Cisco Umbrella
Security

Deploy Your Own Cuckoo Sandbox

Kevin Bottomley
Updated — April 1, 2021 • 6 minute read

Enter the mighty Cuckoo Sandbox


Whether you’re an amateur cyber-sleuth or a seasoned reverse engineer, having the right tools in the toolbox is essential for the task. Running samples on your main system is, in general, a bad idea all around. I won’t attempt to cover all of the possible tools out there, as the list is long. I will, however, go over a simple setup involving Cuckoo Sandbox that will allow you to get some good insight into malware behavior.

So you wanna play with some malware huh?

A popular tool among security professionals is the open-source Cuckoo Sandbox. Cuckoo Sandbox will allow you to submit files and URLs, analyze the data, and return the results in a nicely laid out format. There are a few different forks out there, but in this case, we’re going to stick with the original, which can be cloned from here. One might ask: “But aren’t there already publicly facing versions out there that will do this for me?”, and the answer to that is: yes. The people over at Malwr have kindly deployed one of these said instances, and it works amazingly well. However, there are a couple of downsides to using cloud-based analysis tools.

The first and foremost issue is that when you upload samples to places such as Malwr and VirusTotal, malware authors, who can also use these same services, may see that their work has been captured and make changes to the code, giving them an edge over the detection methods. The second downside is that the third-party tool you are using might itself be down for any one of various reasons. The third is that perhaps you are like me, and like to keep all your samples and data close by. At this point, we’re going to go with item three, and deploy our own sandbox to play in.

Cuckoo has great, detailed documentation about how to install it, and it works quite well out of the box. Along with the documentation, there is also a wealth of articles out there you can read. Yet, one thing I noticed is that a lot of these articles are a bit old (in Internet years, that is). While building up my sandbox, I spent a number of hours that led into days scouring the Internet for various ways of deploying and hardening the system. I’ll save you all of that time and instead give you what I learned during my trial and error period.

You could go through all the docs from the aforementioned link and install all of the needed libraries, modules, and databases individually, and that is fine. However, while doing my research, I discovered that David Reguera (@fr33project) was already nice enough to take the majority of this work and put it all into a nice, tidy bash script. The script will install, clone, and set up all of the basic necessities to get up and running. It will also make a new user named ‘cuckoo’ for you to run the sandbox under. A couple of points of note: 1) on line 41 of the script, you will want to change ‘debian’ (if you are not using Debian, that is) to whichever distro you are using, i.e. if you decided to use Ubuntu as your host machine, you should change that line to reflect said distro, and 2) if you decide to change the new user name to your existing user, the permissions in the script will bork you out of your admin access if you have not already added yourself to the visudo file, and you will spend the next several minutes having to hack around your box to regain your admin privileges, so be forewarned.

Upon completion of the script you will also have VirtualBox installed (if it’s not already), which you will use to house your guest (read: target) virtual machine(s). You can also use VMware, but the default configuration files for Cuckoo are already set up for VirtualBox. Your guest operating system(s) can be whatever you choose. I recommend using as many different ones as possible, and having, at the very least, a nice, highly vulnerable Windows XP going. If you have the space on your hard drive, it’s recommended that the disk size of the guest OS be greater than 60GB. For Cuckoo to work, the guest OS requires a script called ‘agent.py’, which you can find in the /path/to/cuckoo/agent directory. Now would be a good time to install the VirtualBox Guest Additions to make importing this script a bit easier. By putting the agent.py script in your guest OS under the user’s Startup folder and renaming it to ‘agent.pyw’, it will start up automatically every time (the ‘w’ makes the script start up hidden, with no console window). For this to work, you will also have to install Python, and it is also recommended to install the Python Imaging Library.

At this point, it’s a good idea to take a snapshot of the system, restart the guest OS, and run Task Manager to make sure the agent script is running the way it should be. If all that looks good, it’s time to move on and add some vulnerable applications for your samples to try to exploit. Heading over to oldapps.com, you can find a plethora of software to choose from. Here the choice is yours on what to install, but you should stick with old versions of Internet Explorer, Flash, Silverlight, and Reader at the bare minimum. Take a new snapshot at this point so Cuckoo will use everything you have just installed. So far, the following should have been done:

  1. Ran the script to install and set up Cuckoo
  2. Installed the guest OS into VirtualBox
  3. Installed the agent.py script into the guest OS
  4. Installed some old, vulnerable applications
  5. Taken a snapshot

Once all of the above steps are completed, change the network settings of the guest OS. The first step is to change the IP of the guest from DHCP to something static; 192.168.56.101 is the default in the /path/to/cuckoo/conf/virtualbox.conf file, so I recommend just going with that. Next, change the network settings of VirtualBox from NAT to Host-Only, and change, at the least, the first six hex digits of the MAC address (the three-octet OUI) to anything other than 080027, as some malware will check this to determine it’s running in a VirtualBox environment.
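As an added example (not code from the original post or from the Cuckoo project), the helper below reads a virtualbox.conf-style fragment to find the static IP Cuckoo expects each guest at, builds a locally administered MAC address whose prefix can never be the VirtualBox OUI 08:00:27, and prints the VBoxManage commands that switch the guest’s first NIC to Host-Only and apply that MAC. The VM name `cuckoo1`, the host-only adapter name `vboxnet0` and the conf text are assumptions.

```python
import configparser
import secrets

# Constructed sample of the machine block Cuckoo reads from
# /path/to/cuckoo/conf/virtualbox.conf; the VM name "cuckoo1" is assumed.
SAMPLE_CONF = """[virtualbox]
mode = headless
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot = hardened
"""

VBOX_OUI = "080027"  # three octets VirtualBox stamps on every NIC by default

def guest_ips(conf_text):
    """Map each configured guest label to the static IP Cuckoo expects."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    names = [m.strip() for m in cp["virtualbox"]["machines"].split(",")]
    return {cp[n]["label"]: cp[n]["ip"] for n in names}

def looks_like_virtualbox(mac):
    """True if the MAC still carries the default VirtualBox OUI 08:00:27."""
    return mac.replace(":", "").replace("-", "").upper().startswith(VBOX_OUI)

def random_laa_mac():
    """Random unicast MAC with the locally-administered bit set.
    Bit 1 of the first octet being set means the prefix can never be
    08:00:27, so the guest stops advertising itself as a VirtualBox NIC."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE  # set local bit, clear multicast bit
    return b.hex().upper()       # 12 hex digits, the form VBoxManage takes

def vboxmanage_commands(vm, adapter, mac):
    """Commands that move NIC1 to Host-Only and replace its MAC address."""
    return [
        f'VBoxManage modifyvm "{vm}" --nic1 hostonly --hostonlyadapter1 {adapter}',
        f'VBoxManage modifyvm "{vm}" --macaddress1 {mac}',
    ]

if __name__ == "__main__":
    mac = random_laa_mac()
    for vm, ip in guest_ips(SAMPLE_CONF).items():
        print(f"# {vm}: set the guest to static IP {ip} on the Host-Only net")
        print("\n".join(vboxmanage_commands(vm, "vboxnet0", mac)))
```

Run it on the host with the guest powered off, then set the static IP inside the guest to match the value from the conf file.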

Harden your sandbox against VM detecting malware

The next stop in the process is to harden up your guest OS against VM-aware malware. Yes, this is a real thing. Some malware will actually detect that it’s running in a sandbox and perform differently, if at all. You can see for yourself by running this executable (pafish.exe) written by Alberto Ortega (@a0rtega). You’ll most likely see a bunch of red ‘traced!’ items in the command window that appears on the guest OS after uploading the sample. This is bad, and means that real malware will also detect that you are trying to analyze it. No fun.
Fear not though, for there is a .dll for that! With the Cuckoo community being what it is, and the open-source awesomeness that also comes along with it, there are all kinds of ways to expand your Cuckoo installation. Mark Doe (@mark_ed_doe) created this cuckoomon.dll patch to make the VM less detectable. For this, I copied the original cuckoomon.dll found in /path/to/cuckoo/analyzer/windows/dll/cuckoomon.dll to original_cuckoomon.dll and then copied the new .dll into the same directory. Make sure you:
$ chmod -x cuckoomon.dll

If you are all done with the VirtualBox Guest Additions, you should now uninstall them from the guest OS to help mitigate any residual VirtualBox giveaways. Snapshot time again! Let’s run pafish.exe again. This time, you should see a lot less red and a lot more green. This is where we want to be, as you’ve now made your sandbox less detectable. One part I haven’t been able to figure out yet is the mouse integration detection, but I think if you turn off mouse integration this might do the trick. Unfortunately, it’s kind of a pain to scroll back up in the command window while running pafish.exe with the integration turned off to see if this does indeed help against that detection.

You can deploy more than one VM, but you will have to use a different database than the default setup, as well as make a couple of other modifications that you can read about in the docs (you should read the docs anyway, as they are far more detailed about the internals of how Cuckoo works).

You are now ready to start running samples through your sandbox. If you don’t have any yet, or want to expand your collection, there are a couple of places you can go to retrieve some. A couple of good places to start are the sites malware-traffic-analysis.net and kernelmode.info.

Sources:
http://www.cuckoosandbox.org/
http://www.wired.com/2014/09/how-hackers-use-virustotal/
https://github.com/buguroo/cuckooautoinstall/blob/master/cuckooautoinstall.sh
https://github.com/a0rtega/pafish/blob/master/pafish.exe
https://github.com/markedoe/cuckoo-sandbox/blob/master/cuckoomon.dll
http://www.oldapps.com/
