Cuckoo: your own automated malware analysis lab

image
A month ago, the portal at my new job was hacked. Management wanted to know how. A short search through the connection logs on the servers turned up the PC of an employee from which a connection had been made at about the same time. The employee knew nothing about any hacking, but during the conversation he recalled one incident: shortly before the break-in he had received a document from an "employee of the company" that would not open. The file had the .exe extension, and that is where the whole story began.

Management tasked me with analysing the file and working out what it does and what data could have ended up with the attacker. I had never dealt with malware analysis before, so the logical first step was to search Google.

Over a few days I found and read a large number of manuals on malware analysis. Almost all of them suggested analysing the software by hand with sandboxes and various utilities, but the easiest and fastest way turned out to be malwr.com, an automatic file analysis service built on a sandbox. I registered, uploaded the virus, got in the queue and waited; only a day later this news appeared on the front page:

image

On the afternoon of July 24th the service stopped working indefinitely due to increasing load.

Looking through the site's pages and description, I came across a mention of the analysis platform it used, Cuckoo Sandbox, and decided to find out more about the program.

What kind of animal is this “Cuckoo”?


Cuckoo Sandbox is a system for automated analysis of malware, exploits, malicious scripts, documents, archives and links. It can examine pdf, doc, xls and rtf documents, Python scripts, JS, DLL libraries, binaries, jar files and much more.

How does it work?


Python 2.7 is installed in a specially prepared virtual machine, the Cuckoo agent is added to autostart (it is what the host-side sandbox talks to), and the network interfaces are configured so that the guest's traffic can be captured and analysed. When all of that is done, a snapshot of the virtual machine is taken. For each analysis the sandbox uploads the file under test into the guest, determines its type, performs the actions appropriate for that type, and records every change inside the guest in the report. Once the analysis is over, the snapshot is restored and the virtual machine returns to its original state.

Cuckoo Sandbox is capable of:
  • Hooking win32 API function calls
  • Dumping network traffic (PCAP)
  • Dumping and analysing memory
  • Taking screenshots during analysis
  • Saving copies of all files created or downloaded during the analysis
  • Tracing the execution of the malicious process and every process it spawns
  • Producing reports in json, mmdef, maec and html formats
  • Isolating the environment in which the malware is launched (a VM restored to a clean snapshot after every run)

To whet your interest, here is a small screenshot of the signatures the sandbox matched on one file attached to a spam email:

image

Agreed, this tells you much more about a file than the classic antivirus verdict "Trojan.Gen" (take that as a dig at Symantec).

Here is the HTML report for that file, exactly as the sandbox generated it.

Cuckoo Sandbox is well documented, and installation instructions are posted on a number of sites, but at the moment not a single one of them works exactly as written. During setup I ran into a considerable number of problems, after which I decided to write up here a complete and up-to-date installation and configuration guide with all the nuances, additions and modifications. For the laziest readers I prepared a script that installs and configures the sandbox automatically. Let's get started.

Install and configure Cuckoo, with all the intricacies and additional utilities.


All of the following installation was carried out on a DigitalOcean VPS (2 GB RAM / 40 GB SSD / Ubuntu 14.04 32-bit).
Note: if you decide to build the sandbox on the same hosting, do not choose the London DC; you will have problems reaching some of the links.

Ubuntu was chosen on the developers' recommendation, as the system the sandbox was tested on directly.

The installation plan will look like this:
  1. Installing dependencies and packages required by utilities and sandbox
  2. Install Utilities and Cuckoo Sandbox
  3. Configure Cuckoo Sandbox
  4. Install and configure Virtualbox
  5. Install or load a virtual system, configure it
  6. Web interface
  7. Autoload
  8. Extras and additional Cuckoo features
  9. Ready-made script to install and configure Cuckoo
  10. Bonus


Installing dependencies and packages required by utilities and sandbox


If you are too lazy to do it yourself or to read, go straight to the "Ready-made script" section. Note that the script was tested and built only on Ubuntu 14.04 LTS 32-bit; operation on other systems is not guaranteed. If you prefer to work through it yourself, the next chapter is for you.

Install all the dependencies:

cd /tmp
apt-get update
apt-get install  git automake mongodb mingw32 dkms unzip wget python python-sqlalchemy python-bson python-pip python-dpkt python-jinja2 python-magic python-mysqldb python-gridfs python-libvirt python-bottle python-pefile python-chardet -y
apt-get install python-dev libxml2-dev libxslt1-dev libevent-dev libpcre3 libpcre3-dev zlib1g-dev libtool libpcre++-dev -y
apt-get install mariadb-server -y

Install the following one at a time, in this order:
pip install lxml
pip install cybox==2.0.1.4
pip install maec==4.0.1.0
pip install django
pip install py3compat
pip install pymongo

Note: install pymongo only via pip; if you install it via apt, the web interface will not work.

Install Utilities and Cuckoo Sandbox


SSDEEP

(ssdeep is a tool for recursively computing and comparing context-triggered piecewise hashes, better known as fuzzy hashing)
apt-get install ssdeep python-pyrex subversion libfuzzy-dev -y
svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
cd pyssdeep
python setup.py build
python setup.py install
pip install pydeep


Yara

(YARA is a tool that helps virus analysts identify and classify malware examples)
cd /tmp
wget https://github.com/plusvic/yara/archive/v2.1.0.tar.gz
tar xzf v2.1.0.tar.gz
cd yara-2.1.0
chmod +x build.sh
./build.sh
make install
cd yara-python
python setup.py build
python setup.py install


Distorm3

(Distorm3 - disassembler)
cd /tmp
wget http://distorm.googlecode.com/files/distorm3.zip
unzip distorm3.zip
cd distorm3
python setup.py build
python setup.py install


Volatility

(Volatility is a Python framework designed to study operating system memory dumps)
add-apt-repository ppa:pi-rho/security
apt-get update
apt-get install volatility

Note: do not build the package from source (as the 2012-2013 installation manuals describe); install it from the repository as shown here, otherwise the web UI will not work. A Volatility built from source, of any version, breaks uploading reports into MongoDB (and without Mongo the new web interface does not work); the repository version has no such problem.

Install Cuckoo Sandbox

First, add the user (the vboxusers group is created by the VirtualBox package, so if VirtualBox is not installed yet, run the usermod line after the VirtualBox section below):
useradd cuckoo
usermod -a -G vboxusers cuckoo
id cuckoo


Now install:
Stable
cd /opt
wget http://downloads.cuckoosandbox.org/1.1/cuckoo_1.1.tar.gz
tar xzf cuckoo_1.1.tar.gz

Dev
cd /opt
git clone https://github.com/cuckoobox/cuckoo.git

Note: the stable version is used in the examples below, and I recommend it.

Configure Cuckoo Sandbox


Set up Cuckoo community signatures

cd /opt/cuckoo
./utils/community.py --signatures --force

Now configure the Cuckoo database:

mysql -u root -p
> create database cuckoo;
> grant all privileges on cuckoo.* to cuckoo@localhost identified by 'cuck00pass' ;
> flush privileges;
> quit;

Customize cuckoo

  1. File /opt/cuckoo/conf/cuckoo.conf
    Turn on memory dumps (in the [cuckoo] section):
    memory_dump = on

    Configure the database connection (in the [database] section):
    connection = mysql://cuckoo:cuck00pass@localhost/cuckoo

    The server is weak, so increase the timeouts (in the [timeouts] section):
    default = 240
    critical = 1200
    vm_state = 600
  2. File /opt/cuckoo/conf/memory.conf
    The server has only 40 GB of disk, so do not keep the memory dumps after Volatility has processed them:
    delete_memdump = yes
  3. File /opt/cuckoo/conf/processing.conf
    Turn on RAM analysis:
    [memory]
    	enabled = yes

    Note: in the key parameter of the [virustotal] section you can enter your own virustotal.com API key
  4. File /opt/cuckoo/conf/virtualbox.conf
    Change the VirtualBox mode:
    mode = headless

    Change the name of the virtual machine from cuckoo1 to WindowsXP:
    machines = WindowsXP
    	[WindowsXP]
    	label = WindowsXP

  5. File /opt/cuckoo/conf/reporting.conf
    Enable export of reports into MongoDB for the web interface:
    [mongodb]
    	enabled = yes


This completes the setup of Cuckoo, now let's start with Virtualbox and the guest OS.
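Before moving on to VirtualBox, here is a small helper for making exactly these edits. It is an added example, not code from the article or from Cuckoo: the ready-made script at the end of the article does the same job with sed, and its blanket replacement of `enabled = no` with `enabled = yes` in reporting.conf would switch on every disabled reporting module (hpfclient, maec41, mmdef) rather than just [mongodb]. The helper edits one key in one named section, leaves comments and other sections untouched, and refuses to run if the section does not exist. The file and section names match Cuckoo 1.1; the conf directory and the database password are the ones used in this article.

```python
"""Set one key in one section of a Cuckoo .conf file (added example).

Not part of the article or of Cuckoo. Unlike ConfigParser it keeps
comments and untouched sections byte for byte, and unlike a blanket
sed over "enabled = no" it only changes the section you name.
"""
from __future__ import print_function
import re
import sys

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def set_option(text, section, key, value):
    """Return `text` with `key = value` set inside `[section]`.

    An existing `key = ...` line in that section is rewritten in place;
    if the key is missing it is added at the end of the section.
    A missing section raises KeyError so a typo cannot silently no-op.
    """
    key_re = re.compile(r"^\s*%s\s*=" % re.escape(key))
    new_line = "%s = %s" % (key, value)
    out, in_section, seen_section, done = [], False, False, False
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            if in_section and not done:      # section ended without the key
                out.append(new_line)
                done = True
            in_section = header.group(1).strip() == section
            seen_section = seen_section or in_section
        elif in_section and not done and key_re.match(line):
            line = new_line
            done = True
        out.append(line)
    if not seen_section:
        raise KeyError("no [%s] section" % section)
    if not done:                             # section was the last in the file
        out.append(new_line)
    return "\n".join(out) + "\n"


def apply_to_file(path, section, key, value):
    """Edit a conf file in place; returns the new contents."""
    with open(path) as f:
        text = f.read()
    new = set_option(text, section, key, value)
    with open(path, "w") as f:
        f.write(new)
    return new


# The edits the article makes, as (file, section, key, value). Assumes the
# Cuckoo 1.1 conf layout and the DB password used in the article.
ARTICLE_EDITS = [
    ("cuckoo.conf", "cuckoo", "memory_dump", "on"),
    ("cuckoo.conf", "database", "connection", "mysql://cuckoo:cuck00pass@localhost/cuckoo"),
    ("cuckoo.conf", "timeouts", "default", "240"),
    ("cuckoo.conf", "timeouts", "critical", "1200"),
    ("cuckoo.conf", "timeouts", "vm_state", "600"),
    ("memory.conf", "basic", "delete_memdump", "yes"),
    ("processing.conf", "memory", "enabled", "yes"),
    ("reporting.conf", "mongodb", "enabled", "yes"),
    ("virtualbox.conf", "virtualbox", "mode", "headless"),
]

# Constructed excerpt of reporting.conf used for the self-check below.
SAMPLE_REPORTING_CONF = """\
# Enable or disable the available reporting modules [on/off].
[jsondump]
enabled = yes

[reporthtml]
enabled = yes

[mongodb]
enabled = no
host = 127.0.0.1
port = 27017

[hpfclient]
enabled = no
host =
"""


def enable_mongodb_only(text):
    """Turn on [mongodb] and nothing else, which is what step 5 asks for."""
    return set_option(text, "mongodb", "enabled", "yes")


if __name__ == "__main__":
    # usage: python cuckoo_conf.py [/opt/cuckoo/conf]
    conf_dir = sys.argv[1] if len(sys.argv) > 1 else "/opt/cuckoo/conf"
    for fname, section, key, value in ARTICLE_EDITS:
        apply_to_file("%s/%s" % (conf_dir, fname), section, key, value)
        print("%s: [%s] %s = %s" % (fname, section, key, value))
```

Run it once after unpacking Cuckoo and before the first start; running it again is harmless because an existing key is rewritten rather than duplicated.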

Install and configure Virtualbox


Virtualbox and all necessary components

wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -
sh -c 'echo "deb http://download.virtualbox.org/virtualbox/debian trusty contrib" >> /etc/apt/sources.list.d/virtualbox.list'
apt-get update
apt-get install virtualbox-4.3
cd /tmp
VBOX_LATEST_VERSION=$(curl http://download.virtualbox.org/virtualbox/LATEST.TXT)
wget http://download.virtualbox.org/virtualbox/${VBOX_LATEST_VERSION}/Oracle_VM_VirtualBox_Extension_Pack-${VBOX_LATEST_VERSION}.vbox-extpack
vboxmanage extpack install /tmp/Oracle_VM_VirtualBox_Extension_Pack-${VBOX_LATEST_VERSION}.vbox-extpack
cd /opt
wget http://dlc.sun.com.edgesuite.net/virtualbox/${VBOX_LATEST_VERSION}/VBoxGuestAdditions_${VBOX_LATEST_VERSION}.iso


Install or load a virtual system, configure it


We have 2 options for installing the OS:
  1. Download it from the site
  2. Install manually

The first option is the fastest, but not the most stable. Use of that OS for non-commercial purposes is permitted, so there will be no licensing problems.
The second option takes longer and is more reliable; I chose it, but I will describe both in order.

Download virtual OS from the site
wget https://az412801.vo.msecnd.net/vhd/VMBuild_20131127/VirtualBox/IE6_WinXP/Linux/IE6.WinXP.For.LinuxVirtualBox.sfx
chmod +x IE6.WinXP.For.LinuxVirtualBox.sfx
./IE6.WinXP.For.LinuxVirtualBox.sfx
vboxmanage import IE6\ -\ WinXP.ova --vsys 0 --unit 10 --disk=/root/VirtualBox\ VMs/WindowsXP/WindowsXP.vmdk --memory 1024 --vmname WindowsXP


Manual OS installation
vboxmanage createvm --name "WindowsXP" --ostype WindowsXP --register
vboxmanage modifyvm "WindowsXP" --memory 1000 --acpi on --boot1 dvd
vboxmanage createhd --filename "WindowsXP.vdi" --size 20000
vboxmanage storagectl "WindowsXP" --name "IDE" --add ide --controller PIIX4
vboxmanage storageattach "WindowsXP" --storagectl "IDE" --port 0 --device 0 --type hdd --medium "WindowsXP.vdi"


Note: The following instructions are equally applicable to both methods.

Set up the network (the VM gets a host-only adapter; hardware virtualization is switched off because the VPS does not expose VT-x to us, and without it VirtualBox can only run 32-bit guests, hence Windows XP):
vboxmanage hostonlyif create
vboxmanage modifyvm "WindowsXP" --nic1 hostonly --hostonlyadapter1 vboxnet0 --nicpromisc1 allow-all --hwvirtex off --vtxvpid off


Configure shared folders
mkdir -p /opt/cuckoo/shares/setup
mkdir -p /opt/cuckoo/shares/WindowsXP
vboxmanage sharedfolder add "WindowsXP" --name "WindowsXP" --hostpath /opt/cuckoo/shares/WindowsXP --automount
vboxmanage sharedfolder add "WindowsXP" --name setup --hostpath /opt/cuckoo/shares/setup --automount --readonly
vboxmanage modifyvm "WindowsXP" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/WindowsXP/dump.pcap


Enable RDP Access
vboxmanage modifyvm "WindowsXP" --vrdeport 5000 --vrde on

You can specify any port.

The configuration of the virtual machine is complete; it remains to configure iptables and tcpdump and, if you chose to install from scratch, actually install Windows.

Iptables rules and kernel parameter (NAT from the host-only network out through eth0; note that this gives the guest, and therefore the malware, real Internet access from your VPS address):
iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT  
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  
iptables -A POSTROUTING -t nat -j MASQUERADE  
sysctl -w net.ipv4.ip_forward=1

tcpdump
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump

Raise the interface
ifconfig vboxnet0 192.168.56.1


Now go directly to the guest OS itself:

Installing Windows
Upload your image to the server and attach it to the virtual machine:
vboxmanage storageattach "WindowsXP" --storagectl "IDE" --port 0 --device 1 --type dvddrive --medium /path/to/licensed/windows.iso

Turn on
vboxmanage startvm "WindowsXP" --type headless

After this command you can connect to the virtual machine over RDP on port 5000 and install Windows. After installation, attach and install the VirtualBox Guest Additions:
vboxmanage storageattach "WindowsXP" --storagectl "IDE" --port 0 --device 1 --type dvddrive --medium /opt/VBoxGuestAdditions_4.3.14.iso

Note: your Guest Additions version may differ.
If you downloaded the ready-made virtual machine, you still need to update the Guest Additions.
After installation, reboot.

Setting up the guest OS
  1. Configure the network connection as follows (you can specify any DNS):

    image
  2. Install the VirtualBox Guest Additions from the disc that is attached to the system.
  3. Install Python 2.7: http://python.org/download/
  4. Install http://www.activestate.com/activepython
  5. Install the PIL Python module, which is used for taking screenshots: http://www.pythonware.com/products/pil/
  6. Turn off automatic Windows updates.
  7. Turn off the firewall.
  8. Copy the agent from the setup network share into C:\Python27 (on the host it is /opt/cuckoo/agent/agent.py; put it into /opt/cuckoo/shares/setup as agent.pyw so that it runs without a console window, as the ready-made script does) and add it to startup by creating a string value in the registry (start -> run -> regedit) under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
    Name: Agent
    Type: REG_SZ
    Data: C:\Python27\agent.pyw

    image
  9. Open IE, set the home page to a blank tab in the settings and, if desired, turn off all protective mechanisms in the browser properties.
  10. Disable SSDP: start -> run -> msconfig, and on the Services tab disable "SSDP Discovery Service" so that its network requests do not show up in reports.

    image

  11. Reboot and, in the window that appears at startup, tick "Don't show this message again" and click OK.
  12. After the guest OS reboots, start -> run -> cmd, type netstat -na in the console and check that the agent is listening on port 8000

    image

  13. Optionally, install various older, vulnerable versions of software (browsers, Flash Player, Java, Acrobat Reader...): http://www.oldapps.com
    Note: if you have an Office licence it is better to install it, and in general install everything you can: Skype, ICQ, an email client. One way or another, some malware tries to harvest data from these applications or to exploit them. For example, the hacker who broke into our site, after several unsuccessful attempts to get back into the network, built malware exploiting the vulnerability CVE-2012-0158; without Microsoft Office installed it would not have been possible to detect this.

This completes the installation of the guest OS.
Take a snapshot (without turning off the guest OS):
vboxmanage snapshot "WindowsXP" take "WindowsXPSnap01" --pause

And turn off:
vboxmanage controlvm "WindowsXP" poweroff


Web interface


Cuckoo Sandbox has two web interfaces, an old one and a new one. The old one is less informative, has fewer features and is much less convenient than the new one.
Old interface:

image

New interface:

image

The old interface runs without a database and without Django, simply by starting the web.py script from the utils folder, so if that is enough for you, use it; but I recommend spending five minutes of your precious time on bringing up the new web interface.
Install Apache:
apt-get install apache2

I chose Apache because I know it better and have worked with it longer; you can configure Nginx or Unicorn if you prefer. Keep in mind that the Django interface has no authentication of its own, and neither does the REST API (utils/api.py, port 8090) if you bind it to anything other than localhost; on an Internet-facing VPS restrict access to them (a Require ip directive in the vhost, or a firewall rule) rather than exposing them to the whole world.
Delete the file /etc/apache2/sites-enabled/000-default.conf.
Create the file /etc/apache2/sites-enabled/cuckoo.conf with the following contents:
<VirtualHost *:80>
	ServerName cuckoo.local
	ServerAdmin webmaster@localhost
	DocumentRoot /opt/cuckoo/web
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	WSGIScriptAlias / /opt/cuckoo/web/web/wsgi.py
	<Directory /opt/cuckoo/web/web>
		<Files wsgi.py>
			Require all granted
		</Files>
	</Directory>
	Alias /static /opt/cuckoo/web/static
	<Directory /opt/cuckoo/web/static/>
		Require all granted
	</Directory>
</VirtualHost> 

In the file /opt/cuckoo/web/web/wsgi.py we find:
import os
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "web.settings")

And change to:
import os, sys
sys.path.append('/opt/cuckoo')
sys.path.append('/opt/cuckoo/web')
os.chdir('/opt/cuckoo/web/')
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "web.settings")

Fix the permissions:
chown -R cuckoo:cuckoo /opt/cuckoo/

Change the user Apache runs as in the file /etc/apache2/envvars from
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data

to
APACHE_RUN_USER=cuckoo
APACHE_RUN_GROUP=cuckoo

Install the WSGI support module:
apt-get install libapache2-mod-wsgi -y


Software startup


Interface startup

In /etc/rc.local, before the line exit 0, write (the VBoxManage call makes VirtualBox create the vboxnet0 interface at boot so that it can then be given an address):
VBoxManage list vms > /dev/null
ifconfig vboxnet0 192.168.56.1


Sandbox Startup

apt-get install supervisor

We create the file /etc/supervisor/conf.d/cuckoo.conf with the following contents:
[program:cuckoo]
command=python cuckoo.py
directory=/opt/cuckoo
[program:cuckoo-api]
command=python api.py
directory=/opt/cuckoo/utils

Run:
supervisord -c /etc/supervisor/supervisord.conf
supervisorctl -c /etc/supervisor/supervisord.conf reload


Autoload iptables rules

apt-get install iptables-persistent


Done: after a reboot all services will start and everything will work.

Extras and additional Cuckoo features


PEID Signatures

Install a new signature database; it has twice as many signatures as the bundled one:
cd /tmp
wget http://research.pandasecurity.com/blogs/images/userdb.txt
mv userdb.txt /opt/cuckoo/data/peutils/UserDB.TXT


ClamAV rules in Yara + AlienVault Labs APT threat signatures

Note: when trying to download the ClamAV-to-Yara conversion script from the London DigitalOcean data centre, I got the error "Request not allowed from your country. That's all we know."
apt-get install clamav -y
wget http://db.local.clamav.net/main.cvd
wget http://db.local.clamav.net/daily.cvd
sigtool -u main.cvd
sigtool -u daily.cvd
wget http://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
python clamav_to_yara.py -f main.ndb -o main.yar
python clamav_to_yara.py -f daily.ndb -o daily.yar 
mkdir /opt/cuckoo/data/yara/clamav
mv *.yar /opt/cuckoo/data/yara/clamav/

The converted database will produce an error about the invalid signature EOL_0_94_2, so delete it:
remove the following lines from /opt/cuckoo/data/yara/clamav/main.yar
rule EOL_0_94_2
{
strings:
$a0 = { This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download }
condition:
$a0
}

Or simply run the following commands (they find the line number of the rule and delete eight lines starting from it, which is the length of this particular rule):
RM_EOL=$(sed -n '/EOL_0_94_2/{=}' /opt/cuckoo/data/yara/clamav/main.yar)
for n in {1..8}; do sed -i "${RM_EOL}d" /opt/cuckoo/data/yara/clamav/main.yar; done
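The same fix in a form that does not depend on the rule being exactly eight lines long, as an added example (not from the article, Cuckoo or the clamav_to_yara.py script): it locates the rule by name and removes its whole brace-delimited block, ignoring braces inside quoted strings. The sample rules embedded at the bottom are constructed to look like clamav_to_yara.py output; run the script against /opt/cuckoo/data/yara/clamav/main.yar with the rule name as the second argument. If yara still refuses the file afterwards, `yara.compile(filepath=...)` from yara-python names the next bad rule, and the same script removes it.

```python
"""Remove one named rule from a YARA source file (added example).

Not from the article or from Cuckoo/YARA. Finds `rule <name>` and drops
everything up to the brace that closes it, whatever the rule's length.
"""
from __future__ import print_function
import re
import sys

RULE_HEAD_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)")
# Double-quoted text strings may legitimately contain braces; blank them
# out before counting so they do not confuse the block matcher.
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def _brace_delta(line):
    """Net change in nesting depth on this line, ignoring strings and // comments."""
    stripped = QUOTED_RE.sub('""', line).split("//", 1)[0]
    return stripped.count("{") - stripped.count("}")


def remove_rule(text, name):
    """Return `text` without the rule called `name`; KeyError if absent."""
    lines = text.splitlines(True)
    out, i, removed = [], 0, False
    while i < len(lines):
        head = RULE_HEAD_RE.match(lines[i])
        if head and head.group(1) == name and not removed:
            depth, opened = 0, False
            while i < len(lines):            # skip until the block closes
                depth += _brace_delta(lines[i])
                opened = opened or "{" in lines[i]
                i += 1
                if opened and depth <= 0:
                    break
            removed = True
            continue
        out.append(lines[i])
        i += 1
    if not removed:
        raise KeyError(name)
    return "".join(out)


def list_rules(text):
    """Names of all rules in the file, in order; handy for a before/after check."""
    return [m.group(1) for m in (RULE_HEAD_RE.match(l) for l in text.splitlines()) if m]


# Constructed sample in the shape clamav_to_yara.py emits (not real ClamAV data).
SAMPLE_YAR = """\
rule Keep_Me
{
    strings:
        $a = "keep { this }"
    condition:
        $a
}

rule EOL_0_94_2
{
strings:
$a0 = { This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. }
condition:
$a0
}

rule Also_Keep { strings: $b = { 4D 5A } condition: $b }
"""

if __name__ == "__main__":
    # usage: python remove_yara_rule.py /opt/cuckoo/data/yara/clamav/main.yar EOL_0_94_2
    path, name = sys.argv[1], sys.argv[2]
    with open(path) as f:
        src = f.read()
    cleaned = remove_rule(src, name)
    with open(path, "w") as f:
        f.write(cleaned)
    print("removed %s; %d rules remain" % (name, len(list_rules(cleaned))))
```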

Next, add the APT threat rules from AlienVault Labs:
git clone https://github.com/AlienVault-Labs/AlienVaultLabs.git 
mv AlienVaultLabs/malware_analysis/ /opt/cuckoo/data/yara/

And connect these rules to Cuckoo:
Append the following lines to /opt/cuckoo/data/yara/index_binary.yar (keep the existing includes for signatures/embedded.yar and signatures/vmdetect.yar that are already there):
include "clamav/main.yar"
include "clamav/daily.yar"
include "malware_analysis/CommentCrew/apt1.yara"
include "malware_analysis/FPU/fpu.yar"
include "malware_analysis/Georbot/GeorBotBinary.yara"
include "malware_analysis/Georbot/GeorBotMemory.yara"
include "malware_analysis/Hangover/hangover.yar"
include "malware_analysis/KINS/kins.yar"
include "malware_analysis/OSX_Leverage/leverage.yar"
include "malware_analysis/TheMask_Careto/mask.yar"
include "malware_analysis/Urausy/urausy_skypedat.yar"


Zer0m0n, or hiding our sandbox

Any malicious file may check for debuggers or a virtual environment before doing anything, and then the result of the analysis will be disappointing. Here is what the Paranoid Fish test shows when its executable is uploaded for analysis:

image

This can be fixed fairly easily with zer0m0n.
zer0m0n is a kernel driver for Cuckoo Sandbox that performs the analysis from kernel mode while the malware runs. It hides most signs that the OS is virtualised and makes it much harder for malware to detect that it is running inside Cuckoo.

Install it:
cd /tmp
git clone https://github.com/conix-security/zer0m0n.git
cd zer0m0n/bin
cp cuckoo.patch /opt/cuckoo
cd /opt/cuckoo
patch -p1 < ./cuckoo.patch
cp /tmp/zer0m0n/bin/logs_dispatcher.exe /opt/cuckoo/analyzer/windows/dll/
cp /tmp/zer0m0n/bin/zer0m0n.sys /opt/cuckoo/analyzer/windows/dll/
cp -rf /tmp/zer0m0n/signatures/* /opt/cuckoo/modules/signatures/


Correct the rights:
chown -R cuckoo:cuckoo /opt/cuckoo/

After that, in the web interface's additional options you can choose the analysis mode: Userland by default, or Kernelland with zer0m0n:

image

If you submit from the console, pass the option kernel_analysis=yes (the --options argument of utils/submit.py).

Run the test again:

image

Ready-made script to install and configure Cuckoo


As promised, here is the finished script. It configures everything automatically except the guest OS; after it has run, go back to the guest OS section and set the guest up.
setup_cuckoo.sh
#!/bin/bash
#-------------------------------------------#
# Install Cuckoo Sandbox
# Tested only on Ubuntu 14.04 (32-bit)
#-------------------------------------------#
# Install dependencies
cd /tmp
apt-get update
apt-get install git automake mongodb mingw32 dkms unzip wget python python-sqlalchemy python-bson python-pip python-dpkt python-jinja2 python-magic python-gridfs python-mysqldb python-libvirt python-bottle python-pefile python-chardet -y
apt-get install python-dev libxml2-dev libxslt1-dev libevent-dev libpcre3 libpcre3-dev zlib1g-dev libtool libpcre++-dev -y
debconf-set-selections <<< 'mariadb-server-5.5 mysql-server/root_password password supersecretpassw0rd'
debconf-set-selections <<< 'mariadb-server-5.5 mysql-server/root_password_again password supersecretpassw0rd'
apt-get install mariadb-server -y
# Install Python components (pymongo must come from pip, not apt)
pip install lxml
pip install cybox==2.0.1.4
pip install maec==4.0.1.0
pip install django
pip install py3compat
pip install pymongo
# Install SSDEEP
apt-get install ssdeep python-pyrex subversion libfuzzy-dev -y
svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
cd pyssdeep
python setup.py build
python setup.py install
pip install pydeep
# Install Yara
cd /tmp
wget https://github.com/plusvic/yara/archive/v2.1.0.tar.gz
tar xzf v2.1.0.tar.gz
cd yara-2.1.0
chmod +x build.sh
./build.sh
make install
cd yara-python
python setup.py build
python setup.py install
# Install Distorm3
cd /tmp
wget http://distorm.googlecode.com/files/distorm3.zip
unzip distorm3.zip
cd distorm3/
python setup.py build
python setup.py install
# Install Volatility (from the PPA, not from source)
add-apt-repository ppa:pi-rho/security -y
apt-get update
apt-get install volatility -y
# Install Cuckoo
useradd cuckoo
cd /opt
wget http://downloads.cuckoosandbox.org/1.1/cuckoo_1.1.tar.gz
tar xzf cuckoo_1.1.tar.gz
# Install the Cuckoo community signatures (https://github.com/cuckoobox/community)
cd /opt/cuckoo
./utils/community.py --signatures --force
#-------------------------------------------#
# Install and configure VirtualBox
#-------------------------------------------#
wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -
sh -c 'echo "deb http://download.virtualbox.org/virtualbox/debian trusty contrib" >> /etc/apt/sources.list.d/virtualbox.list'
apt-get update
apt-get install virtualbox-4.3 -y
# the vboxusers group only exists once the VirtualBox package is installed
usermod -a -G vboxusers cuckoo
cd /tmp
VBOX_LATEST_VERSION=$(curl http://download.virtualbox.org/virtualbox/LATEST.TXT)
wget http://download.virtualbox.org/virtualbox/${VBOX_LATEST_VERSION}/Oracle_VM_VirtualBox_Extension_Pack-${VBOX_LATEST_VERSION}.vbox-extpack
vboxmanage extpack install /tmp/Oracle_VM_VirtualBox_Extension_Pack-${VBOX_LATEST_VERSION}.vbox-extpack
cd /opt
wget http://dlc.sun.com.edgesuite.net/virtualbox/${VBOX_LATEST_VERSION}/VBoxGuestAdditions_${VBOX_LATEST_VERSION}.iso
# Configure the virtual machine
vboxmanage createvm --name "WindowsXP" --ostype WindowsXP --register
vboxmanage modifyvm "WindowsXP" --memory 1000 --acpi on --boot1 dvd
vboxmanage createhd --filename "WindowsXP.vdi" --size 20000
vboxmanage storagectl "WindowsXP" --name "IDE" --add ide --controller PIIX4
vboxmanage storageattach "WindowsXP" --storagectl "IDE" --port 0 --device 0 --type hdd --medium "WindowsXP.vdi"
vboxmanage hostonlyif create
vboxmanage modifyvm "WindowsXP" --nic1 hostonly --hostonlyadapter1 vboxnet0 --nicpromisc1 allow-all --hwvirtex off --vtxvpid off
# Configure shared folders
mkdir -p /opt/cuckoo/shares/setup
mkdir -p /opt/cuckoo/shares/WindowsXP
vboxmanage sharedfolder add "WindowsXP" --name "WindowsXP" --hostpath /opt/cuckoo/shares/WindowsXP --automount
vboxmanage sharedfolder add "WindowsXP" --name setup --hostpath /opt/cuckoo/shares/setup --automount --readonly
vboxmanage modifyvm "WindowsXP" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/WindowsXP/dump.pcap
cp /opt/cuckoo/agent/agent.py /opt/cuckoo/shares/setup/agent.pyw
# Enable RDP access on port 5000
vboxmanage modifyvm "WindowsXP" --vrdeport 5000 --vrde on
# Configure iptables (NAT from the host-only network out through eth0)
iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
# Configure tcpdump
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
# Configure the Cuckoo database
mysql -uroot -psupersecretpassw0rd -e "create database cuckoo"
mysql -uroot -psupersecretpassw0rd -e "grant all privileges on cuckoo.* to cuckoo@localhost identified by 'cuck00pass'"
mysql -uroot -psupersecretpassw0rd -e "flush privileges"
# Configure Cuckoo
sed -i -e "s@connection =@connection = mysql://cuckoo:cuck00pass\@localhost/cuckoo@" /opt/cuckoo/conf/cuckoo.conf
sed -i -e "s@memory_dump = off@memory_dump = on@" /opt/cuckoo/conf/cuckoo.conf
sed -i -e "s@default = 120@default = 240@" /opt/cuckoo/conf/cuckoo.conf
sed -i -e "s@critical = 600@critical = 1200@" /opt/cuckoo/conf/cuckoo.conf
sed -i -e "s@vm_state = 300@vm_state = 600@" /opt/cuckoo/conf/cuckoo.conf
sed -i -e "s@delete_memdump = no@delete_memdump = yes@" /opt/cuckoo/conf/memory.conf
# enable only the [memory] processing module and the [mongodb] reporting module;
# a blanket "enabled = no" -> "enabled = yes" would also switch on hpfclient, maec41 and mmdef
sed -i -e "/^\[memory\]/,/^\[/ s@enabled = no@enabled = yes@" /opt/cuckoo/conf/processing.conf
sed -i -e "/^\[mongodb\]/,/^\[/ s@enabled = no@enabled = yes@" /opt/cuckoo/conf/reporting.conf
sed -i -e "s@mode = gui@mode = headless@" /opt/cuckoo/conf/virtualbox.conf
sed -i -e "s@cuckoo1@WindowsXP@" /opt/cuckoo/conf/virtualbox.conf
# Configure the web server
apt-get install apache2 -y
mv /etc/apache2/sites-enabled/000-default.conf /etc/apache2/sites-enabled/000-default.conf.bak
cat > /etc/apache2/sites-enabled/cuckoo.conf <<DELIM
<VirtualHost *:80>
ServerName cuckoo.local
ServerAdmin webmaster@localhost
DocumentRoot /opt/cuckoo/web
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
WSGIScriptAlias / /opt/cuckoo/web/web/wsgi.py
<Directory /opt/cuckoo/web/web>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
Alias /static /opt/cuckoo/web/static
<Directory /opt/cuckoo/web/static/>
Require all granted
</Directory>
</VirtualHost>
DELIM
apt-get install libapache2-mod-wsgi -y
mv /opt/cuckoo/web/web/wsgi.py /opt/cuckoo/web/web/wsgi.py.bak
cat > /opt/cuckoo/web/web/wsgi.py <<DELIM
import os, sys
sys.path.append('/opt/cuckoo')
sys.path.append('/opt/cuckoo/web')
os.chdir('/opt/cuckoo/web/')
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "web.settings")
from django.core.wsgi import get_wsgi_application
application = get_wsgi_application()
DELIM
chown -R cuckoo:cuckoo /opt/cuckoo/
# Bring up the vboxnet0 interface at boot
sed -i -e "s@exit 0@@" /etc/rc.local
echo 'VBoxManage list vms > /dev/null' >> /etc/rc.local
echo 'ifconfig vboxnet0 192.168.56.1' >> /etc/rc.local
echo 'exit 0' >> /etc/rc.local
# Start Cuckoo at boot
apt-get install supervisor -y
cat > /etc/supervisor/conf.d/cuckoo.conf <<DELIM
[program:cuckoo]
command=python cuckoo.py
directory=/opt/cuckoo
[program:cuckoo-api]
command=python api.py
directory=/opt/cuckoo/utils
DELIM
supervisord -c /etc/supervisor/supervisord.conf
supervisorctl -c /etc/supervisor/supervisord.conf reload
# Restore the iptables rules at boot (the if-up.d hook must be executable to run)
cat > /etc/network/if-up.d/00-iptables <<DELIM
#!/bin/sh
iptables-restore < /etc/firewall.conf
DELIM
chmod +x /etc/network/if-up.d/00-iptables
iptables-save > /etc/firewall.conf
# Additional PEiD signatures
cd /tmp
wget http://research.pandasecurity.com/blogs/images/userdb.txt
mv userdb.txt /opt/cuckoo/data/peutils/UserDB.TXT
# ClamAV signatures for Yara
cd /tmp
apt-get install clamav -y
wget http://db.local.clamav.net/main.cvd
wget http://db.local.clamav.net/daily.cvd
sigtool -u main.cvd
sigtool -u daily.cvd
wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
python clamav_to_yara.py -f main.ndb -o main.yar
python clamav_to_yara.py -f daily.ndb -o daily.yar
# fix: ClamAV contains the signature EOL_0_94_2, which converts but is not valid for Yara
RM_EOL=$(sed -n '/EOL_0_94_2/{=}' main.yar)
for n in {1..8}; do sed -i "${RM_EOL}d" main.yar; done
mkdir /opt/cuckoo/data/yara/clamav
mv *.yar /opt/cuckoo/data/yara/clamav/
git clone https://github.com/AlienVault-Labs/AlienVaultLabs.git
mv AlienVaultLabs/malware_analysis/ /opt/cuckoo/data/yara/
mv /opt/cuckoo/data/yara/index_binary.yar /opt/cuckoo/data/yara/index_binary.yar.bak
cat > /opt/cuckoo/data/yara/index_binary.yar <<DELIM
include "signatures/embedded.yar"
include "signatures/vmdetect.yar"
include "clamav/main.yar"
include "clamav/daily.yar"
include "malware_analysis/CommentCrew/apt1.yara"
include "malware_analysis/FPU/fpu.yar"
include "malware_analysis/Georbot/GeorBotBinary.yara"
include "malware_analysis/Georbot/GeorBotMemory.yara"
include "malware_analysis/Hangover/hangover.yar"
include "malware_analysis/KINS/kins.yar"
include "malware_analysis/OSX_Leverage/leverage.yar"
include "malware_analysis/TheMask_Careto/mask.yar"
include "malware_analysis/Urausy/urausy_skypedat.yar"
DELIM
# Zer0m0n
git clone https://github.com/conix-security/zer0m0n.git
cd zer0m0n/bin
cp cuckoo.patch /opt/cuckoo
cd /opt/cuckoo
patch -p1 < ./cuckoo.patch
cp /tmp/zer0m0n/bin/logs_dispatcher.exe /opt/cuckoo/analyzer/windows/dll/
cp /tmp/zer0m0n/bin/zer0m0n.sys /opt/cuckoo/analyzer/windows/dll/
cp -rf /tmp/zer0m0n/signatures/* /opt/cuckoo/modules/signatures/
chown -R cuckoo:cuckoo /opt/cuckoo/

Bonus


As a bonus, here are instructions for integrating Cuckoo Sandbox with Maltego.
We will integrate it with the sandbox's REST API service, which runs on port 8090.
I work on a Mac and performed the following steps on Mac OS 10.9.4, but on any Linux system everything should install and work the same way without problems.
First, download Maltego from its website and unpack it into the Applications folder.
Then open the program:

image

It will offer to log in or register; register and log in (don't struggle with the captcha, enter anything, it doesn't work), then download and install the files needed to integrate the sandbox with Maltego from the developer's repository:

sudo -s
git clone https://github.com/bostonlink/cuckooforcanari.git
cd cuckooforcanari
python setup.py install
canari create-profile cuckooforcanari

Now import the Cuckoo config into Maltego:
Click the program icon in the upper left corner -> Import -> Import Configuration and select the configuration file from the folder cloned from GitHub:

image

Import everything:

image

Done. Now open the configuration file and enter the host, port and the folder where you will put the malware:
vim ~/.canari/cuckooforcanari.conf

Done. Now create a new graph in the program, drag the Cuckoo Malware Sample entity onto the graph, rename it to the name of your malware file and upload it via Submit File For Analysis:

image

After the upload you will see the task number:

image

After the analysis you can pull any of the data into the graph:

image

You can see more about this in the official video from the developer:



Another bonus, a book I found on the net, is a good guide to using Cuckoo Sandbox to analyse malicious files.

And if you use Symantec Endpoint Protection 12.1 at work, you can use the Windows console utility SEPQuarantineTool.zip, which is not officially supported by Symantec, but I found a link to it on their support site. With this utility you can extract and restore files from quarantine, use curl for Windows to upload them to the server for analysis through the REST API, and put the files back into quarantine with the same utility, thereby automating threat analysis and building blacklists of the sites and servers the malware connects to.
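The upload-and-blacklist loop described here, using the REST API from the Maltego section above, as an added example (not from the article, Cuckoo or Symantec). It uses only the Python standard library, so it runs on the Windows machine with the quarantine tool just as well as on the sandbox host, and it assumes utils/api.py of Cuckoo 1.x is reachable at API_URL with its /tasks/create/file, /tasks/view and /tasks/report routes and the 1.x JSON report layout. The report embedded at the bottom is a constructed fragment for the self-check, not a real analysis result; the extractor drops addresses on the 192.168.56.0/24 host-only network so that the sandbox gateway never lands on a blocklist.

```python
"""Submit a sample to Cuckoo's REST API and turn the report into blocklist
indicators (added example, not code from the article, Cuckoo or Symantec).

Assumptions: utils/api.py from Cuckoo 1.x listens at API_URL; the report
is the 1.x JSON layout (network.hosts, network.domains, network.http,
signatures). Standard library only.
"""
from __future__ import print_function
import json
import os
import sys
import time
try:                                   # Python 3
    from urllib.request import Request, urlopen
except ImportError:                    # Python 2.7
    from urllib2 import Request, urlopen

API_URL = "http://127.0.0.1:8090"      # assumption: api.py on the sandbox host
LAB_NET_PREFIX = "192.168.56."         # the host-only network from the article
BOUNDARY = "cuckoo1f1e3d9b7a"


def build_multipart(fields, filename, filedata):
    """Encode `fields` plus one file part named `file`, as api.py expects.
    Returns (content_type, body_bytes)."""
    body = b""
    for name, value in sorted(fields.items()):
        body += ('--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
                 % (BOUNDARY, name, value)).encode("utf-8")
    body += ('--%s\r\nContent-Disposition: form-data; name="file"; filename="%s"\r\n'
             'Content-Type: application/octet-stream\r\n\r\n'
             % (BOUNDARY, filename)).encode("utf-8")
    body += filedata + ("\r\n--%s--\r\n" % BOUNDARY).encode("utf-8")
    return "multipart/form-data; boundary=%s" % BOUNDARY, body


def _get_json(url_or_request):
    return json.loads(urlopen(url_or_request).read().decode("utf-8"))


def submit_file(path, options=None, api=API_URL):
    """POST the sample; `options` is the same string submit.py takes
    (e.g. "kernel_analysis=yes" for zer0m0n). Returns the task id."""
    fields = {"options": options} if options else {}
    with open(path, "rb") as f:
        ctype, body = build_multipart(fields, os.path.basename(path), f.read())
    req = Request(api + "/tasks/create/file", data=body,
                  headers={"Content-Type": ctype})
    return _get_json(req)["task_id"]


def wait_for_report(task_id, api=API_URL, poll=15, limit=1800):
    """Poll /tasks/view until status is 'reported', then fetch the JSON report."""
    deadline = time.time() + limit
    while time.time() < deadline:
        status = _get_json("%s/tasks/view/%d" % (api, task_id))["task"]["status"]
        if status == "reported":
            return _get_json("%s/tasks/report/%d" % (api, task_id))
        time.sleep(poll)
    raise RuntimeError("task %d not reported within %d s" % (task_id, limit))


def extract_indicators(report, lab_prefix=LAB_NET_PREFIX):
    """Hosts, domains, URLs and matched signatures from a 1.x JSON report.
    Addresses on the sandbox's own host-only network are dropped so the
    gateway never ends up on a blocklist."""
    net = report.get("network", {})
    hosts = set()
    for h in net.get("hosts", []):
        ip = h.get("ip") if isinstance(h, dict) else h   # 1.x: str; newer: dict
        if ip and not ip.startswith(lab_prefix):
            hosts.add(ip)
    domains = set(d["domain"] for d in net.get("domains", []) if d.get("domain"))
    urls = set(h["uri"] for h in net.get("http", []) if h.get("uri"))
    signatures = [s["name"] for s in report.get("signatures", []) if s.get("name")]
    return {"hosts": sorted(hosts), "domains": sorted(domains),
            "urls": sorted(urls), "signatures": signatures}


# Constructed report fragment in the 1.x layout; not output from a real analysis.
SAMPLE_REPORT = {
    "target": {"file": {"md5": "0" * 32, "name": "document.exe"}},
    "network": {
        "hosts": ["198.51.100.7", "192.168.56.1"],
        "domains": [{"domain": "update.example.net", "ip": "198.51.100.7"}],
        "http": [{"host": "update.example.net", "method": "POST",
                  "uri": "http://update.example.net/gate.php"}],
    },
    "signatures": [{"name": "network_http", "severity": 2,
                    "description": "Performs some HTTP requests"}],
}

if __name__ == "__main__":
    # usage: python cuckoo_submit.py C:\quarantine\sample.exe [kernel_analysis=yes]
    sample = sys.argv[1]
    opts = sys.argv[2] if len(sys.argv) > 2 else None
    task_id = submit_file(sample, opts)
    print("submitted as task %d" % task_id)
    print(json.dumps(extract_indicators(wait_for_report(task_id)), indent=2))
```

The printed JSON is what goes into the blacklist; feed it to whatever builds your proxy or DNS block rules, and keep the task id so the full report stays reachable in the web interface.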

In conclusion, I want to say that this tool helped complete all of the tasks, and the logs and malicious files of the hacker mentioned at the very beginning of the article are now analysed literally in a matter of minutes and let us understand the whole picture of the malware the hacker used.

Thank you for your attention.

List of sources used


docs.cuckoosandbox.org
xakep.ru/articles/57409
lanswer.blogspot.ru/2012/11/add-cucksandbox-to-ubuntu-service.html
reverselab.info/page/cuckoo-sandbox
www.alienvault.com/blogs/tag/yara
www.securitylab.ru/analytics/441524.php
www.modern.ie/ru-ru
www.aldeid.com/wiki/PEiD
blog.prowling.nu/2014/08/cuckoo-sandbox-django-interface-with.html
github.com/conix-security/zer0m0n
github.com/bostonlink/cuckooforcanari
santi-bassett.blogspot.ru/2013/01/installing-cuckoo-sandbox-on-virtualbox.html
