Cuckoo: EasyMode

Published by Matt Clemons on

I’ve been running Cuckoo since it came out in 2011. The original project is no longer maintained, but the folks at CERT-EE have released Cuckoo3. Setting up Cuckoo has never been easy for me, but they’ve made it a breeze. By the end of this guide, you’ll have a fully functional Cuckoo environment ready for safe and effective malware analysis.

1. Initial Ubuntu 22.04 Setup

  • Install Ubuntu 22.04. I’m using one of my old laptops.
    • Set your hostname to cuckoo.
    • User can be anything but “cuckoo”.
    • During installation, enable automatic login for ease of access.
  • Upgrade the system by running:
sudo apt update && sudo apt upgrade -y
  • Install essential packages with:
sudo apt install ssh curl htop vim net-tools -y
  • Optimize laptop power settings:
    • Set screen locks, power saving, and hibernation to disabled.
    • Adjust power settings to maximum performance.
  • Enable remote desktop under Settings > Sharing.
    • Enable remote control
    • Set the user and password
  • Disable laptop lid actions by editing logind.conf:
sudo vim /etc/systemd/logind.conf
  • Uncomment and set: HandleLidSwitch=ignore
  • Set a static IP:
    • Edit /etc/netplan/01-network-configuration.yaml like so:
network:
    version: 2
    renderer: NetworkManager
    ethernets:
        enp58s0f1:
            addresses:
                - 192.168.66.66/24
            nameservers:
                addresses: [8.8.8.8, 8.8.4.4]
            routes:
                - to: default
                  via: 192.168.66.1
  • Reboot.

2. Installing Cuckoo3

Now that your environment is ready, let’s set up Cuckoo3.

  • Download and install Cuckoo3 using the provided installation script: curl -sSf https://cuckoo-hatch.cert.ee/static/install/quickstart | sudo bash
    • Follow the instructions and create a non-sudo user named “cuckoo”. This script handles several dependencies and configurations, allowing you to quickly deploy Cuckoo on your machine.
    Tip: Refer to Cuckoo3 GitHub Repository for an in-depth understanding of the setup process and additional configuration options.
  • Configure network routing for isolated web traffic:
    • I want to route all traffic from a dirty VLAN on pfSense through a VPN to the internet. See this guide on pfSense VPN setup to configure secure traffic routing.
  • Enable IP forwarding to allow VM network communication: sudo vim /etc/sysctl.conf
    • Uncomment and set: net.ipv4.ip_forward = 1

3. Firewall Configuration

Set up UFW to control access to critical ports:

sudo ufw allow 22    # SSH
sudo ufw allow 8080  # Web interface
sudo ufw allow 2042  # Cuckoo report server
sudo ufw allow 3389  # RDP
sudo ufw enable

4. Configuring QEMU for Interactive Analysis

To perform interactive malware analysis, configure the VMs in QEMU to display a GUI:

  • Edit the machineinfo.json for each VM in your Cuckoo environment: vim /home/cuckoo/.vmcloak/vms/qemu/win10vm_X/machineinfo.json
    • Change -display from "none" to "gtk" for each VM.

5. Helper Script for Network Bridging

  • Stop Cuckoo’s debug mode using Ctrl + C.
  • Reboot to get to a starting point.
  • Modify the helper script at ~/helper_script.sh and paste in the following:
sudo /opt/cuckoo3/venv/bin/vmcloak-qemubridge br0 192.168.30.1/24 source /opt/cuckoo3/venv/bin/activate sudo iptables -t nat -A POSTROUTING -o wlp59s0 -s 192.168.30.0/24 -j MASQUERADE
# Default drop
sudo iptables -P FORWARD DROP
# Existing connections
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow VM traffic to the internet
sudo iptables -A FORWARD -s 192.168.30.0/24 -j ACCEPT
# Internal VM traffic
sudo iptables -A FORWARD -s 192.168.30.0/24 -d 192.168.30.0/24 -j ACCEPT

Set your network interface to whatever is in use. I’m using my wireless NIC: wlp59s0.

6. Starting Cuckoo

  • Run the helper script: ./helper_script.sh
  • Activate the Cuckoo virtual environment: source ~/cuckoo3/venv/bin/activate
  • Run Cuckoo in debug mode: cuckoo --debug
  • Submit files for analysis through the Cuckoo web interface. http://your_ip:8080

Wrapping Up

You now have a fully operational Cuckoo Sandbox set up to conduct secure malware analysis on your isolated environment. With the correct configurations, networking, and optimizations, your Cuckoo sandbox is ready to handle various analysis tasks while ensuring safe traffic routing and effective malware analysis capabilities.

Categories: Security

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Programming

SDLC 2: Prototyping, Hybrid, and Custom Models

1. Prototype Model The Prototype Model is used when project requirements are unclear or expected to evolve. It focuses on creating an initial version (prototype) that allows stakeholders to visualize the product early on and Read more…

Security

IR 7: Cloud Incident handling and Malware Analysis

Introduction As more organizations move to cloud environments, incident handling in platforms like AWS has become essential for SOC operations. This post will cover strategies for managing incidents in cloud environments, specifically AWS, and wrap Read more…

Security

IR 6: Persistence, Powershell and Advanced Forensics

Introduction One of the goals for incident response is not just stopping an attack but making sure attackers can’t get back in. Attackers often use persistence techniques to maintain access, setting up mechanisms that survive Read more…