Monday, August 21, 2017

Setting up a Cuckoo Sandbox Step-by-Step









Introduction
Cuckoo is an open source malware analysis sandbox that lets you analyze malware on Windows, Linux and OSX guests. It shows you what a potentially malicious file, URL, or hash does when detonated in one of these environments.

The setup process for Cuckoo is fairly involved, so the purpose of this guide is to get you set up as quickly and easily as possible. I wrote it because accurate, up-to-date guides were hard to find on the internet. I hope it helps others who are struggling to set up Cuckoo and gets them well on their way!

This guide runs Cuckoo Sandbox on Ubuntu Desktop using VirtualBox.

It can be used to analyze objects such as:
  • Generic Windows executable
  • DLL files
  • PDF documents
  • Microsoft Office documents
  • URLs and HTML files
  • PHP scripts
  • CPL files
  • Visual Basic (VB) scripts
  • ZIP files
  • Java JAR
  • Python files
  • and more!


The sample network architecture diagram below shows how Cuckoo should be implemented:





Requirements
Cuckoo requires at least two systems to function: one acting as the host and one as the guest. Guests are always virtual machines. For example, my setup was:


Host:
  • Ubuntu 17.04 (installed on spare laptop)
  • 4GB RAM
  • VirtualBox 5.1.22
  • Cuckoo Sandbox 2.0.4a5
Guest:
  • Windows 7 SP1
  • 1GB RAM
You can use any configuration you'd like, but I recommend a system with no less than 1GB of RAM for a guest VM and 4GB of RAM for a host machine. VMs can run Windows, Linux, and OSX, but for the purpose of this guide we will be using Windows 7 SP1.

This process can take anywhere from 2-3 hrs. to complete the first time through, so make sure you set aside enough time to complete everything.

Now, let's get started.


Installation
First, be sure Ubuntu Desktop is installed on your host machine before you begin. This is absolutely required. Throughout this guide, we'll be using version 17.04 Ubuntu Desktop, and I recommend you use the same. 

NOTE: the commands shown on their own lines (in bold in the original post) are to be entered into a terminal.

Once you have Ubuntu installed, update the OS by running the following commands in a terminal session:
sudo apt-get update -y
sudo apt-get upgrade -y

Next, install all python dependencies required for Cuckoo:
sudo apt-get install -y python python-pip python-dev libffi-dev libssl-dev libfuzzy-dev libtool flex autoconf libjansson-dev git
sudo apt-get install -y python-virtualenv python-setuptools
sudo apt-get install -y libjpeg-dev zlib1g-dev swig

To utilize Cuckoo’s web reporting interface, install MongoDB:
sudo apt-get install -y mongodb

Cuckoo's recommended database is PostgreSQL; install it:
sudo apt-get install -y postgresql libpq-dev

Now you can install VirtualBox.


IMPORTANT: the first command below adds the VirtualBox repository; make sure it names the correct Ubuntu release codename, e.g. zesty for Ubuntu 17.04 and xenial for 16.04. The codename comes after the URL and before the word 'contrib'.

You can find the package names at https://www.virtualbox.org/wiki/Linux_Downloads if you are using a different version of Ubuntu. If you are using Ubuntu 17.04, use Zesty.  It is already in the commands below:
echo deb http://download.virtualbox.org/virtualbox/debian zesty contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
sudo apt-get update -y
sudo apt-get install -y virtualbox-5.1

If you make a typo and the virtualbox.list file ends up with the wrong release name, you can start over by deleting it:
sudo rm /etc/apt/sources.list.d/virtualbox.list

Or, if you need to force the deletion for some reason:

sudo rm -f /etc/apt/sources.list.d/virtualbox.list

Once VirtualBox is installed, you will need to install all the plugins that work with Cuckoo Sandbox (and there are a lot). I recommend downloading them into the Downloads folder of your user profile, /home/[username]/Downloads, to keep everything organized. Linux paths are case sensitive, so type "Downloads" with a capital D; keep this in mind whenever you change directories or run files from other directories.

Change your directory to Downloads by typing the command:
cd Downloads

Start with installing Volatility:
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
sudo python setup.py build
sudo python setup.py install

Next, install Distorm3:
cd ..
sudo -H pip install distorm3

Then install Yara:
sudo -H pip install yara-python==3.6.3

Then install ssdeep:
sudo apt-get install -y ssdeep

Validate ssdeep is installed by typing the command:
ssdeep -V
2.13

Then install Pydeep:
sudo -H pip install pydeep

Validate Pydeep is installed by typing the command:
pip show pydeep

---
Name: pydeep
Version: 0.2
Location: /usr/local/lib/python2.7/dist-packages
Requires:


Install Openpyxl:
sudo -H pip install openpyxl

Install UJSON:
sudo -H pip install ujson

Install Jupyter:
sudo -H pip install jupyter

Install tcpdump for packet capture, and grant it the capabilities it needs to sniff without running as root (getcap confirms they were set):
sudo apt-get install tcpdump
sudo apt-get install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump

On Ubuntu, also disable the AppArmor profile for tcpdump (only that profile, not AppArmor as a whole), which would otherwise confine it:
sudo apt-get install -y apparmor-utils
sudo aa-disable /usr/sbin/tcpdump


Finally, install Cuckoo Sandbox:

First upgrade pip and setuptools:
sudo -H pip install -U pip setuptools

Then install the latest stable version of Cuckoo with the command:
sudo -H pip install -U cuckoo

The command above just installs the latest stable version of Cuckoo, which will change over time.

Next, run Cuckoo for the first time to create the default directories by typing the command:
cuckoo


Post-Installation
VirtualBox Configuration
Now you have to configure Cuckoo, but before that you need to set up VirtualBox and its networking correctly.

Before any VirtualBox network interface has been configured, ifconfig should show only your physical interfaces and the loopback, as in the output below. Run the ifconfig command:
ifconfig

eno1     Link encap:Ethernet HWaddr 5c:26:0a:32:f9:33
         UP BROADCAST MULTICAST MTU:1500 Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
         Interrupt:20 Memory:f5400000-f5420000

lo       Link encap:Local Loopback
         inet addr:127.0.0.1 Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING MTU:65536 Metric:1
         RX packets:245 errors:0 dropped:0 overruns:0 frame:0
         TX packets:245 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1
         RX bytes:23242 (23.2 KB) TX bytes:23242 (23.2 KB)

wlp2s0   Link encap:Ethernet HWaddr 00:27:10:b2:62:b8
         inet addr:192.168.1.192 Bcast:192.168.1.255 Mask:255.255.255.0
         inet6 addr: fe80::f4e6:df50:354:206c/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
         RX packets:1702 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1205 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:1383413 (1.3 MB) TX bytes:195228 (195.2 KB)


If you get an error or are missing ifconfig from your Linux distro (Ubuntu 17.04 does not include net-tools), install it by typing the command:
sudo apt install -y net-tools

Now create a “Host-Only Adapter” by running the following command:
vboxmanage hostonlyif create

0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

Interface 'vboxnet0' was successfully created

Set the IP address for the vboxnet0 interface.
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

Now you should see vboxnet0 in your ifconfig output; this is the interface your guest VM will use:
ifconfig

eno1     Link encap:Ethernet HWaddr 5c:26:0a:32:f9:33
         UP BROADCAST MULTICAST MTU:1500 Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
         Interrupt:20 Memory:f5400000-f5420000

lo       Link encap:Local Loopback
         inet addr:127.0.0.1 Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING MTU:65536 Metric:1
         RX packets:245 errors:0 dropped:0 overruns:0 frame:0
         TX packets:245 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1
         RX bytes:23242 (23.2 KB) TX bytes:23242 (23.2 KB)

wlp2s0   Link encap:Ethernet HWaddr 00:27:10:b2:62:b8
         inet addr:192.168.1.192 Bcast:192.168.1.255 Mask:255.255.255.0
         inet6 addr: fe80::f4e6:df50:354:206c/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
         RX packets:1702 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1205 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:1383413 (1.3 MB) TX bytes:195228 (195.2 KB)

vboxnet0 Link encap:Ethernet HWaddr 0a:00:27:00:00:00
         inet addr:192.168.56.1 Bcast:192.168.56.255 Mask:255.255.255.0
         UP BROADCAST MULTICAST MTU:1500 Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


Next, create your virtual machine in VirtualBox with a Windows 7 SP1 OS image.  PLEASE NOTE: You will need to provide your own Operating System license and installation media. Windows 7 SP1 works best for Windows malware analyses.

Once you have your Guest VM OS up and running, configure the VM with the Host-Only Adapter. You may use the GUI to do this or command line, whichever is easier for you.

The command line option:
vboxmanage modifyvm nameofVM --hostonlyadapter1 vboxnet0
vboxmanage modifyvm nameofVM --nic1 hostonly

Or

GUI option: open the VM's Settings, go to Network, and on Adapter 1 set "Attached to" to Host-only Adapter with vboxnet0 selected as the name.

Next, you will need to configure IP forwarding so the guest VM's Internet traffic is routed through the host machine. We will use iptables to set the forwarding rules.

Implement the following forwarding rules with these commands. Note that eth0 stands for the host's Internet-facing interface: substitute the name ifconfig showed for it (the output above lists eno1 and wlp2s0, not eth0; on the laptop used here it is wlp2s0):
sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE

Check your rules again and ensure they display as below:
sudo iptables -L

Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  -- 192.168.56.0/24     anywhere            ctstate NEW
ACCEPT    all  -- anywhere            anywhere            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Next, enable IP forwarding in the kernel so the rules take effect (without it the guest has no Internet access):
echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1

You can make the iptables rules persistent across reboots by installing iptables-persistent, which saves the current rules when it is installed:
sudo apt-get install -y iptables-persistent

To keep IP forwarding enabled after a reboot (Ubuntu 17.04 requires this), edit the sysctl.conf file by issuing the command:
sudo gedit /etc/sysctl.conf

Then uncomment the line below in the sysctl.conf file by removing the # sign and then saving the file:
net.ipv4.ip_forward=1
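The rules above hard-code eth0, which does not exist on the host shown in the ifconfig output (its uplink is wlp2s0). As an added example, not from the original post or from Cuckoo, this Python 3 helper reads the uplink interface from `ip route`, builds the three rules with that interface (scoping MASQUERADE to it with -o, which the guide's rule does not), and reports which rules are missing from the current `iptables -S` listing. The embedded `ip route` and `iptables -S` outputs are constructed samples; the live check at the bottom assumes iptables and sudo are available.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional, Tuple

VBOX_IF = "vboxnet0"                 # host-only adapter created earlier
GUEST_SUBNET = "192.168.56.0/24"

# Constructed sample output of `ip route`, and of `iptables -S` followed by
# `iptables -t nat -S`, after the guide's commands with unscoped MASQUERADE.
SAMPLE_ROUTE = (
    "default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600\n"
    "192.168.56.0/24 dev vboxnet0 proto kernel scope link src 192.168.56.1\n"
)
SAMPLE_IPTABLES_S = (
    "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
    "-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o wlp2s0 "
    "-m conntrack --ctstate NEW -j ACCEPT\n"
    "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
    "-P PREROUTING ACCEPT\n-P POSTROUTING ACCEPT\n"
    "-A POSTROUTING -j MASQUERADE\n"
)


def default_interface(ip_route_output: str) -> Optional[str]:
    """Interface carrying the default route, or None if the host is offline."""
    m = re.search(r"^default\s+via\s+\S+\s+dev\s+(\S+)", ip_route_output, re.M)
    return m.group(1) if m else None


def forward_rules(wan_if: str, vbox_if: str = VBOX_IF,
                  subnet: str = GUEST_SUBNET) -> List[List[str]]:
    """The guide's three rules with the real uplink filled in; MASQUERADE is
    limited to the uplink (-o) so host<->guest traffic on vboxnet0 is untouched."""
    net = str(ipaddress.ip_network(subnet))      # rejects a malformed subnet
    return [
        ["iptables", "-A", "FORWARD", "-o", wan_if, "-i", vbox_if, "-s", net,
         "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", wan_if,
         "-j", "MASQUERADE"],
    ]


def _rule_key(toks: List[str]) -> Optional[Tuple[str, tuple]]:
    """Normalise one `-A CHAIN ...` token list so option order does not matter."""
    if "-t" in toks:                             # table is implicit in -S output
        i = toks.index("-t")
        toks = toks[:i] + toks[i + 2:]
    if len(toks) < 2 or toks[0] != "-A":
        return None
    opts, i = {}, 2
    while i < len(toks):
        flag, val = toks[i], ""
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            val = toks[i + 1]
        if flag == "--ctstate":                  # iptables reorders the states
            val = ",".join(sorted(val.split(",")))
        opts[flag] = val
        i += 2 if val else 1
    return toks[1], tuple(sorted(opts.items()))


def missing_rules(iptables_s_output: str, wan_if: str, vbox_if: str = VBOX_IF,
                  subnet: str = GUEST_SUBNET) -> List[str]:
    """Wanted rules that are absent from the combined filter + nat -S listing."""
    present = {_rule_key(line.split()) for line in iptables_s_output.splitlines()}
    return [" ".join(cmd) for cmd in forward_rules(wan_if, vbox_if, subnet)
            if _rule_key(cmd[1:]) not in present]


if __name__ == "__main__":                       # live check; iptables -S needs root
    def run(*argv):
        return subprocess.run(argv, capture_output=True, text=True).stdout
    wan = default_interface(run("ip", "route"))
    if not wan:
        raise SystemExit("no default route: is the host online?")
    listing = run("sudo", "iptables", "-S") + run("sudo", "iptables", "-t", "nat", "-S")
    for rule in missing_rules(listing, wan):
        print("missing:", rule)
```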




OPTIONAL (RECOMMENDED): You can also enforce the VirtualBox vboxnet0 network interface to initialize after every reboot. If you do not set this up to be persistent after reboot, you will manually have to create the network interface every time you reboot your host. Please see APPENDIX A for instructions on setting this up.

Configuring the Guest VM
Now it's time to customize your Windows 7 SP1 VM and make it Cuckoo-ready. Follow the steps below to configure your Windows guest virtual machine:
  • Configure the Ethernet adapter's IPv4 settings with static values. The IP address must be the one you will give this machine in virtualbox.conf (192.168.56.101 below) and must not be the host's own vboxnet0 address, which is the gateway:
IP Address – 192.168.56.101
Subnet Mask – 255.255.255.0
Default Gateway – 192.168.56.1
DNS Servers – 8.8.8.8/8.8.4.4




  • Disable Windows Update and Windows Firewall
  • Install python 2.7 for Windows - You can download python 2.7 from: https://www.python.org/ftp/python/2.7.13/python-2.7.13.msi
  • Disable UAC
  • Install your preferred versions of Adobe Reader, Adobe Flash Player, Microsoft Office, and Java.
  • Start Adobe and Internet Explorer to rid them of prompts that could interfere with analyses
  • Copy the agent.py file from the ~/.cuckoo/agent directory on your Ubuntu host to the guest (it exists only once you have run cuckoo to create the default directories).
Place it in the Windows 7 Startup folder located at:
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

You should then see the following window upon next reboot:




IMPORTANT: If you haven’t already, enable the VM Guest Additions functionality so you can create a sharable drive between your Guest VM OS and your host machine.
  • Go to Device-Insert Guest Additions CD image…
  • Go to settings of the Guest VM – shared folders – Add host folder (browse)
  • Go to Guest VM – open command prompt (cmd.exe)
  • Type "net use x: \\vboxsvr\NAME_OF_FOLDER_YOU_SHARED"
i.e. if I shared /home/cuckoo/Desktop on the host, the command would be:
net use x: \\vboxsvr\Desktop

The drive will then show up in Computer under mapped drives.

Lastly, uninstall the Guest Additions once you have transferred all necessary files to the guest VM. This also makes the VM harder to detect for malware that checks the installed programs.

OPTIONAL (RECOMMENDED): To take advantage of the Cuckoo Sandbox Screenshots feature, you must install Pillow on your Windows guest VM using python. See APPENDIX B for instructions on setting this up.

Cuckoo Software Configuration
The configuration files for Cuckoo Sandbox define how the tool behaves. They must be configured correctly for the sandbox to run without errors.

All Cuckoo configuration files are located in the ~/.cuckoo/conf directory.
The files listed below are the ones that need changes from their default state. Match the parameters shown for each .conf file exactly.

Edit the following parameters in each file using your favorite text editor:
cuckoo.conf

[cuckoo]

memory_dump = yes
machinery = virtualbox

[resultserver]

ip = 192.168.56.1

auxiliary.conf
[sniffer]
enabled = yes



virtualbox.conf
Note for this file, where it says cuckoo1 below, change it to match your guest VM name.
[virtualbox]
mode = gui
machines = cuckoo1

[cuckoo1]

label = cuckoo1

platform = windows
ip = 192.168.56.101
snapshot = Snapshot1

processing.conf
[memory]
enabled = yes

memory.conf
This .conf file configures Volatility. Note that the profile name is written without quotes:

[basic]
guest_profile = Win7SP1x64

For a list of the other Volatility guest profiles, run the command below (the output shown is from Volatility 2.6):
vol.py --info | grep Profiles -A48

Volatility Foundation Volatility Framework 2.6
Profiles
--------
VistaSP0x64           - A Profile for Windows Vista SP0 x64
VistaSP0x86           - A Profile for Windows Vista SP0 x86
VistaSP1x64           - A Profile for Windows Vista SP1 x64
VistaSP1x86           - A Profile for Windows Vista SP1 x86
VistaSP2x64           - A Profile for Windows Vista SP2 x64
VistaSP2x86           - A Profile for Windows Vista SP2 x86
Win10x64              - A Profile for Windows 10 x64
Win10x64_10586        - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393        - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x86              - A Profile for Windows 10 x86
Win10x86_10586        - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393        - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win2003SP0x86         - A Profile for Windows 2003 SP0 x86
Win2003SP1x64         - A Profile for Windows 2003 SP1 x64
Win2003SP1x86         - A Profile for Windows 2003 SP1 x86
Win2003SP2x64         - A Profile for Windows 2003 SP2 x64
Win2003SP2x86         - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64       - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64       - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008SP1x64         - A Profile for Windows 2008 SP1 x64
Win2008SP1x86         - A Profile for Windows 2008 SP1 x86
Win2008SP2x64         - A Profile for Windows 2008 SP2 x64
Win2008SP2x86         - A Profile for Windows 2008 SP2 x86
Win2012R2x64          - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340    - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64            - A Profile for Windows Server 2012 x64
Win2016x64_14393      - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64            - A Profile for Windows 7 SP0 x64
Win7SP0x86            - A Profile for Windows 7 SP0 x86
Win7SP1x64            - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418      - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86            - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418      - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win81U1x64            - A Profile for Windows 8.1 Update 1 x64
Win81U1x86            - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64            - A Profile for Windows 8 x64
Win8SP0x86            - A Profile for Windows 8 x86
Win8SP1x64            - A Profile for Windows 8.1 x64
Win8SP1x64_18340      - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86            - A Profile for Windows 8.1 x86
WinXPSP1x64           - A Profile for Windows XP SP1 x64
WinXPSP2x64           - A Profile for Windows XP SP2 x64
WinXPSP2x86           - A Profile for Windows XP SP2 x86
WinXPSP3x86           - A Profile for Windows XP SP3 x86

IMPORTANT: if you use Volatility, the guest_profile in this file must match the Windows version and architecture of your guest VM (Win7SP1x64 for a 64-bit Windows 7 SP1 guest); with the wrong profile the memory analysis will not work.

reporting.conf

[singlefile]
# Enable creation of report.html?
enabled = yes

[mongodb]
enabled = yes


Cuckoo Usage
Finally, Cuckoo is ready to use! First download the community signatures, which Cuckoo uses to score the behaviour it observes, by typing the command:
cuckoo community

Then, start Cuckoo and the Django web interface by typing in the following two commands in two separate terminal windows:
Terminal #1: cuckoo
Terminal #2: cuckoo web runserver

Next, open localhost:8000 in your browser (Firefox on the Ubuntu host) to reach the Cuckoo web interface. This is where you upload files and let Cuckoo do the malware reverse engineering for you!


The web interface will look like so or similar when loaded:


Congratulations! You have now set up a working Cuckoo Sandbox! Enjoy!

Also if you have any suggestions/recommendations for this guide, please leave them in the comment boxes below.  





APPENDIX A
Auto start VirtualBox network interface on Ubuntu 17.04
To enforce VirtualBox vboxnet0 network interface initializes at startup for Ubuntu 17.04, follow the steps below:
1.      Install vim
sudo apt-get install -y vim

2.      Create the /opt/systemd directory and, inside it, the vboxhostonly bash script that runs the vboxmanage commands
sudo mkdir /opt/systemd/
sudo vim /opt/systemd/vboxhostonly

Copy in the text below and save with vim (press Esc, type ":wq" and hit Enter)
#!/bin/bash
vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

3.      Go to the directory where you saved the vboxhostonly file and make the file executable
cd /opt/systemd/
sudo chmod a+x vboxhostonly

4.      Next create the vboxhostonlynic.service file in /etc/systemd/system/ directory
sudo touch /etc/systemd/system/vboxhostonlynic.service

5.      Open the text editor as Administrator to edit the vboxhostonlynic.service file
sudo gedit /etc/systemd/system/vboxhostonlynic.service

6.      Copy in the unit below (the [Unit] header is required) and save the file

[Unit]
Description=Setup VirtualBox Hostonly Adapter
After=vboxdrv.service

[Service]
Type=oneshot
ExecStart=/opt/systemd/vboxhostonly

[Install]
WantedBy=multi-user.target

7.  Now reload systemd and enable the service so it will be executed at boot time:
sudo systemctl daemon-reload
sudo systemctl enable vboxhostonlynic.service

8.      Verify the service is working properly by starting it now and checking that vboxnet0 appears in ifconfig:
sudo systemctl start vboxhostonlynic.service


APPENDIX B
Install dependencies in Windows for Pillow (Cuckoo's screenshot feature)

1.      Download the get-pip.py script from https://bootstrap.pypa.io and save it as a python script file (.py) in C:\python27.
2.      Open command prompt and change directory to c:\python27
3.      Install pip and setuptools for Windows Python by typing the command:
python get-pip.py

4.      Change directory to scripts folder by typing the command:
cd scripts

5.      Install Pillow for Windows Python by typing the command:
easy_install pillow


11 comments:

  1. Quick edit that worked for me, not sure if it will work for others.

    If you are having trouble accessing the internet from your VM, the MASQUERADE setting in your IPTables may be a little off!

    I used
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    and was successful with that!

    Replies
    1. Thanks for the comment. I will consider this during my next revision of this post!

    2. After using the below commands I got internet access on the guest machine (Windows). But the issue is, the internet connection was lost on the host machine. Can someone help please?

      Commands:
      sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
      sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      sudo iptables -A POSTROUTING -t nat -j MASQUERADE

  2. You will also probably want to install mysql-server, create a db and update cuckoo.conf to reflect that db:

    cuckoo.conf
    [database]
    connection = mysql://user:password@localhost/dbname

    Replies
    1. Thanks for the comment chea. Why do you recommend this step?

  3. Hi Tom,
    I am in love with the Cuckoo project and my only downside is I have only done research about how to get it up and running. So I have come across documentation that suggests that you should install YARA from source code first before installing Yara-Python with pip.
    Could you compare notes with Warunika Amali - Medium.com on his Cuckoo sandbox installation guide.
    I've loved your installation steps as they are very descriptive and in-depth. I should have started my research here to save me a whole day's work of reading up on Cuckoo.
    Impressive work sir!

    Replies
    1. @Michael Kasede, I'll take a look at the YARA piece you described. I actually never got that far when I wrote this guide to actually test the YARA functionality, so thanks for pointing that out. I've been meaning to update this documentation for awhile so I will consider your comments and those above in the next revision. I'm glad this documentation has helped you with setting up Cuckoo, as I myself struggled to find detailed documentation on the tool, which is why I wrote my own because of the amount of steps required. I only found bits and pieces from the other useful user-written guides out there and discovered a lot myself through trial-and-error, support from github and other private research. I'm hoping to maintain this guide as necessary to keep it accurate and simple to follow as the Cuckoo project changes. Look out for an update soon. Thanks for the comments everyone!

  4. Hi Tom,
    About Yara, it comes pre-packed in the cuckoo installation at least as of Cuckoo version 2.06. Please update this post because it's by far the best on the Cuckoo installation. Many of us could use this information.

    I have run into a problem actually. Cuckoo is installed and all configurations are applied as you describe. However, when I run cuckoo I get the following error:

    2018-11-28 16:49:54,293 [cuckoo] ERROR: IOError: [Errno 13] Permission denied: '/opt/cuckoo/pidfiles/cuckoo.pid'
    Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/cuckoo/main.py", line 233, in main
    cuckoo_init(level, ctx)
    File "/usr/local/lib/python2.7/dist-packages/cuckoo/main.py", line 125, in cuckoo_init
    pidfile.create()
    File "/usr/local/lib/python2.7/dist-packages/cuckoo/misc.py", line 229, in create
    with open(self.filepath, "wb") as f:
    IOError: [Errno 13] Permission denied: '/opt/cuckoo/pidfiles/cuckoo.pid'

    Can you please help with this.

  5. @Michael Kaseda
    I am having trouble in installing get-pip.py and pillow...
    Can you share setup VM of cuckoo...

  6. If the default policy of FORWARD Table is ACCEPT, why do we need to specify more policies?

  7. Hi Tom, it's 2021 and I am still using cuckoo and mostly making reference to your steps to set it up. I last did this in 2018 and it has been working for me since. I am now considering moving to Ubuntu 18.04.5 with the latest cuckoo version.
    Check out this blog, they've really tried to simplify the installation - https://hatching.io/blog/cuckoo-sandbox-setup/. Cheers mate.
