What is Cuckoo Sandbox?
In three words, Cuckoo Sandbox is a malware analysis system.
What does that mean?
It simply means that you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will give you back detailed results outlining what that file did when executed inside an isolated environment.
- Execute the script: sh cuckooautoinstall.sh
- Set a password for the 'cuckoo' user created by the script: passwd cuckoo
- Create the virtual machines (http://docs.cuckoosandbox.org/en/latest/installation/guest/) or import existing ones with: VBoxManage import virtual_machine.ova
- Attach each virtual machine to the host-only network vboxnet0: VBoxManage modifyvm "virtual_machine" --hostonlyadapter1 vboxnet0 (list the VMs with: VBoxManage list vms)
- Configure Cuckoo: cuckoo/conf/cuckoo.conf, cuckoo/conf/auxiliary.conf and cuckoo/conf/virtualbox.conf
- Execute Cuckoo (check the image output): cd cuckoo && python cuckoo.py
- Also run the web.py interface (default port 8080): cd cuckoo/utils && python web.py
- Also run the Django interface on port 6969: cd cuckoo/web && python manage.py runserver 0.0.0.0:6969
- It installs Cuckoo Sandbox by default with all the optional components: yara, ssdeep, django, ...
- It installs the latest versions of ssdeep, yara, pydeep-master and jansson.
- It tries to solve common problems during the installation: ldconfig, autoreconf, ...
- It installs VirtualBox by default and creates the host-only interface.
- It creates the iptables rules and enables IP forwarding so the Cuckoo virtual machines have internet access:
  sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
  sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  sudo iptables -A POSTROUTING -t nat -j MASQUERADE
  sudo sysctl -w net.ipv4.ip_forward=1
- It allows tcpdump to be run by a non-root user:
  sudo apt-get -y install libcap2-bin
  sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
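The two steps above (NAT rules and the tcpdump capabilities) are the ones most often found broken after a reboot or a second run of the installer. The following is an added example, not part of cuckooautoinstall: it builds the same rules from parameters, applies them only when they are not already present, and verifies the result. It assumes the uplink interface, host-only interface and guest subnet are passed as arguments, and it deliberately narrows the MASQUERADE rule to the guest subnet and uplink (the installer's rule masquerades all traffic); that narrowing is this example's own choice.

```shell
#!/bin/sh
# Added example (not from cuckooautoinstall): parameterised, idempotent version of
# the installer's NAT rules plus a post-install check.

# Print the iptables commands for a given uplink, host-only interface and guest subnet.
# Arguments: uplink (e.g. eth0), host-only interface (e.g. vboxnet0), subnet (e.g. 192.168.56.0/24).
cuckoo_nat_rules() {
    uplink=$1; hostonly=$2; subnet=$3
    printf '%s\n' \
      "iptables -A FORWARD -i $hostonly -o $uplink -s $subnet -m conntrack --ctstate NEW -j ACCEPT" \
      "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -s $subnet -o $uplink -j MASQUERADE"
}

# Apply each rule only if it is not already present: "iptables -C" exits 0 when the
# rule exists, so re-running this does not append duplicate rules. Needs root.
cuckoo_apply_rules() {
    cuckoo_nat_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        sh -c "$check" 2>/dev/null || sh -c "$rule"
    done
    sysctl -w net.ipv4.ip_forward=1
}

# Post-install check: exit 0 when forwarding is on and tcpdump carries both
# capabilities the installer sets; otherwise report what is missing and exit 1.
cuckoo_check_network() {
    status=0
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != "1" ]; then
        echo "ip_forward is off: guests will have no internet"; status=1
    fi
    caps=$(getcap /usr/sbin/tcpdump 2>/dev/null)
    if ! printf '%s' "$caps" | grep -q cap_net_raw || ! printf '%s' "$caps" | grep -q cap_net_admin; then
        echo "tcpdump lacks cap_net_raw/cap_net_admin: captures as user cuckoo will fail"; status=1
    fi
    return $status
}
```

Run `cuckoo_apply_rules eth0 vboxnet0 192.168.56.0/24` as root after installation and `cuckoo_check_network` after every reboot, since the sysctl and the iptables rules are not persistent unless saved.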
- It creates the 'cuckoo' user in the system and adds it to the vboxusers group.
- It enables MongoDB in conf/reporting.conf.
- It fixes the "TEMPLATE_DIRS setting must be a tuple" error that appears when running python manage.py with Django >= 1.6 (in Python, ( "templates" ) is just a parenthesised string, not a tuple). In web/web/settings.py it replaces:
  TEMPLATE_DIRS = ( "templates" )
  with:
  TEMPLATE_DIRS = ( ("templates"), )