This tutorial will give you a step-by-step guide to using Ubuntu 20 Desktop and VirtualBox to create a Cuckoo malware analysis environment.

Installation of Ubuntu 20 Desktop

Step 1: Go to https://ubuntu.com/download/desktop and download the .iso.

Step 2: Using the hypervisor of your choice (VMware Workstation, VirtualBox, VMware ESXi, etc.), install the base Ubuntu 20 Desktop.

Make sure that you have allocated enough RAM and hard drive space to your Ubuntu 20 Desktop, as you will be running a Windows 7 Virtual Machine inside it that needs a minimum of 4GB RAM and 60 – 80GB of hard drive space.

Step 3: When installing, make sure you don’t call your username “cuckoo”, otherwise this may conflict with the installation later.

Step 4: Make sure that your Virtual Machine has VT-x enabled (nested virtualization exposed by your outer hypervisor), since VirtualBox will be running a second Virtual Machine inside it. Also make sure you have assigned enough RAM, as you will need at least 4GB for your Windows 7 Virtual Machine.

Step 5: Once your Ubuntu 20 Desktop is ready then log in.

Step 6: Click Activities (Top Left) and then type Terminal and click the Terminal icon to start it.

Step 7: You should now have a Terminal window.

Step 8: Make sure that your Ubuntu Desktop is fully updated by running sudo apt-get update && sudo apt-get upgrade -y

Step 9: Enter your password so the command runs as root via sudo.

Step 10: If prompted select y to continue. Once the update and upgrade has finished you will be returned to the terminal prompt.

Step 11: It is good security practice to have a separate user to run the sandbox. Now we will create our user: sudo adduser cuckoo

Step 12: Choose a password for your new user.

Step 13: Enter your user information in the fields as requested, or just leave them blank and press Enter. Press Y to confirm the information entered. This will then return you to the terminal prompt.

Step 14: Now we are going to add that user to the sudo group. Type sudo adduser cuckoo sudo

Step 15: Now we will install the prerequisites for cuckoo.

Step 16: We need to install curl, so type sudo apt-get install curl. Then download the pip installer script by typing curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

Step 17: Now we need to install python so type sudo apt-get install python

Step 18: Now we need to install python-pip and this can be done using the downloaded file from step 16. So type sudo python get-pip.py

Step 19: Now we are going to install the prerequisites needed to build both VirtualBox and Cuckoo, so type sudo apt-get install -y python-dev libffi-dev libssl-dev libfuzzy-dev libtool flex autoconf libjansson-dev git

Step 20: Once these have installed we need the Python setup tools, so type sudo apt-get install -y python-setuptools

Step 21: Now we will install the JPEG, zlib and SWIG development packages by typing sudo apt-get install -y libjpeg-dev zlib1g-dev swig

Step 22: Now install MongoDB by typing sudo apt-get install -y mongodb

Step 23: Cuckoo’s recommended database is PostgreSQL, so install it by running sudo apt-get install -y postgresql libpq-dev

Step 24: Now we move on to installing VirtualBox. The current version of VirtualBox is 6.1.

Step 25: Install VirtualBox 6.1 by typing sudo apt-get install -y virtualbox

Step 26: Now we will download and install all the plugins needed for Cuckoo to work. Change to your Downloads folder by typing cd Downloads/, or if you are not currently in your home directory type cd ~/Downloads

Step 27: So now we start by installing Volatility. Type git clone https://github.com/volatilityfoundation/volatility.git then cd volatility

Step 28: Next we build it by typing sudo python setup.py build, then install it with sudo python setup.py install

Step 29: Now go back up to your Downloads directory by typing cd ..

Step 30: Now we’re going to install Distorm3. Type sudo -H pip install distorm3==3.4.4

Step 31: Now we’re going to install Yara, so type sudo -H pip install yara-python==3.6.3

Step 32: Now we’re going to install ssdeep, so type sudo apt-get install -y ssdeep. Now verify it’s installed by typing ssdeep -V. You should get 2.14.1 as the version.

Step 33: Now we will install pydeep by typing sudo -H pip install pydeep. We can check it installed OK by typing pip show pydeep

Step 34: Now we will install openpyxl by typing sudo -H pip install openpyxl

Step 35: Now install ujson by typing sudo -H pip install ujson

Step 36: Now install jupyter by typing sudo -H pip install jupyter

Step 37: Now we will install tcpdump to enable packet capture for analysis. Type sudo apt-get install tcpdump (it may already be installed). Now type sudo apt-get install libcap2-bin (it may already be installed too). Then grant tcpdump the capabilities it needs to capture packets without running as root by typing sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump and verify the result with getcap /usr/sbin/tcpdump

Step 38: AppArmor silently confines applications on Ubuntu, and we want tcpdump to run without that confinement so that Cuckoo can drive it correctly. Install the AppArmor utilities and disable the tcpdump profile by typing sudo apt-get install -y apparmor-utils and then sudo aa-disable /usr/sbin/tcpdump

Step 39: Now finally we can install Cuckoo Sandbox.

Step 40: Type pip install -U pip setuptools. It may say that the requirements are already satisfied.

Step 41: Now we will install Cuckoo, so type sudo -H pip install -U cuckoo

Step 42: Now create the default directories for Cuckoo by typing cuckoo

Step 43: Now we need to set up the VirtualBox environment. We need to install net-tools, so type sudo apt install -y net-tools

Step 44: Now type ifconfig to find the IP address information of your Virtual machine.

Step 45: Now we want to create a host only network adapter so type vboxmanage hostonlyif create

Step 46: We now want to set the IP address for the virtual interface so type vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

Step 47: Now if you run ifconfig again you will see your interface and IP address you have just set.

Step 48: We want these changes to survive a reboot and be applied automatically at system startup. So make a new directory by typing sudo mkdir /opt/systemd/, then sudo nano /opt/systemd/vboxhostonly, and copy the following script into the file (note the #! on the first line and the vboxmanage prefix on both commands):
#!/bin/bash
# Recreate the VirtualBox host-only adapter and give it the address Cuckoo's result server listens on
vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

then Ctrl + X to exit , Y to save and enter to write file.

Step 49: Now we need to make the file executable so type cd /opt/systemd/ then sudo chmod a+x vboxhostonly

Step 50: Now we need to create a service, so type sudo touch /etc/systemd/system/vboxhostonlynic.service

Step 51: Edit the file by typing sudo nano /etc/systemd/system/vboxhostonlynic.service and then typing in:
[Unit]
Description=Setup VirtualBox Hostonly Adapter
After=vboxdrv.service

[Service]
Type=oneshot
ExecStart=/opt/systemd/vboxhostonly

[Install]
WantedBy=multi-user.target

then Ctrl + X to exit , Y to save and enter to write file.

Step 52: Now to install the service and ensure it loads at boot time type:
sudo systemctl daemon-reload
sudo systemctl enable vboxhostonlynic.service

That is the networking complete.

Step 53: We are now going to create a Windows 7 SP1 x64 Virtual Machine using Virtual Box. *Please note you will need your own licence for this part

Step 54: Click on the Menu icon bottom left and then type or select Virtual Box.

Step 55: Once you have selected it the Oracle VirtualBox Manager should start.

Step 56: We are now going to create our Windows 7 Virtual Machine. So click on the New icon to create a new Virtual Machine.

Step 57: Enter a name, for ease we have called our Virtual Machine cuckoo1. Choose your OS that you are installing.

Step 58: Now click Next. Choose the RAM size you want to allocate. Ideally the minimum is 4GB. For mine I will set it to 7024 MB (roughly 7GB).

Step 59: Click next. Create the virtual hard disk by clicking Create.

Step 60: Select VDI and click Next.

Step 61: Select Dynamically allocated and then click next.

Step 62: Choose your Hard Disk size. I have set to 80 GB.

Step 63: Now click Create.

Step 64: Now you need to mount the Windows 7 .iso file to your Ubuntu Virtual Machine.

Step 65: Click OK. This will now mount the Windows 7 .iso into the Virtual Machine. Now click on Settings in VirtualBox and then go to Storage. Now click on the CD (Empty). To the right, under Optical Drive, click the down arrow next to the CD icon and choose Host Drive as the CD choice.

Step 66: Click OK to close, then click Start to boot your Virtual Machine. Follow the normal Windows 7 installation. I have called my Windows 7 Virtual Machine cuckoo1.

Step 67: Now that your Windows 7 Virtual Machine is built, log in. We are going to make some changes to make the Virtual Machine vulnerable on purpose, so that malware can run unhindered during analysis. Go to Start and type in Group. You should see the Edit Group Policy option.

Step 68: Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Scroll down to the User Account Control options.

Step 69: Right click the “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” and select Properties. Using the drop down menu select Elevate without prompting and click ok.

Step 70: Right click the “User Account Control: Detect application installations and prompt for elevation” and select Properties. Check the Disabled option and click ok.

Step 71: Right click the “User Account Control: Run all administrators in Admin Approval Mode” and select Properties. Check the Disabled option and click ok.

Step 72: Now we are going to disable the automatic install of Windows Updates. Go to Computer Configuration > Administrative Templates > Windows Components > Windows Update and right click Configure Automatic Updates and edit. Select Enabled, 2- Notify for download and notify for install, then click ok.

Step 73: Now we need to remove the Windows protection from the network. Go to Computer Configuration > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall and change “Protect all network connections” to Disabled.

Step 74: Next we need to disable Windows Defender as we have no need for anti virus or malware protection. We do this by going to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus then set “Turn off Windows Defender Antivirus” to Enabled.

Step 75: The easiest way to get files into your Windows 7 Virtual Machine is to install VirtualBox Guest Additions and create a shared folder.

You do this by clicking Devices in the VirtualBox window and choosing Install VirtualBox Guest Additions. This mounts a CD in your Virtual Machine, and you can then run the installer from that CD inside the Virtual Machine.

Once you have set up the shared folder, reboot your Windows 7 Virtual Machine, log in, open File Explorer in Windows and type \\vboxsvr\*Downloads; this will take you to the mapped shared folder. *I shared my Ubuntu Downloads folder, so substitute the name of the folder you shared.

Step 76: Now we need to install Python 2.7 for Windows. You can download it from https://www.python.org/ftp/python/2.7.8/python-2.7.8.amd64.msi Place this .msi into your shared folder and run it from your Windows 7 Virtual Machine. Next download Python Pillow from https://pypi.python.org/packages/2.7/P/Pillow/Pillow-2.5.3.win-amd64-py2.7.exe#md5=33c3a581ff1538b4f79b4651084090c8 Place this .exe into your shared folder and run it from your Windows 7 Virtual Machine.

Step 77: Now install Adobe Reader, Flash, Java and Microsoft Office (optional) and any other applications you think you may need.

Step 78: Open Internet Explorer, Adobe Reader and any other application that shows a first-run splash screen or dialog, and dismiss them, since such popups can interfere with the operation of the Cuckoo agent.

Step 79: Copy the agent.py file from your Ubuntu host, which can be found in the ~/.cuckoo/agent directory, into the Downloads or shared folder for your Virtual Machine: cd ~/.cuckoo/agent then cp agent.py ~/Downloads

Step 80: Copy the agent.py file into C:\Users\*USERNAME*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. This will then start agent.py each time the Virtual Machine boots. On the Windows 7 Virtual Machine you will need to show hidden files and folders for the AppData folder to be visible.

You can do this by going to File Explorer and then Organize > Folder Options.

Step 81: Once you are happy that you have all the required software installed, reboot the Windows 7 Virtual Machine and log in. You should see a blank command window appear (this is agent.py running). If you get a network popup, click Allow.

Step 82: You can now minimize the Virtual Machine down.

Step 83: So now we have created our Windows 7 Virtual Machine we need to set up the networking to create the sandbox environment. Click on the VirtualBox Manager and click settings for the Windows 7 Virtual Machine. Select Network and then change Attached to: Host-only Adapter and select vboxnet0 in the Name. Click OK.

Step 84: Now install iptables-persistent so the forwarding rules you are about to add can be saved and restored on reboot. Type sudo apt-get install -y iptables-persistent and choose Yes when it prompts you to save the current config.

Step 85: Now we need to configure IP forwarding so an internet connection gets routed from the host machine to the guest Virtual Machine. We will use iptables to set these network forwarding rules (replace eth0 with the name of your Ubuntu machine’s uplink interface as shown by ifconfig in step 44 if it differs): sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT then sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT then sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Step 86: You can check your rules by running sudo iptables -L

Step 87: Now enable IP forwarding in the kernel so these settings are active (required for Internet access from the guest): echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward then sudo sysctl -w net.ipv4.ip_forward=1

Step 88: Now we need to make sure that IP forwarding is enabled again after a reboot. Type sudo nano /etc/sysctl.conf and remove the # from net.ipv4.ip_forward=1, then Ctrl + X to exit, Y to save and Enter to write the file. Now run sudo su - then iptables-save > /etc/iptables/rules.v4

Step 89: Now we need to configure our Windows 7 Virtual Machine’s IP address information. Open the network adapter’s IPv4 properties in Windows and set a static address on the host-only network, matching the values used elsewhere in this tutorial: IP address 192.168.56.101, subnet mask 255.255.255.0 and default gateway 192.168.56.1 (the vboxnet0 interface on the Ubuntu host).

Step 90: Once you click OK and OK you should then get internet connectivity again.

Step 91: We now want to take a snapshot of the Virtual Machine, so click Machine > Take Snapshot. Name it Snapshot 1 and click ok.

Step 92: We now need to finish off the configuration of the Cuckoo services on our Ubuntu 20 workstation. All the Cuckoo configuration files are located in ~/.cuckoo/conf (from your home directory, cd .cuckoo/conf).

Step 93: Change into the config directory by typing cd ~/.cuckoo/conf. Edit the cuckoo.conf file with sudo nano cuckoo.conf and ensure that the following are set: under [cuckoo], machinery = virtualbox and memory_dump = yes; under [resultserver], ip = 192.168.56.1. Then Ctrl + X to exit, Y to save and Enter to write the file.

Step 94: Edit the auxiliary.conf file with sudo nano auxiliary.conf and ensure that under [sniffer] enabled = yes. Then Ctrl + X to exit, Y to save and Enter to write the file.

Step 95: Edit the virtualbox.conf file with sudo nano virtualbox.conf and ensure that under [virtualbox] mode = gui and machines = cuckoo1 (change the name to your Windows 7 Virtual Machine name if required), and that the [cuckoo1] section has label = cuckoo1, platform = windows, ip = 192.168.56.101 and snapshot = Snapshot 1. Then Ctrl + X to exit, Y to save and Enter to write the file.

Step 96: Edit the processing.conf file with sudo nano processing.conf and ensure that under [memory] enabled = yes. Then Ctrl + X to exit, Y to save and Enter to write the file.

Step 97: Edit the memory.conf file with sudo nano memory.conf and ensure that under [basic] guest_profile = Win7SP1x64. Then Ctrl + X to exit, Y to save and Enter to write the file.

Step 98: If you require another operating system then you can get a full list of the supported profiles by running vol.py --info | grep Profiles -A48

Step 99: Edit the reporting.conf file with sudo nano reporting.conf and ensure that under [singlefile] (“Enable creation of report.html”) enabled = yes and under [mongodb] enabled = yes. Then Ctrl + X to exit, Y to save and Enter to write the file.
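As an added example (not part of the original tutorial and not Cuckoo’s own code), here is a small Python 3 script that checks the settings from steps 93 to 99 and also confirms that every machine listed in virtualbox.conf has an IP on the result server’s /24 and a snapshot name to restore. It assumes Cuckoo’s ConfigParser-style conf layout and the addresses used in this tutorial; the sample conf contents are constructed inline.

```python
import configparser, ipaddress, os

# Added example (not Cuckoo's own code): (section, key, expected) per conf file, as set in steps 93-99.
EXPECTED = {
    "cuckoo.conf": [("cuckoo", "machinery", "virtualbox"), ("cuckoo", "memory_dump", "yes"),
                    ("resultserver", "ip", "192.168.56.1")],
    "auxiliary.conf": [("sniffer", "enabled", "yes")],
    "virtualbox.conf": [("virtualbox", "mode", "gui")],
    "processing.conf": [("memory", "enabled", "yes")],
    "memory.conf": [("basic", "guest_profile", "Win7SP1x64")],
    "reporting.conf": [("singlefile", "enabled", "yes"), ("mongodb", "enabled", "yes")],
}
def check_confs(texts):
    """texts maps conf file name -> INI contents. Returns a list of problems (empty = all good)."""
    cfg = {n: configparser.ConfigParser(interpolation=None) for n in EXPECTED}
    for n in EXPECTED:
        cfg[n].read_string(texts.get(n, ""))  # Cuckoo conf files are plain ConfigParser INI
    problems = []
    for name, rules in EXPECTED.items():
        for section, key, want in rules:
            got = cfg[name].get(section, key, fallback=None)
            if got is None or got.strip().lower() != want.lower():
                problems.append(f"{name}: [{section}] {key} is {got!r}, expected {want!r}")
    # Each VM in machines= needs an IP on the resultserver's host-only /24 and a snapshot to restore.
    vbox = cfg["virtualbox.conf"]
    host_ip = cfg["cuckoo.conf"].get("resultserver", "ip", fallback="192.168.56.1")
    subnet = ipaddress.ip_network(host_ip + "/24", strict=False)
    for vm in [m.strip() for m in vbox.get("virtualbox", "machines", fallback="").split(",") if m.strip()]:
        guest_ip = vbox.get(vm, "ip", fallback="")
        try:
            on_subnet = ipaddress.ip_address(guest_ip) in subnet
        except ValueError:
            on_subnet = False
        if not on_subnet:
            problems.append(f"virtualbox.conf: [{vm}] ip {guest_ip!r} is not inside {subnet}")
        if not vbox.get(vm, "snapshot", fallback=""):
            problems.append(f"virtualbox.conf: [{vm}] has no snapshot set")
    return problems
def check_conf_dir(conf_dir=os.path.expanduser("~/.cuckoo/conf")):
    """Same checks against the real files on disk; a missing file counts as empty."""
    paths = {n: os.path.join(conf_dir, n) for n in EXPECTED}
    return check_confs({n: open(p).read() for n, p in paths.items() if os.path.exists(p)})
def sample(guest_ip="192.168.56.101"):
    """Constructed conf contents mirroring this tutorial; change guest_ip to see a failure."""
    return {"cuckoo.conf": "[cuckoo]\nmachinery = virtualbox\nmemory_dump = yes\n[resultserver]\nip = 192.168.56.1\n",
            "auxiliary.conf": "[sniffer]\nenabled = yes\n", "processing.conf": "[memory]\nenabled = yes\n",
            "virtualbox.conf": "[virtualbox]\nmode = gui\nmachines = cuckoo1\n[cuckoo1]\nlabel = cuckoo1\n"
                               f"platform = windows\nip = {guest_ip}\nsnapshot = Snapshot 1\n",
            "memory.conf": "[basic]\nguest_profile = Win7SP1x64\n", "reporting.conf": "[singlefile]\nenabled = yes\n[mongodb]\nenabled = yes\n"}
```

Run check_conf_dir() on the Ubuntu host after step 99; an empty list means every setting above is in place, and each reported line names the file, section and key that still needs editing.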

Step 100: Now shutdown your Windows 7 Virtual Machine, then reboot your Ubuntu Virtual Machine. Log back in as the same user (do not log in as the cuckoo user)

Step 101: Now to use Cuckoo you first need to update Cuckoo’s scoring signatures so open a Terminal and type cuckoo community

Step 102: Now open VirtualBox Manager and start your cuckoo1 Virtual Machine. Log in so you have the blank command window showing and then minimize the Virtual Machine.

Step 103: Now in Terminal window 1 type cuckoo and press enter. You will get the starting cuckoo screen and it will sit waiting for analysis tasks.

Step 104: In the second Terminal window type cuckoo web runserver 0.0.0.0:8000

Step 105: Now you can visit the Cuckoo Web Server via 127.0.0.1:8000 or the Virtual Machine IP Address on your local network via your browser.

Finally, a fully operational Cuckoo Sandbox. There are lots more settings within the Cuckoo conf files, and you can hook up MISP and other services directly to it.

I hope this tutorial is helpful and comments are always welcome. You can either leave a comment below or contact me.