Cuckoo Sandbox Setup for Malware Analysis
Setting up Cuckoo Sandbox in a Proxmox VM
For my homelab, I wanted to set up Cuckoo Sandbox for local malware analysis. I use Proxmox for my homelab, so the goal was to have Cuckoo run in a Proxmox VM.
There are a few guides for how to set up Cuckoo, but none of them covered all aspects of setup required to get it to work with my Proxmox setup, so I'm documenting it here for others.
Some of the commands below are from: https://reversingfun.com/posts/cuckoo-3-installation-guide/ (this guide nearly worked in my Proxmox setup, but needed a few modifications).
Getting vmcloak to work with cuckoo3 required a fix from https://www.hamza-megahed.com/cuckoo3/
Steps
Start with Ubuntu 20.04, and run:
# update and upgrade the system
sudo apt update && sudo apt upgrade -y
# install dependencies
sudo apt install git build-essential python3-dev python3.8-venv libhyperscan5 libhyperscan-dev libjpeg8-dev zlib1g-dev unzip p7zip-full rar unace-nonfree cabextract yara tcpdump genisoimage qemu-system-x86 qemu-utils qemu-system-common qemu-kvm libssl-dev -y
Add the cuckoo user and configure:
# add cuckoo user
sudo adduser cuckoo
# might not be safe, but easier for setup...
sudo usermod -aG sudo cuckoo
sudo adduser cuckoo kvm
sudo chmod 666 /dev/kvm
Set network capture and apparmor settings:
# allow cap for non root users
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
# disable the apparmor profile for tcpdump
sudo ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/disable/usr.sbin.tcpdump
# reload apparmor
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump
Switch to the cuckoo user before running the following commands:
su cuckoo
As cuckoo, install Cuckoo:
# install cuckoo from source
sudo chown cuckoo /opt && cd /opt
git clone https://github.com/cert-ee/cuckoo3
cd cuckoo3
# make new venv
python3 -m venv venv
source venv/bin/activate
pip install wheel
# install
./install.sh
# setup cuckoo:
# Create Cuckoo working directory (CWD)
cuckoo createcwd
# Install the stager and monitoring binaries
cuckoo getmonitor monitor.zip
# Extract cuckoo signatures to the right location
unzip signatures.zip -d ~/.cuckoocwd/signatures/cuckoo/
VMCloak
Optional; it simplifies VM creation and configuration.
Clone the repo:
git clone https://github.com/hatching/vmcloak.git && cd vmcloak
Fix a few files:
Edit vmcloak/setup.py and change the pefile version in install_requires to:
"pefile<2023.0.0",
Edit vmcloak/platforms/qemu.py and change the qemu-img call in the _create_snapshot_disk_ function to:
    # -F qcow2 states the backing file's format explicitly; newer qemu-img
    # versions refuse to create an image with -b unless the backing format is given
    subprocess.check_call(["qemu-img", "create", "-F", "qcow2", "-o",
                           "lazy_refcounts=on,cluster_size=2M", "-b",
                           image_path, "-f", "qcow2", path])
Then Install vmcloak:
pip install . && cd ..
# Configuring QEMU network interface
# Create a new bridge with the name br0 and range 192.168.30.1/24 (NOTE: check the VM network settings for conflicts)
sudo /opt/cuckoo3/venv/bin/vmcloak-qemubridge br0 192.168.30.1/24
# Append the line 'allow br0' to the file bridge.conf
sudo mkdir -p /etc/qemu
echo 'allow br0' | sudo tee /etc/qemu/bridge.conf
# Change the permissions for qemu-bridge-helper script. It needs a special SUID bit for creation of new interfaces
sudo chmod u+s /usr/lib/qemu/qemu-bridge-helper
Setting up the VM:
# Using vmcloak, download the Windows 10 ISO (build 1703).
vmcloak isodownload --win10x64 --download-to ~/win10x64.iso
# Mount the image as read only
sudo mkdir /mnt/win10x64
sudo mount -o loop,ro /home/cuckoo/win10x64.iso /mnt/win10x64
# Install Windows as a new base image win10base with all the specs configured. This base image will be used later to spin up live VMs
# NOTE: THIS WILL TAKE A WHILE (10 ish mins)
# Note the IPs for your setup
vmcloak --debug init --win10x64 --hddsize 128 --cpus 2 --ramsize 4096 --network 192.168.30.0/24 --vm qemu --ip 192.168.30.2 --iso-mount /mnt/win10x64 win10base br0
# Optionally install some basic utilities for better simulation of the real system.
vmcloak --debug install win10base dotnet:4.7.2 java:7u80 vcredist:2013 vcredist:2019 edge carootcert wallpaper disableservices
# Now the base image is ready. Next, spin up runnable instances from this image. Here is an example to run 5 instances/snapshots. Each VM will have its own IP starting from 192.168.30.20 in this example
vmcloak --debug snapshot --count 5 win10base win10vm_ 192.168.30.20
Windows 10 setup is finished. If you want, set up Win7 as well (optional):
vmcloak isodownload --win7x64 --download-to ~/win7x64.iso
sudo mkdir /mnt/win7x64
sudo mount -o loop,ro /home/cuckoo/win7x64.iso /mnt/win7x64
vmcloak --debug init --win7x64 --hddsize 128 --cpus 2 --ramsize 4096 --network 192.168.30.0/24 --vm qemu --ip 192.168.30.3 --iso-mount /mnt/win7x64 win7base br0
vmcloak --debug install win7base dotnet:4.7.2 java:7u80 vcredist:2013 vcredist:2019 edge carootcert wallpaper disableservices
vmcloak --debug snapshot --count 5 win7base win7vm_ 192.168.30.30
Now, import the VMs into Cuckoo:
cuckoo machine import qemu ~/.vmcloak/vms/qemu
# Delete default exemplary template
cuckoo machine delete qemu example1
# Initialize the cuckoo DB. (can ignore errors for now if they aren't critical)
cuckoomigrate database all
Configure the correct IP of the result server in the file ~/.cuckoocwd/conf/cuckoo.yaml (replace the line marked - with the line marked +):
# listen IP and port. Make sure the IP is of a network interface that is part of the analysis machine network, or route/forward traffic between the analysis machines and the resultserver
resultserver:
-  listen_ip: 192.168.30.101
+  listen_ip: 192.168.30.1
   listen_port: 2042
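Several of the steps above silently fail later if one of them was skipped (a VM that cannot open /dev/kvm, a bridge helper without SUID, tcpdump without capabilities, or a result server IP that is not on the bridge). The following pre-flight script is an added example, not code from the post or from Cuckoo3; it assumes the CWD is ~/.cuckoocwd, the bridge is br0 and the same tcpdump and qemu-bridge-helper paths used above.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post or Cuckoo3) for the
# settings configured above. Assumptions: CWD is ~/.cuckoocwd, bridge is br0,
# tcpdump is /usr/sbin/tcpdump, bridge helper is /usr/lib/qemu/qemu-bridge-helper.
CWD=${CWD:-$HOME/.cuckoocwd}
BRIDGE=${BRIDGE:-br0}

# Print the resultserver listen_ip from a cuckoo.yaml (first match only).
resultserver_ip() {
  sed -n 's/^[[:space:]]*listen_ip:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if "allow <bridge>" ($2) is present in a qemu bridge.conf ($1).
bridge_allowed() {
  grep -qE "^[[:space:]]*allow[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Succeed if address $1 appears in an "ip -o -4 addr show" listing passed as $2.
ip_on_interface() {
  printf '%s\n' "$2" | grep -qE "inet $1/"
}

# Succeed if a getcap line ($1) grants both cap_net_raw and cap_net_admin.
tcpdump_caps_ok() {
  printf '%s' "$1" | grep -q cap_net_raw && printf '%s' "$1" | grep -q cap_net_admin
}

# Run every check against the live system; returns non-zero if any fails.
preflight() {
  rc=0
  [ -r /dev/kvm ] && [ -w /dev/kvm ] || { echo "FAIL: /dev/kvm is not rw for $(id -un)"; rc=1; }
  [ -u /usr/lib/qemu/qemu-bridge-helper ] || { echo "FAIL: qemu-bridge-helper is not SUID"; rc=1; }
  bridge_allowed /etc/qemu/bridge.conf "$BRIDGE" || { echo "FAIL: 'allow $BRIDGE' missing from /etc/qemu/bridge.conf"; rc=1; }
  tcpdump_caps_ok "$(getcap /usr/sbin/tcpdump 2>/dev/null)" || { echo "FAIL: tcpdump lacks cap_net_raw/cap_net_admin"; rc=1; }
  rs_ip=$(resultserver_ip "$CWD/conf/cuckoo.yaml")
  ip_on_interface "$rs_ip" "$(ip -o -4 addr show dev "$BRIDGE" 2>/dev/null)" \
    || { echo "FAIL: resultserver listen_ip '$rs_ip' is not assigned to $BRIDGE"; rc=1; }
  [ "$rc" -eq 0 ] && echo "preflight OK"
  return "$rc"
}

# Only touch the live system when invoked as: sh preflight.sh run
if [ "${1:-}" = run ]; then preflight; fi
```

Run it as the cuckoo user after the cuckoo.yaml edit; every FAIL line maps to one of the setup steps above.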
MISP integration (optional):
# Optionally we can configure MISP by adding the API key and URL of the MISP instance.
# The following file has to be changed ~/.cuckoocwd/conf/processing/misp.yaml
# Enable the usage of MISP queries in pre and post processing for
# the discovered IOCs.
# enabled: False
enabled: True
# The MISP API url. Is also used as the base URL for creating links to
# events.
# url: null
url: <your_misp_url>
# Verify if the configured MISP server is using a valid TLS certificate.
# Disable this if your certificate is self-signed or no certificate is used.
verify_tls: True
# The API key to access the MISP api.
# key: null
key: <misp_api_key>
Enabling VirusTotal (optional): add your VT API key to the file ~/.cuckoocwd/conf/processing/virustotal.yaml:
# The VirusTotal API key to use
key: <vt_api_key>
Starting Cuckoo
# quick way to start cuckoo via the dev server (--debug option); for a production-ready setup see Post installation
# Start the cuckoo daemon
cuckoo --debug
# Launch the cuckoo internal webserver (personally not using this - note the host IP)
cuckoo web --host 10.0.1.101 --port 8080
Post installation for production use:
# Build the docs
cd /opt/cuckoo3/docs
# Install dependencies
pip install -r requirements.txt
# Build the docs with mkdocs and copy
mkdocs build
cp -R site ../web/cuckoo/web/static/docs
# Install uwsgi / nginx
pip install uwsgi
sudo apt-get install uwsgi uwsgi-plugin-python3 nginx -y
# Generate the conf file for uwsgi
cuckoo web generateconfig --uwsgi > cuckoo-web.ini
sudo mv cuckoo-web.ini /etc/uwsgi/apps-available/
sudo ln -s /etc/uwsgi/apps-available/cuckoo-web.ini /etc/uwsgi/apps-enabled/cuckoo-web.ini
# Add cuckoo to www-data group
sudo adduser www-data cuckoo
# In the file ~/.cuckoocwd/web/web_local_settings.py change the STATIC_ROOT so that it points to the folder with static assets
# Uncomment and set this path to a path all static files should be copied to when running 'cuckoo web djangocommand collectstatic'. These files should be served by a web server:
# #STATIC_ROOT = ""
# becomes:
# STATIC_ROOT = "/opt/cuckoo3/web/cuckoo/web/static"
# Generate the nginx conf files
cuckoo web generateconfig --nginx > cuckoo-web.conf
# Configure the server to listen on port 80
server {
- listen 127.0.0.1:8000;
+ listen 80;
# Add the conf file to nginx folder and create a symbolic link
sudo mv cuckoo-web.conf /etc/nginx/sites-available/cuckoo-web.conf
sudo ln -s /etc/nginx/sites-available/cuckoo-web.conf /etc/nginx/sites-enabled/cuckoo-web.conf
# Remove the default welcome page from nginx and restart both services
sudo rm /etc/nginx/sites-enabled/default
sudo systemctl restart nginx uwsgi
Launcher Script
Here's a script from https://reversingfun.com/posts/cuckoo-3-installation-guide/ that shows one way of launching cuckoo in quiet mode using tmux:
#!/bin/bash
sudo /opt/cuckoo3/venv/bin/vmcloak-qemubridge br0 192.168.30.1/24
source /opt/cuckoo3/venv/bin/activate
tmux new-session -d -s cuckoo 'cuckoo --quiet'
Can re-attach to the cuckoo session using:
tmux a
iptables for Internet
To give the VMs internet access (be careful!), use these iptables rules (note the interface name and the IP range):
iptables -A FORWARD -o ens19 -i br0 -s 192.168.30.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
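The FORWARD rule above accepts any new flow from the sandbox subnet that leaves via ens19, so whatever is routed through that uplink, possibly the rest of the homelab, is reachable by a running sample. The script below is an added example (not from the original post) that keeps the internet access but drops and logs attempts to reach private address space; it assumes the uplink is ens19, br0 carries 192.168.30.0/24, the homelab LAN is 10.0.1.0/24 (inferred from the host IP 10.0.1.101 used above) and that the sandbox subnet needs NAT via MASQUERADE rather than a return route.

```shell
#!/bin/sh
# Added example (not from the original post): forwarding rules for the analysis
# bridge that let sandbox VMs reach the internet but not the homelab.
# Assumptions: uplink ens19, bridge br0 with 192.168.30.0/24, homelab LAN
# 10.0.1.0/24 (from the host IP 10.0.1.101 above), NAT via MASQUERADE.
WAN_IF=${WAN_IF:-ens19}
BR_IF=${BR_IF:-br0}
SANDBOX_NET=${SANDBOX_NET:-192.168.30.0/24}
LAN_NET=${LAN_NET:-10.0.1.0/24}

# Emit the rules, one command per line, in the order they must be applied.
cuckoo_fw_rules() {
  # Return traffic for flows that were already allowed.
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # A sample must not pivot from the sandbox into the LAN or any private range;
  # the LAN is listed first, the RFC1918 ranges catch everything else. These
  # DROPs must precede the NEW/ACCEPT rule. Traffic to the result server on the
  # bridge address goes through INPUT, not FORWARD, so it is unaffected.
  for net in "$LAN_NET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    echo "iptables -A FORWARD -i $BR_IF -s $SANDBOX_NET -d $net -j LOG --log-prefix cuckoo-lan-drop:"
    echo "iptables -A FORWARD -i $BR_IF -s $SANDBOX_NET -d $net -j DROP"
  done
  # New outbound flows to the internet via the uplink (the rule from the post).
  echo "iptables -A FORWARD -i $BR_IF -o $WAN_IF -s $SANDBOX_NET -m conntrack --ctstate NEW -j ACCEPT"
  # Anything else leaving the bridge is dropped.
  echo "iptables -A FORWARD -i $BR_IF -j DROP"
  # Hide the sandbox subnet behind the uplink address (assumes no return route).
  echo "iptables -t nat -A POSTROUTING -s $SANDBOX_NET -o $WAN_IF -j MASQUERADE"
  echo "sysctl -w net.ipv4.ip_forward=1"
}

# "apply" runs the commands with sudo; any other invocation only prints them.
if [ "${1:-}" = apply ]; then
  cuckoo_fw_rules | while read -r cmd; do sudo $cmd; done
else
  cuckoo_fw_rules
fi
```

Hits on the LOG rules show up in the kernel log with the cuckoo-lan-drop: prefix, which is a cheap signal that a sample tried to move laterally.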