Cuckoo Installation on Ubuntu 20

This post is currently being updated to latest versions, including all the feedback received. Thanks for the support.

(Screenshots and Video coming soon)

This tutorial will give you a step by step guide to using Ubuntu 20 Desktop and VirtualBox to create a Cuckoo Malware Analysis environment.

Installation of Ubuntu 20 Desktop

Step 1: Go to and download the .iso.

Step 2: Using the hypervisor of your choice (VMWare Workstation / VirtualBox / VMWare ESXi etc) install the base Ubuntu 20 Desktop.

Make sure that you have set enough RAM and Hard Drive space for your Ubuntu 20 Desktop as you will be running a Windows 7 Virtual Machine inside it with a minimum 4GB RAM and 60 – 80GB Hard Drive.

Step 3: When installing make sure you don’t call your username “cuckoo” otherwise this may conflict with the installation later.

Step 4: Make sure that your Virtual Machine has the VT-x capability enabled. Also make sure you have assigned enough RAM as you will need at least 4GB for your Windows 7 Virtual Machine.

Step 5: Once your Ubuntu 20 Desktop is ready then log in.

Step 6: Click Activities (Top Left) and then type Terminal and click the Terminal icon to start it.

Step 7: You should now have a Terminal window.

Step 8: Make sure that your Ubuntu Desktop is fully updated by running

sudo apt-get update && sudo apt-get upgrade -y

Step 9: Enter your password to run the command as sudo root.

Step 10: If prompted select y to continue. Once the update and upgrade has finished you will be returned to the terminal prompt.

Step 11: It is good security practice to have a separate user to run the sandbox. Now we will create our user:

sudo adduser cuckoo

Step 12: Choose a password for your new user.

Step 13: Enter your user information in the fields as it requests. Alternatively you can just leave blank and press enter.

Step 14: Press Y to confirm the information entered. This will then return you to the terminal prompt.

Step 15: Now we are going to add that user to the sudo group. Type

sudo adduser cuckoo sudo

Step 16: Now we will install the prerequisites for cuckoo.

Step 17: We need to install curl so type

sudo apt-get install curl

and then we need to download the get python pip command, so type

curl -o

Step 18: Now we need to install python so type

sudo apt-get install python

Step 19: Now we need to install python-pip and this can be done using the downloaded file from step 17. So type

sudo python

Step 20: Now we are going to install the pre-requisites needed to install both VirtualBox and Cuckoo so type

sudo apt-get install -y python-dev libffi-dev libssl-dev libfuzzy-dev libtool flex autoconf libjansson-dev git

Step 21: Once these have installed now we need to install the Python supporting tools so type

sudo apt-get install -y python-setuptools

Step 22: Now we will install jpeg and interface supporting tools

sudo apt-get install -y libjpeg-dev zlib1g-dev swig

Step 23: Now to install mongodb by typing

sudo apt-get install -y mongodb

Step 24: Cuckoo’s recommended database is PostgreSQL so install it by running

sudo apt-get install -y postgresql libpq-dev

Step 25: Now we move on to installing VirtualBox. The current version of Virtual Box is 6.1.

Step 26: Now we will install Virtual Box 6.1 so type

sudo apt-get install -y virtualbox

Step 27: Now we will download and install all the plugins needed for cuckoo to work. Change to your Downloads folder by typing

cd Downloads/

or if you are not currently in your home directory type


Step 28: So now we start with installing Volatility type

git clone


cd volatility

Step 29: Next we are going to build it type

sudo python build

now install it

sudo python install

Step 30: Now go back up to your Downloads directory type

cd ..

Step 31: Now were going to install Distorm3 type

sudo -H pip install distorm3==3.4.4

Step 32: Now were going to install Yara so type

sudo -H pip install yara-python==3.6.3

Step 33: Now were going to install ssdeep so type

sudo apt-get install -y ssdeep

Now verify its installed by typing

ssdeep -V

You should get 2.14.1 as the version.

Step 34: Now we will install pydeep by typing

sudo -H pip install pydeep

we can check it installed ok by typing

pip show pydeep

Step 35: Now we will install openpyxl by typing

sudo -H pip install openpyxl

Step 36: Now install ujson by typing

sudo -H pip install ujson

Step 37: Now install jupyter by typing

sudo -H pip install jupyter

Step 38: Now we will install TCPDump to enable packet capture analysis. Type

sudo apt-get install tcpdump

it may already be installed. Now type

sudo apt-get install libcap2-bin

it may already be installed. Type

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

and then

getcap /usr/sbin/tcpdump

Step 39: We need to install and disable apparmor due to it silently protecting the Ubuntu operating system by securing applications and we want TCP Dump to run correctly by typing

sudo apt-get install -y apparmor-utils

and then type

sudo aa-disable /usr/sbin/tcpdump

Step 40: Now finally we can install Cuckoo Sandbox.

Step 41: Type

pip install -U pip setuptools

it may say that the requirements are already met.

Step 42: Now we will install Cuckoo so type

sudo -H pip install -U cuckoo

Step 43: Now to create the default directory’s for Cuckoo type


Step 44: Now we need to setup the virtualbox environment. We need to install net-tools so type

sudo apt install -y net-tools

Step 45: Now type


to find the IP address information of your Virtual machine.

Step 46: Now we want to create a host only network adapter so type

vboxmanage hostonlyif create

Step 47: We now want to set the IP address for the virtual interface so type

vboxmanage hostonlyif ipconfig vboxnet0 --ip

Step 48: Now if you run


again you will see your interface and IP address you have just set.

Step 49: We want to make these changes survive a reboot and set automatically during system startup. So we need to make a new directory so type

sudo mkdir /opt/systemd/


sudo nano /opt/systemd/vboxhostonly

and copy the following code into the file:

hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip

then Ctrl + X to exit , Y to save and enter to write file.

Step 50: Now we need to make the file executable so type

cd /opt/systemd/


sudo chmod a+x vboxhostonly

Step 51: now we need to create a service so type

sudo touch /etc/systemd/system/vboxhostonlynic.service

Step 52: Edit the file by typing

sudo nano /etc/systemd/system/vboxhostonlynic.service

and then typing in:

Description=Setup VirtualBox Hostonly Adapter



then Ctrl + X to exit , Y to save and enter to write file.

Step 53: Now to install the service and ensure it loads at boot time type:

systemctl daemon-reload
systemctl enable vboxhostonlynic.service

That is the networking complete.

Step 54: We are now going to create a Windows 7 SP1 x64 Virtual Machine using Virtual Box. *Please note you will need your own licence for this part

Step 55: Click on the Menu icon bottom left and then type or select Virtual Box.

Step 56: Once you have selected it the Oracle VirtualBox Manager should start.

Step 57: We are now going to create our Windows 7 Virtual Machine. So click on the New icon to create a new Virtual Machine.

Step 58: Enter a name, for ease we have called our Virtual Machine cuckoo1. Choose your OS that you are installing.

Step 59: Now click next. Choose the RAM size you want to allocate. Ideally minimum is 4GB. For my one I will set to 7024 MB (7GB ish).

Step 60: Click next. Create the virtual hard disk by clicking Create.

Step 61: Select VDI and click Next.

Step 62: Select Dynamically allocated and then click next.

Step 63: Choose your Hard Disk size. I have set to 80 GB.

Step 64: Now click Create.

Step 65: Now you need to mount the Windows 7 iso file to your Ubuntu Virtual Machine.

Step 66: Click Ok. THis will now mount the Windows 7 .iso into the Virtual Machine. Now click on Settings in VirtualBox and then go to Storage. Now click on the CD (Empty). TO the right or Optical Drive click the down arrow next to the CD and choose the Host Drive as the CD Choice.

Step 67: Click Ok to close, then start to start your Virtual Machine. Follow the normal Windows 7 Installation. I have called my Windows 7 Virtual Machine cuckoo1.

Step 68: Now your Windows 7 Virtual Machine is built log in. We are going to make some changes to make the Virtual Machine vulnerable on purpose. Go to start and type in Group. You should see the Edit Group Policy option.

Step 69: Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Scroll down to the User Account Control options.

Step 70: Right click the “User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode” and select Properties. Using the drop down menu select Elevate without prompting and click ok.

Step 71: Right click the “User Account Control: Detect application installations and prompt for elevation” and select Properties. Check the Disabled option and click ok.

Step 72: Right click the “User Account Control: Run all administrators in Admin Approval Mode” and select Properties. Check the Disabled option and click ok.

Step 73: Now we are going to disable the automatic install of Windows Updates. Go to Computer Configuration > Administrative Templates > Windows Components > Windows Update and right click Configure Automatic Updates and edit. Select Enabled, 2- Notify for download and notify for install, then click ok.

Step 74: Now we need to remove the Windows protection from the network. Go to Computer Configuration > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall and change “Protect all network connections” to Disabled.

Step 75: Next we need to disable Windows Defender as we have no need for anti virus or malware protection. We do this by going to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus then set “Turn off Windows Defender Antivirus” to Enabled.

Step 76: The easiest way to get these files to your Windows 7 Virtual Machine is to install VirtualBox Guest Additions and create a shared folder.

You do this by clicking Devices in the VirtualBox window and choose install VirtualBox Guest Additions. This will then mount a CD into your Virtual Machine and you can then you can run from the CD in your Virtual Machine.

Once you have set up the shared folder reboot your Windows 7 Virtual Machine and then login and you can go to File explorer in Windows and type \\vboxsvr\*Downloads and this will take you to the mapped shared folder. *I shared my Ubuntu Downloads folder.

Step 77: Now we need to install Python 2.7 for windows. You can download it from Place this .msi into your shared folder and run from your Windows 7 Virtual Machine. Next download Python Pillow from Place this .msi into your shared folder and run from your Windows 7 Virtual Machine.

Step 78: Now install Adobe Reader, Flash, Java and Microsoft Office (Optional) and any other applications you think yo may need.

Step 79: Open up Internet Explorer and Adobe Reader and any other application that may have a splash screen which may interfere with the operation of the cuckoo client.

Step 80: Upload the file from your Ubuntu host which can be found in the


directory on your Ubuntu machine. You can do this by copying it into the Downloads or shared folder with your Virtual Machine.

cd ~/.cuckoo/agent


cp ~/Downloads

Step 81: Copy the file and place it in C:\Users\*USERNAME*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup this will then start the on boot up of the Virtual Machine. On the Windows 7 Virtual Machine you will need to Show hidden files and folders for the AppData folder to be seen.

You can do this by going to file explorer and then Organizse > Folder Options.

Step 82: Once you are happy that you have all the required software installed reboot the Windows 7 Virtual Machine and log in. You should get a blank command window appear. If you get a network popup click allow.

Step 83: You can now minimise the Virtual Machine down.

Step 84: So now we have created our Windows 7 Virtual Machine we need to set up the networking to create the sandbox environment. Click on the VirtualBox Manager and click settings for the Windows 7 Virtual Machine. Select Network and then change Attached to: Host-only Adapter and select vboxnet0 in the Name. Click OK.

Step 85: Now you need to make this persistent. Type

sudo apt-get install -y iptables-persistent

and choose yes when it prompts you to save current config

Step 86: Now we need to configure IP forwarding so an internet connection gets routed from the host machine to the guest Virtual Machine. We will use iptables to set these network forwarding rules:

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s -m conntrack --ctstate NEW -j ACCEPT


sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Step 87: You can check your rules by running

sudo iptables -L

Step 88: Now enable IP forwarding in the kernel so that these settings are set to Active (required for WWW Internet access):

echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward


sudo sysctl -w net.ipv4.ip_forward=1

Step 89: Now we need to make sure that the IP forwarding starts up after a reboot. Type

sudo nano /etc/sysctl.conf

and remove the # from


then Ctrl + X to exit , Y to save and enter to write file. Now run

sudo su –


iptables-save > /etc/iptables/rules.v4

Step 90: Now we need to configure our Windows 7 Virtual Machine IP Address information. Open the network adapters in and set up the following information:

Step 91: Once you click OK and OK you should then get internet connectivity again.

Step 92: We now want to take a snapshot of the Virtual Machine, so click Machine > Take Snapshot. Name it Snapshot 1 and click ok.

Step 93: We now need to finish off the configuration of the Cuckoo services on our Ubuntu 20 workstation. All the Cuckoo configuration files are located in the


or from your home directory

cd .cuckoo/


Step 94: Change into the config directory type

cd ~/.cuckoo/conf

Edit the cuckoo.conf file by 

sudo nano cuckoo.conf

Ensure that the following are set: 

machinery = virtualboxmemory_dump = yes

and resultserver

resultserver ip =

then Ctrl + X to exit , Y to save and enter to write file.

Step 95: Edit the auxiliary.conf file by 

sudo nano auxiliary.conf

ensure that the sniffer is

enabled = yes

then Ctrl + X to exit , Y to save and enter to write file.

Step 96: Edit the virtualbox.conf file by

sudo nano virtualbox.conf

and ensure that virtualbox

mode = gui


machines = cuckoo1

(change name to your Windows 7 Virtual Machine Name if required and

label = cuckoo1


platform = windows


ip =


snapshot = Snapshot 1

then Ctrl + X to exit , Y to save and enter to write file.

Step 97: Edit the processing.conf file by

sudo nano processing.conf

and ensure that memory

enabled = yes

then Ctrl + X to exit , Y to save and enter to write file.

Step 98: Edit the memory.conf file by

sudo nano memory.conf

and ensure that basic

guest_profile = Win7SP1x64

then Ctrl + X to exit , Y to save and enter to write file.

Step 99: If you require another Operating System then you can get a full list of the supported profiles by running --info |grep Profiles -A48

Step 100: Edit reporting.conf file by

sudo nano reporting.conf

and ensure that singlefile Enable creation of report.html

enabled = yes

and mongodb

enabled = yes

then Ctrl + X to exit , Y to save and enter to write file.

Step 101: Now shutdown your Windows 7 Virtual Machine, then reboot your Ubuntu Virtual Machine. Log back in as the same user (do not log in as the cuckoo user)

Step 102: Now to use Cuckoo you first need to update Cuckoo’s scoring signatures so open a Terminal and type

cuckoo community

Step 103: Now open VirtualBox Manager and start your cuckoo1 Virtual Machine. Log in so you have the blank command window showing and then minimize the Virtual Machine.

Step 104: Now in Terminal window 1 type


and press enter. You will get the starting cuckoo screen and it will sit waiting for analysis tasks.

Step 105: In the second Terminal window type

cuckoo web runserver

Step 106: Now you can visit the Cuckoo Web Server via or the Virtual Machine IP Address on your local network via your browser.

Finally a Fully operational Cuckoo Sandbox. Their are lots more settings within the Cuckoo conf files and you can hook up MISP and other services directly to it.

I hope this tutorial is helpful and comments are always welcome.