01.25
This is continuing a series of posts on CuckooBox. It is more or less the same setup as previous posts.
First install the dependencies:
sudo apt-get install python python-dev python-mako python-dpkt python-magic tcpdump git
wget http://download.virtualbox.org/virtualbox/4.1.8/virtualbox-4.1_4.1.8-75467~Ubuntu~oneiric_i386.deb
wget http://download.virtualbox.org/virtualbox/4.1.8/Oracle_VM_VirtualBox_Extension_Pack-4.1.8-75467.vbox-extpack
sudo dpkg -i virtualbox-4.1_4.1.8-75467~Ubuntu~oneiric_i386.deb
vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.1.8-75467.vbox-extpack
Configure tcpdump to run without needing root privileges:
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
And now to install the latest development version of CuckooBox:
cd /opt/
git clone https://github.com/cuckoobox/cuckoo.git
Create a VM in VirtualBox to detonate the malware in:
VBoxManage createvm --name "CuckooBox_Node_1" --ostype WindowsXP --register
Make sure to:
Install a base operating system (in this case Windows XP)
Install VirtualBox GuestAdditions
Install Python2.7
Install the Python Imaging Library (used by Cuckoo to capture screenshots during execution)
Install WinAppDbg (used for the Tracer package)
Install distorm3 (used for the Tracer package)
Install additional software (Acrobat, Office, Firefox, etc.)
Turn off Windows Firewall as well as Windows Update.
Now clone the VM to avoid repeating the configuration and to increase the number of nodes in your CuckooBox analysis pool:
VBoxManage controlvm "CuckooBox_Node_1" poweroff
VBoxManage clonevm "CuckooBox_Node_1" --name "CuckooBox_Node_2" --registervm
VBoxManage clonevm "CuckooBox_Node_1" --name "CuckooBox_Node_3" --registervm
Enable NIC tracing for each VM so that CuckooBox can capture any network traffic observed during malware execution:
VBoxManage modifyvm "CuckooBox_Node_1" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo1/dump.pcap
VBoxManage modifyvm "CuckooBox_Node_2" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo2/dump.pcap
VBoxManage modifyvm "CuckooBox_Node_3" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo3/dump.pcap
Enable file sharing between the nodes and the CuckooBox host software:
cp -R /opt/cuckoo/shares/cuckoo1/ /opt/cuckoo/shares/cuckoo2
cp -R /opt/cuckoo/shares/cuckoo1/ /opt/cuckoo/shares/cuckoo3
VBoxManage sharedfolder add "CuckooBox_Node_1" --name "setup" --hostpath "/opt/cuckoo/shares/setup" --readonly
VBoxManage sharedfolder add "CuckooBox_Node_1" --name "cuckoo1" --hostpath "/opt/cuckoo/shares/cuckoo1"
VBoxManage sharedfolder add "CuckooBox_Node_2" --name "setup" --hostpath "/opt/cuckoo/shares/setup" --readonly
VBoxManage sharedfolder add "CuckooBox_Node_2" --name "cuckoo2" --hostpath "/opt/cuckoo/shares/cuckoo2"
VBoxManage sharedfolder add "CuckooBox_Node_3" --name "setup" --hostpath "/opt/cuckoo/shares/setup" --readonly
VBoxManage sharedfolder add "CuckooBox_Node_3" --name "cuckoo3" --hostpath "/opt/cuckoo/shares/cuckoo3"
Power on and log into each VM. Make any necessary last-minute changes (rename the machine, specify either static or DHCP addresses, etc.) and take a snapshot of the VM:
VBoxManage snapshot "CuckooBox_Node_1" take "CuckooBox" --pause
VBoxManage controlvm "CuckooBox_Node_1" poweroff
VBoxManage snapshot "CuckooBox_Node_1" restorecurrent
VBoxManage snapshot "CuckooBox_Node_2" take "CuckooBox" --pause
VBoxManage controlvm "CuckooBox_Node_2" poweroff
VBoxManage snapshot "CuckooBox_Node_2" restorecurrent
VBoxManage snapshot "CuckooBox_Node_3" take "CuckooBox" --pause
VBoxManage controlvm "CuckooBox_Node_3" poweroff
VBoxManage snapshot "CuckooBox_Node_3" restorecurrent
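The per-node clone, NIC-trace, shared-folder and snapshot steps above, collected into one script so the pool size becomes a parameter. This is an added example, not code from the post or from the Cuckoo project; it reuses the VM names, share paths and snapshot name used above, and DRY_RUN is an assumed switch that prints the VBoxManage commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: build N Cuckoo nodes from the
# base VM (clone, NIC trace, shares), then snapshot each after manual log-in.
# DRY_RUN=1 prints each VBoxManage command instead of running it.
BASE_VM="${BASE_VM:-CuckooBox_Node_1}"   # the base node prepared above
SHARES="${SHARES:-/opt/cuckoo/shares}"   # host-side share root from the post
SNAPSHOT="${SNAPSHOT:-CuckooBox}"

# Run a VBoxManage command, or echo it when DRY_RUN=1.
vbm() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# Configure one node: $1 = node number, $2 = VM name. Node 1 is the base VM
# itself, so it gets the trace and shares but is not cloned.
configure_node() {
    idx="$1"; node="$2"; share="$SHARES/cuckoo$idx"
    [ "$idx" -eq 1 ] || vbm clonevm "$BASE_VM" --name "$node" --registervm
    vbm modifyvm "$node" --nictrace1 on --nictracefile1 "$share/dump.pcap"
    vbm sharedfolder add "$node" --name setup --hostpath "$SHARES/setup" --readonly
    vbm sharedfolder add "$node" --name "cuckoo$idx" --hostpath "$share"
}

# Snapshot one node ($1) after it has been powered on, logged into and tweaked;
# the analyzer restores this snapshot before every sample.
snapshot_node() {
    vbm snapshot "$1" take "$SNAPSHOT" --pause
    vbm controlvm "$1" poweroff
    vbm snapshot "$1" restorecurrent
}

# Power off the base VM, then create and configure nodes 1..$1. Per-node share
# directories are copied from cuckoo1 (skipped in dry-run mode).
provision_pool() {
    count="$1"; n=1
    vbm controlvm "$BASE_VM" poweroff
    while [ "$n" -le "$count" ]; do
        if [ "${DRY_RUN:-0}" != "1" ] && [ ! -d "$SHARES/cuckoo$n" ]; then
            cp -R "$SHARES/cuckoo1" "$SHARES/cuckoo$n"
        fi
        configure_node "$n" "CuckooBox_Node_$n"
        n=$((n + 1))
    done
}
# Usage: NODES=3 DRY_RUN=1 sh provision_nodes.sh   (drop DRY_RUN to apply)
if [ -n "$NODES" ]; then provision_pool "$NODES"; fi
```

Run `provision_pool` first, do the manual log-in and tweaks on each node, then call `snapshot_node` per VM so the snapshot captures the final state.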
Finally, install ssdeep as well as pyssdeep for fuzzy hashing:
wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.7/ssdeep-2.7.tar.gz
tar -xvzf ssdeep-2.7.tar.gz
cd ssdeep-2.7
./configure
make
sudo make install
svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
cd pyssdeep
sudo python setup.py build
sudo python setup.py install
Now that CuckooBox is installed and configured, it is time for execution. Open three tabs in your terminal (or use screen):
cd /opt/cuckoo
python cuckoo.py    # tab 1
python web.py       # tab 2
In tab 3, submit samples with submit.py; its usage is:
Usage: submit.py [options] filepath

Options:
  -h, --help            show this help message and exit
  -t TIMEOUT, --timeout=TIMEOUT
                        Specify analysis execution time limit
  -p PACKAGE, --package=PACKAGE
                        Specify custom analysis package name
  -r PRIORITY, --priority=PRIORITY
                        Specify an analysis priority expressed in integer
  -c CUSTOM, --custom=CUSTOM
                        Specify any custom value to be passed to postprocessing
  -d, --download        Specify if the target is an URL to be downloaded
  -u, --url             Specify if the target is an URL to be analyzed
  -m MACHINE, --machine=MACHINE
                        Specify a virtual machine you want to specifically use for this analysis
Once the malware has completed execution, point your browser to http://localhost:8080. If all went well you should see something similar to the following:
Thanks again to all the developers at CuckooBox.
Happy Hunting