 

Configuring Cuckoo 2.0

To use Cuckoo with my vSphere environment I used the configuration below.

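# Switch to the cuckoo service account, activate its virtualenv and enter the
# config folder of the Cuckoo working directory (~/.cuckoo/conf in Cuckoo 2.0;
# the original note had a typo, ".cuucko").
sudo su - cuckoo
. venv/bin/activate
cd .cuckoo/conf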

Some Python modules are still missing:
# Extra Python modules the stock install did not pull in: pyvmomi (vSphere
# API), psycopg2 (PostgreSQL driver), weasyprint (PDF reports) and m2crypto.
# Only pyvmomi is upgraded (-U); the others are installed as-is. Unpinned
# installs fetch whatever PyPI serves at run time — pin them in a requirements
# file if the sandbox host should be reproducible.
pip install -U pyvmomi
for pkg in psycopg2 weasyprint m2crypto; do
    pip install "$pkg"
done

In auxiliary.conf changed:
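# The section header must not be commented out: with "#[mitm]" the "enabled"
# line below would be read as part of whichever section precedes it.
# Enabling mitm intercepts the guests' TLS traffic; the remaining keys of this
# section (mitmdump path, certificate, ...) are left at their stock values here.
[mitm]
enabled = yes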

In cuckoo.conf changed:
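# cuckoo.conf — these keys live in several sections of the stock file; the
# headers below are the stock section names, confirm them against your copy.

[cuckoo]
# delete the original submitted file
delete_original = yes
machinery = vsphere

[resultserver]
# maximum size in bytes of a file the guest may upload to the result server;
# the stock default is 134217728 (128 MiB). This value is roughly 92 GiB, i.e.
# effectively no limit, so a misbehaving guest can fill the host disk — lower it
# unless that is intended.
upload_max_size = 99134217728

[processing]
# same magnitude as upload_max_size above; see that note
analysis_size_limit = 99134217728

[database]
# plaintext DB credential: keep this file readable by the cuckoo user only, and
# use the same password that is given to CREATE USER in PostgreSQL
connection = postgresql://cuckoo:[password]@localhost:5432/cuckoo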

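# Run as the postgres superuser. The original transcript carried the
# "postgres@Cuckoo2:~$" prompt on every line; prompts are not part of the
# commands and have been dropped so the listing can be pasted as-is.
# 'secret' is only an example: use a strong, unique password and put the
# same value into the connection string in cuckoo.conf.
psql -c "CREATE DATABASE cuckoo;"
psql -c "CREATE USER cuckoo WITH PASSWORD 'secret';"
psql -c "GRANT ALL PRIVILEGES ON DATABASE cuckoo to cuckoo;"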

Because my ESXi host is rather slow, I raised the timeouts in cuckoo.conf:

[timeouts]
# all values are in seconds; raised from the stock defaults because the ESXi
# host is slow
# how long an analysis may run unless a timeout is given at submission
default = 240
# NOTE(review): the stock file describes this as a grace period added on top
# of the analysis timeout, after which the guest is shut down regardless and
# the analysis is considered failed — confirm against your copy
critical = 60
# how long to wait for a VM power-state change (start/stop/revert)
vm_state = 300

In memory.conf changed:
# Default Volatility profile for memory analysis. NOTE(review): the machine
# entries in vsphere.conf set mem_profile = Win7SP1x64, which does not match
# this Win7SP0x86 default — confirm which profile the guests actually need.
guest_profile = Win7SP0x86
# remove the raw memory dump once Volatility has processed it; saves disk
# space, but the dump is then no longer available for later manual forensics
delete_memdump = yes

In processing.conf changed:
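# processing.conf — allowed_dns, extract_dll and dump_delete belong to sections
# of the stock file (presumably [network] and [procmemory]); check where they
# sit in your copy before pasting.
# DNS servers that the network processing module takes into account;
# 10.123.64.11 is an internal resolver, the other three are public ones
allowed_dns = 8.8.8.8,9.9.9.9,8.8.4.4,10.123.64.11
# extract DLLs from process memory dumps
extract_dll = yes
# delete the process memory dumps after they have been processed
dump_delete = yes

# Section headers must not be commented out: with "#[suricata]" the keys below
# would be assigned to the previous section instead of [suricata].
[suricata]
enabled = yes
conf = /etc/suricata/suricata-cuckoo.yaml

# Enabling this sends lookups for the sample to VirusTotal, a third party —
# decide whether that is acceptable for sensitive samples. An API key is also
# required (see the other keys of this section in the stock file).
[virustotal]
enabled = yes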

In reporting.conf changed:

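# Section headers must not be commented out: "#[singlefile]" turns the header
# into a comment and the keys below fall into the preceding section.
[singlefile]
enabled = yes
html = yes
pdf = yes

# Analysis results go to MongoDB (the web interface reads from it). Make sure
# the instance only listens on localhost or requires authentication.
[mongodb]
enabled = yes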

In routing.conf changed:
# host interface through which guest traffic is routed to the internet;
# malware traffic from the analysis VMs leaves via this interface, so apply any
# egress filtering there
internet = ens160

In vsphere.conf changed:

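[vsphere]
# IP address of the vCenter/vSphere host. The bracketed hints that followed the
# values in the original notes were moved into comments: anything after the
# value on the same line would be read as part of the value.
host = xxx.xxx.xxx.xxx
port = 443
# Prefer a dedicated vSphere account restricted to the analysis VMs over root;
# the password below is stored in plaintext, so keep this file readable by the
# cuckoo user only.
user = root
pwd = xxx
# "on" disables verification of the vSphere TLS certificate (the stock one is
# self-signed). The connection can then be intercepted on the management
# network; importing the host's certificate into the trust store and leaving
# this off is the safer option.
unverified_ssl = on
# NOTE(review): [analysis5] is defined below but not listed here, so it will
# not be scheduled — add it if that is unintended.
machines = analysis1,analysis2,analysis3,analysis4

[analysis1]
# name of the VM in vSphere
label = Win7_1
platform = windows
# IP address of the Win7 victim
ip = xxx.xxx.xxx.xxx
# snapshot the VM is restored to before each analysis
snapshot = Win7_1_running
# host interface used to capture this guest's traffic
interface = ens160
# Cuckoo's IP on the victim's network
resultserver_ip = xxx.xxx.xxx.xxx
# Volatility profile for this guest's memory dumps
mem_profile = Win7SP1x64

[analysis2]
label = Win7_2
platform = windows
# IP address of the Win7 victim
ip = xxx.xxx.xxx.xxx
snapshot = Win7_2_running
interface = ens160
# Cuckoo's IP on the victim's network
resultserver_ip = xxx.xxx.xxx.xxx
mem_profile = Win7SP1x64

[analysis3]
label = Win7_3
platform = windows
# IP address of the Win7 victim
ip = xxx.xxx.xxx.xxx
snapshot = Win7_3_running
interface = ens160
# Cuckoo's IP on the victim's network
resultserver_ip = xxx.xxx.xxx.xxx
mem_profile = Win7SP1x64

[analysis4]
label = Win7_4
platform = windows
# IP address of the Win7 victim
ip = xxx.xxx.xxx.xxx
snapshot = Win7_4_running
interface = ens160
# Cuckoo's IP on the victim's network
resultserver_ip = xxx.xxx.xxx.xxx
mem_profile = Win7SP1x64

# not referenced by "machines" above — see the note there
[analysis5]
label = Win7_5
platform = windows
# IP address of the Win7 victim
ip = xxx.xxx.xxx.xxx
snapshot = Win7_5_running
interface = ens160
# Cuckoo's IP on the victim's network
resultserver_ip = xxx.xxx.xxx.xxx
mem_profile = Win7SP1x64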