Enter the mighty Cuckoo Sandbox

cuckoo sandboxWhether you’re an amateur cyber-sleuth or a seasoned reverse engineer, having the right tools in the toolbox is essential for the task. Running samples on your main system is just, in general, a bad idea all around. I won’t attempt to cover all of possible items out there, as the list is long. I will, however, go over a simple setup involving Cuckoo Sanbox that will allow you to get some good insight into malware behavior.

So you wanna play with some malware huh?

A popular tool among security professionals is the open-source Cuckoo Sandbox. Cuckoo Sandbox will allow you to submit files and URLs, analyze the data, and return the results in nicely laid out format. There are a few different forks out there, but in this case, we’re going to stick with the original, which can be cloned from here. One might ask: “But aren’t there already publicly facing versions out there that will do this for me?”, and the answer to that is: yes. The people over at Malwr have kindly deployed one of these said instances, and it works amazing. However, there are a couple downsides to using cloud based analysis tools.

The first and foremost issue is that when you upload samples to places such as Malwr and VirusTotal, malware authors, who can also use these same services, may see that their work has been captured, and make changes to the code, thus, giving them an edge to alter detection methods. The second downside is that the 3rd Party tool you are using might itself be down for any one of various reasons. Or number three, perhaps you are like me, and like to keep all your samples and data close by. At this point, we’re going to go with item three, and deploy our own sandbox to play in.

Cuckoo has great detailed documentation about how to install it, and works quite well out of the box. Along with the documentation, there is also a wealth of articles out there you can read. Yet, one thing I noticed is that a lot these articles are a bit old (in Internet years that is). While building up my sandbox, I spent a number of hours that lead into days scouring the Internet for various ways of deploying and hardening the system. I’ll save you all of the time and instead give you what I learned during my trial and error period.

You could go through all the docs from the aforementioned link, and install all of the needed library’s, modules, and databases individually, and that is fine. However, while doing my research, I discovered that David Reguera (@fr33project) was already nice enough to take the majority of this work and put it all into a nice, tidy, bash script. The script will install, clone, and setup all of the basic necessities to get up and running. It will also make a new user named ‘cuckoo’ for you to run the sandbox under. A couple points of note: 1) on line 41 of the script, you will want to change ‘debian'(if you are not using Debian that is) to whichever distro of choice you are using, i.e. if you decided to use Ubuntu as your host machine, you should change that line to reflect said distro, and 2) if you decided to change the new user name to your existing user, the permissions in the script will bork you out of your admin access if you have not already added yourself to the visudo file, and you will spend the next several minutes having to hack around your box to regain your admin privileges, so be forewarned.

Upon completion of the script you will also have VirtualBox installed (if it’s not already), which you will use to house your guest (read: target) virtual machine(s). You can also use VMWare, but the default configuration files for Cuckoo are already setup for VirtualBox. Your guest Operating System(s) can be whatever you choose. I recommend using as many different ones as possible, and have, at the very least, a nice, highly vulnerable Windows XP going. If you have the space on your hard drive, it’s recommend the size of the Guest OS be greater than 60GB. For Cuckoo to work, the guest OS requires a script called ‘agent.py’, which you can find in the /path/to/cuckoo/agent directory. Now would be a good time to install the VirtualBox Guest Additions to make importing this script a bit easier. By putting the agent.py script in your guest OS system under the users Startup folder and renaming it to ‘agent.pyw’, it will start up automatically every time(the ‘w’ makes it so the script starts up hidden). For this to work, you will also have to install Python, and it is also recommended to install the Python Imaging Library.

At this point, it’s a good idea to take a snapshot of the system and restart the guest OS and run task manager to make sure the agent script is running the way it should be. If all that looks good, it’s time to move on and add some vulnerable applications for your samples to try and exploit. Heading over to oldapps.com, you can find a plethora of software to choose from. Here the choice is yours on what to install, but you should stick with old versions of Internet Explorer, Flash, Silverlight, and Reader at the bare minimum. Take a new snapshot at this point so Cuckoo will use everything you have just installed. So far, the following should have been done:

1) Run script to install and setup cuckoo

2) Installed Guest OS into VirtualBox

3) Installed agent.py script into Guest OS

4) Installed some old, vulnerable applications

5) Take a snapshot

Once all of the above steps are completed, you should now change the network settings of the Guest OS. The first step is to change the IP of the Guest from DHCP to something static, with being the default in the /path/to/cuckoo/conf/virtualbox.conf file, so I recommend to just go with that. Next change the network settings of VirtualBox from NAT to Host-Only, and change, at the least, the first six bits of the MAC address to anything other than 080027, as some malware will check this, and determine it’s running in a VirtualBox environment.

Harden your sandbox against VM detecting malware

The next stop in the process is to harden up your Guest OS from vm-aware malware. Yes, this is a real thing. Some malware will actually detect it’s running in a sandbox, and perform differently, if at all. You can see for yourself by running this executable written by Alberto Ortega (@a0rtega). You’ll be able to see, most likely, a bunch of red ‘traced!’ items in the command window that appears on the Guest OS after uploading the sample. This is bad, and means that real malware will also detect you are trying to analyze it. No fun.

Fear not though, for there is a .dll for that! With the Cuckoo community being what it is, and the open-source awesomeness that also comes along with it, there are all kinds of ways to expand your Cuckoo installation. Mark Doe(@mark_ed_doe) created this cuckoomon.dll patch to make the VM less detectable. For this, I copied the original cuckoomon.dll found in /path/to/cuckoo/analyzer/windows/dll/cuckoomon.dll to: original_cuckoomon.dll and then copied the new .dll into the same directory. Make sure you:

$ chmod -x cuckoomon.dll

If you are all done with the VirtualBox Guest Additions, you should now uninstall it from the Guest OS to help mitigate any residual VirtualBox giveaways. Snapshot time again! Let’s run the pafish.exe again. This time, you should see a lot less red, and a lot more green. This is where we want to be, as you’ve now made your sandbox less detectable. One part I haven’t been able to figure out yet is the mouse integration detection, but I think if you turn off mouse integration this might do the trick. Unfortunately it’s kind of a pain to scroll back up in the command window while running the pafish.exe with the integration turned off to see if this does indeed help against that detection.

You can deploy more than one VM, but you will have to use a different database than the default setup, as well as a couple other modifications that you can read about in the docs(you should read the docs anyway, as they are way more verbose about the integrals of how Cuckoo works).

You are now ready to start running samples through your sandbox, if you don’t have any yet, or want to expand, there are a couple of places you can go and retrieve some. A couple of good places to start are the sites malware-traffic-analysis.net and kernelmode.info.








This post is categorized in: