This afternoon I decided it was time to update my Cuckoo malware analysis setup, and while I was at it, I figured it would make sense to write it up in case anyone else wants to create one!
Cuckoo Sandbox is a superb project, but as with all technical open source ones it can be a bit fiddly to get running.
I start with a clean Kali Linux installation and ensure that it is fully patched (apt-get upgrade / apt-get dist-upgrade). After that, install the prerequisites for Cuckoo:
apt-get install python-pip python-dev libffi-dev libssl-dev \
    python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig
apt-get install mongodb
apt-get install virtualbox
apt-get install tcpdump apparmor-utils
And then a little configuration tidy-up, so that tcpdump can capture traffic without running as root:
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
At this point you should create a dedicated user for Cuckoo (the commands below assume it is called cuckoo); you can continue and run everything as root instead, but that is not advisable.
usermod -a -G vboxusers cuckoo
Install the required Python modules:
pip install -U pip setuptools
pip install -U cuckoo
You need to load the current community definitions up by running this command
And then it's time to set up the actual virtual machines the malware is analysed in.
Start VirtualBox by typing virtualbox at the console.
Then File > Preferences, Network, Host-only networks.
Create a new network - this will create the default vboxnet0 network.
Create a new VM; in my setup I started with Windows 10. Connect the CD-ROM through to your installation media and complete your install as you would normally.
Inside the guest, install Python 2.7 and Pillow, then install the agent as documented and make sure you start it as Administrator.
On your Kali machine, edit the virtualbox.conf file as appropriate (you will find it in $HOME/.cuckoo/conf). I changed mode to gui instead of headless, as I like to see what's going on; then I scrolled down to the cuckoo1 entry, changed the label to match the name of the VM I'd created, set snapshot to CuckooBase and changed the osprofile as appropriate. Make a note of the IP address assigned while you are here.
Back in VirtualBox, ensure the VM is on Host-only networking (on vboxnet0), and inside the guest set the adapter's IP address to the one from the virtualbox.conf file. The subnet mask will likely need to be 255.255.255.0.
Take a snapshot of the machine powered on and in this state, and call it CuckooBase.
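The three things that most often go wrong at this stage are a label that does not match the VM name, a snapshot called something other than what virtualbox.conf says, and a guest IP that is not on the host-only network. The script below is an added example (not part of the original post and not Cuckoo's own tooling) that parses a virtualbox.conf stanza and checks exactly those points; the stanza embedded in it is a constructed sample, and the VM name Win10-Cuckoo, the 192.168.56.x addresses and the Win10x64 osprofile value are assumptions for illustration. The host_checks function wraps the earlier setup steps (tcpdump capabilities, vboxusers membership, vboxnet0, the snapshot) and is only meaningful when run on the Kali host itself.

```shell
#!/bin/sh
# Pre-flight check for the Cuckoo <-> VirtualBox wiring (added example).
# SAMPLE_CONF is a constructed stand-in for $HOME/.cuckoo/conf/virtualbox.conf;
# the VM name, IP range and osprofile below are assumptions, not real values.

SAMPLE_CONF='[virtualbox]
mode = gui
machines = cuckoo1

[cuckoo1]
label = Win10-Cuckoo
platform = windows
ip = 192.168.56.101
snapshot = CuckooBase
osprofile = Win10x64
'

# conf_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

# check_conf FILE VM_NAME HOSTONLY_NET -> 0 if the first machine stanza is
# consistent with the VM side, 1 (with the reasons on stderr) otherwise.
# HOSTONLY_NET is the first three octets of the vboxnet0 range, e.g. 192.168.56
check_conf() {
    conf=$1; vmname=$2; net=$3; rc=0
    machine=$(conf_get "$conf" virtualbox machines | cut -d, -f1)
    label=$(conf_get "$conf" "$machine" label)
    snap=$(conf_get "$conf" "$machine" snapshot)
    ip=$(conf_get "$conf" "$machine" ip)
    if [ "$label" != "$vmname" ]; then
        echo "label '$label' does not match the VirtualBox VM name '$vmname'" >&2; rc=1
    fi
    if [ "$snap" != "CuckooBase" ]; then
        echo "snapshot is '$snap', but the VM snapshot was named CuckooBase" >&2; rc=1
    fi
    case $ip in
        "$net".*) ;;   # guest address lives on the host-only network
        *) echo "ip '$ip' is not on the $net.0/24 host-only network" >&2; rc=1 ;;
    esac
    return $rc
}

# host_checks VM_NAME -> re-verifies the host-side setup steps from earlier.
# Only useful on the Kali box with VirtualBox installed; not run by default.
host_checks() {
    getcap /usr/sbin/tcpdump | grep -q cap_net_raw \
        || echo "tcpdump is missing cap_net_raw (re-run setcap)" >&2
    id -nG cuckoo 2>/dev/null | grep -qw vboxusers \
        || echo "user cuckoo is not in the vboxusers group" >&2
    VBoxManage list hostonlyifs | grep -q '^Name: *vboxnet0' \
        || echo "host-only network vboxnet0 does not exist" >&2
    VBoxManage snapshot "$1" list 2>/dev/null | grep -q 'Name: CuckooBase' \
        || echo "VM '$1' has no snapshot called CuckooBase" >&2
}

# Demo against the constructed sample (safe to run anywhere).
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$tmp"
check_conf "$tmp" Win10-Cuckoo 192.168.56 && echo "virtualbox.conf looks consistent"
rm -f "$tmp"
```

To check your real configuration, point check_conf at $HOME/.cuckoo/conf/virtualbox.conf with the actual VM name and vboxnet0 range, and call host_checks with the VM name once VirtualBox is installed.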
And now you are ready to use the Cuckoo setup!
At a console, type cuckoo submit <file> to submit the analysis job, and then cuckoo to run the process.
There is a LOT more you can do with Cuckoo, and these are really only the very basic steps to get a working environment, but it should give you a good starting point!