InfraSec Solutions Posts

During a cybersecurity investigation, time is of the essence. The goal is to identify the security impact, then contain and eradicate it. That can be a time-consuming exercise, so having effective tools to assist with identification is imperative for a timely investigation. One such tool I recommend for an investigator's toolbox is Cuckoo, an open source sandbox used for malware analysis. An investigator can use it when analyzing malicious code that has not been detected by antivirus or intrusion prevention tools: a zero-day. From the analysis one can quickly identify Indicators of Compromise to use when scanning the environment for other infected systems.

It can be challenging to install and configure Cuckoo even though there is documentation on the web; I went through my share of challenges. This article was written in the hope that it helps someone else have an easier time installing Cuckoo, and as a refresher for me if and when I have to install it again.

Prerequisites

  1. Ubuntu 17.10
  2. Virtual Box
  3. Windows 7 SP1 as the guest virtual machine (VM) used for analysis

Install Ubuntu 17.10

  1. Install Ubuntu 17.10 desktop on a physical system such as a laptop or a desktop. I have read you can install it on a hypervisor like ESXi, but I went with an older laptop. Create a user named cuckoo.
  2. Ensure virtualization is enabled in the BIOS, otherwise you may not be able to install a 64-bit guest VM. Ubuntu 17.10 desktop can be found here.
  3. Update the operating system after it is installed to ensure you have all the necessary updates by typing the following in a shell:
     sudo apt-get update -y && sudo apt-get upgrade -y

Install tools on Ubuntu 17.10

  1. Cuckoo is entirely written in Python and therefore a number of Python prerequisites need to be installed.
     sudo apt-get install -y python python-pip python-dev libffi-dev libssl-dev libfuzzy-dev libtool flex autoconf libjansson-dev git
     sudo apt-get install -y python-virtualenv python-setuptools

     sudo apt-get install -y libjpeg-dev zlib1g-dev swig

Configure Ubuntu 17.10

  1. Cuckoo recommends PostgreSQL as its backend database. Install it using the following command:
     sudo apt-get install -y postgresql libpq-dev

  2. Cuckoo uses MongoDB to pull information into the web reporting interface. Install it using the following command:
     sudo apt-get install -y mongodb

Install the tools Cuckoo needs to conduct an analysis

There are many tools which Cuckoo needs in order to run. I have to thank Tom Churchill’s blog, which I used as a starting point when making the decision to install Cuckoo.

Create a separate folder to download the necessary tools to.

Tcpdump

Install and configure tcpdump. It is used to capture network traffic initiated by the malware.

   sudo apt-get install tcpdump

Configure tcpdump so it can be run as the cuckoo user:

   sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

If setcap is not installed, then run the following:

   sudo apt-get install libcap2-bin

Verify tcpdump can run as a non-root user; the command and its expected output are:

   getcap /usr/sbin/tcpdump
   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

Volatility

Download Volatility:

   git clone https://github.com/volatilityfoundation/volatility.git

Install Volatility from the cloned directory:

   cd volatility
   sudo python setup.py install
   cd ..

Install Volatility’s dependencies
1. Distorm3 – a powerful disassembler library for x86/AMD64, used for advanced binary analysis
  sudo -H pip install distorm3
2. Yara – assists with identifying and classifying malware
  sudo -H pip install yara-python==3.6.3
3. Pydeep and its dependency, used for fuzzy hashing

First, install ssdeep, which is used by pydeep for malware analysis:

  sudo apt-get install -y ssdeep

Now, install pydeep:

  sudo -H pip install pydeep
4. Openpyxl – used to read and write Excel 2007 files
  sudo -H pip install openpyxl
5. UJSON – JSON parsing tool
  sudo -H pip install ujson
6. Jupyter
  sudo -H pip install jupyter

Install VirtualBox

It is important to install the version of VirtualBox built for your Linux distribution; however, you may not find a package built for Ubuntu 17.10. Use the VirtualBox package built for Zesty (17.04) and install it under the cuckoo user profile, not as root.

The documentation reads that the package is supported on Zesty, but my tests show it works well on 17.10 as well. Download it here.

Configure VirtualBox’s host only adapter

This adapter will allow the guest VM to reach the host and, once forwarding is configured below, the internet.

1. Create the host-only adapter

  vboxmanage hostonlyif create

2. Configure the IP address on the host-only interface

  vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

Type ifconfig and you will see the vboxnet0 interface assigned 192.168.56.1.

Note: if the ifconfig command is not available, install net-tools.

   sudo apt install -y net-tools

** To make the vboxnet0 IP address configuration survive reboots, do the following:

First create a bash script to run the vboxmanage commands:

   sudo mkdir -p /opt/systemd/
   sudo vim /opt/systemd/vboxhostonly

   #!/bin/bash
   vboxmanage hostonlyif create
   vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

* make sure this file has executable permissions:

   sudo chmod +x /opt/systemd/vboxhostonly

Next create the vboxhostonlynic.service file in /etc/systemd/system/:

   [Unit]
   Description=Setup VirtualBox Hostonly Adapter
   After=vboxdrv.service

   [Service]
   Type=oneshot
   ExecStart=/opt/systemd/vboxhostonly

   [Install]
   WantedBy=multi-user.target

Now install the systemd service unit and enable it so it is executed at boot time:

   sudo systemctl daemon-reload
   sudo systemctl enable vboxhostonlynic.service

You can check that it works properly by running:

   sudo systemctl start vboxhostonlynic.service
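One thing to watch with the boot script above: vboxmanage hostonlyif create always makes a new adapter, so running it unconditionally at every boot leaves behind vboxnet1, vboxnet2 and so on. The following is an added example, not the post's own script, of an idempotent replacement for /opt/systemd/vboxhostonly: it parses the output of vboxmanage list hostonlyifs, creates the adapter only when vboxnet0 is missing, and then applies the address. The variable names, the helper functions and the sample listing embedded in it are mine (the listing is constructed in the format VirtualBox prints, so the parsers can be exercised on a machine without VirtualBox).

```bash
#!/bin/bash
# Added example, not the original post's script: an idempotent version of
# /opt/systemd/vboxhostonly. "vboxmanage hostonlyif create" always makes a
# NEW adapter (vboxnet1, vboxnet2, ...), so calling it unconditionally at every
# boot accumulates interfaces. Here vboxnet0 is created only when absent, and
# the address is (re)applied every time.
set -eu

HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"      # adapter name used in the post
HOSTONLY_IP="${HOSTONLY_IP:-192.168.56.1}"  # resultserver IP from cuckoo.conf

# Constructed sample of "vboxmanage list hostonlyifs" output (two adapters),
# used only when VirtualBox is not installed on the machine running this.
SAMPLE_LISTING='Name:            vboxnet0
GUID:            786f6276-656e-4074-8000-0a0027000000
DHCP:            Disabled
IPAddress:       192.168.56.1
NetworkMask:     255.255.255.0
Name:            vboxnet1
GUID:            786f6276-656e-4174-8000-0a0027000001
DHCP:            Disabled
IPAddress:       192.168.57.1
NetworkMask:     255.255.255.0'

# Read a "vboxmanage list hostonlyifs" listing on stdin; succeed (exit 0) if an
# adapter with the given name appears. Each adapter block starts with "Name:".
hostonly_listed() {
    awk -v want="$1" '$1 == "Name:" && $2 == want { found = 1 }
                      END { exit found ? 0 : 1 }'
}

# Same input; print the IPAddress currently assigned to the named adapter.
hostonly_ip_of() {
    awk -v want="$1" '
        $1 == "Name:" { cur = $2 }
        $1 == "IPAddress:" && cur == want { print $2; exit }'
}

# Create the adapter only if it does not exist yet, then set its address.
ensure_hostonly() {
    if ! vboxmanage list hostonlyifs | hostonly_listed "$HOSTONLY_IF"; then
        vboxmanage hostonlyif create
    fi
    vboxmanage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOSTONLY_IP"
}

if command -v vboxmanage >/dev/null 2>&1; then
    ensure_hostonly
    vboxmanage list hostonlyifs | hostonly_ip_of "$HOSTONLY_IF"
else
    # No VirtualBox here: exercise the parsers on the constructed listing.
    printf '%s\n' "$SAMPLE_LISTING" | hostonly_ip_of "$HOSTONLY_IF"
fi
```

Drop this in place of the three-line script, keep the same chmod and the same systemd unit, and the unit can be restarted as often as you like without growing the adapter list.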

Download and Install Cuckoo

  1. Upgrade pip and setuptools, which help with packaging Python projects:
     sudo -H pip install -U pip setuptools

  2. Install Cuckoo:
     sudo -H pip install -U cuckoo

  3. Run cuckoo once (this creates its ~/.cuckoo working directory, whose conf files are edited later):
     cuckoo

Configure the Windows 7 SP1 Guest VM

Cuckoo requires a guest virtual machine on which to conduct the analysis of malicious code. We will build a Windows 7 SP1 virtual machine; it is up to you to obtain a licensed copy of Windows 7. Once the operating system and Service Pack 1 are installed, do NOT patch the system any further.

Next, configure the guest. Ensure it is set to auto-login with no password required.

This may seem unusual from a security perspective, but the objective here is to make the guest as vulnerable as possible so the malware runs unabated.

  1. Install Service Pack 1.
  2. Install Microsoft Office and enable all macros in Word, PowerPoint, and Excel. Ensure it is activated.
  3. Install an older version of Adobe Reader and Flash.
  4. Install an older version of Java.
  5. Disable the Windows Firewall. This can be done through the Control Panel.
  6. Disable User Account Control (UAC).
  7. Disable Windows Updates.
  8. Install VirtualBox Guest Additions.
  9. Create a shared folder between the host and the Windows 7 SP1 virtual machine.
  10. Install Python 2.7 32-bit. It can be downloaded here.
  11. Download get-pip.py from here and save it to the C:\Python27 directory. Install pip and setuptools by opening a command prompt, navigating to C:\Python27 and running:

      python get-pip.py

      Change directory to Scripts and run the following to install Pillow for Windows. This allows screenshots to be taken while the malware executes.

      pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org pillow

  12. Copy agent.py to the Windows 7 startup folder, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.
  13. Reboot the virtual machine and ensure the Cuckoo agent starts on reboot, otherwise the VM cannot be used for malware analysis. The agent is running if you see a command window upon startup.
  14. Open Adobe Reader, Flash, Java, Word, Excel and PowerPoint and accept all the pop-ups and other messages. The objective is to ensure no pop-up or other message appears when Cuckoo uses the snapshot to analyze malware.
  15. Uninstall VirtualBox Guest Additions. The objective is to not give malware any indication that this system may be a virtual machine; some malware is designed not to detonate on a virtual machine.

Configure the virtual machine’s network settings through the VirtualBox GUI

Set the VM’s network adapter to Host-only.

Take a snapshot of the guest virtual machine

Once you have confirmed your applications are activated where applicable, the Cuckoo agent is running, and no pop-ups or messages requiring manual intervention appear, it is time to create the snapshot. Do not power down the VM when taking the snapshot. Name it snapshot1. Assuming the name of the Windows 7 SP1 image is Win7, run the following commands:

   vboxmanage snapshot "Win7" take "snapshot1" --pause
   vboxmanage controlvm "Win7" poweroff
   vboxmanage snapshot "Win7" restorecurrent

Configure IP Forwarding on the host cuckoo system

  1. Configure IP forwarding, which will allow the guest Windows 7 system to communicate with the internet:
     sudo sysctl -w net.ipv4.ip_forward=1

  2. To ensure IP forwarding survives reboots, do the following:

     sudo gedit /etc/sysctl.conf

     Then uncomment the line below in sysctl.conf by removing the # sign and save the file:

     net.ipv4.ip_forward=1

Configure IP tables on the host cuckoo system

This is required to allow the guest VM to communicate with the internet. Run the following commands, but please read the note at the bottom of this section as it is important from a functionality perspective.

   sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT

   sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

   sudo iptables -A POSTROUTING -t nat -j MASQUERADE

Important: I lost internet connectivity from my host when I added the last of the iptables rules listed above. I did not spend too much time troubleshooting, so for now you should delete the rule when starting Cuckoo so it can check for updates, and add it back once Cuckoo has started.

To delete the rule, run the following:

   sudo iptables -t nat -D POSTROUTING 1
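Two details of the rules above deserve a second look before they are applied on a real host. Ubuntu 17.10 uses predictable interface names (enp0s25, wlp3s0 and the like), so an interface called eth0 typically does not exist and a FORWARD rule written for it never matches; and the MASQUERADE rule as written is not limited to guest traffic or to an outgoing interface. The script below is an added example, not the post's own commands: it reads the uplink from the default route, renders the three rules scoped to the vboxnet0 subnet and that uplink, and only touches the firewall when run with the argument apply. Function and variable names are mine; the fallback route line used when ip is unavailable is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): apply the forwarding and NAT
# rules scoped to the guest subnet and to the host's real uplink. Ubuntu 17.10
# uses predictable interface names (enp0s25, wlp3s0, ...), so a rule written
# for "eth0" typically never matches; the uplink is therefore read from the
# default route rather than hard-coded.
set -eu

GUEST_NET="${GUEST_NET:-192.168.56.0/24}"  # vboxnet0 subnet from the post
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"

# Read "ip route show default" output on stdin and print the device of the
# first default route, e.g. "wlp3s0" from
# "default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600".
parse_default_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the three rules, one per line, so they can be reviewed before use.
# MASQUERADE is limited to guest traffic leaving on the uplink ($1), so the
# host's own connections are never rewritten.
render_rules() {
    cat <<EOF
iptables -A FORWARD -i $HOSTONLY_IF -o $1 -s $GUEST_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $1 -s $GUEST_NET -j MASQUERADE
EOF
}

# Detect the uplink and apply the rendered rules with sudo.
apply_rules() {
    uplink="$(ip route show default | parse_default_iface)"
    [ -n "$uplink" ] || { echo "no default route found" >&2; return 1; }
    render_rules "$uplink" | while IFS= read -r rule; do sudo $rule; done
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    # Dry run: show the rules for the detected uplink, falling back to a
    # constructed route line when "ip" is unavailable here.
    uplink="$( { ip route show default 2>/dev/null || echo 'default via 192.0.2.1 dev enp0s25'; } | parse_default_iface)"
    render_rules "${uplink:-enp0s25}"
fi
```

Run it without arguments first to see exactly which interface was detected and what will be added; the rules still need to be removed and re-added around cuckoo community as described in the note above if you hit the same connectivity problem.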

Configuring Cuckoo

Here we configure Cuckoo to get it to work correctly. The files to modify are located in ~/.cuckoo/conf/. Keep comments on their own lines rather than trailing a value.

  1. cuckoo.conf

[cuckoo]
machinery = virtualbox

[resultserver]
# This is the IP address of the host on vboxnet0
ip = 192.168.56.1

  2. auxiliary.conf

[sniffer]
enabled = yes

  3. virtualbox.conf

Assume the name of the Windows 7 virtual machine is Win7.

[virtualbox]
machines = Win7

[Win7]
label = Win7
platform = windows
# IP address of the guest
ip = 192.168.56.101
# name of the snapshot taken above
snapshot = snapshot1

  4. reporting.conf

[singlefile]
enabled = yes

[mongodb]
enabled = yes

  5. processing.conf

[memory]
enabled = yes

  6. memory.conf

[basic]
guest_profile = Win7SP1x64
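Because the values in these files have to agree with each other and with the host setup from the earlier sections (resultserver ip is the vboxnet0 address, the guest ip sits on the same /24, the snapshot name matches the one taken above, tcpdump has its capabilities, forwarding is on), a quick preflight check saves a lot of head-scratching when an analysis silently never starts. The script below is an added example, not part of the post or of Cuckoo: it has a small INI reader written in awk, cross-checks cuckoo.conf and virtualbox.conf, and runs the host checks for the tcpdump and IP forwarding steps where those tools exist. It also flags a trailing # comment on a value line, because Python 2's ConfigParser (which reads these files) only strips inline comments introduced by ";" after whitespace, so a trailing "# ..." becomes part of the value. Function names, CUCKOO_CONF_DIR and the sample conf files it writes for a stand-alone run are mine; the sample values are the ones used in the post.

```bash
#!/bin/bash
# Added example (not part of the original post): a preflight check for the
# edited Cuckoo configuration and the host settings from earlier sections.
# Python 2's ConfigParser only strips an inline comment introduced by ";" after
# whitespace; a trailing "# ..." stays part of the value, so it is flagged.
set -eu

CUCKOO_CONF_DIR="${CUCKOO_CONF_DIR:-${HOME:-.}/.cuckoo/conf}"

# conf_get FILE SECTION KEY: print the value (whitespace-trimmed), or nothing.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                         # full-line comment
        /^\[/ { h = $0; sub(/[ \t]+$/, "", h); insec = (h == sec); next }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); gsub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# True when an IPv4 address is on the vboxnet0 /24 used throughout the post.
in_guest_net() {
    case "$1" in 192.168.56.*) return 0 ;; *) return 1 ;; esac
}

# Cross-check cuckoo.conf and virtualbox.conf; print each problem, return 1 if any.
check_conf() {
    dir="$1"; fail=0
    machinery="$(conf_get "$dir/cuckoo.conf" cuckoo machinery)"
    rs_ip="$(conf_get "$dir/cuckoo.conf" resultserver ip)"
    vm="$(conf_get "$dir/virtualbox.conf" virtualbox machines)"
    guest_ip="$(conf_get "$dir/virtualbox.conf" "$vm" ip)"
    snap="$(conf_get "$dir/virtualbox.conf" "$vm" snapshot)"
    [ "$machinery" = virtualbox ] || { echo "machinery is '$machinery', expected virtualbox"; fail=1; }
    case "$rs_ip$guest_ip" in *'#'*) echo "inline comment leaked into an ip value"; fail=1 ;; esac
    in_guest_net "$rs_ip" || { echo "resultserver ip '$rs_ip' is not on vboxnet0"; fail=1; }
    in_guest_net "$guest_ip" || { echo "guest ip '$guest_ip' is not on vboxnet0"; fail=1; }
    [ "$rs_ip" != "$guest_ip" ] || { echo "host and guest share the address $rs_ip"; fail=1; }
    [ -n "$snap" ] || { echo "no snapshot configured for machine '$vm'"; fail=1; }
    return $fail
}

# Host-side checks for the tcpdump and IP forwarding steps (skipped where the
# tools are absent, e.g. when running this somewhere other than the host).
check_host() {
    fail=0
    if command -v sysctl >/dev/null 2>&1; then
        [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo 0)" = 1 ] || { echo "net.ipv4.ip_forward is not 1"; fail=1; }
    fi
    if command -v getcap >/dev/null 2>&1; then
        getcap /usr/sbin/tcpdump 2>/dev/null | grep -q cap_net_raw || { echo "tcpdump lacks cap_net_raw (rerun setcap)"; fail=1; }
    fi
    return $fail
}

# Constructed sample conf files with the post's values, for a stand-alone run.
write_sample_conf() {
    mkdir -p "$1"
    printf '%s\n' '[cuckoo]' 'machinery = virtualbox' '[resultserver]' \
        '# IP address of the host on vboxnet0' 'ip = 192.168.56.1' > "$1/cuckoo.conf"
    printf '%s\n' '[virtualbox]' 'machines = Win7' '[Win7]' 'label = Win7' \
        'platform = windows' 'ip = 192.168.56.101' 'snapshot = snapshot1' > "$1/virtualbox.conf"
}

if [ -d "$CUCKOO_CONF_DIR" ]; then
    check_conf "$CUCKOO_CONF_DIR" && check_host && echo "cuckoo preflight OK"
else
    tmp="$(mktemp -d)"; write_sample_conf "$tmp"
    check_conf "$tmp" && echo "sample conf is consistent"
    rm -rf "$tmp"
fi
```

On the Cuckoo host it reads ~/.cuckoo/conf directly; each mismatch is printed on its own line, so an empty output followed by "cuckoo preflight OK" means the files and the host agree.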



Start Cuckoo

1. Start by updating Cuckoo’s scoring signatures. Ensure the last iptables rule is deleted first:

   cuckoo community

Once the command completes, re-add that iptables rule.

2. Open two terminals. One will start Cuckoo and the other the Cuckoo web user interface:

   terminal 1: cuckoo
   terminal 2: cuckoo web runserver

3. Browse to 127.0.0.1:8000

You can now begin analyzing malware. Submit some samples and start looking at similarities between them to get an idea on how to build effective defenses. Let me know what you think by leaving a comment.