legal contact
 

Feeding the bird

Lab autom. malware analysis and MISP feeding

How to install and use:


The harvesting process at a glance

1.       Start is the actual download of the *live* malware from it’s origin at the offering website in the internet. This is to actually overcome sharing constraints that will later influence if sharing this specific IOC is allowed or not.

2.       A modified cuckoo instance will do the deep analysis of the malware

3.       The results are sent to a MISP instance for correlation and sharing the IOCs

4.       Splunk is used for correlating the IOCs with live metadata to alert for any matches

5.       IOC’s are shared (if qualified) with other SOC’s and public


1.     Getting the malware and storing it Download:

I tried to automate as much as possible within the whole process. So I did with getting the malware down to the storage.

The tool of my choice was “ph0neutria”, as it avoids double storage and stores it’s finding in a secure environment called Viper.

More resources for getting real malware from are:

https://zeltser.com/malware-sample-sources/

https://github.com/ytisf/theZoo

For a quick one-of, using below script will gather some real malware and stores it at a certain subdirectory for submitting it to cuckko after it has finished it’s downloads.

/opt/getmalware.sh

!/bin/bash

wget http://vxvault.net/URL_List.php  -O ./LIVE-Malware.url

dos2unix ./LIVE-Malware.url

while read url; do wget --read-timeout=10 -t 1 -nc -P /opt/LIVE-Malware $url; done < ./LIVE-Malware.url

/opt/cuckoo/utils/submit.py --memory /opt/LIVE-Malware

Storing:

Storing is done in “Viper

Having not found an automatic way of sending every new malware to cuckoo yet, it’s still very handy to search for a specific malware class or sample and just be clicking the “CUCKOO” button, sending it to the analysis.

Storing the actual malware within a cage has the advantage if being able to analyze it later again and again.

Start the harvesting with:

sudo -H -u spider python viper-api -H [local IP address] -p 8080 &

sudo -H -u spider python viper-web -H [local IP address] -p 9090 &

sudo -H -u spider python run.py


2.     Starting the analysis

Start your Viper web GUI:

http://192.168.178.97:9090/

And search/select the malware of your choice.

For analysis to start, just press the “Cuckoo” button.


IF you followed the install script simply starting the VM makes everything ready.

Now switch to your cuckoo GUI and watch the task being run.

https://192.168.178.112/analysis/

The marked number shows you’re the actual Cuckoo-analysis-ID we need later to find the results in the MISP.


3.     Find your new IOC’s in MISP

The event listing in the MISP shows you the related cuckoo analysis:

Select the event-ID to see all crafted values.

Specially check the related events and the correlation graph of the event

By now setting the correct tags, you start the sharing process according to your defined policy.


4.     Using the IOCs in your LMS

Connecting your LMS (i.e. Splunk) to your MISP, you can correlate your IOC’s to the live data that runs into your LMS.

| dbxquery query="SELECT event_id, category, value1 attribute, value2 md5, events.id, events.date, events.info FROM misp.attributes JOIN misp.events ON attributes.event_id = events.id WHERE attributes.category = \"Network activity\"" connection="MISP-Vmware" wrap=t | rename "(001) attributes.event_id.INT" AS event_id | rename "(002) attributes.category.VARCHAR" AS event_category | rename "(003) attributes.attribute.VARCHAR" AS event_attribute | rename "(004) attributes.md5.VARCHAR" AS event_md5 | rename "(006) events.date.DATE" AS event_date | rename "(007) events.info.VARCHAR" AS event_info | rename "(006) events.date.DATE" AS event_date | stats count values(event_date) values(event_category) values(event_info) values(event_attribute) values(event_md5) by event_id | sort - values(event_date)


5.     Sharing



Appendix: Using the modified-cuckoo autoinstall script

New Autoinstall found at: https://github.com/daniel-gallagher/cuckoo-autoinstall

Although now mentioned, I used a Ubuntu 16.04 server version.

cuckoo@ubuntu:/opt/cuckoo-autoinstall$ sudo ./cuckoo.sh /opt password [local IP address] kvm

[+] Cuckoo Path: /opt

[+] DB Password: password

[+] Web Portal IP: 192.168.178.112

[+] APT Update

[+] APT Upgrade

[+] APT Dist-Upgrade and Autoremove

[+] Installing Dependencies

    [+] Round 1 of 3

    [+] Round 2 of 3

    [+] Round 3 of 3

    [+] Copy Configuration Files

[+] Installing Yara

    [+] Dependencies

    [+] Git Clone

    [+] Configure with Cuckoo and Magic Enabled

    [+] Installing...

    [+] Yara-Python

[+] Installing ClamAV

[+] Installing Pydeep

[+] Installing Malheur

    [+] Git Clone

    [+] Configure

    [+] Installing...

[+] Installing Volatility

    [+] Dependencies

    [+] Installing...

[+] Installing PyV8 Javascript Engine (this will take some time)

    [+] Dependencies

    [+] Git Clone

    [+] Build (this is the long part...)

    [+] Installing...

[+] Configuring TcpDump

[+] Installing Suricata

[+] Installing ETUpdate

[+] Installing PostgreSQL

[+] Configuring PostgreSQL DB

[+] Installing KVM

    [+] Remove Default Virtual Network

    [+] Create Cuckoo Virtual Network

[+] Creating Cuckoo User

[+] Installing Modified Version of Cuckoo

    [+] Installing Signatures

    [+] Modifying Config

[+] Installing Nginx

    [+] Configuring

    [+] Creating Self-Signed SSL Certificate

    [+] Generating Diffie-Hellman (DH) Parameters (this will take some time)

[+] Installing Inetsim

[+] Installing Tor Proxy

[+] Installing Privoxy

[+] Installing Routetor

[+] Installing Vsftpd

[+] Creating Startup Script for Cuckoo

    [+] Startup Script Set for KVM

no crontab for cuckoo

[+] Installation Complete!

For some reason, the cuckoo user does not hold a valid PW after install, so keep a second root shell open while the above script is running and set the pw of “cuckoo” to a valid PW again.

# passwd cuckoo

Use the below background appendix of how to setup the virtual machine within KVM.


Appendix: Background information about the setup process of your automated cuckoo install script.

https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27

This tutorial will show you how to create a working malware sandbox, using the fork of Cuckoo378 developed by Brad Spengler, a former Optiv employee, and others. It contains many improvements over the original Cuckoo project:

·         Fully-normalized file and registry names

·         Handling of WoW64 filesystem redirection

·         Many additional API hooks

·         Service monitoring

·         Correlates API calls to malware call chains

·         Ability to follow APC injection and stealth explorer injection

·         Pretty-printed API flags

·         Per-analysis Tor support

·         Over 120 new signature modules (over 70 developed solely by Optiv)

·         Anti-anti-sandbox and anti-anti-VM techniques built-in

·         More stable hooking

·         Ability to restore removed hooks

·         Greatly improved behavioral analysis and signature module API

·         Ability to post comments about analyses

·         Deep hooks in IE's JavaScript and DOM engines usable for Exploit Kit identification

·         Automatic extraction and submission of interesting files from ZIPs, RARs, RFC 2822 emails (.eml), and Outlook .msg files

·         Direct submission of AV quarantine files (Forefront, McAfee, Trend Micro, Kaspersky, MalwareBytes, MSE/SCEP, and SEP12 formats currently supported)

·         Automatic malware classification by Malheur

·         Significant contributions from Jeremy Hedges, William Metcalf, and Kevin Ross

·         Hundreds of other bugfixes

A malware sandbox has many components. Building a sandbox requires you to have an understanding of how all these components work together, and how malware might respond. This guide assumes that you have a working, bare metal system, or a large ESX VM with nested virtualization enabled, running Debian Testing with at least 8 GB of RAM (For running analysis tools, and a few windows VMs) and at least 1TB of disk space (for storing samples, analysis results, and possibly memory dumps).

Cuckoo sandbox allows users to choose from a wide variety of different virtualization and networking techniques. While some malware may be able to detect and avoid some technologies used in this guide, these choices provide excellent coverage and analysis with minimal resources. No sandbox is fail-proof.


Used: http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso

Installed: Debian core and SSH-server only.

So having the basics ready, let’s start…

sudo apt-get remove apt-listchanges

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y

Install some dependencies:

sudo apt install python3-dev python3-pip python-m2crypto libmagic1 swig libvirt-dev upx-ucl libssl-dev wget unzip p7zip-full geoip-database libgeoip-dev libjpeg-dev mono-utils yara python3-yara ssdeep libfuzzy-dev libimage-exiftool-perl curl openjdk-8-jre-headless -y

Install postgres:

sudo apt-get install postgresql postgresql-contrib libpq-dev

sudo pip3 install psycopg2

More Debian packages to generate PDF reports:

$ sudo apt-get install wkhtmltopdf xvfb xfonts-100dpi

Tcpdump is needed quite often

sudo apt-get install tcpdump libcap2-bin

sudo chmod +s /usr/sbin/tcpdump

Get some AV

sudo apt-get install clamav clamav-daemon clamav-freshclam -y

More dependencies

sudo pip3 install git+https://github.com/kbandla/pydeep.git

sudo apt-get install uthash-dev libconfig-dev libarchive-dev libtool autoconf automake checkinstall

Install Malheur, which is used for malware behavior correlation

sudo apt-get install uthash-dev libconfig-dev libarchive-dev libtool autoconf automake checkinstall zlib1g-dev  

git clone https://github.com/rieck/malheur.git

cd malheur

./bootstrap

./configure --prefix=/usr

Make

Make install

sudo checkinstall

cd

Install the Volatility memory analysis system:

sudo apt-get install python3-pil

sudo pip3 install distorm3 pycrypto openpyxl

sudo pip3 install git+https://github.com/volatilityfoundation/volatility.git

Install the PyV8 JavaScript engine, used for analyzing malicious JavaScript:

sudo apt-get install libboost-all-dev

The next line takes quite a long line, so be patient….

sudo git clone https://github.com/buffer/pyv8.git

cd pyv8

sudo apt-get install build-essential autoconf libtool pkg-config python-opengl python-imaging python-pyrex python-pyside.qtopengl idle-python2.7 qt4-dev-tools qt4-designer libqtgui4 libqtcore4 libqt4-xml libqt4-test libqt4-script libqt4-network libqt4-dbus python-qt4 python-qt4-gl libgle3 python-dev

sudo pip3 install greenlet

sudo pip3 install gevent

sudo python setup.py build

sudo python setup.py install

Install Suricata

sudo apt-get install suricata

sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata-cuckoo.yaml

Change /etc/suricata/suricata-cucko.yaml

  - file-store:

      ##mp enabled: no       # set to yes to enable

      enabled: yes       # set to yes to enable

      ##mp force-hash: [md5]

      force-hash: [md5]

      force-filestore: yes # force storing of all files

  - file-log:

      enabled: yes

    http:

      enabled: yes

      request-body-limit: 0

      response-body-limit: 0

      libhtp:

         default-config:

           personality: IDS

           request-body-limit: 0

           response-body-limit: 0

vars:

    #EXTERNAL_NET: "!$HOME_NET"

    EXTERNAL_NET: "any"

Download etupdate to update Emerging Threat's Open IDS rules:

cd
git clone https://github.com/seanthegeek/etupdate.git
sudo cp etupdate/etupdate /usr/sbin
sudo /usr/sbin/etupdate -V

 

Check for a similar output:

Current version: 0

Latest version: 8565

Downloading rules...

Extracting rules to '/etc/suricata'...

mpauli@bird:~$

Edit the crontab:

$ sudo crontab -e

Add the line:

42 * * * * /usr/sbin/etupdate

 


Install KVM and virt-manager for setting up the guest system
sudo apt-get install qemu-kvm libvirt-clients libvirt-daemon virt-manager

Add your user to the kvm and libvirt groups, so you can manage VMs:

sudo usermod -a -G kvm $USER
sudo usermod -a -G libvirt $USER

Start the virtual manger and edit the network connection.

Virt-manager

Delete the default virtual network

 

And create a new VirtualNetwork as per below screenshots:


Now let’S cuckoo

Create a user named cuckoo on the system. This user will run a few services that Cuckoo needs, as well as Cuckoo itself.

sudo adduser cuckoo
sudo usermod -L cuckoo

Add the cuckoo user to the right groups to manage VMs

sudo usermod -a -G kvm cuckoo
sudo usermod -a -G libvirt cuckoo
Download Cuckoo
sudo su cuckoo
cd
wget https://bitbucket.org/mstrobel/procyon/downloads/procyon-decompiler-0.5.30.jar
git clone https://github.com/spender-sandbox/cuckoo-modified.git
mkdir vmshared
cp cuckoo-modified/agent/agent.py vmshared/agent.pyw
exit
sudo chmod ug=rwX,o=rX ~cuckoo/vmshared
sudo mv ~cuckoo/cuckoo-modified /opt/cuckoo
sudo apt install python-dpkt
cd
git clone https://github.com/erocarrera/pefile.git
cd pefile
python setup.py build
sudo python setup.py install
edit /opt/cuckoo/requirements.txt and comment out the above installed packets, like I did below:
#pefile
#dpkt
#pefile2==1.2.11
sudo pip3 install -r /opt/cuckoo/requirements.txt
sudo su cuckoo
cd /opt/cuckoo/utils
./community.py -afw
exit

Create some prereqs for the final act:

sudo apt-get install nginx apache2-utils

sudo usermod -a -G cuckoo $USER

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout cuckoo.key -out cuckoo.crt

openssl dhparam -out dhparam.pem 4096

cd

sudo mkdir /etc/nginx/ssl

sudo cp ssl/* /etc/nginx/ssl/

sudo chown -R root:www-data /etc/nginx/ssl

sudo chmod -R u=rX,g=rX,o= /etc/nginx/ssl

sudo rm /etc/nginx/sites-enabled/default

sudo vi /etc/nginx/sites-available/cuckoo^

server {

    listen 0.0.0.0:443 ssl http2;

    ssl_certificate /etc/nginx/ssl/cuckoo.crt;

    ssl_certificate_key /etc/nginx/ssl/cuckoo.key;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

    ssl_session_cache shared:SSL:10m;

    ssl_session_tickets off; # Requires nginx >= 1.5.9

    # Uncomment this next line if you are using a signed, trusted cert

    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    add_header X-Frame-Options SAMEORIGIN;

    add_header X-Content-Type-Options nosniff;

    root /usr/share/nginx/html;

    index index.html index.htm;

    client_max_body_size 101M;

    auth_basic "Login required";

    auth_basic_user_file /etc/nginx/htpasswd;

    location / {

        proxy_pass http://127.0.0.1:8000;

        proxy_set_header Host $host;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }

    location /storage/analysis {

       alias /opt/cuckoo/storage/analyses/;

       autoindex on;

       autoindex_exact_size off;

       autoindex_localtime on;

    }

    location /static {

      alias /opt/cuckoo/web/static/;

    }

}

server {

    listen 0.0.0.0:80;

    return 301 https://$server_name$request_uri;

}

server {

  listen 192.168.100.1:8080;

    root /home/cuckoo/vmshared;

     location / {

           try_files $uri $uri/ =404;

           autoindex on;

           autoindex_exact_size off;

           autoindex_localtime on;

     }

}

# Host the upstream legacy API

server {

    listen 0.0.0.0:4343 ssl http2;

    ssl_certificate /etc/nginx/ssl/cuckoo.crt;

    ssl_certificate_key /etc/nginx/ssl/cuckoo.key;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

    ssl_session_cache shared:SSL:10m;

    ssl_session_tickets off; # Requires nginx >= 1.5.9

   # Uncomment this next line if you are using a signed, trusted cert

    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    add_header X-Frame-Options SAMEORIGIN;

    add_header X-Content-Type-Options nosniff;

    root /usr/share/nginx/html;

    index index.html index.htm;

    client_max_body_size 101M;

    location / {

        proxy_pass http://127.0.0.1:8001;

        proxy_set_header Host $host;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

       

        # Restrict access

       allow all;

      #allow 192.168.1.0/24;

      deny all;

    }

}

sudo ln -s /etc/nginx/sites-available/cuckoo /etc/nginx/sites-enabled/cuckoo

sudo htpasswd -c /etc/nginx/htpasswd  mpauli

sudo chown root:www-data /etc/nginx/htpasswd

sudo chmod u=rw,g=r,o= /etc/nginx/htpasswd

sudo service nginx restart

To install inetsim:

wget http://www.inetsim.org/debian/binary/inetsim_1.2.5-1_all.deb
sudo apt-get install gdebi-core
sudo gdebi inetsim_1.2.5-1_all.deb

 

sudo vi /etc/inetsim/inetsim.conf

Set service_bind_address and dns_default_ip to 192.168.100.1

Edit /etc/default/inetsim:

Set ENABLED to 1

Start inetsim:

$ sudo service inetsim restart

Install tor for the anonymized access to the malware and virustotal

sudo apt-get install tor

Add these lines at the bottom of /etc/tor/torrc

TransListenAddress 192.168.100.1

TransPort 9040

DNSListenAddress 192.168.100.1

DNSPort 5353

sudo service tor restart

Install privoxy to access tor. (tor only supports socks5)

Add tor’s socks to /etc/privoxy/config and uncomment

#        forward-socks5t             /     127.0.0.1:9050 .

In /etc/privoxy/config

sudo service privoxy restart


Configure Cuckoo to make use of tor

git clone https://github.com/seanthegeek/routetor.git

cd routetor

sudo cp *tor* /usr/sbin

cd

Schedule routetor to run at system boot by running:

sudo crontab -e

And adding the following line to the crontab file:

@reboot /usr/sbin/routetor

Start routetor for the first time:

sudo /usr/sbin/routetor &

vsftpd

We will use nginx to serve static files like installers from the host to the VMs. But what if you wanted to copy a file from a VM to the host? The simplest way is to use vsftpd as an anonymous FTP server. That way, the VM can send files without being able to overwrite the installers hosted by nginx.

First, create a publicly accessible folder:

sudo mkdir /home/cuckoo/vmshared/pub
sudo chown cuckoo:cuckoo /home/cuckoo/vmshared/pub
sudo chmod 777 /home/cuckoo/vmshared/pub

Install vsftpd:

sudo apt-get install vsftpd

By default, it runs on port 21, which is already is use by inetsim to run its fake FTP server, so we need to change the port it listens on, among other things:

sudo vi /etc/vsftpd.conf

Make the following changes:

listen=YES
listen_ipv6=NO
anonymous_enable=YES
local_enable=NO

Uncomment the following lines:

write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES

Add the lines:

listen_address=192.168.100.1
listen_port=2121
anon_root=/home/cuckoo/vmshared
anon_umask=000
chown_upload_mode=0666
pasv_enable=Yes
pasv_min_port=10090
pasv_max_port=10100

Restart the service:

sudo service vsftpd restart

The VMs can now read /home/cuckoo/vmshared and write to /home/cuckoo/vmshared/pub.

You can access the FTP server in Windows natively by typing ftp://192.168.100.1:2121 into any Explorer window.

cd /home/cuckoo/vmshared/pub

wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso

Now create the first guest machine:

nohup virt-manager &

Change:

Add new hardware:

Change:


After Windows is installed create a username and computer name that is fictitious, but realistic for your industry. Leave the password blank.

When you get to a screen that says "Help protect your computer and improve Windows automatically", click "Ask me later".

Configuring the VM

Once Windows has been installed, and you are at the desktop:

·         Set the theme to Classic

·         Set the screen resolution to 1024x768

Open the VM in virt-manager and click on the blue information button in the toolbar to edit the hardware info.

Select the IDE CD-ROM drive, and disconnect the windows ISO. Then, connect the VirtIO drivers ISO that you downloaded earlier.

In the VM, right click on Computer in the Start Menu, then click Properties. In the upper-left of the System window, click Device Manager.

Follow these steps for each of the "Other devices":

1.    Right-click on the device, and click Update Driver Software

2.    Click browse my computer manually

3.    Select the root of the D drive

Windows will automatically locate the proper driver on the disk.

After all of the drivers have been installed, shut down the system.

Edit the VM hardware options again, and disconnect the ISO from the CD-ROM drive.

Now that the driver for the VirtIO storage bus has been installed in Windows, the dummy drive isn't needed any more, and you can configure your primary drive to use VirtIO for much-improved performance.

Remove the dummy VirtIO disk.

Edit the IDE disk. Under advanced options, set the bus to VirtIO Under performance, set the cache mode to writeback.

Start the VM and set the below IP’s statically.

Install and activate your copy of Office (32-bit only, even in a 64-bit OS, due to a bug in Cuckoo). Do not use Office365, or at least sign out after install if you have no other choice. 

Remember to disable all update checking when Office prompts you about it.

If your installer is in file format rather than an ISO, zip up the files, and upload the zip to /home/cuckoo/vmshared. It can then be download by the VM from http://192.168.100.1:8080/

Install at least Python, pillow and put the agent.pyw into autostart:

Install all of the latest supported Microsoft Visual C++ Redistributables71, which as of this writing are:

·         Microsoft Visual C++ Redistributable for Visual Studio 201590

·         Microsoft Visual C++ Redistributable Packages for Visual Studio 2012 Update 455

·         Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package MFC Security Update57

·         Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package MFC Security Update45

·         Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update49

To analyze files that use a newer .NET framework, install Microsoft .NET framework 4.6.1.

To analyze more than PE files, the following also need to be installed (older versions are greatly preferred for exploitability and corporate realism):

·         Adobe Flash Player94 (An old version)

·         Adobe Reader76 (An old version)

·         Java Runtime Environment85 (An old version, e.g 6, update 22)

As you install each of these programs, change their configuration to disable update checks, which can create noisy PCAPs.

Stop the Tor transparent proxy:

sudo torstop 192.168.100.101

Disable UAC if using a Windows7 guest:
  1. Click Start ORB, in the Search Field, type secpol.msc, and then press ENTER.
  2. Double-click Local Policies.
  3. Double-click User Rights Assignment.
  4. Double-click Back up Files and directories.
  5. Click Add, and then double-click the Local Administrators group
  6. Click OK.

Shut down the VM.

Take a snapshot at this point, in case you ever need a fresh VM. Click on the snapshots button on the toolbar.

Installing MITM for decrypting SSL traffic:

  26  sudo apt-get install python3-dev python3-pip libffi-dev libssl-dev

   27  sudo pip install mitmproxy

   28  vi auxiliary.conf

   29  ls -l /usr/local/bin/mitmdump

   30  vi auxiliary.conf

Set up PostgreSQL

Replace somePassword with a password of your choice. It can be random. You only need to use it in the cuckoo config

sudo su postgres
psql
CREATE USER cuckoo WITH PASSWORD 'blabla';
CREATE DATABASE cuckoo;
GRANT ALL PRIVILEGES ON DATABASE cuckoo to cuckoo;

Type \q to exit

Exit the postgres bash shell:

$ exit
Configure Cuckoo
sudo su cuckoo
cd /opt/cuckoo
vi conf/cuckoo.conf

Change the machinery option to kvm

Change the terminate_processes option to yes. This will make Cuckoo gracefully request the termination of the process that is being analyzed prior to shutting down the VM. This is useful for things like some Office macros that launch on close.

Warning! By default, Cuckoo is configured to do post-analysis DNS lookups using the host! This is to allow comparisons with what the VM resolved. However, it could also potentially tip off an attacker and/or deanonymize you, even if your VM isn't connected to the internet! To disable this feature, set resolve_dns to off in cuckoo.conf.

Set ip to 192.168.100.1.

Set the connection setting to use PostgreSQL:

connection = postgresql://cuckoo:blabla@localhost:5432/cuckoo

Where password is the password you set in PostgreSQL for the cuckoo user.

$ nano conf/processing.conf

Under static, uncomment the line with the procyon_path variable, including any leading whitespace.

Set Suricata enabled to yes.

Change the Suricata conf option to /etc/suricata/suricata-cuckoo.yaml

$ nano conf/reporting.conf

Set reporthtmlsummary enabled to yes.

Set reportpdf enabled to yes.

Set mongodb enabled to yes.

Set resubmitexe enabled to yes.

Set malhur enabled to yes.

Edit the Cuckoo KVM configuration file:

$ sudo nano conf/kvm.conf

Set machines to the name of your sandbox VM, such as sandbox-win7-01

Replace cuckoo1 in brackets with the name of your sandbox VM, such as sandbox-win7-01

Set label to the name of your sandbox VM, such as sandbox-win7-01

Uncomment the snapshot option by deleting the # and any leading white space, then set it to the name of your running snapshot, running.

Uncomment the tags option, by deleting the # and any leading white space. Make sure it includes either 32_bit or 64_bit to match the VM OS architecture, so Cuckoo knows which VMs can process 64-bit samples. Add other tags of your choice to describe the VMs, for your own convince. For example:

windows_7,64_bit,acrobat_reader_11,java_6

Finally, uncomment the correct mem_profile for the VM OS, by deleting the # and any leading white space.

Install the community modules
$ sudo su cuckoo
$ cd utils
$ ./community.py -afw
$ exit
Startup script

As you have seen, there are a lot of services working behind-the-scenes to make Cuckoo work. This script will help you start and restart all of them:

sudo pip3 install gunicorn
sudo vi /usr/sbin/cuckooboot
#!/bin/bash
CUCKOO_USER="cuckoo"
CUCKOO_PATH="/opt/cuckoo"
VIRBR_IP="192.168.100.1"
INETSIM_DNS_PORT="5342"
VIRBR_DEV="virbr0"
su $CUCKOO_USER -c "pkill gunicorn" >/dev/null 2>&1
su $CUCKOO_USER -c "pkill python" > /dev/null 2>&1
/usr/bin/curl -s http://$VIRBR_IP:8080/ > /dev/null
# Wait for the virtual bridge to become active before (re)starting services
while [ $? -ne 0 ]
do
sleep 5
/usr/sbin/service nginx restart
/usr/bin/curl -s http://$VIRBR_IP:8080/ > /dev/null
done
# Restart services that bind to the bridge
/usr/sbin/service tor restart
/usr/sbin/service inetsim restart
/usr/sbin/service vsftpd restart
# Start Cuckoo
cd $CUCKOO_PATH
su $CUCKOO_USER -c "./cuckoo.py &"
# Start the Cuckoo web UI
cd web
su $CUCKOO_USER -c "gunicorn --reload -D -w 4 -b 127.0.0.1:8000 web.wsgi"
# Start the legacy upstream API
cd ../utils
su $CUCKOO_USER -c "gunicorn --reload -D -w 4 -b 127.0.0.1:8001 api"
# Redirect libvirt VM DNS quires to inetsim's DNS port
/sbin/iptables -t nat -C  PREROUTING -d $VIRBR_IP -p udp --dport 53 -j REDIRECT --to-ports $INETSIM_DNS_PORT >/dev/null 2>&1
if [ $? -ne 0 ]; then
    /sbin/iptables -t nat -I PREROUTING -d $VIRBR_IP -p udp --dport 53 -j REDIRECT --to-ports $INETSIM_DNS_PORT
fi
# Allow inetsim to accept traffic for any IP address
/sbin/iptables -t nat -C PREROUTING -i $VIRBR_DEV -j REDIRECT >/dev/null 2>&1
if [ $? -ne 0 ]; then
    /sbin/iptables -t nat -A PREROUTING -i $VIRBR_DEV -j REDIRECT
fi
Issue a chmod:
sudo chmod +x  /usr/sbin/cuckooboot

Appendix Usefull commands:

root@ubuntu:~# /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353

root@ubuntu:~# /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p tcp --dport 80 -j REDIRECT --to-ports 9040

root@ubuntu:~# /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p tcp --dport 443 -j REDIRECT --to-ports 9040

Mit privoxy als Socks-Bridge

sudo /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353

sudo /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p tcp --dport 80 -j REDIRECT --to-ports 8118

sudo /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p tcp --dport 443 -j REDIRECT --to-ports 8118

As per the Cuckoo Page:

Dokumenting work in progress of IPTABLEs rules:

iptables -A FORWARD -o ens33 -i virbr1 -s 192.168.100.0/24 -m conntrack --ctstate NEW -j ACCEPT

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -t nat -j MASQUERADE

root@ubuntu:~# iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

ACCEPT     all  --  192.168.100.0/24     anywhere             ctstate NEW

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

root@ubuntu:~# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination

MASQUERADE  all  --  anywhere             anywhere

MUST BE:

REDIRECT   tcp  --  192.168.100.101      anywhere             tcp dpt:!2042 flags:FIN,SYN,RST,ACK/SYN redir ports 9040

REDIRECT   udp  --  192.168.100.101      anywhere             udp dpt:domain redir ports 5353

/etc/tor/torrc

Reset iptables to default:

# IPv6

   ##

   ## set default policies to let everything in

   ip6tables --policy INPUT   ACCEPT;

   ip6tables --policy OUTPUT  ACCEPT;

   ip6tables --policy FORWARD ACCEPT;

   ##

   ## start fresh

   ip6tables -Z; # zero counters

   ip6tables -F; # flush (delete) rules

   ip6tables -X; # delete all extra chains

# IPv4

   ##

   ## set default policies to let everything in

   iptables --policy INPUT   ACCEPT;

   iptables --policy OUTPUT  ACCEPT;

   iptables --policy FORWARD ACCEPT;

   ##

   ## start fresh

   iptables -Z; # zero counters

   iptables -F; # flush (delete) rules

   iptables -X; # delete all extra chains

Default ACL for KVM images:

root@cuckoo:/var/lib/libvirt# ls -l

total 20

drwx--x--x 2 root         root 4096 Dec  1 00:44 boot

drwxr-xr-x 2 root         root 4096 Apr  4 07:23 dnsmasq

drwx--x--x 2 root         root 4096 Mar 24 03:00 images

drwxr-x--- 7 libvirt-qemu kvm  4096 Apr  4 07:27 qemu

drwx------ 2 root         root 4096 Dec  1 00:44 sanlock

root@cuckoo:/var/lib/libvirt# ## chown -r root:mpauli images/

root@cuckoo:/var/lib/libvirt# ls -l images/

total 16322772

-rw------- 1 root root  5369823744 Mar 24 02:54 sandbox-win7-01-1.qcow2

-rw------- 1 root root 13084917760 Mar 30 03:35 sandbox-win7-01-2.qcow2

-rw------- 1 root root  5369757696 Mar 24 03:01 sandbox-win7-01-3.qcow2

-rw------- 1 root root 11935940608 Mar 24 02:54 sandbox-win7-01.qcow2

root@cuckoo:/var/lib/libvirt# chown -r root:mpauli images/


Appendix: ph0neutria config in my test scenario:

/opt/ph0neutria/settings.conf

root@mal-crawler:/opt/ph0neutria/config# cat settings.conf

[Core]

multiprocess=yes

deleteoutput=yes

useragent=Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36

outputfolder=storage

# Refer to: https://docs.python.org/2/library/time.html - escape '%' with '%'.

dateformat=%%d-%%m-%%Y

usetor=yes

torport=9050

[MalShare]

# http://malshare.com/doc.php

apiurl=http://malshare.com/api.php

apikey=f1db099942390f333a20030e139009b9ef603b5e22f006c0430bc4d0c3dd9f9c

remotefirst=yes

remoteonly=yes

disable=no

[Malc0de]

url=http://malc0de.com/rss

[Minotaur]

url=http://minotauranalysis.com/raw/urls

[VXVault]

url=http://vxvault.net/URL_List.php

[Viper]

# http://viper-framework.readthedocs.io/en/latest/usage/web.html

##addurl=http://10.123.12.38:8080/file/add

addurl=http://192.168.178.97:8080/file/add

#findurl=http://10.123.12.38:8080/file/find

findurl=http://192.168.178.97:8080/file/find

[cuckoo]

api_url=http://192.168.178.112:8001


Appendix: Viper config

To start Viper use this commands:

sudo -H -u spider python viper-api -H [local IP address] -p 8080 &

sudo -H -u spider python viper-web -H [local IP address] -p 9090 &

/opt/viper# cat viper.conf

 [modules]

store_output = True

[paths]

storage_path =

[database]

connection =

[web]

host = 0.0.0.0

port = 8080

[api]

enabled = True

host = 0.0.0.0

port = 9090

[autorun]

enabled = True

verbose = True

commands = cuckoo -f -i'Submit from Viper';

 [virustotal]

virustotal_has_private_key = False

virustotal_has_intel_key = False

virustotal_key = xxxxxxxxxxxxxxxxxxxxxx

[cuckoo]

cuckoo_modified = True

cuckoo_host = http://192.168.178.112:8001

cuckoo_web = https://192.168.178.112

[reports]

malwr_login = https://malwr.com/account/login/

malwr_user =

malwr_pass =

malwr_search = https://malwr.com/analysis/search/

malwr_prefix = https://malwr.com

[misp]

misp_url = https://misp.mpauli.de

misp_key = xxxxxxxxxxxxxxxxxx

misp_verify = True

misp_vturl = https://www.virustotal.com/vtapi/v2/file/report

misp_taxonomies_directory = ./misp-taxonomies

[pssl]

pssl_url =

pssl_user =

pssl_pass =

[pdns]

pdns_url =

pdns_user =

pdns_pass =

[koodous]

base_url = https://koodous.com/api/apks

token = d01d9c845e4b2430682241c5faa55e786c129441

/home/spider/.viper/viper.conf

 [modules]

store_output = True

[paths]

storage_path = /tmp/LIVE-Malware

[database]

connection =

[web]

host = 192.168.178.97

port = 8080

[api]

enabled = True

host = 192.168.178.97

port = 9090

[autorun]

enabled = True

verbose = True

commands = cuckoo -f, yara scan -t, triage;

[virustotal]

virustotal_has_private_key = False

virustotal_has_intel_key = False

virustotal_key = xxxxxxxxxxxxxx

[cuckoo]

cuckoo_modified = true

##cuckoo_host = https://192.168.178.112:4343

cuckoo_host = http://192.168.178.112:8001

cuckoo_web = https://192.168.178.112

[reports]

malwr_login = https://malwr.com/account/login/

malwr_user =

malwr_pass =

malwr_search = https://malwr.com/analysis/search/

malwr_prefix = https://malwr.com

[misp]

misp_url = https://misp.paulis.net

misp_key = xxxxxxxxxxxxxx

misp_verify = True

misp_vturl = https://www.virustotal.com/vtapi/v2/file/report

misp_taxonomies_directory = ./misp-taxonomies

[pssl]

pssl_url =

pssl_user =

pssl_pass =

[pdns]

pdns_url =

pdns_user =

pdns_pass =

[koodous]

base_url = https://koodous.com/api/apks

token = d01d9c845e4b2430682241c5faa55e786c129441


Appendix Cuckoo config cuckoo.conf

[cuckoo]

delete_original = off

delete_bin_copy = off

machinery = kvm

memory_dump = on

terminate_processes = off

reschedule = off

process_results = on

max_analysis_count = 0

max_machines_count = 0

max_vmstartup_count = 10

freespace = 64

tmppath = /tmp

daydelta = 0

[resultserver]

ip = 192.168.100.1

port = 2042

store_csvs = on

upload_max_size = 910485760

[processing]

analysis_size_limit = 9104857600

analysis_call_limit = 0

resolve_dns = on

reverse_dns = on

ram_boost = off

sort_pcap = on

[database]

connection = postgresql://cuckoo:blabla@localhost:5432/cuckoo

timeout = 60

[timeouts]

default = 600

critical =120

vm_state = 300


auxiliary.conf

[sniffer]

enabled = yes

tcpdump = /usr/sbin/tcpdump

interface = virbr0

[tor]

enabled = yes

torstart = /usr/sbin/torstart

torstop = /usr/sbin/torstop

[msoffice]

decryptor = /opt/cuckoo/msoffice/bin/msoffice-crypt.exe

[gateways]

RTR1 = 192.168.178.1

[virustotaldl]

enabled = no

dlintelkey = SomeKeyWithDLAccess

dlpath = /tmp/

[display_browser_martians]

enabled = yes

[display_office_martians]

enabled = yes

[display_shrike]

enabled = yes

[expanded_dashboard]

enabled = yes

[display_et_portal]

enabled = yes

[display_pt_portal]

enabled = yes




api.conf

cuckoo@ubuntu:/opt/cuckoo/conf$ cat api.conf

[api]

ratelimit = yes

url = http://example.tld

 [filecreate]

enabled = yes

allmachines = no

upload_limit = 10

multifile = no

status = yes

rps = 1/s

rpm = 2/m

 [urlcreate]

enabled = yes

allmachines = no

status = yes

rps = 1/s

rpm = 2/m

 [vtdl]

enabled = yes

allmachines = no

status = yes

rps = 1/s

rpm = 2/m

 [fileview]

enabled = yes

md5 = yes

sha1 = yes

sha256 = yes

id = yes

rps = 2/s

rpm = 10/m

 [tasksearch]

enabled = yes

md5 = yes

sha1 = yes

sha256 = yes

rps = 2/s

rpm = 10/m

 [extendedtasksearch]

enabled = yes

rps = 1/s

rpm = 10/m

 [tasklist]

enabled = yes

maxwindow = 1440

maxlimit = 50

defaultlimit = 10

rps = 1/s

rpm = 5/m

 [taskview]

enabled = yes

rps = 1/s

rpm = 10/m

 [taskresched]

enabled = no

rps = 1/s

rpm = 5/m

 [taskdelete]

enabled = no

rps = 1/s

rpm = 5/m

 [taskstatus]

enabled = yes

rps = 4/s

 [taskreport]

enabled = yes

all = yes

rps = 1/s

rpm = 6/m

 [taskiocs]

enabled = yes

jsonoverwrite = no

rps = 1/s

rpm = 4/m

 [taskscreenshot]

enabled = yes

rps = 1/s

 [taskpcap]

enabled = yes

rps = 1/s

#rpm = 10/m

 [taskdropped]

enabled = yes

rps = 1/s

rpm = 20/m

 [tasksurifile]

enabled = yes

rps = 1/s

rpm = 20/m

 [taskprocmemory]

enabled = yes

all = no

compress = no

rps = 1/s

rpm = 4/m

 [taskfullmemory]

enabled = yes

compress = no

rps = 1/s

rpm = 2/m

 [sampledl]

enabled = yes

rps = 2/s

 [machinelist]

enabled = yes

rps = 1/s

 [machineview]

enabled = yes

rps = 1/s

 [cuckoostatus]

enabled = yes

rps = 2/s

[rollingsuri]

enabled = yes

windowmax = 1440

rps = 2/s

[rollingshrike]

enabled = yes

windowmax = 10080


kvm.conf

[kvm]

machines = cuckoo1

[cuckoo1]

label = sandox-win7-01

platform = windows

ip = 192.168.100.101

snapshot = running

interface = virbr0

resultserver_ip = 192.168.100.1

resultserver_port = 2042

tags = windows_7_sp3,32_bit,acrobat_reader_6

mem_profile = Win7SP3x64


processing.conf

[analysisinfo]

enabled = yes

[decompression]

enabled = yes

[behavior]

enabled = yes

[debug]

enabled = yes

[dropped]

enabled = yes

buffer = 8192

[memory]

enabled = no

[usage]

enabled = no

[network]

enabled = yes

dnswhitelist = no

[procmemory]

enabled = yes

strings = yes

[static]

enabled = yes

whois = yes

[strings]

enabled = yes

nullterminated_only = yes

minchars = 5

[targetinfo]

enabled = yes

[virustotal]

enabled = yes

timeout = 60

key = xxxxxxxxxx

do_file_lookup = yes

do_url_lookup = yes

urlscrub = (^http:\/\/serw\.clicksor\.com\/redir\.php\?url=|&InjectedParam=.+$)

[suricata]

enabled = no

runmode = cli

evelog = eve.json

#alertlog = alert.json

#httplog = http.json

#tlslog = tls.json

#sshlog = ssh.json

#dnslog = dns.json

fileslog = files-json.log

filesdir = files

buffer = 8192

7zbin = /usr/bin/7z

zippass = infected

##Runmode "cli" options

bin = /usr/bin/suricata

conf = /etc/suricata/suricata.yaml

##Runmode "socket" Options

pylib_dir = /usr/lib/python2.7/dist-packages/suricatasc/

socket_file = /var/run/suricata/suricata-command.socket

[cif]

enabled = no

url = https://your-cif-server.com/api

key = your-api-key-here

timeout = 60

confidence = 85

nolog = yes

per_lookup_limit = 20

per_analysis_limit = 200


reporting.conf

[jsondump]

enabled = yes

ram_boost = yes

indent = 4

encoding = latin-1

[reporthtml]

enabled = no

[reporthtmlsummary]

enabled = no

[reportpdf]

enabled = no

[mmdef]

enabled = no

[maec41]

enabled = no

mode = overview

processtree = true

output_handles = false

static = true

strings = true

virustotal = true

deduplicate = true

[mongodb]

enabled = yes

host = 127.0.0.1

port = 27017

db = cuckoo

fix_large_docs = yes

 [elasticsearchdb]

enabled = no

searchonly = no

host = 127.0.0.1

port = 9200

index = cuckoo

[retention]

enabled = no

run_every = 6

memory = 14

procmemory = 62

pcap = 62

sortedpcap = 14

bsonlogs = 62

dropped = 62

screencaps = 62

reports = 62

mongo = 731

elastic = no

malheur = no

[syslog]

enabled = no

host =10.xx.xx.40

port = 514

protocol = udp

logfile = yes

logname = syslog.log

[moloch]

enabled = no

base = https://172.18.100.105:8005/

node = cuckoo3

capture = /data/moloch/bin/moloch-capture

captureconf = /data/moloch/etc/config.ini

user = admin

pass = admin

realm = Moloch

[resubmitexe]

enabled = no

resublimit = 5

[malheur]

enabled = yes

maxsimilar = 20

[compression]

enabled = yes

zipmemdump = yes

zipmemstrings = yes

zipprocdump = yes

zipprocstrings = yes

[misp]

enabled = yes

apikey = xxxxxxxxxxxxxx

url = https://misp.mpauli.de

min_malscore = 3

threads = 10

extend_context = yes

upload_iocs = yes

distribution = 1

threat_level_id = 2

analysis = 2

title = IOCs from TheSOC-cuckoo analysis:

network = yes

ids_files = yes

dropped = yes

registry = yes

mutexes = yes

[distributed]

enabled = no

remove_task_on_slave = no

db = sqlite:///dist.db

samples_directory = /tmp/distributed_cuckoo_samples

dead_count = 5

retriever_threads = 4