TLDR: As part of our SANS SEC599 development efforts, we updated (fixed + added some new features) an existing Cuckoo Auto Install script by Buguroo Security to automate Cuckoo sandbox installation (& VM import). Download it from our Github here.
Intro
As a blue team member, you often need to analyze a piece of malware yourself, for example when you discover a malware sample in your network and suspect it might be part of a targeted attack. There are a few options in this case: you could reverse the sample or do some static analysis, but maybe you want to get a "quick" insight by running it in a sandbox. Submitting your samples to public, online malware analysis services is often not desirable, as this might tip off your adversaries. So, how to proceed?
In the SANS training SEC599 that we've co-developed at NVISO ("Defeating Advanced Adversaries – Implementing Kill Chain Defenses"), we decided we wanted to show students how analysis can be performed using Cuckoo sandbox, a popular open source automated malware analysis system (We do love Cuckoo!).
After manually re-deploying Cuckoo a number of times in different environments, I (Erik speaking here) figured there must be a better way. After some Googling, I found the CuckooAutoinstall script created by Buguroo Security!
An excellent effort indeed, but it hadn't been updated for a while, so we decided to update this script to include some additional features and to enable it to run with the latest versions of Ubuntu (16.04 LTS) and Cuckoo (2.0.5). You can find it on our GitHub repository.
Preparing your sandbox
Before we do a walk-through of this script, let's pause a moment to consider what it takes to set up a malware analysis environment. The type of analysis performed by Cuckoo can be classified as dynamic analysis: the malware sample is executed in a controlled environment (a Virtual Machine) and its behavior is observed. As most malware targets the Windows operating system and/or the applications running on it, you will need to create a Windows VM for Cuckoo.
You will need to step out of your role as a blue team member to prepare this VM: this VM has to be as vulnerable as possible! To increase the chances of malware executing inside the VM, you will have to disable most of the protections and hardening you would implement on machines in your corporate network. For example, you will not install anti-virus in this VM, you will disable UAC, and you will not install patches.
To properly analyze malicious Office documents, you will use an older, unpatched version of Microsoft Office and you will disable macro security: you want the macros to run as soon as the document is opened, without user interaction.
Take your hardening policies and guidelines, and then …, do the opposite! It will be fun (they said…)!
Using CuckooAutoinstall
Installing Cuckoo with CuckooAutoinstall is easy: prepare your VM and export it to the OVA format, update the script with your VM settings, and execute it as root. We will discuss how you can create Cuckoo analysis VMs in a follow-up blog post!
It's best that your Ubuntu OS is up-to-date before you launch the script, otherwise you might encounter errors when CuckooAutoinstall installs the necessary dependencies, like this error on Ubuntu:
Updating the script with your VM settings is easy; these are the parameters you can change:
CUCKOO_GUEST_IMAGE="/tmp/W7-01.ova"
CUCKOO_GUEST_NAME="vm"
CUCKOO_GUEST_IP="192.168.87.15"
INTERNET_INT_NAME="eth0"
Then execute the script as root. It will take about 15 minutes to execute, depending on your Internet speed and the size of your VM. If you are interested in seeing the progress of the script step by step, use the --verbose option.
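The installer only reports a failed step with a red mark, so it helps to validate the four settings above before running it as root. The following pre-flight script is an added example, not part of the CuckooAutoinstall script or of this post; the HOSTONLY_NET variable, the check_* function names and the --check/--agent options are assumptions of this example. It checks that the OVA is readable by other users (the script runs its VBoxManage commands as the unprivileged cuckoo user), that the VM name is a name rather than a path, that the guest IP is a usable host address in the host-only network, and that the Internet-facing interface exists. It can also probe the guest agent on port 8000 once the VM is running, which is what Cuckoo itself needs for an analysis to start.

```shell
#!/bin/sh
# Added pre-flight check for a CuckooAutoinstall run (example code, not part of
# the NVISO/Buguroo script). Validates the script's settings before anything is
# installed so that common VBoxManage failures surface early.

# Values copied from the script's defaults; adjust to your environment.
CUCKOO_GUEST_IMAGE="/tmp/W7-01.ova"
CUCKOO_GUEST_NAME="vm"
CUCKOO_GUEST_IP="192.168.87.15"
INTERNET_INT_NAME="eth0"
# Assumed: first three octets of the VirtualBox host-only network for the guest.
HOSTONLY_NET="192.168.87"

# The OVA is imported by the unprivileged 'cuckoo' user, so it must exist and be
# readable by "others". Mode bits are checked rather than -r, because running
# this as root would otherwise always succeed (VERR_ACCESS_DENIED case).
check_ova_readable() {
  f=$1
  [ -f "$f" ] || { echo "OVA not found: $f"; return 1; }
  perms=$(stat -c '%A' "$f") || return 1
  case "$perms" in
    ???????r??) return 0 ;;
    *) echo "OVA is not world-readable ($perms): $f"; return 1 ;;
  esac
}

# VirtualBox wants the registered machine name, not a path to the OVA.
check_vm_name() {
  n=$1
  [ -n "$n" ] || { echo "CUCKOO_GUEST_NAME is empty"; return 1; }
  case "$n" in
    */*|*" "*) echo "CUCKOO_GUEST_NAME must be a VM name, not a path: $n"; return 1 ;;
  esac
  return 0
}

# The guest IP must be a host address inside the host-only /24; .1 is usually
# the host side of the vboxnet adapter and .0/.255 are not usable.
check_guest_ip() {
  ip=$1; net=$2
  case "$ip" in
    "$net".*) ;;
    *) echo "Guest IP $ip is not in $net.0/24"; return 1 ;;
  esac
  last=${ip##*.}
  case "$last" in
    ''|*[!0-9]*) echo "Bad guest IP: $ip"; return 1 ;;
  esac
  if [ "$last" -lt 2 ] || [ "$last" -gt 254 ]; then
    echo "Guest IP host part must be 2..254: $ip"; return 1
  fi
  return 0
}

# The interface used for the guest's Internet access must exist on this host.
check_iface() {
  [ -d "/sys/class/net/$1" ] || { echo "No such interface: $1"; return 1; }
}

# The Cuckoo agent answers on port 8000 with a JSON body containing
# "Cuckoo Agent!"; anything else means the guest is not ready for analysis.
agent_response_ok() {
  case "$1" in
    *"Cuckoo Agent!"*) return 0 ;;
    *) return 1 ;;
  esac
}

check_agent() {
  body=$(curl -s --max-time 5 "http://$1:8000/") || { echo "Agent on $1:8000 not reachable"; return 1; }
  agent_response_ok "$body" || { echo "Unexpected reply from $1:8000: $body"; return 1; }
  echo "Agent on $1:8000 is up"
}

preflight() {
  rc=0
  check_ova_readable "$CUCKOO_GUEST_IMAGE" || rc=1
  check_vm_name "$CUCKOO_GUEST_NAME" || rc=1
  check_guest_ip "$CUCKOO_GUEST_IP" "$HOSTONLY_NET" || rc=1
  check_iface "$INTERNET_INT_NAME" || rc=1
  [ "$rc" -eq 0 ] && echo "pre-flight OK: now run cuckoo-install.sh as root"
  return $rc
}

# Usage: sh preflight.sh --check   (before installing)
#        sh preflight.sh --agent   (after the guest VM is running)
case "${1:-}" in
  --check) preflight; exit $? ;;
  --agent) check_agent "$CUCKOO_GUEST_IP"; exit $? ;;
esac
```

Run `--check` before the installer and `--agent` after the VM has booted from its clean snapshot; a non-zero exit status from either means the corresponding installer step or analysis would fail in the same way.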
When the script finishes execution, you want to see only green check-marks:
Testing your Cuckoo installation
To start Cuckoo, you execute the cuckoo-start.sh script created by CuckooAutoinstall for you:
Then you can use a web browser to navigate to port 8000 on the machine where you installed Cuckoo:
Submit a sample, and let it run:
After a minute, you'll be able to view the report. Make sure you do this, because if you get the following message, your guest VM is not properly configured for Cuckoo:
The best way to fix issues with your guest VM is to log on with the cuckoo user (credentials can be found and modified in the CuckooAutoinstall script), start VirtualBox and launch your VM from the "clean" snapshot.
Once you have fixed the problems with your VM (for example, network issues), take a snapshot and name it "clean" (and remove the previous "clean" snapshot). Then try to submit again (for each analysis, Cuckoo launches your VM from the "clean" snapshot).
This will give you a report without errors:
Conclusion
Although installing Cuckoo can be difficult, the CuckooAutoinstall script will automate the installation and make it easy, provided you configured your guest VM properly. We plan to address the configuration of your guest VM in an upcoming blog post, but for now you can use Cuckoo's recommendations.
It is possible to install Cuckoo (with CuckooAutoinstall) on Ubuntu running in a virtual environment. We have done this with AWS and VMware. There can be some limitations though, depending on your environment. For example, it could be possible that you cannot configure more than one CPU for your Cuckoo guest VM. As there are malware samples that try to evade detection by checking the number of CPUs, this could be an issue, and you would be better off using a physical Cuckoo install.
Want to learn more? Please do join us at one of the upcoming SEC599 SANS classes; the course was co-authored by NVISO's experts!
About the authors
Didier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on Twitter and LinkedIn.
Erik Van Buggenhout is a co-founder of NVISO with vast experience in penetration testing, red teaming and incident response. He is also a Certified Instructor for the SANS Institute, where he is the co-author of SEC599. You can find Erik on Twitter and LinkedIn.
Thanks for this,
Although I am getting this error where the script gives an error after displaying (Creating snapshot 'Clean') and two red 'x's instead of a tick.
I went in and did some investigation (I am still learning), I tried running the command:
runuser -l cuckoo -c "vboxmanage snapshot /tmp/Win7 take clean"
and got the following error:
VBoxManage: error: Could not find a registered machine named '/tmp/Win7'
It seemed like the user 'cuckoo' was unable to access the VMs.
When I try to find out which VM this user has created (through the script), with the following command:
runuser -l cuckoo -c "VBoxManage list vms" (spits out nothing)
I tried running the same command by switching user to 'cuckoo', nothing showed up.
Can you help me? I'm kinda lost here as to why the script is not working for me beyond this point.
Thank You.
Hi Awais! It seems this might be linked to not having properly installed the Cuckoo VM in VirtualBox. Note that the VirtualBox command doesn’t require an absolute path (so not “/tmp/Win7”), it requires the name of the VM (how it is registered in VirtualBox). Did you already import your VM in VirtualBox?
We are planning to release another blog post on how to set up the analysis VM for VirtualBox, which will also describe this part of the process!
Hello – any update on this blog post for setting up the analysis VM’s? Thanks.
I get the red X’s also.
This might be caused by the virtualbox drivers/kernel modules that were not loaded at boot.
Edit the file “/etc/modules” and add the different vbox* kernel modules (one per line: vboxpci, vboxnetadp, vboxnetflt, vboxdrv)
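A small helper for the fix suggested in this comment, added here as an example (not code from the NVISO script or from the commenter): it reports which of the listed VirtualBox kernel modules are not currently loaded, and adds any missing entries to /etc/modules without duplicating lines already there. The module list is the one given in the comment; the function names, the --status/--persist options and the optional file argument are assumptions of this example.

```shell
#!/bin/sh
# Added helper (example code, not part of CuckooAutoinstall): check which
# VirtualBox kernel modules are loaded and make sure they are listed in
# /etc/modules so they are loaded at boot.

# Module list as given in the comment above.
VBOX_MODULES="vboxdrv vboxnetflt vboxnetadp vboxpci"

# Reads `lsmod` output on stdin and prints, one per line, the expected
# modules that do not appear in it (the header line is skipped).
missing_modules() {
  loaded=$(awk 'NR > 1 { print $1 }')
  for m in $VBOX_MODULES; do
    found=0
    for l in $loaded; do
      [ "$l" = "$m" ] && found=1
    done
    [ "$found" -eq 1 ] || echo "$m"
  done
}

# Appends each module that is not already listed in the given modules file
# (default /etc/modules). Exact-line matching keeps this idempotent, so
# re-running it never produces duplicate entries.
ensure_modules_listed() {
  file=${1:-/etc/modules}
  [ -e "$file" ] || : > "$file"
  for m in $VBOX_MODULES; do
    grep -qx "$m" "$file" || echo "$m" >> "$file"
  done
}

# Number of expected modules listed in the file (used to verify the result).
listed_count() {
  grep -cxE 'vbox(drv|netflt|netadp|pci)' "$1"
}

# Usage: sh vboxmods.sh --status            (which modules are not loaded now)
#        sudo sh vboxmods.sh --persist      (list them in /etc/modules)
case "${1:-}" in
  --status) lsmod | missing_modules ;;
  --persist) ensure_modules_listed "${2:-/etc/modules}" \
             && echo "listed in ${2:-/etc/modules}; run modprobe or reboot" ;;
esac
```

Listing a module in /etc/modules only affects the next boot; if `--status` still prints missing modules, load them with modprobe (or reinstall the VirtualBox DKMS package if modprobe itself fails) before re-running the installer.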
Hi Awais…
Can you share this VM, I am having problem while setting up the VMs.
try this , painful thing would be to download a 22Gig file https://github.com/ashemery/CuckooVM. Also change the CPU and RAM values according to your system
Hello !
Script stops on step "Creating snapshot 'Clean'".
What am I doing wrong? thx
So in verbose mode I see output:
runuser: may not be used byb non-root users
runuser: may not be used by non-root user
What user account do you use?
Tried as root and as user, the same.
And what OS/version? That I can try to reproduce your problem.
Ubuntu 16.04.3 LTS
Ok let me tell my issue
I make the VM with network settings: (getting up network and interface, hostname vm)
and save W7-01.ova in the /tmp/ directory.
When I start the script, it says "virtualbox is already running", but there is no live process at this time.
I do "apt-get purge virtualbox" and the script starts.
But at the step "make snapshot Clean" it stops.
Output:
ā Allowing tcpdump for normal users
0%…
Progress state: E_ACCESSDENIED
VBoxManage: error: Appliance read failed
VBoxManage: error: Error opening the OVA file '/tmp/W7-01.ova' (VERR_ACCESS_DENIED)
VBoxManage: error: Details: code E_ACCESSDENIED (0x80070005), component ApplianceWrap, interface IAppliance
VBoxManage: error: Context: "RTEXITCODE handleImportAppliance(HandlerArg*)" at line 307 of file VBoxManageAppliance.cpp
VBoxManage: error: Could not find a registered machine named 'vm'
VBoxManage: error: Details: code VBOX_E_OBJECT_NOT_FOUND (0x80bb0001), component VirtualBoxWrap, interface IVirtualBox, callee nsISupports
VBoxManage: error: Context: "FindMachine(Bstr(a->argv[0]).raw(), machine.asOutParam())" at line 506 of file VBoxManageModifyVM.cpp
ā Importing specified VirtualBoxVM
VBoxManage: error: Could not find a registered machine named 'vm'
VBoxManage: error: Details: code VBOX_E_OBJECT_NOT_FOUND (0x80bb0001), component VirtualBoxWrap, interface IVirtualBox, callee nsISupports
VBoxManage: error: Context: "FindMachine(Bstr(pszVM).raw(), machine.asOutParam())" at line 573 of file VBoxManageMisc.cpp
ā Launching imported VM
VBoxManage: error: Could not find a registered machine named 'vm'
VBoxManage: error: Details: code VBOX_E_OBJECT_NOT_FOUND (0x80bb0001), component VirtualBoxWrap, interface IVirtualBox, callee nsISupports
VBoxManage: error: Context: "FindMachine(bstrMachine.raw(), pMachine.asOutParam())" at line 326 of file VBoxManageSnapshot.cpp
ā Creating snapshot 'Clean'
VBoxManage: error: Could not find a registered machine named 'vm'
VBoxManage: error: Details: code VBOX_E_OBJECT_NOT_FOUND (0x80bb0001), component VirtualBoxWrap, interface IVirtualBox, callee nsISupports
VBoxManage: error: Context: "FindMachine(Bstr(a->argv[0]).raw(), machine.asOutParam())" at line 96 of file VBoxManageControlVM.cpp
VBoxManage: error: Could not find a registered machine named 'vm'
VBoxManage: error: Details: code VBOX_E_OBJECT_NOT_FOUND (0x80bb0001), component VirtualBoxWrap, interface IVirtualBox, callee nsISupports
VBoxManage: error: Context: "FindMachine(bstrMachine.raw(), pMachine.asOutParam())" at line 326 of file VBoxManageSnapshot.cpp
Plz help, dunno what to do -.-
Guys have the same error => https://github.com/NVISO-BE/SEC599/issues/3
So I had successfully got my cuckoo instance working thanks to the script. Kudos to you guys for making it! The problem I am having now is with the DNS. After I run the cuckoo-start.sh, no DNS queries are being processed from both the vulnerable VM and from the main machine itself. The problem persists after I run the cuckoo-kill, but not between reboots. Has anyone experienced similar issues and found a solution?
Hi fellows, I am having the same error as "Cryptoparty"...
@Administrator, would it not be possible to share VMs? It would save time and effort for all of us.
I am not getting all green checks on the following three components
1) Downloading community rules
2) Cuckoo config files
3) Cuckoo Startup scripts
while running "cuckoo-install.sh" according to your third screenshot in the blog.
One more thing , I have installed Ubuntu on the physical machine not as a Virtual Machine.
kindly help…
Hey team,
Question for you guys. What about malware that detects that it is in a virtual environment/host, and decides not to do anything, or takes a while (days) before it does something because it knows it's in a VM?
What do you happen to do in that case ?
This is one reason why I feel manual analysis needs to be done.
I’m getting:
syntax error: newline unexpected
Anyone run into this when running the script and have a fix?
Assuming you are using Linux:
What do you see when you type: head cuckoo-install.sh?
Does it start with
#!/bin/bash
or does it start with
If it starts with " , try pulling the raw content from GitHub.
https://raw.githubusercontent.com/NVISO-BE/SEC599/master/cuckoo-install.sh
Looks like my script was corrupt. After finishing the install, my Ubuntu machine is unable to resolve DNS to get cuckoo updates. Anyone know the fix for this?
I keep getting the error:
[cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
I am using Ubuntu 19 and the latest Cuckoo with virtualbox. My guest is windows 7.
I am able to ping my guest at 192.168.87.15 from the Ubuntu host and I can ping the ubuntu host from the Windows 7 vm.
I can curl to the agent from the Ubuntu box. Results are below:
cuckoo@cbox:~$ curl 192.168.87.15:8000
{"message": "Cuckoo Agent!", "version": "0.10", "features": ["execpy", "pinning", "logs", "largefile", "unicodepath"]}
Anyone have any idea how to deal with this?
For anybody getting issues with virtualbox machine creation/configurations (2 red Xs) keep in mind that you should configure the script with these values
CUCKOO_GUEST_IMAGE="/tmp/W7-01.ova" #location where the ova file is actually stored
CUCKOO_GUEST_NAME="vm" #MUST remain vm. This is not the name you
#gave to the vm. Your vm will be imported
#with this name
CUCKOO_GUEST_IP="192.168.56.15" #change 87 to 56. Seems newer versions of
#virtualbox switched to 192.168.56.0/24 for
#the only host network
INTERNET_INT_NAME="eth0" #the host network interface that connects to
#the Internet
contact me at @theblackph0en1x for help
I get a red X on "creating snapshot 'Clean'". Any way around this?
Is there already a snapshot with name “clean”?