
Cuckoo Sandbox 101

It’s been a while since I’ve found time to add a new tool to my malware environment, so when an ISC post highlighted a new update to Cuckoo Sandbox it served as a good reminder that I hadn’t got around to trying Cuckoo, something that has now changed. For those that don’t know, from its own site:

[...] Cuckoo Sandbox is a malware analysis system.

Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.

It’s mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.

Considering Cuckoo is the combined product of several tools, mostly built around VirtualBox, I found install and setup largely trouble free, mostly thanks to the detailed installation instructions in the tool’s online documentation. I only encountered a couple of snags.

No VMs

[2011-12-29 17:21:56,470] [Core.Init] INFO: Started.
[2011-12-29 17:21:56,686] [VirtualMachine.Check] INFO: Your VirtualBox version is: "4.1.2_Ubuntu", good!
[2011-12-29 17:21:56,688] [Core.Init] INFO: Populating virtual machines pool...
[2011-12-29 17:21:56,703] [VirtualMachine] ERROR: Virtual machine "cuckoo1" not found: 0x80bb0001 (Could not find a registered machine named 'cuckoo1')
[2011-12-29 17:21:56,704] [VirtualMachine.Infos] ERROR: No virtual machine handle.
[2011-12-29 17:21:56,705] [Core.Init] CRITICAL: None of the virtual machines are available. Please review the errors.

The online documentation recommends creating a dedicated user for the cuckoo process. Sound advice, but VirtualBox keeps its list of registered machines per user, so if you create the guest VMs under a different account (as I did, under my standard user account) the cuckoo user simply cannot see them and the pool comes up empty. Either run cuckoo.py as the user that owns the VMs, or create and register the guest VMs as the cuckoo user, and the error goes away.

Creating Database

The last problem I hit was Cuckoo’s database. If it doesn’t exist when cuckoo.py starts, the process creates a blank one in Cuckoo’s base directory, which (obviously, in hindsight) fails if the user running cuckoo.py doesn’t have permission to write there.
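Both of those snags come down to which user cuckoo.py runs as, so a quick preflight check run as that user, before starting cuckoo.py, catches them early. The script below is an added example written for this post, not part of the Cuckoo project: it assumes a VirtualBox host with VBoxManage on the path and the default install under /opt/cuckoo, and falls back to a constructed VM listing when VBoxManage is absent so it can be read and run anywhere.

```shell
#!/bin/sh
# Preflight checks for a Cuckoo 0.3.x host. Run this as the user that will
# start cuckoo.py (e.g. `su cuckoo -c ./preflight.sh`). Added example for
# this post, not part of the Cuckoo project.

# vm_registered NAME LISTING
# LISTING is the text `VBoxManage list vms` prints, one VM per line:
#   "cuckoo1" {9a9dddd8-f7d6-40ea-aed3-9a0dc0f30e79}
# Succeeds if a VM called NAME is in it. VirtualBox keeps its VM registry
# per user, so this has to be checked as the cuckoo user, not as the
# account that created the VM.
vm_registered() {
    printf '%s\n' "$2" | grep -q "^\"$1\" {"
}

# dir_writable DIR: succeeds if the current user can create files in DIR.
# cuckoo.py creates its database in its base directory on first start, so
# that directory must be writable by the user running it.
dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Constructed listing used only when VBoxManage is not installed, so the
# script still runs offline. The first UUID is the one from the post, the
# second is made up.
SAMPLE_LISTING='"cuckoo1" {9a9dddd8-f7d6-40ea-aed3-9a0dc0f30e79}
"other-vm" {0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}'

# preflight VM_NAME CUCKOO_BASE: run both checks, report each, and return
# non-zero if any failed.
preflight() {
    vm="$1"; base="$2"; me=$(id -un); status=0
    if command -v VBoxManage >/dev/null 2>&1; then
        listing=$(VBoxManage list vms)
    else
        listing="$SAMPLE_LISTING"
    fi
    if vm_registered "$vm" "$listing"; then
        echo "ok:   VM '$vm' is registered for user $me"
    else
        echo "FAIL: VM '$vm' is not registered for user $me; register it as $me, or run cuckoo.py as the VM's owner"
        status=1
    fi
    if dir_writable "$base"; then
        echo "ok:   $base is writable by $me, cuckoo.py can create its database"
    else
        echo "FAIL: $base is missing or not writable by $me"
        status=1
    fi
    return $status
}

preflight "${1:-cuckoo1}" "${2:-/opt/cuckoo}" && echo "preflight passed"
```

Pass the VM name from cuckoo.conf as the first argument and the Cuckoo base directory as the second; the VM check is deliberately done through VBoxManage rather than by looking for the VM's files on disk, because a VM that exists on disk but is registered to another user is exactly the case that produced the "not found" error above.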

cuckoo.py

With those problems out of the way Cuckoo runs quite nicely. It has three main parts. The cuckoo.py script does the bulk of the heavy lifting and must be running before you do anything else; if all is well it runs through initialisation, reports the virtual machines in its pool and waits for submissions:

/opt/cuckoo $ ./cuckoo.py
_
____ _ _ ____| | _ ___ ___
/ ___) | | |/ ___) |_/ ) _ \ / _ \
( (___| |_| ( (___| _ ( |_| | |_| |
\____)____/ \____)_| \_)___/ \___/ v0.3.1

www.cuckoobox.org
Copyright (C) 2010-2011

[2011-12-29 20:27:17,120] [Core.Init] INFO: Started.
[2011-12-29 20:27:17,719] [VirtualMachine.Check] INFO: Your VirtualBox version is: "4.1.2_Ubuntu", good!
[2011-12-29 20:27:17,720] [Core.Init] INFO: Populating virtual machines pool...
[2011-12-29 20:27:17,779] [VirtualMachine.Infos] INFO: Virtual machine "cuckoo1" information:
[2011-12-29 20:27:17,780] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
[2011-12-29 20:27:17,781] [VirtualMachine.Infos] INFO: | ID: 9a9dddd8-f7d6-40ea-aed3-9a0dc0f30e79
[2011-12-29 20:27:17,782] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2011-12-29 20:27:17,783] [VirtualMachine.Infos] INFO: | Memory Size: 512 MB
[2011-12-29 20:27:17,783] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2011-12-29 20:27:17,784] [VirtualMachine.Infos] INFO: | State: Saved
[2011-12-29 20:27:17,785] [VirtualMachine.Infos] INFO: | Current Snapshot: “cuckoo1_base”
[2011-12-29 20:27:17,785] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:BD:9C:4F
[2011-12-29 20:27:17,786] [Core.Init] INFO: 1 virtual machine/s added to pool.

submit.py

The submit.py script is one of the ways of getting Cuckoo to analyse files:

python submit.py --help
Usage: submit.py [options] filepath

Options:
  -h, --help                        show this help message and exit
  -t TIMEOUT, --timeout=TIMEOUT     Specify analysis execution time limit
  -p PACKAGE, --package=PACKAGE     Specify custom analysis package name
  -r PRIORITY, --priority=PRIORITY  Specify an analysis priority expressed in integer
  -c CUSTOM, --custom=CUSTOM        Specify any custom value to be passed to postprocessing
  -d, --download                    Specify if the target is an URL to be downloaded
  -u, --url                         Specify if the target is an URL to be analyzed
  -m MACHINE, --machine=MACHINE     Specify a virtual machine you want to specifically use for this analysis

Most of the options are self-explanatory; just make sure to select the analysis package that matches what you’re submitting, since the package decides how the sample is launched inside the guest. The available packages are listed here.
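With a pool running, the next thing I wanted was a way to push a directory of samples through submit.py without picking the package by hand each time. The wrapper below is an added example written for this post, not part of Cuckoo: it chooses the package from the file extension, passes the sample's SHA-256 through --custom so each report can be tied back to the file it came from, and has a dry-run mode for checking its choices before spending VM time on a batch. The package names (exe, dll, pdf, doc) and the install path /opt/cuckoo are assumptions; check them against the package list for your release.

```shell
#!/bin/sh
# Batch submission wrapper around submit.py. Added example for this post,
# not part of Cuckoo. Assumes a Cuckoo 0.3.x tree at $CUCKOO_HOME (default
# /opt/cuckoo) and the package names exe, dll, pdf and doc; adjust the case
# table in pick_package if your release names them differently.

# pick_package FILE: print the analysis package for FILE, chosen from its
# extension (case-insensitive). Fails for types we have no package for, so
# the caller skips them rather than submitting with the wrong package.
pick_package() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.exe) echo exe ;;
        *.dll) echo dll ;;
        *.pdf) echo pdf ;;
        *.doc) echo doc ;;
        *)     return 1 ;;
    esac
}

# sample_tag FILE: SHA-256 of FILE. It is handed to submit.py via --custom
# so the hash rides along into post-processing and the report can later be
# matched to the sample and to other tools' output.
sample_tag() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# submit_one FILE [TIMEOUT]: submit FILE with the chosen package and a
# timeout in seconds. With DRY_RUN=1 the command line is printed instead
# of run. The path is made absolute because submit.py is run from the
# Cuckoo directory.
submit_one() {
    file="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    timeout="${2:-120}"
    pkg=$(pick_package "$file") || { echo "skip: no package for $file" >&2; return 1; }
    tag="sha256=$(sample_tag "$file")"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "python submit.py -p $pkg -t $timeout -c $tag $file"
    else
        (cd "${CUCKOO_HOME:-/opt/cuckoo}" && python submit.py -p "$pkg" -t "$timeout" -c "$tag" "$file")
    fi
}

# submit_dir DIR [TIMEOUT]: submit every regular file in DIR that has a
# package; files without one are reported on stderr and skipped.
submit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        submit_one "$f" "${2:-120}" || continue
    done
}

# Demonstration in dry-run mode on a constructed sample set: three harmless
# dummy files, not malware.
demo=$(mktemp -d)
printf 'MZ' > "$demo/dropper.exe"
printf '%%PDF-1.4' > "$demo/invoice.pdf"
printf 'plain text' > "$demo/notes.txt"    # no package: reported and skipped
DRY_RUN=1
submit_dir "$demo" 60
rm -rf "$demo"
```

Run it as the same user that owns the VMs and cuckoo.py, for the reasons covered under "No VMs" above; the --custom value is free-form, so anything else you want to find in the results later (a case number, the source the sample came from) can be appended to the tag in the same way.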

web.py

Finally, web.py provides a web interface for reviewing the results of every analysis Cuckoo has run, bound to localhost:8080. Leave it bound there: if you need to reach it from another machine, tunnel to it over SSH rather than re-binding it to an external address.

I’d like to thank the team that developed and continues to develop the Cuckoo sandbox. I look forward to getting more automated results out of it and hopefully reaching a point where I’m able to give something back to the project; until then I’d recommend getting your hands dirty, as from my initial experiments I doubt you’ll be disappointed. But if you won’t take my word for it, watch Cuckoo in action analysing Zeus here.

– Andrew Waite

  1. Ken Pryor
    2011/12/29 at 22:48 | #1

    Nice review. I just installed Cuckoo last night for the first time. I ran in to the snag you did regarding creating the VM under a different user, etc. I also failed to set the setup folder in the shared folders as read only, which caused a problem. However, after getting around my errors, I got it running and am very impressed with it.

    • 2011/12/30 at 19:44 | #2

      Thanks Ken, always good to know I’m not the only one to make what seem like daft mistakes as I’m setting up new tools ;) let me know if you get any interesting results, a lot of the samples I’ve had to hand recently are getting dated so analysis hasn’t been as interesting as I would like.

  2. Ken Pryor
    2012/01/26 at 00:35 | #3

    I hadn’t used Cuckoo for a while and tried to use it today. Oddly enough, even though it worked just fine last time I used it, now I get the "Could not find a registered machine named 'Cuckoo1'" message. Not sure what the problem is, but may have to reinstall everything.

  3. Ken Pryor
    2012/01/26 at 01:22 | #4

    Just a quick follow up. I figured out what happened, though don’t know why it happened. For some reason, my virtual machine got unregistered, so I had to re-register it and now all is fine.

    • 2012/01/26 at 08:01 | #5

      Thanks for the update Ken, glad you got it sorted. Have you had any interesting results, or just getting setup for a rainy day?

      • Ken Pryor
        2012/01/28 at 03:43 | #6

        I haven’t really had anything interesting to analyze lately. I brought home a sample from work to try it in Cuckoo, but it really didn’t produce any results.

  4. 2012/02/14 at 20:12 | #7

    Andrew, mind posting which version of cuckoo you are using? I’m running into issues with 0.3.2 (the latest stable release) that are pretty…inarticulate. Something like:

    [VirtualMachine.Execute] ERROR: Cuckoo analyzer exited with code 4294967295 on virtual machine "cuckooclient-winxp-sp3".

    when submitting a file. I may try the latest from the repo to see if it works any better, but if anyone has any ideas, I’m all ears.

    • 2012/02/15 at 14:25 | #8

      Looks like you’re ahead of the game (or at least me) I’m afraid; I’m still using 0.3.1.
