Post by ZF on Jul 27, 2015 1:04:16 GMT -5
Installed on Ubuntu 14
Linux 3.16.0-44-generic #59~14.04.1-Ubuntu x86_64
Note: Both the VM and the host need to be configured.
PREPARING THE HOST MACHINE
==========================
sudo apt-get install python
sudo apt-get install python-sqlalchemy
sudo apt-get install python-dpkt python-jinja2 python-magic python-pymongo python-libvirt python-bottle python-pefile ssdeep
sudo apt-get install build-essential git libpcre3 libpcre3-dev libpcre++-dev
//pydeep Installation from github
cd /opt
git clone https://github.com/kbandla/pydeep.git pydeep
cd /opt/pydeep/
python setup.py build
sudo python setup.py install
//Yara Installation
sudo apt-get install automake
sudo apt-get install libjansson-dev
cd /opt
git clone https://github.com/plusvic/yara.git
cd /opt/yara
./bootstrap.sh
./configure --enable-cuckoo --enable-magic
make
sudo make install
sudo apt-get install tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
//Setting up cuckoo
git clone https://github.com/cuckoobox/cuckoo.git
sudo apt-get install linux-headers-$(uname -r)
PREPARING THE VIRTUAL MACHINE/SANDBOX
=====================================
Connect vm to your preferred vmnet.
In this setup, vmnet1 is chosen.
Set vmnet1 to host only, Edit->Virtual Network Editor
Check host-only
Check "Connect a host virtual adapter (vmnet1) to this network"
Choose an appropriate subnet IP. 192.168.81.0 is used in this setup.
Click save
VM->Settings
At the Network Adapter device, check "Custom: Specific virtual network" and choose /dev/vmnet1
Boot up the VM and set a static IP.
192.168.81.200 is chosen
Gateway is the host ip, 192.168.81.1
Once done, boot the machine up and take a snapshot. Name it "Snapshot1"
This will be used in the cuckoo configuration file.
Take note of the Virtual Machine Name.
This will be used in the cuckoo configuration file as well.
In this setup, it is cuckooxp1
Set up a shared drive on the VM.
Download and install the following through the share:
python.org/download
www.pythonware.com/products/pil/
Turn off Windows Firewall and Updates
If required, install outdated applications such as MS Office 2003/2007, Adobe Reader 9.5 and Firefox 3.6 from www.oldapps.com
Go to the HOST cuckoo directory and copy <cuckoo-dir>/agent/agent.py to the network share drive.
On the VM, rename agent.py to agent.pyw
Copy agent.pyw to C:\Documents and Settings\<USERNAME>\Start Menu\Programs\Startup
Double click agent.pyw and use netstat -an to verify that there is a listening port 8000
ON THE HOST, configure iptables so the VM's traffic is forwarded (NAT) through the host and can be captured.
Take note of the network adapter name (eth0 here) and the IP address range: the -s subnet must match the vmnet1 subnet chosen above (192.168.81.0/24 in this setup). Note that iptables -F flushes every existing rule on the host.
sudo iptables -L
sudo iptables -F
sudo iptables -A FORWARD -o eth0 -i vmnet1 -s 192.168.81.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
PREPARING CUCKOO
================
Go to the cuckoo directory
<cuckoo>/conf
Edit cuckoo.conf
version_check = off
machinery = vmware
ip = 192.168.81.1
Edit vmware.conf
mode = nogui
path = /usr/bin/vmrun
//Note: the section name must match the name given in "machines". If machines = gundam1, the section must be [gundam1] and not [cuckoo1].
machines = cuckoo1
[cuckoo1]
vmx_path = /opt/cuckoo/cuckooxp1/cuckooxp1.vmx
//name we saved just now for the snapshot
snapshot = Snapshot1
platform = windows
ip = 192.168.81.200
Edit auxiliary.conf
interface = vmnet1
Edit kvm.conf
machines = cuckooxp1
[cuckooxp1]
label = cuckooxp1
platform = windows
ip = 192.168.81.200
Edit processing.conf and add your own VirusTotal API key.
Disable the dropped module to prevent a segfault:
[dropped]
enabled = no
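The mismatch warned about above (a name listed in "machines" with no section of the same name) and a guest IP outside the host-only subnet are the two config errors that usually keep cuckoo.py from acquiring a machine. The following script is an added example, not part of the original post or of Cuckoo itself; it parses the relevant parts of cuckoo.conf and vmware.conf with configparser and lists inconsistencies. The sample configs are constructed inline, and the section names [cuckoo] and [resultserver] for cuckoo.conf, plus the /24 subnet assumption, are mine.

```python
"""Consistency check for the Cuckoo config edits above (added example, not Cuckoo code)."""
import configparser
import ipaddress

# Constructed sample of the relevant parts of <cuckoo>/conf/cuckoo.conf.
# Section names [cuckoo] and [resultserver] are an assumption about the layout.
CUCKOO_CONF = """
[cuckoo]
version_check = off
machinery = vmware

[resultserver]
ip = 192.168.81.1
port = 2042
"""

# Constructed vmware.conf that repeats the mistake the post warns about:
# "machines = cuckoo1" but the section is named [gundam1].
VMWARE_CONF_BROKEN = """
[vmware]
mode = nogui
path = /usr/bin/vmrun
machines = cuckoo1

[gundam1]
vmx_path = /opt/cuckoo/cuckooxp1/cuckooxp1.vmx
snapshot = Snapshot1
platform = windows
ip = 192.168.81.200
"""

# Same config with the section renamed to match "machines".
VMWARE_CONF_OK = VMWARE_CONF_BROKEN.replace("[gundam1]", "[cuckoo1]")

REQUIRED_MACHINE_KEYS = ("vmx_path", "snapshot", "platform", "ip")


def _parse(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def check_configs(cuckoo_conf, vmware_conf):
    """Return a list of problems found; an empty list means the configs are consistent."""
    problems = []
    cuckoo = _parse(cuckoo_conf)
    vmware = _parse(vmware_conf)

    machinery = cuckoo.get("cuckoo", "machinery", fallback=None)
    if machinery != "vmware":
        problems.append(f"cuckoo.conf: machinery is {machinery!r}, expected 'vmware'")

    host_ip = cuckoo.get("resultserver", "ip", fallback=None)
    if host_ip is None:
        problems.append("cuckoo.conf: no resultserver ip set")

    raw = vmware.get("vmware", "machines", fallback="")
    names = [m.strip() for m in raw.split(",") if m.strip()]
    if not names:
        problems.append("vmware.conf: 'machines' is empty")

    for name in names:
        # This is the check the post's note is about: every listed machine needs its own section.
        if not vmware.has_section(name):
            problems.append(f"vmware.conf: machines lists {name!r} but there is no [{name}] section")
            continue
        for key in REQUIRED_MACHINE_KEYS:
            if not vmware.has_option(name, key):
                problems.append(f"vmware.conf: [{name}] is missing {key}")
        guest_ip = vmware.get(name, "ip", fallback=None)
        if host_ip and guest_ip:
            # Host (resultserver) and guest must share the host-only subnet; /24 is assumed.
            net = ipaddress.ip_network(f"{host_ip}/24", strict=False)
            if ipaddress.ip_address(guest_ip) not in net:
                problems.append(f"vmware.conf: [{name}] ip {guest_ip} is not in {net}")
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", VMWARE_CONF_BROKEN), ("ok", VMWARE_CONF_OK)):
        print(label, check_configs(CUCKOO_CONF, conf) or "no problems")
```

To use it against a real install, read the two files from <cuckoo>/conf instead of the embedded strings; the checks themselves do not change.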
When done, go to the cuckoo directory and start it:
./cuckoo.py
It should show:
[lib.cuckoo.core.scheduler] INFO: Using "vmware" machine manager
[lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
[lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
To include debug messages:
./cuckoo.py --debug
To clean up all previous analyses:
./cuckoo.py --clean
To submit a binary:
Go to cuckoo directory <cuckoo>/utils
Local Binary submission:
./submit.py <binary>
For submitting a URL:
./submit.py --url www.google.com
For submitting a local binary and specifying a custom analysis timeout of 2 minutes:
./submit.py --timeout 120 <binary>
For submitting a local binary and specifying a custom analysis package such as applet/bin/dll/doc/exe/html/ie/jar/pdf/xls/zip:
./submit.py --package dll <dll binary>
For submitting a local binary with a custom analysis package and command line arguments:
./submit.py --package exe --options arguments=--dosomething <binary>
For submitting a local binary and taking a full memory dump of the analysis machine:
./submit.py --memory <binary>
To start the web interface of cuckoo sandbox so the team can submit samples concurrently:
python utils/web.py
Browse to http://<Host IP address>:8080
Upon completion of analysis, you should see:
[lib.cuckoo.core.scheduler] INFO: Using "vmware" machine manager
[lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
[lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
[lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "/cases/
[lib.cuckoo.core.scheduler] INFO: Task #1: acquired machine cuckoo1 (label=/opt/cuckoo/cuckooxp1/cuckooxp1.vmx)
[modules.auxiliary.sniffer] INFO: Started sniffer with PID 12999 (interface=vmnet1, host=192.168.81.200, dump path=/opt/cuckoo/storage/analyses/1/dump.pcap)
tcpdump: listening on vmnet1, link-type EN10MB (Ethernet), capture size 65535 bytes
[lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.81.200)
[lib.cuckoo.core.scheduler] INFO: Task #1: reports generation completed (path=/opt/cuckoo/storage/analyses/1)
[lib.cuckoo.core.scheduler] INFO: Task #1: analysis procedure completed
Browse to /opt/cuckoo/storage/analyses/1/reports for the full report.
For Windows 7, use a scheduled task to run "agent.pyw".
Turn off UAC.
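When several samples are queued, the scheduler output above is the quickest place to see which tasks finished and where their pcap and report landed. The parser below is an added example, not part of the original post or of Cuckoo; it reads the log lines quoted above (plus a constructed second task that never reaches "analysis procedure completed", the symptom of a guest whose agent is unreachable) and builds a per-task record. The regular expressions follow the message formats shown in the post; the sniffer line carries no task id, so it is attached to the most recently acquired task, which is an assumption about ordering.

```python
"""Parse cuckoo.py scheduler output into per-task records (added example, not Cuckoo code)."""
import re

# Constructed sample: the lines quoted above, plus a task #2 that never completes.
SAMPLE_LOG = """\
[lib.cuckoo.core.scheduler] INFO: Using "vmware" machine manager
[lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
[lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
[lib.cuckoo.core.scheduler] INFO: Task #1: acquired machine cuckoo1 (label=/opt/cuckoo/cuckooxp1/cuckooxp1.vmx)
[modules.auxiliary.sniffer] INFO: Started sniffer with PID 12999 (interface=vmnet1, host=192.168.81.200, dump path=/opt/cuckoo/storage/analyses/1/dump.pcap)
tcpdump: listening on vmnet1, link-type EN10MB (Ethernet), capture size 65535 bytes
[lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.81.200)
[lib.cuckoo.core.scheduler] INFO: Task #1: reports generation completed (path=/opt/cuckoo/storage/analyses/1)
[lib.cuckoo.core.scheduler] INFO: Task #1: analysis procedure completed
[lib.cuckoo.core.scheduler] INFO: Task #2: acquired machine cuckoo1 (label=/opt/cuckoo/cuckooxp1/cuckooxp1.vmx)
[modules.auxiliary.sniffer] INFO: Started sniffer with PID 13042 (interface=vmnet1, host=192.168.81.200, dump path=/opt/cuckoo/storage/analyses/2/dump.pcap)
[lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.81.200)
"""

# Message formats as they appear in the scheduler output above.
ACQUIRED = re.compile(r"Task #(\d+): acquired machine (\S+) \(label=(.+)\)")
SNIFFER = re.compile(r"Started sniffer with PID (\d+) \(interface=(\S+), host=(\S+), dump path=(\S+)\)")
REPORTS = re.compile(r"Task #(\d+): reports generation completed \(path=(.+)\)")
DONE = re.compile(r"Task #(\d+): analysis procedure completed")


def _new_task(machine=None, label=None):
    return {"machine": machine, "label": label, "sniffer_pid": None,
            "pcap": None, "report_path": None, "completed": False}


def parse_scheduler_log(text):
    """Return {task_id: record} for every task mentioned in the log text."""
    tasks = {}
    current = None  # sniffer lines have no task id; attach them to the last acquired task
    for line in text.splitlines():
        m = ACQUIRED.search(line)
        if m:
            current = int(m.group(1))
            tasks[current] = _new_task(m.group(2), m.group(3))
            continue
        m = SNIFFER.search(line)
        if m and current in tasks:
            tasks[current]["sniffer_pid"] = int(m.group(1))
            tasks[current]["pcap"] = m.group(4)
            continue
        m = REPORTS.search(line)
        if m:
            tasks.setdefault(int(m.group(1)), _new_task())["report_path"] = m.group(2)
            continue
        m = DONE.search(line)
        if m:
            tasks.setdefault(int(m.group(1)), _new_task())["completed"] = True
    return tasks


def unfinished_tasks(tasks):
    """Task ids that acquired a machine but never logged 'analysis procedure completed'."""
    return sorted(tid for tid, rec in tasks.items() if not rec["completed"])


if __name__ == "__main__":
    parsed = parse_scheduler_log(SAMPLE_LOG)
    for tid, rec in sorted(parsed.items()):
        print(tid, rec)
    print("unfinished:", unfinished_tasks(parsed))
```

Run it over the real output with `./cuckoo.py 2>&1 | tee cuckoo.log` and feed the file to parse_scheduler_log; a task that stays in unfinished_tasks past its timeout usually points back to the agent or the vmnet1/iptables setup.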