Malware analysis is an interesting topic that most information security engineers are familiar with. In manual malware analysis, samples are moved to an isolated machine called a sandbox, where in-depth analysis is carried out. The steps followed to determine the attributes of a malware sample are usually the same, so automating the analysis process is an obvious way to save time. One such automated analysis system, which I would like to showcase in this article, is Cuckoo.
Cuckoo is an open source system which automates malware analysis. It is used to automatically execute and analyze a given file, thereby collecting a comprehensive analysis of the overall behavior of the malware while running inside an isolated Windows OS.
It can collect the following types of results:
- Traces of API calls (Win32) performed by all processes exploited by the malware.
- Files that are created, downloaded or even deleted by the malware during the execution.
- Memory dumps and full machine dumps.
- Network traffic trace (PCAP format).
- Automatically taken screenshots of Windows desktop during the execution of the malware.
Cuckoo is designed so that it can be used both as a standalone application and as a component integrated into larger frameworks.
It can be used to analyze:
- Generic Windows executables
- DLL files
- PDF documents
- Microsoft Office documents
- PHP scripts
Cuckoo Sandbox consists of central management software (CMS) which handles sample execution and analysis. Each analysis is automatically launched in a fresh isolated virtual machine. Cuckoo’s architecture is composed of a Host machine (the management software) and a number of Guest machines (virtual machines for analysis). The Host runs the core component of the sandbox that manages the whole analysis process, while the Guest operating systems are the isolated environments where the malware samples or executables are actually executed safely and analyzed.
The following picture explains Cuckoo’s main architecture:
Preparing the Host
Cuckoo Sandbox can run on any operating system, but it is intended to run on Linux. The best choice for installing Cuckoo Sandbox is the latest Ubuntu LTS server operating system. Before configuring Cuckoo, we have to install all the required dependencies and libraries.
Installing Python libraries
Cuckoo host components are written fully in Python; therefore we have to make sure we have an appropriate Python version installed.
For the current release of Cuckoo, Python 2.7 is preferred.
Install Python on Ubuntu:
Cuckoo requires SQLAlchemy to function properly.
Install with apt-get:
Install with pip:
The following dependencies and libraries are recommended for the smooth working of Cuckoo Sandbox:
- Dpkt – for extracting relevant information from PCAP files.
- Jinja2 – for rendering the HTML reports and the web interface.
- Magic – for identifying files’ formats (otherwise use “file” command line utility).
- Pydeep – for calculating ssdeep fuzzy hash of files.
- Pymongo – for storing the results in a MongoDB database.
- Yara and Yara Python – for matching Yara signatures (use the svn version).
- Libvirt – for using the KVM machine manager.
- Bottlepy – for using the api.py and web.py utilities.
- Pefile – used for static analysis of PE32 binaries.
In order to inspect and dump the network activity performed by the malware during its execution, we have to configure a network sniffer to capture the traffic and write it to a file. By default, Cuckoo uses tcpdump, the most prominent open source solution.
Installing it on Ubuntu:
Tcpdump requires root privileges, but since we don’t want Cuckoo to execute as root, we have to set specific Linux capabilities on the binary:
We can verify the result of the last command with:
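The capability step described above, as an added example that is not part of the original article: it grants tcpdump only the two network capabilities a sniffer needs and checks the result. The binary path and the function names are assumptions; the checker accepts both `getcap` output styles.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed path; confirm with `command -v tcpdump`.
TCPDUMP=${TCPDUMP:-/usr/sbin/tcpdump}

# Run once as an administrator (defined here, not invoked automatically).
grant_sniffer_caps() {
    sudo setcap cap_net_raw,cap_net_admin=eip "$TCPDUMP"
}

# Check one line of `getcap` output. Both styles are accepted:
#   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip     (newer libcap)
# Returns 0 only if exactly cap_net_admin and cap_net_raw are set with flags eip.
caps_ok() {
    line=$1
    spec=${line##* }                 # last whitespace-separated field
    case $spec in
        *+*) caps=${spec%%+*}; flags=${spec##*+} ;;
        *=*) caps=${spec%%=*}; flags=${spec##*=} ;;
        *)   return 1 ;;             # empty output: no capabilities set
    esac
    [ "$flags" = "eip" ] || return 1
    sorted=$(printf '%s\n' "$caps" | tr ',' '\n' | sort | tr '\n' ',')
    [ "$sorted" = "cap_net_admin,cap_net_raw," ]
}

# Verify the real binary: expected capabilities and no setuid bit left behind.
verify_tcpdump() {
    [ -u "$TCPDUMP" ] && { echo "setuid bit set on $TCPDUMP" >&2; return 1; }
    caps_ok "$(getcap "$TCPDUMP")" || { echo "unexpected capabilities" >&2; return 1; }
    echo "ok: $TCPDUMP"
}
```

Run `grant_sniffer_caps` once, then `verify_tcpdump` after every package upgrade, since replacing the binary drops its file capabilities.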
Now we can proceed with the download and installation.
Create a new user exclusive for handling Cuckoo Sandbox:
$ sudo adduser cuckoo
If we are using VirtualBox, the new user should be added to the “vboxusers” group.
$ sudo usermod -a -G vboxusers cuckoo
Install Cuckoo by extracting the Cuckoo archive into the desired path, then proceed with the configuration steps.
Cuckoo relies on four main configuration files:
- cuckoo.conf: for configuring general behavior and analysis options.
- machinemanager.conf: for defining the options for your virtualization software.
- processing.conf: for enabling and configuring processing modules.
- reporting.conf: for enabling or disabling report formats.
Preparing the Guest
At this point we should have configured the Cuckoo host component, and we should have designed and defined the number and the names of the virtual machines we are going to use for malware execution.
Now we can create such machines and configure them properly.
Creation of the Virtual Machine
Once we have properly installed our virtualization software, we can proceed to creating all the virtual machines we need.
In order to make Cuckoo run properly in our virtualized Windows system, we will have to install some required software and libraries.
- Python: a strict requirement for the Cuckoo guest component (analyzer) to run properly.
- Python Imaging Library: used for taking screenshots of the Windows desktop during the analysis.
- Install additional software such as browsers, PDF readers, office suites, etc., depending upon the type of malware we wish to analyze.
- Disable the “auto update” or “check for updates” feature of any additional software.
One of the most important things to do is disable the Windows Firewall and Automatic Updates. The reason is that they can change how the malware would behave under normal circumstances, and they can pollute the network analysis performed by Cuckoo by dropping connections or adding irrelevant requests.
We can use Windows Security Center to disable both firewall and automatic updates:
The recommended network setup between the Host and the Guest OS is a Host-Only networking layout, with proper forwarding and filtering configured with iptables on the Host.
For example, if we use VirtualBox, we can enable Internet access to the virtual machines using the following iptables configuration rules:
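One way to express the forwarding and filtering described above, as an added example that is not part of the original article: the function only prints the rules so they can be reviewed before being applied. The interface names and subnet are assumptions (VirtualBox's usual host-only defaults and a typical uplink), and the rules that drop guest traffic to private address ranges are an added hardening choice.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed values: adjust all three to the actual setup.
GUEST_IF=${GUEST_IF:-vboxnet0}            # host-only interface
GUEST_NET=${GUEST_NET:-192.168.56.0/24}   # guest subnet
WAN_IF=${WAN_IF:-eth0}                    # host uplink

# Print (do not apply) the rules for the analysis network.
sandbox_rules() {
    # Filtering first: keep samples away from internal networks.
    # Traffic to the Host itself goes through INPUT, so the agent link is unaffected.
    for lan in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A FORWARD -i $GUEST_IF -s $GUEST_NET -d $lan -j DROP"
    done
    # Forwarding: new connections only from the guest subnet out of the uplink,
    echo "iptables -A FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -m conntrack --ctstate NEW -j ACCEPT"
    # and replies to connections the guests opened.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anything else crossing the Host is dropped.
    echo "iptables -P FORWARD DROP"
    # NAT guest traffic behind the Host address, limited to the guest subnet.
    echo "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Review the output, then apply with: sandbox_rules | sudo sh
```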
Installing Cuckoo Agent
Cuckoo uses a custom agent that runs inside the Guest operating system and handles the communication and exchange of data with the Host. Since this agent is designed to be cross-platform, it can be used on Windows as well as on Linux variants and OS X. In order to make Cuckoo work, we have to install and start this agent. On Windows, simply launching the script will also open a Python window; if we want it to run in the background, we can rename the file from agent.py to agent.pyw.
Usage of Cuckoo
To start Cuckoo we can use the command:
We will get an output similar to this:
Now we can submit an executable or URL to the cuckoo sandbox for analysis by using the following command:
Cuckoo also provides a very basic web utility that we can use to submit files to be analyzed.
We can find the script at path utils/web.py and we can start it with:
By default it will create a web server on localhost, port 8080. Open the browser at http://localhost:8080 and it will show a simple form that allows uploading a file and submitting it.
In the Browse section, we can track the status of pending, failed and successful analyses and, when available, a link to view the HTML report is shown.
Web interface of the cuckoo sandbox
Result after running Cuckoo Sandbox with a malware
As an exercise, I would like you all to download this malware called Reveton and upload it to Cuckoo Sandbox to do an automated analysis. Password of the file is –infected