Cuckoo Installation and Configuration on Debian 10 Buster

The tutorial covers installation and configuration of the Cuckoo Malware Sandbox on Debian 10 Buster. Once you have successfully completed all steps, your Cuckoo installation will be ready to analyze malware uploaded to the guest VM, a Windows 7 x64 SP1 VM running on Oracle VirtualBox. The tutorial is based on the excellent YouTube videos below.

Cuckoo Installation Part 1 - Download and Install Cuckoo
Cuckoo Installation Part 2 - Guest and network configuration

Host Software:
- Debian 10 Buster
- Oracle VirtualBox 6.0.14

Guest OS:
- Windows 7 x64 SP1

1. Install Git and Required Packages

$ sudo apt-get update
$ sudo apt-get install git -y

$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev -y
$ sudo apt-get install python-virtualenv python-setuptools -y
$ sudo apt-get install libjpeg-dev zlib1g-dev swig -y

2. Install MongoDB

$ wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | sudo apt-key add -
$ echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.2.list
$ sudo apt-get update
$ sudo apt-get install -y mongodb-org

3. Install PostgreSQL DB

$ sudo apt-get install postgresql libpq-dev -y

4. Install Oracle VirtualBox 6

$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -

$ sudo add-apt-repository "deb http://download.virtualbox.org/virtualbox/debian buster contrib"

$ sudo apt update
$ sudo apt install virtualbox-6.0

5. Install tcpdump

$ sudo apt-get install tcpdump apparmor-utils -y
$ sudo aa-disable /usr/sbin/tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Note: You must be able to run tcpdump as the non-root user that will later run Cuckoo (check the capabilities with getcap /usr/sbin/tcpdump); otherwise Cuckoo will complain later.

6. Install Volatility

$ git clone https://github.com/volatilityfoundation/volatility

$ cd volatility

$ sudo python ./setup.py install
$ cd ..

7. Install M2Crypto

$ sudo pip install M2Crypto

8. Download and Install Cuckoo

$ sudo pip install -U pip setuptools
$ sudo pip install -U cuckoo

$ sudo pip install distorm3

9. Cuckoo Working Directory

$ sudo mkdir /opt/cuckoo
$ sudo chown $(whoami):$(whoami) /opt/cuckoo/

10. Load Cuckoo Signatures

Signatures are highly recommended: they improve and enrich the information extracted during an analysis, and they also contribute to the analysis score that you see in the Web Interface.

$ cuckoo --cwd /opt/cuckoo community

10. Install Windows 7 to VirtualBox Guest VM

I assume you all know how to install a virtual machine in VirtualBox, so please install your OS. I will be assigning mine 2 GB of RAM, 2 CPUs and an 80 GB hard disk. Do not install the VirtualBox Guest Additions, as malware can use them to detect that it is running in a VM.

11. Create and Configure Interface vboxnet0

Once the installation is complete, shut down the virtual machine and run the following commands:

$ vboxmanage hostonlyif create
$ vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

Use ifconfig (or ip addr, since Debian 10 does not ship net-tools by default) to ensure the vboxnet0 adapter shows up.

In the VM's VirtualBox settings, change the network adapter to Host-only Adapter attached to vboxnet0, and start the machine.

12. Configure IP Address for Windows 7 VM

Edit the Windows network settings, disable IPv6, and configure the adapter as follows:

Static IP - 192.168.56.101
Mask - 255.255.255.0
Default Gateway - 192.168.56.1
DNS - any DNS server (8.8.8.8)

13. Configure Debian Firewall and Forwarding Between Interfaces

Go back to the Debian machine and run the following commands. Replace the interface ens32 with your primary NIC.

Set the default FORWARD policy to DROP.
$ sudo iptables -P FORWARD DROP

Accept new connections from vboxnet0 to the whole Internet.
$ sudo iptables -A FORWARD -o ens32 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT

Allow existing connections.
$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Configure NAT to masquerade traffic from the guest (192.168.56.101) behind the IP address assigned to ens32.
$ sudo iptables -A POSTROUTING -t nat -o ens32 -j MASQUERADE

Allow the Cuckoo agent running on the Windows VM to reach the Cuckoo host.
$ sudo iptables -A INPUT -s 192.168.56.0/24 -d 192.168.56.1/32 -j ACCEPT

Save the iptables configuration so it survives a Debian reboot. The /etc/iptables directory and the rules.v4 file come from the iptables-persistent package (sudo apt-get install iptables-persistent), which also restores the saved rules at boot.

$ sudo su
# iptables-save > /etc/iptables/rules.v4

Enable forwarding between interfaces. Writing to /proc takes effect immediately but does not persist; to keep forwarding enabled across reboots, set net.ipv4.ip_forward=1 in /etc/sysctl.conf as well.

$ sudo su
# echo 1 > /proc/sys/net/ipv4/ip_forward

Note: Read about iptables configuration here.

Verify that the virtual machine has an Internet connection: open cmd, ping www.msn.com and check that it replies. You must also be able to ping the vboxnet0 IP address 192.168.56.1.
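A preflight script for the rules from this step, added here as an example and not part of Cuckoo or the original tutorial. It parses an iptables-save dump (the constructed SAMPLE_RULES by default, or the saved /etc/iptables/rules.v4 if you pass its path) and reports whether each rule the analysis network relies on is present; it assumes the ens32 uplink and the 192.168.56.0/24 addresses used above, and is written for Python 3 rather than Cuckoo's Python 2 environment.

```python
"""Preflight check for the Cuckoo analysis network from step 13 (added example, not
part of Cuckoo): parses iptables-save output and verifies the rules that keep the guest
behind the host's NAT and let agent.py reach 192.168.56.1. SAMPLE_RULES is constructed."""
import sys
GUEST_NET, HOST_IP = "192.168.56.0/24", "192.168.56.1/32"  # steps 11-13
HOSTONLY_IF, UPLINK_IF = "vboxnet0", "ens32"               # ens32 = your primary NIC
SAMPLE_RULES = """\
*nat
-A POSTROUTING -o ens32 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A INPUT -s 192.168.56.0/24 -d 192.168.56.1/32 -j ACCEPT
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens32 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Yield (table, chain, {option: value}) per -A line; assumes every option takes a
    value, which holds for the tutorial's rules (no '!' negation or bare flags)."""
    table = None
    for line in text.splitlines():
        tok = line.split()
        if line.startswith("*"):
            table = line[1:]
        elif tok[:1] == ["-A"]:
            yield table, tok[1], {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1, 2)}

def has_rule(rules, table, chain, **want):
    """True if a rule in table/chain has every wanted option; iptables-save reorders options and ctstate lists, so compare as dict/set."""
    want = {("-" if len(k) == 1 else "--") + k: v for k, v in want.items()}
    same = lambda k, a, b: set(a.split(",")) == set(b.split(",")) if k == "--ctstate" else a == b
    return any(t == table and c == chain and all(k in o and same(k, o[k], v) for k, v in want.items())
               for t, c, o in rules)

def check_rules(text, uplink=UPLINK_IF):
    """Return {check_name: bool}; all must be True for a contained guest."""
    rules = list(parse_rules(text))
    return {
        "forward_default_drop": ":FORWARD DROP" in text,
        "guest_new_to_uplink": has_rule(rules, "filter", "FORWARD", s=GUEST_NET, i=HOSTONLY_IF, o=uplink, ctstate="NEW", j="ACCEPT"),
        "established_replies": has_rule(rules, "filter", "FORWARD", ctstate="ESTABLISHED,RELATED", j="ACCEPT"),
        "guest_masquerade": has_rule(rules, "nat", "POSTROUTING", j="MASQUERADE"),
        "agent_to_host": has_rule(rules, "filter", "INPUT", s=GUEST_NET, d=HOST_IP, j="ACCEPT"),
    }

if __name__ == "__main__":  # optional argument: a saved dump such as /etc/iptables/rules.v4
    results = check_rules(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES)
    print("\n".join(("OK      " if ok else "MISSING ") + n for n, ok in results.items()))
    sys.exit(0 if all(results.values()) else 1)
```

On the live host, dump the running ruleset with iptables-save to a file and pass that path; any MISSING line (and exit status 1) means the guest network is not contained the way this step intends.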

14. Upload Cuckoo Agent to Guest VM (Windows)

The Windows VM must be running the Cuckoo agent when a malware analysis is started from Cuckoo on Debian. The agent, agent.py, is located in /opt/cuckoo/agent on the host (Debian). As we haven't installed the VirtualBox Guest Additions in the Windows VM, we run a Samba server on Debian and share the file, then download the agent from the Samba share.

Alternatively, you can run a web server on Debian and download the agent to Windows over HTTP.

As the agent is a Python script, we need to download Python 2.7 and Python Pillow into the Windows VM and install both.

- Python 2.7.0 (x64 msi)
- Pillow-5.1.0.win-amd64-py2.7.exe

Once the packages are installed, turn the Windows Firewall off. We will also turn UAC off so it doesn't interfere with the running malware: open cmd, type uac, and change the setting to Never notify.

Now run the agent. Open cmd and check that the agent is listening on socket 0.0.0.0:8000 with the command netstat -vatn.

Picture 1 - Cuckoo Agent Listening on VirtualBox Windows VM

Once complete, create a snapshot of the VM while it is running with the agent listening, because Cuckoo restores this running state for every analysis. I will save the snapshot as snapshot1 with the description "nothing installed".

15. Cuckoo Configuration

Edit the VirtualBox configuration. We need to change the VM name, label and mode. Change the default VM name cuckoo1 to the name of the Windows VM in VirtualBox; mine is Windows7-Cuckoo. Change mode from headless to gui.

$ vi /opt/cuckoo/conf/virtualbox.conf

# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui" or "headless". Please refer to VirtualBox's official
# documentation to understand the differences.
mode = gui

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = Windows7-Cuckoo

[Windows7-Cuckoo]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = Windows7-Cuckoo

16. Cuckoo Web Interface

Cuckoo provides a full-fledged web interface in the form of a Django application. This interface allows you to submit files, browse through the reports, and search across all the analysis results.

Start the MongoDB database server.

$ sudo systemctl start mongod

root@freepc:/opt/cuckoo# netstat -tulpn | grep mongo
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 24135/mongod

Enable the mongodb module in /opt/cuckoo/conf/reporting.conf:

[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username =
password =

Now we can run the web server.

$ cuckoo --cwd /opt/cuckoo web runserver

17. Testing

Shut down the Windows VM and start Cuckoo in debug mode to catch Cuckoo errors.

$ cuckoo --cwd /opt/cuckoo -d

Log in to the web interface from Debian at http://127.0.0.1:8000/ and submit malware for analysis: select the file and press the Analyze button. Cuckoo will then start the Windows VM with the running Cuckoo agent. Check whether there are error messages in the console where Cuckoo is running.

The log file from starting Cuckoo is here. The file messages-task16 shows the logs for malware analysis task 16.

3 thoughts on “Cuckoo Installation and Configuration on Debian 10 Buster”

1. I had to run "cuckoo --cwd /opt/cuckoo init" before "cuckoo --cwd /opt/cuckoo community" to get the directory structure mentioned later.

2. Thanks for your great tutorial, but I had a problem in forwarding IPv4 packets.
   The command line "iptables-save > /etc/iptables/rules.v4" doesn't work for me.

   The solution I found is:
   sudo nano /etc/sysctl.conf
   #Uncomment the next line to enable packet forwarding for IPv4
   net.ipv4.ip_forward=1
