Malware testing using Cuckoo

This afternoon I decided it was time to update my Cuckoo malware analysis setup, and while I was at it, I figured it would make sense to write it up in case anyone else wants to create one !

Cuckoo Sandbox is a superb project, but as with all technical open source ones it can be a bit fiddly to get running.

I first start off with a clean Kali Linux installation, and ensure that it is fully patched (apt-get upgrade / apt-get dist-upgrade). After that, install the pre-requisites for Cuckoo: 

apt-get install python-pip python-dev libffi-dev libssl-dev
python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig

apt-get install mongodb

apt-get install virtualbox

apt-get install tcpdump apparmor-utils

And then some config tidy up:

setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Now, you should at this point create a user for Cuckoo, but you can (not advisable!) continue and run it as root.

adduser cuckoo

usermod -a -G vboxusers cuckoo

Install the required Python modules

pip install -U pip setuptools

pip install -U cuckoo

You need to load the current community definitions up by running this command

cuckoo community

And then its time to setup the actual virtual machines the malware is analysed in.

Start VirtualBox: virtualbox at the console.

Then File > Preferences, Network, Host-only networks.
Create a new network - this will create the default vboxnet0 network

Create a new VM; in my setup I started with Windows 10. Connect the CD-ROM through to your installation media and complete your install as you would normally.

Install Python 2.7 and Pillow; Install the agent as documented and ensure that you start it as Administrator. 

On your Kali machine, you need to edit the virtualbox.conf file as appropriate (you will find this in $HOME/.cuckoo/conf). I changed mode = gui instead of headless as I like to see whats going on, and then scrolled down to the cuckoo1 entry and changed the label to match the name of the VM I'd created, set snapshot to CuckooBase and then changed the osprofile as appropriate. Make a note of the IP address assigned while you are here.

Back in VirtualBox, ensure that you are on Host Only networking (on vboxnet0) and set the IP Address on the adapter in your virtual machine to be the IP address from the virtualbox.conf file. Subnet will likely need to be 255.255.255.0.

Take a snapshot of the machine powered on and in this state, and call it CuckooBase.

And now you are ready to use the Cuckoo setup!

At a console type cuckoo submit <file> to submit the analysis job, and then cuckoo to run the process.

There is a LOT more you can do with Cuckoo, and this is really the only very basic steps to get a working environment, but it should give you a good starting point!

Importing SQL Azure database to SQL Express

This one frustrated me, but I have to say, it's pretty common to get issues it seems bringing a database down from SQL Azure to the on premise version. 

If you follow the normal route of exporting the database, downloading the bacpac, then importing it you might hit this error:

TITLE: Microsoft SQL Server Management Studio
------------------------------
Could not import package. Warning SQL72012: The object [data] exists in the
target, but it will not be dropped even though you selected the 'Generate drop statements
for objects that are in the target database but that are not in the source' check box.
Warning SQL72012: The object [log] exists in the target, but it will not be
dropped even though you selected the 'Generate drop statements for objects that are in the
target database but that are not in the source' check box. Error SQL72014: .Net SqlClient
Data Provider: Msg 33161, Level 15, State 1, Line 1 Database master keys without password
are not supported in this version of SQL Server. Error SQL72045: Script execution error.
The executed script: CREATE MASTER KEY; (Microsoft.SqlServer.Dac)
------------------------------
BUTTONS: OK
------------------------------

The cause? Well in this case it's not because you are not running a current version of SQL Server (in my case, 2016 SP1), but because SQL Azure supports a Master Key with no encryption specified - to resolve this you need to run a piece of T-SQL against your SQL Azure database to set the master key password BEFORE you export the database: 

ALTER MASTER KEY ADD ENCRYPTION BY PASSWORD = '<password>';

After that, export as normal and you should be able to import your database.