Introduction
Cuckoo is an open source malware analysis sandbox tool, which allows you to analyze malware on systems with Windows, Linux and OSX Operating systems. It can help you see what a potential malicious file, URL, or hash will do when detonated within these environments.
The setup process for Cuckoo is a bit complex, so the purpose of this guide is to help you get it set up quickly and as easily as possible. I wrote this guide because there was a lack of accurate, up-to-date guides on the internet. I hope this information helps others out there struggling with setting up Cuckoo and gets them well on their way!
Cuckoo can be used to analyze objects such as:
- Generic Windows executable
- DLL files
- PDF documents
- Microsoft Office documents
- URLs and HTML files
- PHP scripts
- CPL files
- Visual Basic (VB) scripts
- ZIP files
- Java JAR
- Python files
- and more!
Requirements
Cuckoo requires a minimum of two computer systems to function: one acting as host and the other as guest. Guest systems will always be virtual machines. For example, my setup was:
Host:
- Ubuntu 17.04 (installed on a spare laptop)
- 4GB RAM
- VirtualBox 5.1.22
- Cuckoo Sandbox 2.0.4a5
Guest:
- Windows 7 SP1
- 1GB RAM
You can use any configuration you'd like, but I recommend a system with no less than 1GB of RAM for a guest VM and 4GB of RAM for a host machine. VMs can run Windows, Linux, and OSX, but for the purpose of this guide we will be using Windows 7 SP1.
This process can take anywhere from 2-3 hrs. to complete the first time through, so make sure you set aside enough time to complete everything.
Now, let's get started.
Installation
First, be sure Ubuntu Desktop is installed on your host machine before you begin. This is absolutely required. Throughout this guide, we'll be using Ubuntu Desktop version 17.04, and I recommend you use the same.
NOTE: all commands shown on their own line are to be entered into a terminal.
Once you have Ubuntu installed, update the OS by running the following commands in a terminal session:
sudo apt-get update -y
sudo apt-get upgrade -y
Next, install all Python dependencies required for Cuckoo:
sudo apt-get install -y python python-pip python-dev libffi-dev libssl-dev libfuzzy-dev libtool flex autoconf libjansson-dev git
sudo apt-get install -y python-virtualenv python-setuptools
sudo apt-get install -y libjpeg-dev zlib1g-dev swig
To use Cuckoo's web reporting interface, install MongoDB:
sudo apt-get install -y mongodb
Cuckoo's recommended database is PostgreSQL; install it:
sudo apt-get install -y postgresql libpq-dev
Now you can install VirtualBox.
IMPORTANT: In the first command below for installing VirtualBox, make sure to use the correct Ubuntu release codename, which comes after the repository URL and before the word 'contrib'. For example, zesty is for Ubuntu 17.04 and xenial is for 16.04.
You can find the codenames at https://www.virtualbox.org/wiki/Linux_Downloads if you are using a different version of Ubuntu. If you are using Ubuntu 17.04, use zesty; it is already in the commands below:
echo "deb http://download.virtualbox.org/virtualbox/debian zesty contrib" | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
sudo apt-get update -y
sudo apt-get install -y virtualbox-5.1
If you make a typo and did not create the virtualbox.list file with the correct codename, you can always start over by running this command, as it deletes the virtualbox.list file:
sudo rm /etc/apt/sources.list.d/virtualbox.list
Or, if you need to force the deletion for some reason (for example to suppress the error when the file does not exist):
sudo rm -f /etc/apt/sources.list.d/virtualbox.list
Once you get VirtualBox installed, you will need to install all the downloadable plugins that work with Cuckoo Sandbox (and there's A LOT). I recommend you download them to your user profile's Downloads folder, located in /home/[username]/, to keep everything organized. Linux file and directory names are case sensitive, so be sure you type "Downloads" with a capital D, for example. Also keep this tip in mind when changing directories and executing files from other directories in Linux.
Change your directory to Downloads, build and install Volatility, then install the remaining Python plugins with these commands:
cd Downloads
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
sudo python setup.py build
sudo python setup.py install
cd ..
sudo -H pip install distorm3
sudo -H pip install yara-python==3.6.3
Then install ssdeep:
sudo apt-get install -y ssdeep
Validate ssdeep is installed by typing the command:
ssdeep -V
2.13
Then install Pydeep:
sudo -H pip install pydeep
Validate Pydeep is installed by typing the command:
pip show pydeep
---
Name: pydeep
Version: 0.2
Location: /usr/local/lib/python2.7/dist-packages
Requires:
Install openpyxl:
sudo -H pip install openpyxl
Install ujson:
sudo -H pip install ujson
Install Jupyter:
sudo -H pip install jupyter
Install tcpdump for packet capture analysis, and give it the capabilities it needs so Cuckoo can run it without root:
sudo apt-get install -y tcpdump
sudo apt-get install -y libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
If you are using Ubuntu, make sure to disable the AppArmor profile for tcpdump:
sudo apt-get install -y apparmor-utils
sudo aa-disable /usr/sbin/tcpdump
Upgrade pip and setuptools:
sudo -H pip install -U pip setuptools
Then install the latest stable version of Cuckoo by entering the command:
sudo -H pip install -U cuckoo
The command above installs whatever the latest stable version of Cuckoo is at the time, so the version you get will change over time.
Next, run Cuckoo for the first time to create the default directories by typing the command:
cuckoo
Post-Installation
VirtualBox Configuration
Now you will have to configure Cuckoo after installing it, but before you can configure Cuckoo itself, you need to set up VirtualBox and its networking correctly.
Without configuring any of VirtualBox's network interfaces, you should only see the ifconfig output below. Run the ifconfig command:
ifconfig
eno1      Link encap:Ethernet  HWaddr 5c:26:0a:32:f9:33
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:20 Memory:f5400000-f5420000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:23242 (23.2 KB)  TX bytes:23242 (23.2 KB)

wlp2s0    Link encap:Ethernet  HWaddr 00:27:10:b2:62:b8
          inet addr:192.168.1.192  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::f4e6:df50:354:206c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1702 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1205 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1383413 (1.3 MB)  TX bytes:195228 (195.2 KB)
If you get an error or are missing ifconfig from your Linux distro (Ubuntu 17.04 does not include net-tools), install it by typing the command:
sudo apt install -y net-tools
Now create a "Host-Only Adapter" by running the following command:
vboxmanage hostonlyif create
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Interface 'vboxnet0' was successfully created
Set the IP address for the vboxnet0 interface:
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
Now you should see "vboxnet0" in your ifconfig output; this interface will be used for your guest VM:
ifconfig
(eno1, lo and wlp2s0 are listed exactly as before, followed by the new interface:)
vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00
          inet addr:192.168.56.1  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Next, create your virtual machine in VirtualBox with a Windows 7 SP1 OS image. PLEASE NOTE: You will need to provide your own Operating System license and installation media. Windows 7 SP1 works best for Windows malware analyses.
Once you have your guest VM OS up and running, configure the VM with the Host-Only Adapter. You may use the GUI or the command line to do this, whichever is easier for you.
The command line option (replace nameofVM with the VM's name in VirtualBox; the VM must be powered off for modifyvm to apply):
vboxmanage modifyvm nameofVM --hostonlyadapter1 vboxnet0
vboxmanage modifyvm nameofVM --nic1 hostonly
Or the GUI option: in the VM's Settings, under Network, attach Adapter 1 to "Host-only Adapter" and select vboxnet0.
Next, you will need to configure IP forwarding so the internet connection gets routed from the host machine to the guest VM. We will use iptables to set these network forwarding rules.
Implement the following forwarding rules with these commands. In each of them, eth0 must be the name of your host's internet-facing interface as listed by ifconfig; on the laptop used for this guide that interface is wlp2s0 (see the ifconfig output above), so substitute your own interface name, because a rule that names an interface that does not exist never matches:
sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The -o eth0 on the MASQUERADE rule limits source NAT to packets leaving through the internet-facing interface, so traffic on the host's other interfaces is left untouched.
Check your rules again and ensure they display as below:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.56.0/24      anywhere             ctstate NEW
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Next, enable IP forwarding in the kernel so that these settings become active (required for the guest to reach the internet):
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1
You can make the iptables rules persistent across reboots so your settings are saved. Do this by installing iptables-persistent, which offers to save the current rules during installation:
sudo apt-get install -y iptables-persistent
To enable IP forwarding at startup after a reboot (Ubuntu 17.04 requires this), edit the sysctl.conf file by issuing the command:
sudo gedit /etc/sysctl.conf
Then uncomment the line below in sysctl.conf by removing the # sign, and save the file:
net.ipv4.ip_forward=1
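The script below is an added example, not from the original post, that checks a host against the forwarding setup above: it reads the uplink interface from `ip route show default`, then parses `iptables -S FORWARD`, `iptables -t nat -S POSTROUTING` and /proc/sys/net/ipv4/ip_forward, and flags a FORWARD or MASQUERADE rule that names an interface other than the real uplink (the eth0-versus-wlp2s0 mistake) or a MASQUERADE rule with no -o at all. The SAMPLE_* dumps at the bottom are constructed; check_live() needs root because iptables does.

```python
"""Check the host's forwarding and NAT rules for the Cuckoo guest network (Python 3)."""
import subprocess

GUEST_IF = "vboxnet0"          # host-only interface created with vboxmanage
GUEST_NET = "192.168.56.0/24"  # guest subnet used throughout this guide

def uplink_from_route(ip_route_text):
    """Interface named after 'dev' in `ip route show default` output, or None."""
    for line in ip_route_text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["default"] and "dev" in tokens:
            return tokens[tokens.index("dev") + 1]
    return None

def _rules(iptables_s_text):
    """Tokenize the -A lines of `iptables -S <chain>` output, one list per rule."""
    return [ln.split() for ln in iptables_s_text.splitlines() if ln.startswith("-A ")]

def _opt(tokens, flag):
    """Value following a flag in one tokenized rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def check_rules(forward_text, postrouting_text, ip_forward_text, uplink):
    """Compare live rule dumps with what the guide sets up; returns a list of problems."""
    problems = []
    if ip_forward_text.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1; the kernel will not forward guest packets")
    fwd = _rules(forward_text)
    if not any(_opt(r, "-i") == GUEST_IF and _opt(r, "-s") == GUEST_NET and _opt(r, "-j") == "ACCEPT"
               and "NEW" in (_opt(r, "--ctstate") or "") for r in fwd):
        problems.append("FORWARD: no ACCEPT for NEW connections from %s on %s" % (GUEST_NET, GUEST_IF))
    if not any("ESTABLISHED" in (_opt(r, "--ctstate") or "") and _opt(r, "-j") == "ACCEPT" for r in fwd):
        problems.append("FORWARD: no ACCEPT for ESTABLISHED,RELATED replies back to the guest")
    for r in fwd:
        out = _opt(r, "-o")
        if _opt(r, "-i") == GUEST_IF and out and out != uplink:
            problems.append("FORWARD: rule names -o %s but the default route uses %s" % (out, uplink))
    masq = [r for r in _rules(postrouting_text) if _opt(r, "-j") == "MASQUERADE"]
    if not masq:
        problems.append("nat POSTROUTING: no MASQUERADE rule; guest packets would leave with a private source")
    for r in masq:
        out = _opt(r, "-o")
        if out is None:
            problems.append("nat POSTROUTING: MASQUERADE is not limited to the uplink; add -o %s" % uplink)
        elif out != uplink:
            problems.append("nat POSTROUTING: MASQUERADE uses -o %s but the default route uses %s" % (out, uplink))
    return problems

def check_live():
    """Run the same checks on this host (iptables needs root)."""
    run = lambda *cmd: subprocess.check_output(cmd, universal_newlines=True)
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        ip_forward = f.read()
    return check_rules(run("iptables", "-S", "FORWARD"), run("iptables", "-t", "nat", "-S", "POSTROUTING"),
                       ip_forward, uplink_from_route(run("ip", "route", "show", "default")))

# Constructed sample dumps: a laptop whose uplink is wlp2s0 but whose rules were
# pasted with eth0, and a MASQUERADE rule with no -o, next to the corrected pair.
SAMPLE_ROUTE = "default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600\n"
SAMPLE_FORWARD_BAD = ("-P FORWARD ACCEPT\n"
    "-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT\n"
    "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n")
SAMPLE_NAT_BAD = "-P POSTROUTING ACCEPT\n-A POSTROUTING -j MASQUERADE\n"
SAMPLE_FORWARD_OK = SAMPLE_FORWARD_BAD.replace("eth0", "wlp2s0")
SAMPLE_NAT_OK = "-P POSTROUTING ACCEPT\n-A POSTROUTING -o wlp2s0 -j MASQUERADE\n"

if __name__ == "__main__":
    print("\n".join(check_live()) or "forwarding and NAT rules look right")
```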
OPTIONAL (RECOMMENDED): You can also force the VirtualBox vboxnet0 network interface to be initialized after every reboot. If you do not set this up to be persistent, you will have to create the network interface manually every time you reboot your host. Please see APPENDIX A for instructions on setting this up.
Configuring the Guest VM
Now it's time to customize your Windows 7 SP1 VM and make it Cuckoo-ready. Follow the steps below to configure your Windows guest virtual machine:
- Configure your Ethernet network adapter IPv4 settings with the following parameters:
IP Address – 192.168.56.101 (the ip you will give this machine in virtualbox.conf below; the host's vboxnet0 address 192.168.56.1 is the gateway, not the guest's own address)
Subnet Mask – 255.255.255.0
Default Gateway – 192.168.56.1
- Disable Windows Update and Windows Firewall
- Install Python 2.7 for Windows
     - You can download Python 2.7 from: https://www.python.org/ftp/python/2.7.13/python-2.7.13.msi
- Disable UAC
- Install your preferred versions of Adobe Reader, Adobe Flash Player, Microsoft Office, and Java.
- Start Adobe Reader and Internet Explorer once to get rid of first-run prompts that could interfere with analyses
- Upload the agent.py file from your Cuckoo host, which can be found in the ~/.cuckoo/agent directory on your Ubuntu machine. Note this is only available once you have created the default Cuckoo directories by running cuckoo.
Place it in the Windows 7 Startup folder located at:
"C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
IMPORTANT: If you haven't already, enable the VM Guest Additions functionality so you can create a shared drive between your guest VM OS and your host machine.
- Go to Devices - Insert Guest Additions CD image...
- Go to the settings of the guest VM - Shared Folders - add a host folder (browse)
- In the guest VM, open a command prompt (cmd.exe)
- Type "net use x: \\vboxsvr\NAME OF FOLDER YOU SHARED"
For example, if I shared /home/cuckoo/Desktop, the command would be:
net use x: \\vboxsvr\Desktop
The drive will then show up in Computer under mapped drives.
Lastly, uninstall VM Guest Additions when you have transferred all necessary files to the guest VM. This also helps avoid VM detection by malware that looks at installed programs.
OPTIONAL (RECOMMENDED): To take advantage of the Cuckoo Sandbox screenshots feature, you must install Pillow on your Windows guest VM using Python. See APPENDIX B for instructions on setting this up.
Cuckoo Software Configuration
The configuration files for Cuckoo Sandbox define the behavior of the tool. They MUST be configured correctly for the sandbox to work without errors.
All Cuckoo configuration files are located in the ~/.cuckoo/conf directory.
The files listed below are the ones that need modification from their original state. Match the parameters shown for each .conf file exactly.
Edit the following parameters in each file using your favorite text editor:
cuckoo.conf
[cuckoo]
memory_dump = yes
machinery = virtualbox
[resultserver]
ip = 192.168.56.1
auxiliary.conf
[sniffer]
enabled = yes
virtualbox.conf
Note for this file: where it says cuckoo1 below, change it to match your guest VM name exactly as VirtualBox shows it. Snapshot1 must be the name of a snapshot you have taken of the guest while it is running with agent.py started; Cuckoo restores the VM to that snapshot before every analysis.
[virtualbox]
mode = gui
machines = cuckoo1
[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot = Snapshot1
processing.conf
[memory]
enabled = yes
memory.conf
This .conf file configures Volatility:
[basic]
guest_profile = Win7SP1x64
Write the profile name without quotes, and pick the one that matches the guest's Windows version, service pack and architecture (Win7SP1x86 for a 32-bit Windows 7 SP1 guest). For a list of other Volatility guest profiles, run the command below:
vol.py --info | grep Profiles -A48
Volatility Foundation Volatility Framework 2.6
Profiles
--------
VistaSP0x64           - A Profile for Windows Vista SP0 x64
VistaSP0x86           - A Profile for Windows Vista SP0 x86
VistaSP1x64           - A Profile for Windows Vista SP1 x64
VistaSP1x86           - A Profile for Windows Vista SP1 x86
VistaSP2x64           - A Profile for Windows Vista SP2 x64
VistaSP2x86           - A Profile for Windows Vista SP2 x86
Win10x64              - A Profile for Windows 10 x64
Win10x64_10586        - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393        - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x86              - A Profile for Windows 10 x86
Win10x86_10586        - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393        - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win2003SP0x86         - A Profile for Windows 2003 SP0 x86
Win2003SP1x64         - A Profile for Windows 2003 SP1 x64
Win2003SP1x86         - A Profile for Windows 2003 SP1 x86
Win2003SP2x64         - A Profile for Windows 2003 SP2 x64
Win2003SP2x86         - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64       - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64       - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008SP1x64         - A Profile for Windows 2008 SP1 x64
Win2008SP1x86         - A Profile for Windows 2008 SP1 x86
Win2008SP2x64         - A Profile for Windows 2008 SP2 x64
Win2008SP2x86         - A Profile for Windows 2008 SP2 x86
Win2012R2x64          - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340    - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64            - A Profile for Windows Server 2012 x64
Win2016x64_14393      - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64            - A Profile for Windows 7 SP0 x64
Win7SP0x86            - A Profile for Windows 7 SP0 x86
Win7SP1x64            - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418      - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86            - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418      - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win81U1x64            - A Profile for Windows 8.1 Update 1 x64
Win81U1x86            - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64            - A Profile for Windows 8 x64
Win8SP0x86            - A Profile for Windows 8 x86
Win8SP1x64            - A Profile for Windows 8.1 x64
Win8SP1x64_18340      - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86            - A Profile for Windows 8.1 x86
WinXPSP1x64           - A Profile for Windows XP SP1 x64
WinXPSP2x64           - A Profile for Windows XP SP2 x64
WinXPSP2x86           - A Profile for Windows XP SP2 x86
WinXPSP3x86           - A Profile for Windows XP SP3 x86
IMPORTANT: If you use Volatility, it is crucial that the guest profile defined in this file is the correct one for your guest's Windows version, service pack and architecture; with the wrong profile, memory analysis will fail.
reporting.conf
[singlefile]
# Enable creation of report.html?
enabled = yes
[mongodb]
enabled = yes
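As an added host-side check, not part of Cuckoo or of the original post, the Python 3 script below (any python3 on the host will do; it does not need Cuckoo's Python 2.7) parses these six files with the standard library ConfigParser and reports every setting that differs from the values above, plus three cross-file checks the files cannot express on their own: guest_profile must be unquoted, each machine listed in virtualbox.conf must have its own section, and each machine's ip must be on the resultserver's /24 but not equal to the host's own address. SAMPLE is a constructed copy of the settings above used to exercise it; give the script a conf directory as its argument, or none to check ~/.cuckoo/conf.

```python
"""Preflight check for the ~/.cuckoo/conf edits this guide asks for (Python 3)."""
import configparser, ipaddress, os, sys

# (file, section, option) -> value the guide requires.
REQUIRED = {
    ("cuckoo.conf", "cuckoo", "memory_dump"): "yes",
    ("cuckoo.conf", "cuckoo", "machinery"): "virtualbox",
    ("cuckoo.conf", "resultserver", "ip"): "192.168.56.1",
    ("auxiliary.conf", "sniffer", "enabled"): "yes",
    ("processing.conf", "memory", "enabled"): "yes",
    ("reporting.conf", "singlefile", "enabled"): "yes",
    ("reporting.conf", "mongodb", "enabled"): "yes",
}
FILES = ("cuckoo.conf", "auxiliary.conf", "virtualbox.conf", "processing.conf", "memory.conf", "reporting.conf")

def check_texts(texts):
    """texts maps file name -> contents; returns a list of problems (empty = matches the guide)."""
    confs = {n: configparser.ConfigParser(interpolation=None, strict=False) for n in FILES}
    for n in FILES:  # a missing file parses as empty and is reported as "missing" below
        confs[n].read_string(texts.get(n, ""))
    problems = []
    for (fname, section, option), want in REQUIRED.items():
        got = confs[fname].get(section, option, fallback=None)
        if got is None:
            problems.append("%s: [%s] %s is missing" % (fname, section, option))
        elif got.strip().lower() != want:
            problems.append("%s: [%s] %s = %s (expected %s)" % (fname, section, option, got, want))
    # Volatility wants the bare profile name; quotes pasted from a web page break the lookup.
    profile = confs["memory.conf"].get("basic", "guest_profile", fallback="")
    if not profile:
        problems.append("memory.conf: [basic] guest_profile is missing")
    elif profile[0] in "\"'\u201c\u201d":
        problems.append("memory.conf: guest_profile %s must not be quoted" % profile)
    # Each listed machine needs its own section and an ip on the resultserver's /24 that is not the host's.
    vb = confs["virtualbox.conf"]
    host_ip = confs["cuckoo.conf"].get("resultserver", "ip", fallback="")
    try:
        subnet = ipaddress.ip_network(host_ip + "/24", strict=False)
    except ValueError:
        subnet = None
    machines = [m.strip() for m in vb.get("virtualbox", "machines", fallback="").split(",") if m.strip()]
    if not machines:
        problems.append("virtualbox.conf: [virtualbox] machines is empty")
    for m in machines:
        if not vb.has_section(m):
            problems.append("virtualbox.conf: no [%s] section for listed machine" % m)
            continue
        for opt in ("label", "platform", "ip", "snapshot"):
            if not vb.get(m, opt, fallback=""):
                problems.append("virtualbox.conf: [%s] %s is missing" % (m, opt))
        guest_ip = vb.get(m, "ip", fallback="")
        if subnet and guest_ip == host_ip:
            problems.append("virtualbox.conf: [%s] ip %s is the host's own address" % (m, guest_ip))
        elif subnet and guest_ip and ipaddress.ip_address(guest_ip) not in subnet:
            problems.append("virtualbox.conf: [%s] ip %s is not on %s" % (m, guest_ip, subnet))
    return problems

# Constructed sample reproducing exactly the settings listed in this guide.
SAMPLE = {
    "cuckoo.conf": "[cuckoo]\nmemory_dump = yes\nmachinery = virtualbox\n[resultserver]\nip = 192.168.56.1\n",
    "auxiliary.conf": "[sniffer]\nenabled = yes\n",
    "virtualbox.conf": "[virtualbox]\nmode = gui\nmachines = cuckoo1\n[cuckoo1]\nlabel = cuckoo1\n"
                       "platform = windows\nip = 192.168.56.101\nsnapshot = Snapshot1\n",
    "processing.conf": "[memory]\nenabled = yes\n",
    "memory.conf": "[basic]\nguest_profile = Win7SP1x64\n",
    "reporting.conf": "[singlefile]\n# Enable creation of report.html?\nenabled = yes\n[mongodb]\nenabled = yes\n",
}

if __name__ == "__main__":
    conf_dir = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.cuckoo/conf")
    texts = {n: open(os.path.join(conf_dir, n)).read() for n in FILES if os.path.exists(os.path.join(conf_dir, n))}
    issues = check_texts(texts)
    print("\n".join(issues) or "all settings from the guide are in place")
    sys.exit(1 if issues else 0)
```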
Cuckoo Usage
Finally, Cuckoo is ready to be used! Update Cuckoo's scoring signatures by typing the command:
cuckoo community
Then start Cuckoo and the Django web interface by typing the following two commands in two separate terminal windows:
Terminal #1: cuckoo
Terminal #2: cuckoo web runserver
Next, go to localhost:8000 in your Firefox browser to get to the web interface of Cuckoo. This is where you can start uploading files and using Cuckoo to do the reverse malware engineering for you!
The web interface will look like this, or similar, when loaded:
Congratulations! You have now set up a working Cuckoo Sandbox! Enjoy!
Also, if you have any suggestions/recommendations for this guide, please leave them in the comment boxes below.
APPENDIX A
Auto start VirtualBox network interface on Ubuntu 17.04
To make sure the VirtualBox vboxnet0 network interface is initialized at startup on Ubuntu 17.04, follow the steps below:
1. Install vim:
sudo apt-get install -y vim
2. Create the /opt/systemd directory and, inside it, the bash script vboxhostonly that runs the vboxmanage commands:
sudo mkdir -p /opt/systemd/
sudo vim /opt/systemd/vboxhostonly
Copy in the text below and save with vim (hit the Esc key, type ":w" and hit Enter to save, then ":q" to exit):
#!/bin/bash
vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
3. Go to the directory where you saved the vboxhostonly file and make it executable:
cd /opt/systemd/
sudo chmod a+x vboxhostonly
4. Next, create the vboxhostonlynic.service file in the /etc/systemd/system/ directory:
sudo touch /etc/systemd/system/vboxhostonlynic.service
5. Open the text editor as administrator to edit the vboxhostonlynic.service file:
sudo gedit /etc/systemd/system/vboxhostonlynic.service
6. Copy in the unit below and save the file (the [Unit] header is required; without it systemd rejects the Description and After lines):
[Unit]
Description=Setup VirtualBox Hostonly Adapter
After=vboxdrv.service
[Service]
Type=oneshot
ExecStart=/opt/systemd/vboxhostonly
[Install]
WantedBy=multi-user.target
7. Now install the systemd service and enable it so it is executed at boot time:
sudo systemctl daemon-reload
sudo systemctl enable vboxhostonlynic.service
8. Verify the service works by starting it and checking that the interface now exists:
sudo systemctl start vboxhostonlynic.service
ifconfig vboxnet0
APPENDIX B
Install dependencies in Windows for Pillow (Cuckoo's screenshot feature)
1. Download the get-pip.py script from https://bootstrap.pypa.io and save it as a Python script file (.py) in C:\python27.
2. Open a command prompt and change directory to C:\python27.
3. Install pip and setuptools for Windows Python by typing the command:
python get-pip.py
4. Change directory to the Scripts folder by typing the command:
cd Scripts
5. Install Pillow for Windows Python by typing the command:
easy_install pillow
Quick edit that worked for me, not sure if it will work for others.
If you are having trouble accessing the internet from your VM, the MASQUERADE setting in your iptables may be a little off!
I used
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
and was successful with that!
Thanks for the comment. I will consider this during my next revision of this post!
After using the commands below I got internet access on the guest machine (Windows). But the issue is, the internet connection was lost on the host machine. Can someone help please?
Commands:
sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
You will also probably want to install mysql-server, create a db and update cuckoo.conf to reflect that db:
cuckoo.conf
[database]
connection = mysql://user:password@localhost/dbname
Thanks for the comment chea. Why do you recommend this step?
Hi Tom,
I am in love with the Cuckoo project and my only downside is I have only done research about how to get it up and running. So I have come across documentation that suggests that you should install YARA from source code first before installing Yara-Python with pip.
Could you compare notes with Warunika Amali - Medium.com on his Cuckoo sandbox installation guide?
I've loved your installation steps as they are very descriptive and in-depth. I should have started my research here to save me a whole day's work of reading up on Cuckoo.
Impressive work sir!
@Michael Kasede, I'll take a look at the YARA piece you described. I actually never got that far when I wrote this guide to actually test the YARA functionality, so thanks for pointing that out. I've been meaning to update this documentation for a while so I will consider your comments and those above in the next revision. I'm glad this documentation has helped you with setting up Cuckoo, as I myself struggled to find detailed documentation on the tool, which is why I wrote my own because of the amount of steps required. I only found bits and pieces from the other useful user-written guides out there and discovered a lot myself through trial-and-error, support from github and other private research. I'm hoping to maintain this guide as necessary to keep it accurate and simple to follow as the Cuckoo project changes. Look out for an update soon. Thanks for the comments everyone!
Hi Tom,
About Yara, it comes pre-packed in the Cuckoo installation, at least as of Cuckoo version 2.06. Please update this post because it's by far the best on the Cuckoo installation. Many of us could use this information.
I have run into a problem actually. Cuckoo is installed and all configurations are applied as you describe. However, when I run cuckoo I get the following error:
2018-11-28 16:49:54,293 [cuckoo] ERROR: IOError: [Errno 13] Permission denied: '/opt/cuckoo/pidfiles/cuckoo.pid'
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/cuckoo/main.py", line 233, in main
cuckoo_init(level, ctx)
File "/usr/local/lib/python2.7/dist-packages/cuckoo/main.py", line 125, in cuckoo_init
pidfile.create()
File "/usr/local/lib/python2.7/dist-packages/cuckoo/misc.py", line 229, in create
with open(self.filepath, "wb") as f:
IOError: [Errno 13] Permission denied: '/opt/cuckoo/pidfiles/cuckoo.pid'
Can you please help with this.
@Michael Kaseda
I am having trouble installing get-pip.py and pillow...
Can you share setup VM of cuckoo...
If the default policy of FORWARD Table is ACCEPT, why do we need to specify more policies?
Hi Tom, it's 2021 and I am still using Cuckoo and mostly making reference to your steps to set it up. I last did this in 2018 and it has been working for me since. I am now considering moving to Ubuntu 18.04.5 with the latest Cuckoo version.
Check out this blog; they've really tried to simplify the installation - https://hatching.io/blog/cuckoo-sandbox-setup/. Cheers mate.