Installing Cuckoo Sandbox on bare metal VMWare ESX

Cuckoo Sandbox is a fantastic open source tool used to manage virtual machines and analyze malware in bulk, providing easy to understand post-analysis results. However, it’s a bit dated at this time. A lot of guides have been written about setting it up, and each time I build a new Cuckoo environment, I have to scour the internet looking for information on how to install again. Each time, I take notes for the future, but then I can never find those notes again. So here’s a battle tested (as of October, 2020) guide to installing Cuckoo Sandbox on a bare metal server running VMWare ESX.

The Cuckoo server will be running in a virtual machine in the ESX environment. It will manage other virtual machines running in the ESX environment.

Due to the age of Cuckoo, a lot of ‘adjustments’ need to be made to get everything going.

Cuckoo Host

To start, build a new VM running Ubuntu Server 16.04. Newer versions of Ubuntu and Debian may be incompatible with Cuckoo. I chose 64 bit. Also, just a note: Cuckoo works only with Python 2.7, so a lot of the Python modules will be a little older.

Edit the /etc/network/interfaces file with your favorite editor (I like vim!)

Give your host a static IP and set DNS to fit in your network. These are the settings in my environment. Yours will probably be different, but I wanted to list it as configured in my sandbox for context:

# The primary network interface
allow-hotplug ens160
auto ens160
iface ens160 inet static
    address 192.168.1.101
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1

# The cuckoo monitoring and management interface - these are the settings I have in the analysts DMZ environment:
auto ens192
iface ens192 inet static
    address 192.168.56.1
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1

In the ESX admin page in my network, the cuckoo VM has two interfaces:

For your environment, you’ll need to know which interface in the VM is tied to which ESX interface.

Start the installation on the VM that will be the Cuckoo host

Install Linux stuff:

sudo apt-get install git mongodb libffi-dev build-essential python-django python python-dev python-pip python-pil python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet tcpdump samba-common-bin libjpeg-dev python-virtualenv python-setuptools zlib1g-dev swig postgresql libpq-dev libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd -y

Tcpdump normally requires root privileges. However, since Cuckoo is not going to run as root, we need to give tcpdump the capabilities it needs instead:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Yara:

sudo apt-get install autoconf libtool libjansson-dev libmagic-dev libssl-dev -y
wget https://github.com/plusvic/yara/archive/v3.4.0.tar.gz -O yara-3.4.0.tar.gz && tar -zxf yara-3.4.0.tar.gz && cd yara-3.4.0
./bootstrap.sh
./configure --with-crypto --enable-cuckoo --enable-magic && make && sudo make install

Yara python extension:

cd yara-python && python setup.py build
sudo python setup.py install

Installing Pydeep – Pydeep depends on ssdeep 2.8+

cd && wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download -O ssdeep-2.13.tar.gz && tar -zxf ssdeep-2.13.tar.gz && cd ssdeep-2.13
./configure && make && sudo make install
pip install pydeep

Volatility

pip install openpyxl ujson pycrypto distorm3 pytz
cd && git clone https://github.com/volatilityfoundation/volatility.git && cd volatility
python setup.py build
sudo python setup.py install
pip install distorm3

Installing Cuckoo

sudo pip install m2crypto==0.24.0 # Install here. Has to be installed after 'swig' is installed (in the first sudo apt-get install line)
sudo pip install jsonschema
sudo pip install SFlock
pip install cuckoo # Not sure why I have to pip install it and then install it from the repo, but whatever...
cd && git clone https://github.com/cuckoosandbox/cuckoo.git && cd cuckoo
sudo python stuff/monitor.py
sudo python setup.py sdist
sudo python setup.py install

Add a user for cuckoo:

sudo useradd cuckoo

For PDF report generation:

pip install cairocffi==0.9.0
cd && wget https://files.pythonhosted.org/packages/2d/f9/695a50d7017debb5829c52ce09cb99a83b6b41e1db29c115df6dee335eaa/tinycss-0.3.tar.gz
tar -zxf tinycss-0.3.tar.gz && cd tinycss-0.3/
sudo python setup.py install

Cuckoo uses Python 2, and newer tinycss2 and supporting module versions don’t support Python 2 anymore. These are the last versions I found which still do:

cd && wget https://files.pythonhosted.org/packages/d2/d7/1d49d80b6e5f656719985a3d03039c7f67be72ad7765437d4c3e44f1f556/tinycss2-0.6.1.tar.gz
tar -xvf tinycss2-0.6.1.tar.gz
cd tinycss2-0.6.1/
sudo python setup.py install

cd && wget https://files.pythonhosted.org/packages/ed/f0/4fa1aa613bd8da257578146e14fe76379108ee52d8949bbefd039af89d12/cssselect2-0.2.1.tar.gz
tar -zxf cssselect2-0.2.1.tar.gz
cd cssselect2-0.2.1/
sudo python setup.py install

cd && wget https://files.pythonhosted.org/packages/7e/4c/cf2ec7abf7f84a2d1325d01dcac1d4bcb77f41117101fe564eb76952c65f/WeasyPrint-0.42.3.tar.gz
tar -zxf WeasyPrint-0.42.3.tar.gz
cd WeasyPrint-0.42.3/
sudo python setup.py install

Adjust TCPDump permissions – On Ubuntu with AppArmor enabled (default configuration) tcpdump doesn’t have write permission to dot-directories in $HOME, causing the permission denied message and preventing Cuckoo from capturing PCAP files.

sudo apt-get install apparmor-utils -y
sudo aa-disable /usr/sbin/tcpdump

There’s an issue with python-magic and x64 systems. This is a module that is able to identify the type of file you’re working with. Here’s the work-around, which was very painful to figure out:

1: Remove all traces of python-magic.

You may need to enter a python shell and:

import magic

if it succeeds, type:

magic.__file__

That will print the location it got it from, which will look something like this:

/usr/local/lib/python2.7/dist-packages/python_magic_bin-0.4.14-py2.7.egg/magic/__init__.pyc

Exit the python shell and delete that version:

sudo rm -rf /usr/local/lib/python2.7/dist-packages/python_magic_bin-0.4.14-py2.7.egg/magic/

Try again by going back into python and repeating those steps until you can no longer import magic.

2: Once typing

import magic

in the python shell fails with a message like this:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named magic

you can install the one that works:

git clone https://github.com/julian-r/python-magic
cd python-magic
sudo python setup.py install

3: Then, you can install the pip version again.

sudo pip install python-magic==0.4.12

Why this all works the way it does is some linux/python oddness, but it does work.
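The "remove it, import again, repeat" loop in step 1 above as a script. This is an added example, not part of the original guide: it assumes the Python 2.7 interpreter is on PATH as python (override with PY=...), only reports the first stray copy by default, and deletes (with --delete) only paths under a site-packages or dist-packages directory.

```shell
#!/bin/sh
# Added example (not from the original guide): automates step 1 of the
# python-magic workaround. Assumption: "python" is the Python 2.7 interpreter.
# Default is a dry run that only prints what it would delete; --delete acts.

PY="${PY:-python}"

# Given the path printed by magic.__file__, return what has to be removed:
# the package directory for a package, or the file itself for a single module.
magic_pkg_dir() {
    case "$1" in
        */__init__.py|*/__init__.pyc) dirname "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print where "import magic" currently resolves, or nothing if the import fails.
magic_location() {
    "$PY" -c 'import magic; print(magic.__file__)' 2>/dev/null
}

# Loop until the import fails. Removal happens only with --delete, and only
# below Python's site-packages / dist-packages directories.
purge_python_magic() {
    mode="${1:-dry-run}"
    command -v "$PY" >/dev/null 2>&1 || { echo "no $PY on PATH"; return 1; }
    while loc="$(magic_location)" && [ -n "$loc" ]; do
        target="$(magic_pkg_dir "$loc")"
        case "$target" in
            */site-packages/*|*/dist-packages/*) ;;
            *) echo "refusing to touch unexpected path: $target"; return 1 ;;
        esac
        if [ "$mode" = "--delete" ]; then
            echo "removing $target"
            sudo rm -rf "$target"
        else
            echo "would remove $target (run with --delete to do it)"
            return 0   # dry run: report the first hit and stop
        fi
    done
    echo "import magic now fails - ready to install the working version"
}

if [ "${1:-}" = "--delete" ] || [ "${1:-}" = "--dry-run" ]; then
    purge_python_magic "$1"
fi
```

Run it as ./purge_magic.sh --dry-run first to see which copy would go; once it reports that import magic fails, continue with step 2 above.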

Using mysql if running multiple malware virtual machines

sudo apt install mysql-server

You’ll be prompted for a mysql root password.

When done, secure mysql with:

mysql_secure_installation

Follow the prompts to secure it.

Install the python module needed to work with it:

sudo pip install pymysql

Log into mysql:

mysql -uroot -p

you’ll be prompted for the mysql root password you just created.

Create the database and user:

create database cuckoo;
grant all privileges on cuckoo.* to cuckoo@localhost identified by 'password'; # replace 'password' with a password of your own for the cuckoo database user; the same one goes into cuckoo.conf later
flush privileges;
quit;

Configuration – Conf files are in: ~/.cuckoo/conf

Run cuckoo. This will create what cuckoo calls the ‘CWD’, or ‘Current working directory’:

cuckoo

Run it again to get the community rules with this command:

cuckoo community

Edit ~/.cuckoo/conf/cuckoo.conf:

vim ~/.cuckoo/conf/cuckoo.conf

And change these options and any other you might want:

version_check = no

Default machinery is virtualbox. This guide uses ESXi, so change it to:

machinery = esx

Change this to yes if you want to turn on Volatility for memory analysis. This will take a full snapshot of the VM’s memory for every analysis, which could eat up your space quickly:

memory_dump = no

In the database section:

connection = mysql://cuckoo:password@localhost/cuckoo # Enter your cuckoo user mysql password

Edit ~/.cuckoo/conf/reporting.conf:

vim ~/.cuckoo/conf/reporting.conf

[singlefile]
# Enable creation of report.html?
enabled = yes

[mongodb]
enabled = yes

Under the [resultserver] section, set the ip to the address of the cuckoo host’s monitoring interface, the one the VMs talk to (192.168.56.1 in this guide):

ip = <ip of your cuckoo host's monitor interface>

Edit ~/.cuckoo/conf/esx.conf:

vim ~/.cuckoo/conf/esx.conf

dsn = esx://<ip for esx host>/?no_verify=1
username = <username for esx>
password = <password for esx>

machines = analysis1 # can be whatever you want

If you did name your first machine analysis1, you want to name the configuration section the same. That starts here:

[analysis1]
label = <name of your VM> # in the case of the installation I did in the analyst environment, it's called malwarevm

snapshot = readyforcuckoo   # the name of the snapshot you created.

ip = <ip of your VM>

Below that, you specify each machine. In the example above, I have 1 machine (analysis1). If you’ve got more machines, the machines field above would be something like analysis1,analysis2, and you would then repeat the machine section for the second machine.

Getting rid of all the comments in esx.conf, it would look like this for 1 machine (the dsn, username and password lines shown above also belong in the [esx] section; the last five keys are intentionally left blank):

[esx]
machines = analysis1
interface = ens192

[analysis1]
label = malwarevm
platform = windows
snapshot = readyforcuckoo
ip = 192.168.56.100
interface =
resultserver_ip =
resultserver_port =
tags =
osprofile =

Getting rid of all the comments in esx.conf, it would look like this for 2 machines:

[esx]
machines = analysis1,analysis2
interface = ens192

[analysis1]
label = malwarevm
platform = windows
snapshot = readyforcuckoo
ip = 192.168.56.100
interface =
resultserver_ip =
resultserver_port =
tags =
osprofile =

[analysis2]
label = malwarevm2
platform = windows
snapshot = readyforcuckoo
ip = 192.168.56.101
interface =
resultserver_ip =
resultserver_port =
tags =
osprofile =
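Generating esx.conf for any number of analysis VMs, so that the machines list and the per-machine sections can never drift apart. This is an added example and not part of the original guide or of Cuckoo itself; it assumes the same key names as the stripped-down files above, a Windows platform for every VM, and takes the ESX DSN, credentials and interface as arguments (the 192.0.2.10 ESX address and the VM specs in the usage are constructed samples).

```shell
#!/bin/sh
# Added example (not from the original guide): emits a comment-free esx.conf
# for N machines. Each machine spec is NAME:LABEL:IP:SNAPSHOT, for instance
# analysis1:malwarevm:192.168.56.100:readyforcuckoo (constructed sample).
# Usage: gen_esx_conf DSN USERNAME PASSWORD IFACE SPEC [SPEC...] > ~/.cuckoo/conf/esx.conf

gen_esx_conf() {
    dsn="$1"; user="$2"; pass="$3"; iface="$4"; shift 4
    names=""
    # Build the comma-separated "machines =" list from the spec names.
    for spec in "$@"; do
        name="${spec%%:*}"
        names="${names:+$names,}$name"
    done
    printf '[esx]\ndsn = %s\nusername = %s\npassword = %s\nmachines = %s\ninterface = %s\n' \
        "$dsn" "$user" "$pass" "$names" "$iface"
    # One section per machine, with the same blank trailing keys as the guide.
    for spec in "$@"; do
        name="${spec%%:*}"; rest="${spec#*:}"
        label="${rest%%:*}"; rest="${rest#*:}"
        ip="${rest%%:*}"; snap="${rest#*:}"
        printf '\n[%s]\nlabel = %s\nplatform = windows\nsnapshot = %s\nip = %s\n' \
            "$name" "$label" "$snap" "$ip"
        printf 'interface =\nresultserver_ip =\nresultserver_port =\ntags =\nosprofile =\n'
    done
}

# Sanity check on a generated file (read from stdin): number of [analysisN] sections.
count_machine_sections() {
    grep -c '^\[analysis'
}

if [ "$#" -ge 5 ]; then
    gen_esx_conf "$@"
fi
```

Example call (placeholder credentials): gen_esx_conf 'esx://192.0.2.10/?no_verify=1' esxuser 'REPLACE_ME' ens192 analysis1:malwarevm:192.168.56.100:readyforcuckoo analysis2:malwarevm2:192.168.56.101:readyforcuckoo. Keep the file readable only by the cuckoo user, since it holds the ESX password in clear text.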

Malware VM Configuration

If using Windows, you want to disable a bunch of stuff. I’ll leave the majority of it up to you, but you want to disable things like Windows Firewall, Defender, any anti virus software, and more. One tool that makes a lot of these changes easy is blackbird. Get that and run it on the VM, rebooting after. Then run it again just to make sure (I’ve found that the second run turns off even more services).

Configure the VMs with static IPs in the same network as the host-only network:

IP: 192.168.56.100
Netmask: 255.255.255.0
Gateway: 192.168.56.1
DNS: 192.168.56.1

Download and install the 32 bit version of Python 2.7.

Install the Windows dependencies for Pillow (Cuckoo’s screenshot feature). Open the command prompt, change directory to c:\python27\scripts and run:

pip install pillow

Install old software: things like Office, Acrobat Reader, etc. Open each one once to get past any first-run screens.

Copy ‘~/.cuckoo/agent/agent.py’ from the cuckoo host to the VM and put it in the Startup folder so it starts automatically with the system. If you don’t want the command window to be visible, change the extension to .pyw before putting it there.

I like a little more control and choose to run it in a command prompt. Some malware will look for python running and exit, so I made a copy of python.exe under another name, like just p, and also renamed agent.py to something like a. Then in the terminal I just run it with:

p a

and minimize the terminal.

Testing

See if you can ping the cuckoo host from the VM:

ping 192.168.56.1

See if you can ping the VM from the cuckoo host:

ping 192.168.56.100 (or whatever IP you gave the VM)

See if you can reach the agent from the cuckoo host:

telnet 192.168.56.100 8000

You should see a successful connection. Quit that and, if all is well, make a snapshot of the VM (this is the snapshot named in esx.conf, readyforcuckoo in this guide).
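The reachability checks above as one script to run on the cuckoo host. This is an added example, not part of the original guide: it assumes the addresses used in this guide (host monitor interface 192.168.56.1, VM 192.168.56.100, agent on TCP 8000; override with HOST_IP, VM_IP and AGENT_PORT), and needs bash for /dev/tcp plus the coreutils timeout command. The VM-to-host ping still has to be done from inside the VM.

```shell
#!/bin/sh
# Added example (not from the original guide): preflight checks from the
# cuckoo host before taking the VM snapshot. Assumed defaults match the guide.

HOST_IP="${HOST_IP:-192.168.56.1}"
VM_IP="${VM_IP:-192.168.56.100}"
AGENT_PORT="${AGENT_PORT:-8000}"

# Succeeds if a TCP connection to host:port completes within 3 seconds
# (the same thing the "telnet 192.168.56.100 8000" test shows interactively).
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Succeeds if a single ICMP echo request gets an answer within 2 seconds.
reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Run all checks, report each one, and fail if any of them failed.
preflight() {
    rc=0
    if reachable "$HOST_IP"; then
        echo "ok   monitor interface $HOST_IP is up on this host"
    else
        echo "FAIL $HOST_IP does not answer; check the ens192 stanza in /etc/network/interfaces"
        rc=1
    fi
    if reachable "$VM_IP"; then
        echo "ok   VM $VM_IP answers ping"
    else
        echo "FAIL VM $VM_IP does not answer ping; check its static IP and host-only network"
        rc=1
    fi
    if port_open "$VM_IP" "$AGENT_PORT"; then
        echo "ok   agent port $AGENT_PORT is open on $VM_IP"
    else
        echo "FAIL nothing listening on $VM_IP:$AGENT_PORT; is agent.py running on the VM?"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as ./preflight.sh --run; a zero exit status means all three checks passed and the VM is ready to be snapshotted.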

On the cuckoo server, test that cuckoo runs and loads the VM by running the cuckoo command in the terminal: cuckoo

Hopefully, you’ll see:

2020-10-08 10:48:56,725 [cuckoo.core.scheduler] INFO: Using "esx" as machine manager
2020-10-08 10:48:57,151 [cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2020-10-08 10:48:57,175 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.

Press Ctrl+C to exit.

Running cuckoo

Startup scripts don’t exist for running it. I plan on trying to get it going with supervisord, but you can also run things in tmux. You need to start four things:

1: The cuckoo rooter
2: cuckoo
3: The cuckoo web server
4: The cuckoo API (optional, but nice if you want to submit samples with scripts)

Cuckoo Rooter: This routes network traffic from the VMs through cuckoo. Create a new tmux session:

tmux new -s cuckoorooter

Start the rooter:

sudo cuckoo rooter -g username # probably your username, since you're the person who installed cuckoo. If running as a different user, use that one.

Press ctrl + b, then let go of those keys and press the ‘d’ key to detach from the ‘cuckoorooter’ tmux session. The rooter will keep running in that session.

Cuckoo:

tmux new -s cuckoo
cuckoo

press ctrl + b, then let go of those keys and press the ‘d’ key to detach from the ‘cuckoo’ tmux session. Cuckoo will keep running in that session.

Web:

tmux new -s cuckooweb
cuckoo web runserver 0.0.0.0:8080

Press ctrl + b, then let go of those keys and press the ‘d’ key to detach from the ‘cuckooweb’ tmux session. The web server will keep running in that session.

API:

tmux new -s cuckooapi
cuckoo api

Press ctrl + b, then let go of those keys and press the ‘d’ key to detach from the ‘cuckooapi’ tmux session. The API will keep running in that session.

If you need to reattach to restart or stop any of these services, use the following. NOTE: ‘tmux ls’ will list the running tmux sessions.

tmux attach-session -t cuckoorooter # attach to the tmux session running cuckoo rooter
tmux attach-session -t cuckoo # attach to the tmux session running cuckoo
tmux attach-session -t cuckooweb # attach to the tmux session running cuckoo web server
tmux attach-session -t cuckooapi # attach to the tmux session running cuckoo API
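The four tmux sessions above driven from one script, so each session always gets the right name and the right command. This is an added example, not part of the original guide or of Cuckoo: it assumes tmux on PATH, the session names used above, and that the rooter socket group is the invoking user’s primary group (override with ROOTER_GROUP).

```shell
#!/bin/sh
# Added example (not from the original guide): start/stop/status/attach for
# the cuckoorooter, cuckoo, cuckooweb and cuckooapi tmux sessions.
# Usage: ./cuckoo-sessions.sh start|stop|status|attach <session>

ROOTER_GROUP="${ROOTER_GROUP:-$(id -gn)}"

# Session name -> command that runs inside it (the same four as the guide).
session_cmd() {
    case "$1" in
        cuckoorooter) echo "sudo cuckoo rooter -g $ROOTER_GROUP" ;;
        cuckoo)       echo "cuckoo" ;;
        cuckooweb)    echo "cuckoo web runserver 0.0.0.0:8080" ;;
        cuckooapi)    echo "cuckoo api" ;;
        *) return 1 ;;
    esac
}

# Start order matters: the rooter has to be up before cuckoo asks it for routes.
SESSIONS="cuckoorooter cuckoo cuckooweb cuckooapi"

start_all() {
    for s in $SESSIONS; do
        if tmux has-session -t "$s" 2>/dev/null; then
            echo "$s already running"
        else
            # -d creates the session detached, so no ctrl+b d is needed.
            tmux new-session -d -s "$s" "$(session_cmd "$s")"
            echo "started $s"
        fi
    done
}

stop_all() {
    for s in $SESSIONS; do
        tmux kill-session -t "$s" 2>/dev/null && echo "stopped $s"
    done
}

case "${1:-}" in
    start)  start_all ;;
    stop)   stop_all ;;
    status) tmux ls ;;
    attach) tmux attach-session -t "${2:?session name required}" ;;
esac
```

Because the rooter runs under sudo, the detached cuckoorooter session will be sitting at a password prompt after start; attach to it once to enter the password (or arrange the sudo rule for that command in advance), then detach again.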

And you can submit things, view previous submissions, etc…

If you want to submit a lot of files, or submit from the command line, run this on the cuckoo server:

cuckoo submit <directory>
cuckoo submit file.exe

If you want to clear out all the past analyses, on the server:

cuckoo clean

Using cuckoo

Now you can visit the web interface to submit things by going to the following address in your web browser: http://<ip of the cuckoo server>:8080