer hypervisor) or Choose a disk file and select the .iso you copied in.

Step 67: Click Ok to close, then start to start your Virtual Machine. Follow the normal Windows 7 Installation. I have called my Windows 7 Virtual Machine cuckoo1.

Step 68: Now your Windows 7 Virtual Machine is built, log in. We are going to change some settings to deliberately weaken the guest so that samples run unhindered. Only ever do this to a disposable sandbox guest that is reverted to a clean snapshot after each analysis. Go to Start and type Group. You should see the Edit Group Policy option.

Step 69: Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Scroll down to the User Account Control options.

Step 70: Right click the “User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode” and select Properties. Using the drop down menu select Elevate without prompting and click ok.

Step 71: Right click the “User Account Control: Detect application installations and prompt for elevation” and select Properties. Check the Disabled option and click ok.

Step 72: Right click the “User Account Control: Run all administrators in Admin Approval Mode” and select Properties. Check the Disabled option and click ok.

Step 73: Now we are going to disable the automatic install of Windows Updates. Go to Computer Configuration > Administrative Templates > Windows Components > Windows Update and right click Configure Automatic Updates and edit. Select Enabled, 2- Notify for download and notify for install, then click ok.

Step 74: Now we need to turn off the Windows firewall so the Cuckoo result server and agent can talk to the guest freely. Go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall and, under both Domain Profile and Standard Profile, set "Windows Firewall: Protect all network connections" to Disabled. The guest is not domain joined, so on the host-only network it is the Standard Profile that actually applies.

Step 75: Next we need to disable Windows Defender as we have no need for anti virus or malware protection. We do this by going to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus then set “Turn off Windows Defender Antivirus” to Enabled.

Step 76: The next steps need several files copied into the Windows 7 Virtual Machine (Python, Pillow and Cuckoo's agent). The easiest way to get them there is to install VirtualBox Guest Additions and create a shared folder.

You do this by clicking Devices in the VirtualBox window and choose install VirtualBox Guest Additions. This will then mount a CD into your Virtual Machine and you can then you can run from the CD in your Virtual Machine.

Once you have set up the shared folder, reboot your Windows 7 Virtual Machine, log in, open File Explorer and type \\vboxsvr\Downloads (I shared my Ubuntu Downloads folder; use the share name you chose). This takes you to the shared folder.

Step 77: Now we need to install Python 2.7 for Windows, which the Cuckoo agent needs to run. You can download it from https://www.python.org/ftp/python/2.7.8/python-2.7.8.amd64.msi Place this .msi into your shared folder and run it from your Windows 7 Virtual Machine. Next download Python Pillow from https://pypi.python.org/packages/2.7/P/Pillow/Pillow-2.5.3.win-amd64-py2.7.exe#md5=33c3a581ff1538b4f79b4651084090c8 Place this .exe into your shared folder and run it from your Windows 7 Virtual Machine. Pillow is what lets the agent take the screenshots that appear in the reports.

Step 78: Now install Adobe Reader, Flash, Java and Microsoft Office (Optional) and any other applications you think yo may need.

Step 79: Open Internet Explorer, Adobe Reader and any other application you installed once, and dismiss their first-run wizards, licence prompts and update dialogs. Pop-ups like these would otherwise appear during an analysis and interfere with the sample and the cuckoo agent.

Step 80: Upload the agent.py file from your Ubuntu host which can be found in the

~/.cuckoo/agent

directory on your Ubuntu machine. You can do this by copying it into the Downloads or shared folder with your Virtual Machine.

cd ~/.cuckoo/agent

then

cp agent.py ~/Downloads

Step 81: Copy agent.py into C:\Users\*USERNAME*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup so that it starts on boot of the Virtual Machine. If you rename it to agent.pyw Windows runs it with pythonw.exe and no console window is left on the desktop for a sample to notice; if you keep the .py name you will see a blank command window after login, which also works. On the Windows 7 Virtual Machine you will need to show hidden files and folders for the AppData folder to be visible.

You can do this in File Explorer via Organize > Folder and search options > View.

Step 82: Once you are happy that you have all the required software installed reboot the Windows 7 Virtual Machine and log in. You should get a blank command window appear. If you get a network popup click allow.

Step 83: You can now minimise the Virtual Machine down.

Step 84: So now we have created our Windows 7 Virtual Machine we need to set up the networking to create the sandbox environment. Click on the VirtualBox Manager and click settings for the Windows 7 Virtual Machine. Select Network and then change Attached to: Host-only Adapter and select vboxnet0 in the Name. Click OK.

Step 85: Next we need iptables rules to route the guest's traffic out to the internet, and a way to restore them after a reboot. Install iptables-persistent first:

sudo apt-get install -y iptables-persistent

and choose Yes when it asks whether to save the current rules (we will save the real ones in Step 89).

Step 86: Now we need to configure IP forwarding so an internet connection gets routed from the Ubuntu machine to the guest Virtual Machine. We will use iptables to set these forwarding rules. Replace eth0 below with the name of your Ubuntu machine's uplink interface from the ifconfig output in Step 45; on Ubuntu 20 it is usually something like ens33 or enp0s3 rather than eth0:

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT

then

sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

then

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Step 87: You can check your rules by running

sudo iptables -L

Step 88: Now enable IP forwarding in the kernel so the rules actually take effect (required for the guest to reach the internet):

sudo sysctl -w net.ipv4.ip_forward=1

Check it with

sysctl -n net.ipv4.ip_forward

which should print 1.

Step 89: Now we need to make sure that the IP forwarding starts up after a reboot. Type

sudo nano /etc/sysctl.conf

and remove the # from

net.ipv4.ip_forward=1

then Ctrl + X to exit, Y to save and Enter to write the file. Now save the live iptables rules to the file iptables-persistent restores them from at boot:

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
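As an added example (not from the original post), here is the forwarding setup from Steps 86 to 89 as a small script that picks the uplink interface from the default route instead of hard-coding eth0, adds each rule only if it is not already present so it can be re-run safely, and saves the result for iptables-persistent. The guest network 192.168.56.0/24 and vboxnet0 are the values set above; the `show` and `apply` sub-commands are this script's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of Cuckoo.
# Builds the Cuckoo NAT/forwarding rules for the real uplink interface, applies
# them idempotently and saves them for iptables-persistent.
# Assumes the guest network and host-only interface chosen above.

GUEST_NET="192.168.56.0/24"
GUEST_IF="vboxnet0"

# uplink_from_route ROUTE_TEXT: pull the interface name out of the output of
# "ip route show default". Takes the text as an argument so it can be checked
# without touching the live routing table.
uplink_from_route() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# cuckoo_nat_rules UPLINK: print one rule per line as "TABLE CHAIN RULESPEC".
# These are the three rules from Step 86 with eth0 replaced by UPLINK.
cuckoo_nat_rules() {
    uplink="$1"
    printf '%s\n' \
        "filter FORWARD -o $uplink -i $GUEST_IF -s $GUEST_NET -m conntrack --ctstate NEW -j ACCEPT" \
        "filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "nat POSTROUTING -o $uplink -j MASQUERADE"
}

# apply_rules UPLINK: add each rule only if "iptables -C" says it is missing,
# so running the script twice does not duplicate rules, then enable forwarding
# and persist everything to the file iptables-persistent loads at boot.
apply_rules() {
    cuckoo_nat_rules "$1" | while read -r table rest; do
        # shellcheck disable=SC2086  # splitting the rule spec into words is intended
        set -- $rest
        if ! sudo iptables -t "$table" -C "$@" 2>/dev/null; then
            sudo iptables -t "$table" -A "$@"
        fi
    done
    sudo sysctl -w net.ipv4.ip_forward=1 >/dev/null
    sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
}

case "${1:-}" in
    show|apply)
        uplink=$(uplink_from_route "$(ip route show default)")
        if [ -z "$uplink" ]; then
            echo "no default route found; is the Ubuntu machine online?" >&2
            exit 1
        fi
        if [ "$1" = show ]; then cuckoo_nat_rules "$uplink"; else apply_rules "$uplink"; fi
        ;;
esac
```

Save it as cuckoo-nat.sh, run `sh cuckoo-nat.sh show` to see the rules it would add for your interface, then `sh cuckoo-nat.sh apply`. The `iptables -C` check is what makes it safe to run again after a reboot or a second read of this tutorial.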

Step 90: Now we need to give the Windows 7 Virtual Machine a static address on the host-only network. Open the network adapter's IPv4 properties in Windows and set: IP address 192.168.56.101 (this must match the ip you give the machine in virtualbox.conf later), subnet mask 255.255.255.0, default gateway 192.168.56.1 (the Ubuntu side of vboxnet0, which NATs for the guest). Also set a DNS server the guest can reach through the NAT, for example the upstream resolver shown by resolvectl status on Ubuntu (not the 127.0.0.53 stub listed in /etc/resolv.conf, which the guest cannot reach).

Step 91: Once you click OK and OK you should then get internet connectivity again.

Step 92: We now want to take a snapshot of the Virtual Machine, so click Machine > Take Snapshot. Name it Snapshot 1 and click ok.

Step 93: We now need to finish the configuration of Cuckoo on our Ubuntu 20 workstation. All of Cuckoo's configuration files live in the ~/.cuckoo/conf directory of the user who ran cuckoo in Step 43.

Step 94: Change into the config directory type

cd ~/.cuckoo/conf

Edit the cuckoo.conf file by

sudo nano cuckoo.conf

Ensure that in the [cuckoo] section the following are set:

machinery = virtualbox
memory_dump = yes

and in the [resultserver] section

ip = 192.168.56.1

(the vboxnet0 address from Step 47; the agent in the guest reports back to this address).

then Ctrl + X to exit , Y to save and enter to write file.

Step 95: Edit the auxiliary.conf file by 

sudo nano auxiliary.conf

ensure that the sniffer is

enabled = yes

then Ctrl + X to exit , Y to save and enter to write file.

Step 96: Edit the virtualbox.conf file by

sudo nano virtualbox.conf

and ensure that in the [virtualbox] section

mode = gui
machines = cuckoo1

(change cuckoo1 to your Windows 7 Virtual Machine name if required) and that the machine's own section, [cuckoo1], has

label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot = Snapshot 1

The label must match the name in VirtualBox exactly, the ip must match what you set inside Windows in Step 90, and the snapshot name must match Step 92.

then Ctrl + X to exit , Y to save and enter to write file.

Step 97: Edit the processing.conf file by

sudo nano processing.conf

and ensure that memory

enabled = yes

then Ctrl + X to exit , Y to save and enter to write file.

Step 98: Edit the memory.conf file by

sudo nano memory.conf

and ensure that basic

guest_profile = Win7SP1x64

then Ctrl + X to exit , Y to save and enter to write file.

Step 99: If you require another Operating System then you can get a full list of the supported profiles by running

vol.py --info |grep Profiles -A48

Step 100: Edit the reporting.conf file by

sudo nano reporting.conf

and ensure that in the [singlefile] section (creation of report.html)

enabled = yes

and in the [mongodb] section (the web interface reads its results from MongoDB)

enabled = yes

then Ctrl + X to exit , Y to save and enter to write file.
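As an added example (not code from the original post or from Cuckoo), here is a pre-flight script that reads the settings from Steps 94 to 100 back out of ~/.cuckoo/conf and checks that they agree with each other and with VirtualBox before you start cuckoo: machinery must be virtualbox, every machine listed in [virtualbox] machines needs a label, an ip on the result server's network and a snapshot, and the label and snapshot must actually exist in VirtualBox. The `check` sub-command and the CUCKOO_CONF_DIR variable are this script's own; the file names, sections and keys are the ones edited above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of Cuckoo itself.
# Pre-flight check for the edits made to ~/.cuckoo/conf above: reads the values
# back out of the INI files and checks they agree with each other and, when
# VirtualBox is available, with the VMs it knows about.
# Assumes the default working directory ~/.cuckoo created in Step 43.

CONF_DIR="${CUCKOO_CONF_DIR:-$HOME/.cuckoo/conf}"

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] with
# surrounding whitespace removed; comment lines (# or ;) are ignored.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; gsub(/[][ \t]/, "", sec); next }
        sec == want_sec && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want_key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# check_config CONF_DIR: static checks across cuckoo.conf and virtualbox.conf.
# Prints one FAIL line per problem and returns non-zero if there were any.
check_config() {
    dir="$1"
    status=0
    machinery=$(ini_get "$dir/cuckoo.conf" cuckoo machinery)
    result_ip=$(ini_get "$dir/cuckoo.conf" resultserver ip)
    machines=$(ini_get "$dir/virtualbox.conf" virtualbox machines | tr ',' ' ')

    [ "$machinery" = "virtualbox" ] || { echo "FAIL: machinery is '$machinery', expected virtualbox"; status=1; }
    [ -n "$machines" ] || { echo "FAIL: no machines listed in [virtualbox]"; status=1; }

    for m in $machines; do
        label=$(ini_get "$dir/virtualbox.conf" "$m" label)
        guest_ip=$(ini_get "$dir/virtualbox.conf" "$m" ip)
        snapshot=$(ini_get "$dir/virtualbox.conf" "$m" snapshot)
        [ -n "$label" ]    || { echo "FAIL: [$m] has no label"; status=1; }
        [ -n "$snapshot" ] || { echo "FAIL: [$m] has no snapshot (see Step 92)"; status=1; }
        # The agent reports back to the result server, so the guest must share
        # its /24; a typo here shows up later as an analysis that never starts.
        [ "${guest_ip%.*}" = "${result_ip%.*}" ] \
            || { echo "FAIL: [$m] ip '$guest_ip' is not on the resultserver network ${result_ip%.*}.0/24"; status=1; }
    done
    return $status
}

# live_check CONF_DIR: ask VirtualBox whether each label and snapshot exists.
live_check() {
    dir="$1"
    status=0
    for m in $(ini_get "$dir/virtualbox.conf" virtualbox machines | tr ',' ' '); do
        label=$(ini_get "$dir/virtualbox.conf" "$m" label)
        snapshot=$(ini_get "$dir/virtualbox.conf" "$m" snapshot)
        vboxmanage list vms | grep -q "^\"$label\" " \
            || { echo "FAIL: VirtualBox has no VM named '$label'"; status=1; }
        vboxmanage snapshot "$label" list 2>/dev/null | grep -q "Name: $snapshot (" \
            || { echo "FAIL: VM '$label' has no snapshot named '$snapshot'"; status=1; }
    done
    return $status
}

case "${1:-}" in
    check)
        check_config "$CONF_DIR" && live_check "$CONF_DIR" && echo "OK: $CONF_DIR is consistent with VirtualBox"
        ;;
esac
```

Run it as `sh cuckoo-preflight.sh check` from the same user account that ran cuckoo; every FAIL line names the file and section to go back and fix, which is much quicker than reading the tracebacks cuckoo prints when it cannot find a machine or its snapshot.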

Step 101: Now shut down your Windows 7 Virtual Machine, then reboot your Ubuntu Virtual Machine. Log back in as the same user who ran cuckoo in Step 43 (not as the cuckoo user): the working directory and configuration live in that user's ~/.cuckoo.

Step 102: Before the first analysis, fetch the Cuckoo Community signatures and processing modules, which are what produce the scores and matched behaviours in the reports. Open a Terminal and type

cuckoo community

Step 103: Now open VirtualBox Manager and start your cuckoo1 Virtual Machine. Log in so the agent's blank command window is showing, then minimise the Virtual Machine. Cuckoo reverts the guest to its snapshot before each task, so anything you change in the running guest from here on is thrown away.

Step 104: Open two Terminal windows. In the first type

cuckoo

and press enter. You will get the starting cuckoo screen and it will sit waiting for analysis tasks.

Step 105: In the second Terminal window type

cuckoo web runserver 127.0.0.1:8000

Step 106: You can now visit the Cuckoo web interface at http://127.0.0.1:8000 in your browser. Binding to 127.0.0.1 keeps it reachable only from the Ubuntu machine. If you need to reach it from other machines on your LAN, bind to 0.0.0.0:8000 instead and browse to the Virtual Machine's IP address, but only on a network you trust or behind a firewall: the web interface has no authentication, and anyone who can reach it can submit tasks and download the malware samples stored on the box.

Finally, a fully operational Cuckoo Sandbox. There are many more settings in the Cuckoo conf files, and you can hook up MISP and other services directly to it.

I hope this tutorial is helpful and comments are always welcome.