This repository builds a Cuckoo VM with Vagrant that can be used for malware analysis.
- Download Vagrant from here: http://www.vagrantup.com/downloads.html
- To install on a Debian-based platform, use `dpkg -i`
- Download and install VirtualBox from here: https://www.virtualbox.org/wiki/Downloads
Set up VNC and get access to a trucks machine. If VNC is too painful to use then give TeamViewer a shot by setting it up on the malwarrior box:

```shell
$ vagrant ssh
$ wget http://www.teamviewer.com/download/teamviewer_linux.deb
$ sudo dpkg --add-architecture i386
$ sudo apt-get update
$ sudo apt-get install gdebi
$ sudo gdebi teamviewer_linux.deb
```

Clone this repo, install the puppet plugin and bring the box up:

```shell
$ git clone https://github.com/l50/cuckooVagrantBox.git
$ cd cuckooVagrantBox
$ vagrant plugin install vagrant-puppet-install
$ vagrant up
```
Wait while the VM is downloaded, which could take a bit of time. Eventually the machine will boot and begin configuring Cuckoo with all of its dependencies, using puppet and a modified copy of this script: https://github.com/buguroo/cuckooautoinstall

If you're on the CS machines you will get an error. No worries. Open the VirtualBox GUI and uncheck 3D acceleration under the graphics settings for the machine. Go ahead and give the machine 4 cores and 4096 MB of RAM while you're in there. Finally, run:

```shell
$ vagrant up
```

If a lot of errors come up at the end, you might want to try re-creating your box. Do this using the commands:

```shell
$ vagrant destroy
$ vagrant up
```
When you open the new machine it will be locked. Hit enter and log in with the password `vagrant`. Open a terminal window on the machine that comes up and get to work:

```shell
$ sudo -s
$ mkdir /home/vagrant/xpTransfer
$ cd ~/xpTransfer
$ wget http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe
$ wget https://www.python.org/ftp/python/2.7.9/python-2.7.9.msi
$ cp ../cuckoo/agent/agent.py .
$ /usr/lib/virtualbox/VirtualBox
```
You should be in the VirtualBox Manager at this point.
1. Click File
2. Click Import Appliance
3. Input the following for the import path: `/vagrant/vm/IE6.WinXP/IE6 - WinXP.ova`

   NOTE: If the folder `/vagrant/vm` does not exist, go back to the terminal in the Linux VM and run:

   ```shell
   $ sudo mkdir /vagrant/vm
   $ cd /vagrant/vm
   $ sudo curl -O https://az412801.vo.msecnd.net/vhd/VMBuild_20141027/VirtualBox/IE6/Mac/IE6.XP.For.Mac.VirtualBox.zip
   $ unzip IE6.XP.For.Mac.VirtualBox.zip
   ```

   Then try the import again.
4. Click Import
5. Go into the settings for the box
6. Change the name to `xp`
7. Upgrade the RAM to 1024 MB
8. Change Adapter 1 to Host-only in `vboxnet0`
9. Create a shared folder at `/home/vagrant/xpTransfer` and tick Auto-mount
10. Start the VM
- Click start
- Click Control Panel
- Turn off Windows Firewall
- Click Network Connections
- Double click on Local Area Connection
- Click Properties
- Double click TCP/IP
- Set the IP settings as follows for malwarrior:

  ```text
  IP address: 192.168.56.130
  Subnet Mask: 255.255.255.0
  Default gateway: 192.168.56.1
  ```

You can leave the DNS Server blank.
Lastly, we need to get the Cuckoo agent, PIL and Python 2.7.9 installed.
- Go to My Computer
- Go to xpTransfer under Network Drives
- Copy all three files to the Desktop
- Double click `python-2.7.9.msi` and follow the prompts to install
- Double click `PIL-1.1.7.win32-py2.7.exe` and follow the prompts to install
- Double click `agent.py`; this will open a terminal window, leave it open
Go back to the VirtualBox Manager on the malwarrior machine
- Click Snapshots
- Ctrl-shift-s to take a snapshot, or click the camera
- Rename the snapshot Snapnum1 and click OK
### To create our snapshot for analysis
- Power off the Windows machine
- Click Restore Snapshot
- Untick Create Snapshot (do not create another) and click Restore
Edit the Cuckoo configuration as root:

```shell
$ sudo -s
$ cd ~/cuckoo/conf
$ sublime cuckoo.conf
```

Set `version_check = off` and exit the file.

```shell
$ sublime kvm.conf
```

Set the following parameters like so:

```ini
[kvm]
# Specify ...
machines = xp

# This section header sits directly above the label field and may appear as
# [cuckoo1]; rename it to match the machine name above.
[xp]
label = xp
# Obviously this will change depending on the IP of the machine you're on.
ip = 192.168.56.130
```

Exit the file.

```shell
$ sublime virtualbox.conf
```

Set the following parameters like so:

```ini
machines = xp

# As above, this header sits directly above the label field and may appear as [cuckoo1].
[xp]
label = xp
ip = 192.168.56.130
```

Exit the file.
As root:

```shell
$ cd ~/cuckoo
$ python cuckoo.py
```

Open a new tab:

```shell
$ sudo -s
$ cd ~/cuckoo/utils
$ python submit.py <file name>
```

Open a new tab:

```shell
$ sudo -s
$ cd ~/cuckoo/utils/
$ python web.py
```

Open a web browser and navigate to http://localhost:8080 to view the dashboard.

Open a new tab:

```shell
$ sudo -s
$ cd ~/cuckoo/utils/
$ python api.py
```

The API binds to port 8090.

On the malwarrior machine, to get the report for a submitted file:

```shell
curl http://localhost:8090/tasks/report/1 > <output_name>.txt
```

Use this documentation for the API commands: http://cuckoo.readthedocs.org/en/latest/usage/api/
This repo now has a simple script to pull and filter JSON information from Cuckoo's API. It is located in the `json_tools` directory.

For running samples through Cuckoo, put all the malware files in a directory called `samples` in the cuckoo directory. Make a folder in `samples` called `json` and another in `json` called `processed`.

You must modify the script at the following places with the correct directories:

```shell
## EDIT these paths
CUCKOOUTILS=/cuckoo/utils/
SAMPLEPATH=/cuckoo/samples/
```

Put the Python script (`filter_json.py`) in the `json` folder and start the Cuckoo web API. You can then run the script as:

```shell
sh get_json.sh
```

and modify as necessary.
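As an added example (not this repo's `filter_json.py` or `get_json.sh`), the following Python 3 script shows the filtering step described above: it reduces each Cuckoo 1.x `report.json` saved under `samples/json` to the fields an analyst triages first, writes that summary and moves the processed report into `samples/json/processed`. The report field names (`info`, `target`, `signatures`, `network`, `behavior`) follow the Cuckoo 1.x report format; the sample report is constructed.

```python
import json
import shutil
from pathlib import Path


def summarize(report):
    """Reduce a full Cuckoo 1.x report to the fields an analyst triages first."""
    info = report.get("info", {})
    target = report.get("target", {}).get("file", {})
    network = report.get("network", {})
    return {
        "task_id": info.get("id"),
        "score": info.get("score"),
        "file": target.get("name"),
        "sha256": target.get("sha256"),
        # Severity 1 signatures are informational; keep severity 2 and above.
        "signatures": sorted(s["name"] for s in report.get("signatures", [])
                             if s.get("severity", 0) >= 2),
        "domains": sorted(d["domain"] for d in network.get("domains", [])),
        "hosts": sorted(network.get("hosts", [])),
        "mutexes": sorted(report.get("behavior", {}).get("summary", {}).get("mutexes", [])),
    }


def process_dir(json_dir):
    """Summarise each *.json in json_dir, then move it to json_dir/processed."""
    json_dir = Path(json_dir)
    done = json_dir / "processed"
    done.mkdir(exist_ok=True)
    results = {}
    for path in sorted(json_dir.glob("*.json")):
        try:
            report = json.loads(path.read_text())
        except ValueError:
            continue  # leave a truncated or partial download in place
        summary = summarize(report)
        results[summary["task_id"]] = summary
        (done / (path.stem + ".summary.json")).write_text(json.dumps(summary, indent=2))
        shutil.move(str(path), str(done / path.name))
    return results


# Constructed sample shaped like Cuckoo 1.x report.json; not real analysis output.
SAMPLE_REPORT = {
    "info": {"id": 1, "score": 6.4},
    "target": {"category": "file", "file": {"name": "sample.exe", "sha256": "0" * 64}},
    "signatures": [{"name": "antivm_generic_bios", "severity": 2}, {"name": "has_pdb", "severity": 1}],
    "network": {"hosts": ["192.0.2.10"], "domains": [{"domain": "example.test", "ip": "192.0.2.10"}]},
    "behavior": {"summary": {"mutexes": ["Local\\ConstructedMutex"]}},
}
```

Run `process_dir("/cuckoo/samples/json")` after `get_json.sh` has pulled the reports; files that fail to parse are left in place for a re-fetch.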
Cuckoo - https://github.com/cuckoobox/cuckoo
Vagrant - https://github.com/mitchellh/vagrant
David Reguera's Cuckoo Auto Install Script - https://github.com/buguroo/
Apache