Cuckoo Sandbox 101

It’s a while since I’ve found time to add a new tool to my malware environment, so when a ISC post highlighted a new update to Cuckoo sandbox it served as a good reminder that I hadn’t got around to trying Cuckoo, something that has now changed. For those that don’t know, from it’s own site:

[…] Cuckoo Sandbox is a malware analysis system.
Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.
It’s mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.

Considering Cuckoo is the combined product of several tools, mostly focused around VirtualBox, I found install and setup was largely trouble free, mostly thanks to the detailed installation instructions from the tools online documentation. I only encountered a couple of snags.
No VMs

[2011-12-29 17:21:56,470] [Core.Init] INFO: Started.
[2011-12-29 17:21:56,686] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.1.2_Ubuntu”, good!
[2011-12-29 17:21:56,688] [Core.Init] INFO: Populating virtual machines pool…
[2011-12-29 17:21:56,703] [VirtualMachine] ERROR: Virtual machine “cuckoo1” not found: 0x80bb0001 (Could not find a registered machine named ‘cuckoo1’)
[2011-12-29 17:21:56,704] [VirtualMachine.Infos] ERROR: No virtual machine handle.
[2011-12-29 17:21:56,705] [Core.Init] CRITICAL: None of the virtual machines are available. Please review the errors.

The online documentation specifies creating a dedicated user for the cuckoo process. Sound advice, but if you create your virtual guest machines under a different user (like I did, under a standard user account), then the cuckoo process cannot interact with the virtualbox guests. Either changing ownership of cuckoo, or specifically creating the guest VMs as the cuckoo user will solve the issue.
Creating Database
Last problem encountered was Cuckoo’s database, which if it doesn’t exist when the process will create a blank database. Which (obviously, in hindsight) will fail if the running user doesn’t have permissions to write to Cuckoo’s base directory.
cuckoo.py
With problems out of the way, Cuckoo runs quite nicely, with three main parts. the cuckoo.py script does the bulk of the heavy lifting and needs to be running before doing anything else. If all is well it should run through some initialisation and wait for further instructions:

/opt/cuckoo $ ./cuckoo.py
_
____ _ _ ____| | _ ___ ___
/ ___) | | |/ ___) |_/ ) _ \ / _ \
( (___| |_| ( (___| _ ( |_| | |_| |
\____)____/ \____)_| \_)___/ \___/ v0.3.1
www.cuckoobox.org
Copyright (C) 2010-2011
[2011-12-29 20:27:17,120] [Core.Init] INFO: Started.
[2011-12-29 20:27:17,719] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.1.2_Ubuntu”, good!
[2011-12-29 20:27:17,720] [Core.Init] INFO: Populating virtual machines pool…
[2011-12-29 20:27:17,779] [VirtualMachine.Infos] INFO: Virtual machine “cuckoo1” information:
[2011-12-29 20:27:17,780] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
[2011-12-29 20:27:17,781] [VirtualMachine.Infos] INFO: | ID: 9a9dddd8-f7d6-40ea-aed3-9a0dc0f30e79
[2011-12-29 20:27:17,782] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2011-12-29 20:27:17,783] [VirtualMachine.Infos] INFO: | Memory Size: 512 MB
[2011-12-29 20:27:17,783] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2011-12-29 20:27:17,784] [VirtualMachine.Infos] INFO: | State: Saved
[2011-12-29 20:27:17,785] [VirtualMachine.Infos] INFO: | Current Snapshot: “cuckoo1_base”
[2011-12-29 20:27:17,785] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:BD:9C:4F
[2011-12-29 20:27:17,786] [Core.Init] INFO: 1 virtual machine/s added to pool.

submit.py
The submit.py script is one of the ways for getting cuckoo to analysis files:

python submit.py –help
Usage: submit.py [options] filepath
Options:
-h, –help show this help message and exit
-t TIMEOUT, –timeout=TIMEOUT              Specify analysis execution time limit
-p PACKAGE, –package=PACKAGE           Specify custom analysis package name
-r PRIORITY, –priority=PRIORITY              Specify an analysis priority expressed in integer
-c CUSTOM, –custom=CUSTOM                 Specify any custom value to be passed to postprocessing
-d, –download                                                   Specify if the target is an URL to be downloaded
-u, –url                                                                Specify if the target is an URL to be analyzed
-m MACHINE, –machine=MACHINE          Specify a virtual machine you want to specifically use for this analysis

Most of the options above are self-explanatory, just make sure to select the relevant analysis package depending on what you’re working with; possibilities are listed here.
web.py
Finally, web.py provides a web interface for reviewing the results of all analysis performed by cuckoo, bound to localhost:8080.
I’d like to thank the team that developed and continue to develop the cuckoo sandbox. I look forward to getting more automated results going forward and hopefully getting to a point where I’m able to add back to the project; until then I’d recommend getting your hands dirty, from my initial experiments I doubt you’ll be disappointed. But if you won’t take my word for it, watch Cuckoo in action analysing Zeus here.
— Andrew Waite

Join the conversation

16 Comments

  1. Nice review. I just installed Cuckoo last night for the first time. I ran in to the snag you did regarding creating the VM under a different user, etc. I also failed to set the setup folder in the shared folders as read only, which caused a problem. However, after getting around my errors, I got it running and am very impressed with it.

    1. Thanks Ken, always good to know I’m not the only one to make what seem like daft mistake as I’m setting up new tools 😉 let me know if you get any interesting results, a lot of the samples I’ve had to hand recently are getting dated so analysis hasn’t been as interesting as I would like.

  2. I hadn’t used Cuckoo for awhile and tried to use it today. Oddly enough, even though it worked just fine last time I used it, now I get the “Could not find a registered machine named ‘Cuckoo1” message. Not sure what the problem is, but may have to reinstall everything.

  3. Just a quick follow up. I figured out what happened, though don’t know why it happened. For some reason, my virtual machine got unregistered, so I had to re-register it and now all is fine.

      1. I haven’t really had anything interesting to analyze lately. I brought home a sample from work to try it in Cuckoo, but it really didn’t produce any results.

  4. Andrew, mind posting which version of cuckoo you are using? I’m running into issues with 0.3.2 (the latest stable release) that are pretty…inarticulate. Something like:
    [VirtualMachine.Execute] ERROR: Cuckoo analyzer exited with code 4294967295 on virtual machine “cuckooclient-winxp-sp3”.
    when submitting a file. I may try the latest from the repo to see if it works any better, but if anyone has any ideas, I’m all ears.

  5. Hi All,
    I am badly stuck with a problem. I am new to cuckoo but when i try to start cuckoo.py, it shows the following errors. Can you please guide me thats how to fix them,
    [2012-03-30 13:08:00,783] [Core.Init] INFO: Started.
    [2012-03-30 13:08:01,155] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.1.10”, good!
    [2012-03-30 13:08:01,157] [Core.Init] INFO: Populating virtual machines pool…
    [2012-03-30 13:08:01,518] [VirtualMachine.Restore] INFO: Virtual machine “win_xp” successfully restored to current snapshot.
    [2012-03-30 13:08:02,243] [VirtualMachine.Infos] INFO: Virtual machine “win_xp” information:
    [2012-03-30 13:08:02,247] [VirtualMachine.Infos] INFO: \_| Name: win_xp
    [2012-03-30 13:08:02,250] [VirtualMachine.Infos] INFO: | ID: 84ec716e-37b6-4e71-b080-21d29671b4fd
    [2012-03-30 13:08:02,252] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
    [2012-03-30 13:08:02,255] [VirtualMachine.Infos] INFO: | Memory Size: 385 MB
    [2012-03-30 13:08:02,257] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
    [2012-03-30 13:08:02,257] [VirtualMachine.Infos] INFO: | State: Powered Off
    [2012-03-30 13:08:02,265] [VirtualMachine.Infos] INFO: | Current Snapshot: “win_xp_clean”
    [2012-03-30 13:08:02,266] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:1A:1F:CF
    [2012-03-30 13:08:02,266] [Core.Init] INFO: 1 virtual machine/s added to pool.
    [2012-03-30 13:08:02,269] [Core.Dispatcher] INFO: Acquired analysis task for target “/home/waseem/Malwares/66a3dc95ddd4c95d85fdf1581e484d66.bin”.
    [2012-03-30 13:08:02,322] (Task #1) [Core.Analysis.Run] INFO: Acquired virtual machine “cuckoo1”.
    [2012-03-30 13:08:02,623] [VirtualMachine.Restore] INFO: Virtual machine “win_xp” successfully restored to current snapshot.
    [2012-03-30 13:08:03,777] [VirtualMachine.Restore] INFO: Virtual machine “win_xp” successfully restored to current snapshot.
    [2012-03-30 13:08:04,443] [VirtualMachine.Start] ERROR: Cannot start virtual machine “win_xp”, wrong state: 1.
    [2012-03-30 13:08:04,443] (Task #1) [Core.Analysis.Run] ERROR: Virtual machine start up failed. Analysis is aborted. Review previous errors.
    [2012-03-30 13:08:04,540] (Task #1) [Core.Analysis.Processing] INFO: Analysis results processor started with PID “6893”.
    Cuckoo Operational Error: failed to start the selected virtual machine

    1. Hi Waseem,
      at first glance I’d suggest that the first [Error] log line indicates that the virtual machine isn’t configured properly. As it’s claiming wrong state, did you fully follow these steps in the setup instructions?
      If this doesn’t resolve the issue, I’d suggest you post the question direct to the Cuckoo devs (contact details at bottom of this page). In my experience, they’ve always been very quick and efficient to answer queries.
      Hope this helps.
      –Andrew

  6. Hi Andrew,
    First of all great post! I’m running into the error you mentioned below. I created the VMs using my standard account. Changed the ownership to root and standard account but no luck. I created the VMs within virtualbox. Any help/tips you can provide will be appreciated.
    [VirtualMachine] ERROR: Virtual machine “cuckoo1″ not found: 0x80bb0001 (Could not find a registered machine named ‘cuckoo1′)
    Thanks!!

    1. Thanks for the feedback.
      I’ll be honest, I feel like I cheated with my fix: I simply changed ownership of the Cuckoo package to my standard user and ran as normal. Obviously not ideal in all circumstances in case of sandbox/vm breakout, but as I built my Cuckoo instance as a standalone system shouldn’t be a problem. If you’ve got a similar setup this should be sufficient to get you running.
      If you’ve followed the Cuckoo installations I believe that if you change ownership to the ‘Cuckoo’ user created through the process this may resolve the issue. If not, I know a few users who used the workaround of logging in/su’ing as the cuckoo user and building a fresh XP instance. Bit extra work, but if it’s a one off aspect and have a working Cuckoo instance can pay off quickly.
      Hope this helps,
      Andrew

      1. Seems like you haven’t edited the “cuckoo.conf” correctly. Under the VM’s section, make sure that all the fields have been edited to reflect the name of your VM as it appears in VirtualBox.

  7. so i really have not been able to solve the “ERROR: Virtual machine “cuckoo1” not found. Step by step help would be appreciated.
    I did create the Virtualbox and tried a number of fixed. How about step by step documentation?

Leave a comment

Your email address will not be published. Required fields are marked *