Feeding the bird
Lab autom. malware analysis and MISP feeding
How to install and use:
The harvesting process at a glance
1. Start is the actual download of the *live* malware from it’s origin at the offering website in the internet. This is to actually overcome sharing constraints that will later influence if sharing this specific IOC is allowed or not.
2. A modified cuckoo instance will do the deep analysis of the malware
3. The results are sent to a MISP instance for correlation and sharing the IOCs
4. Splunk is used for correlating the IOCs with live metadata to alert for any matches
5. IOC’s are shared (if qualified) with other SOC’s and public
1. Getting the malware and storing it Download:
I tried to automate as much as possible within the whole process. So I did with getting the malware down to the storage.
The tool of my choice was “ph0neutria”, as it avoids double storage and stores it’s finding in a secure environment called Viper.
More resources for getting real malware from are:
https://zeltser.com/malware-sample-sources/
https://github.com/ytisf/theZoo
For a quick one-of, using below script will gather some real malware and stores it at a certain subdirectory for submitting it to cuckko after it has finished it’s downloads.
/opt/getmalware.sh
!/bin/bash
wget http://vxvault.net/URL_List.php -O ./LIVE-Malware.url
dos2unix ./LIVE-Malware.url
while read url; do wget --read-timeout=10 -t 1 -nc -P /opt/LIVE-Malware $url; done < ./LIVE-Malware.url
/opt/cuckoo/utils/submit.py --memory /opt/LIVE-Malware
Storing:Storing is done in “Viper”
Having not found an automatic way of sending every new malware to cuckoo yet, it’s still very handy to search for a specific malware class or sample and just be clicking the “CUCKOO” button, sending it to the analysis.
Storing the actual malware within a cage has the advantage if being able to analyze it later again and again.
Start the harvesting with:
sudo -H -u spider python viper-api -H [local IP address] -p 8080 &
sudo -H -u spider python viper-web -H [local IP address] -p 9090 &
sudo -H -u spider python run.py
2. Starting the analysis
Start your Viper web GUI:
And search/select the malware of your choice.
For analysis to start, just press the “Cuckoo” button.
IF you followed the install script simply starting the VM makes everything ready.
Now switch to your cuckoo GUI and watch the task being run.
https://192.168.178.112/analysis/
The marked number shows you’re the actual Cuckoo-analysis-ID we need later to find the results in the MISP.
The event listing in the MISP shows you the related cuckoo analysis:
Select the event-ID to see all crafted values.
Specially check the related events and the correlation graph of the event
By now setting the correct tags, you start the sharing process according to your defined policy.
4. Using the IOCs in your LMS
Connecting your LMS (i.e. Splunk) to your MISP, you can correlate your IOC’s to the live data that runs into your LMS.
| dbxquery query="SELECT event_id, category, value1 attribute, value2 md5, events.id, events.date, events.info FROM misp.attributes JOIN misp.events ON attributes.event_id = events.id WHERE attributes.category = \"Network activity\"" connection="MISP-Vmware" wrap=t | rename "(001) attributes.event_id.INT" AS event_id | rename "(002) attributes.category.VARCHAR" AS event_category | rename "(003) attributes.attribute.VARCHAR" AS event_attribute | rename "(004) attributes.md5.VARCHAR" AS event_md5 | rename "(006) events.date.DATE" AS event_date | rename "(007) events.info.VARCHAR" AS event_info | rename "(006) events.date.DATE" AS event_date | stats count values(event_date) values(event_category) values(event_info) values(event_attribute) values(event_md5) by event_id | sort - values(event_date)
5. Sharing
Appendix: Using the modified-cuckoo autoinstall script
New Autoinstall found at: https://github.com/daniel-gallagher/cuckoo-autoinstallAlthough now mentioned, I used a Ubuntu 16.04 server version.
cuckoo@ubuntu:/opt/cuckoo-autoinstall$ sudo ./cuckoo.sh /opt password [local IP address] kvm
[+] Cuckoo Path: /opt
[+] DB Password: password
[+] Web Portal IP: 192.168.178.112
[+] APT Update
[+] APT Upgrade
[+] APT Dist-Upgrade and Autoremove
[+] Installing Dependencies
[+] Round 1 of 3
[+] Round 2 of 3
[+] Round 3 of 3
[+] Copy Configuration Files
[+] Installing Yara
[+] Dependencies
[+] Git Clone
[+] Configure with Cuckoo and Magic Enabled
[+] Installing...
[+] Yara-Python
[+] Installing ClamAV
[+] Installing Pydeep
[+] Installing Malheur
[+] Git Clone
[+] Configure
[+] Installing...
[+] Installing Volatility
[+] Dependencies
[+] Installing...
[+] Installing PyV8 Javascript Engine (this will take some time)
[+] Dependencies
[+] Git Clone
[+] Build (this is the long part...)
[+] Installing...
[+] Configuring TcpDump
[+] Installing Suricata
[+] Installing ETUpdate
[+] Installing PostgreSQL
[+] Configuring PostgreSQL DB
[+] Installing KVM
[+] Remove Default Virtual Network
[+] Create Cuckoo Virtual Network
[+] Creating Cuckoo User
[+] Installing Modified Version of Cuckoo
[+] Installing Signatures
[+] Modifying Config
[+] Installing Nginx
[+] Configuring
[+] Creating Self-Signed SSL Certificate
[+] Generating Diffie-Hellman (DH) Parameters (this will take some time)
[+] Installing Inetsim
[+] Installing Tor Proxy
[+] Installing Privoxy
[+] Installing Routetor
[+] Installing Vsftpd
[+] Creating Startup Script for Cuckoo
[+] Startup Script Set for KVM
no crontab for cuckoo
[+] Installation Complete!
For some reason, the cuckoo user does not hold a valid PW after install, so keep a second root shell open while the above script is running and set the pw of “cuckoo” to a valid PW again.
# passwd cuckoo
Use the below background appendix of how to setup the virtual machine within KVM.
Appendix: Background information about the setup process of your automated cuckoo install script.
https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
This tutorial will show you how to create a working malware sandbox, using the fork of Cuckoo378 developed by Brad Spengler, a former Optiv employee, and others. It contains many improvements over the original Cuckoo project:
· Fully-normalized file and registry names
· Handling of WoW64 filesystem redirection
· Many additional API hooks
· Service monitoring
· Correlates API calls to malware call chains
· Ability to follow APC injection and stealth explorer injection
· Pretty-printed API flags
· Per-analysis Tor support
· Over 120 new signature modules (over 70 developed solely by Optiv)
· Anti-anti-sandbox and anti-anti-VM techniques built-in
· More stable hooking
· Ability to restore removed hooks
· Greatly improved behavioral analysis and signature module API
· Ability to post comments about analyses
· Deep hooks in IE's JavaScript and DOM engines usable for Exploit Kit identification
· Automatic extraction and submission of interesting files from ZIPs, RARs, RFC 2822 emails (.eml), and Outlook .msg files
· Direct submission of AV quarantine files (Forefront, McAfee, Trend Micro, Kaspersky, MalwareBytes, MSE/SCEP, and SEP12 formats currently supported)
· Automatic malware classification by Malheur
· Significant contributions from Jeremy Hedges, William Metcalf, and Kevin Ross
· Hundreds of other bugfixes
A malware sandbox has many components. Building a sandbox requires you to have an understanding of how all these components work together, and how malware might respond. This guide assumes that you have a working, bare metal system, or a large ESX VM with nested virtualization enabled, running Debian Testing with at least 8 GB of RAM (For running analysis tools, and a few windows VMs) and at least 1TB of disk space (for storing samples, analysis results, and possibly memory dumps).
Cuckoo sandbox allows users to choose from a wide variety of different virtualization and networking techniques. While some malware may be able to detect and avoid some technologies used in this guide, these choices provide excellent coverage and analysis with minimal resources. No sandbox is fail-proof.
Used: http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso
Installed: Debian core and SSH-server only.
So having the basics ready, let’s start…
sudo apt-get remove apt-listchanges
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y
Install some dependencies:
sudo apt install python3-dev python3-pip python-m2crypto libmagic1 swig libvirt-dev upx-ucl libssl-dev wget unzip p7zip-full geoip-database libgeoip-dev libjpeg-dev mono-utils yara python3-yara ssdeep libfuzzy-dev libimage-exiftool-perl curl openjdk-8-jre-headless -y
Install postgres:
sudo apt-get install postgresql postgresql-contrib libpq-dev
sudo pip3 install psycopg2
More Debian packages to generate PDF reports:
$ sudo apt-get install wkhtmltopdf xvfb xfonts-100dpi
Tcpdump is needed quite often
sudo apt-get install tcpdump libcap2-bin
sudo chmod +s /usr/sbin/tcpdump
Get some AV
sudo apt-get install clamav clamav-daemon clamav-freshclam -y
More dependencies
sudo pip3 install git+https://github.com/kbandla/pydeep.git
sudo apt-get install uthash-dev libconfig-dev libarchive-dev libtool autoconf automake checkinstall
Install Malheur, which is used for malware behavior correlation
sudo apt-get install uthash-dev libconfig-dev libarchive-dev libtool autoconf automake checkinstall zlib1g-dev
git clone https://github.com/rieck/malheur.git
cd malheur
./bootstrap
./configure --prefix=/usr
Make
Make install
sudo checkinstall
cd
Install the Volatility memory analysis system:
sudo apt-get install python3-pil
sudo pip3 install distorm3 pycrypto openpyxl
sudo pip3 install git+https://github.com/volatilityfoundation/volatility.git
Install the PyV8 JavaScript engine, used for analyzing malicious JavaScript:
sudo apt-get install libboost-all-dev
The next line takes quite a long line, so be patient….
sudo git clone https://github.com/buffer/pyv8.git
cd pyv8
sudo apt-get install build-essential autoconf libtool pkg-config python-opengl python-imaging python-pyrex python-pyside.qtopengl idle-python2.7 qt4-dev-tools qt4-designer libqtgui4 libqtcore4 libqt4-xml libqt4-test libqt4-script libqt4-network libqt4-dbus python-qt4 python-qt4-gl libgle3 python-dev
sudo pip3 install greenlet
sudo pip3 install gevent
sudo python setup.py build
sudo python setup.py install
Install Suricata
sudo apt-get install suricata
sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata-cuckoo.yaml
Change /etc/suricata/suricata-cucko.yaml
- file-store:
##mp enabled: no # set to yes to enable
enabled: yes # set to yes to enable
##mp force-hash: [md5]
force-hash: [md5]
force-filestore: yes # force storing of all files
- file-log:
enabled: yes
http:
enabled: yes
request-body-limit: 0
response-body-limit: 0
libhtp:
default-config:
personality: IDS
request-body-limit: 0
response-body-limit: 0
vars:
#EXTERNAL_NET: "!$HOME_NET"
EXTERNAL_NET: "any"
Download etupdate
to update Emerging Threat's Open IDS rules:
cd
git clone https://github.com/seanthegeek/etupdate.git
sudo cp etupdate/etupdate /usr/sbin
sudo /usr/sbin/etupdate -V
Check for a similar output:
Current version: 0
Latest version: 8565
Downloading rules...
Extracting rules to '/etc/suricata'...
mpauli@bird:~$
Edit the crontab
:
$ sudo crontab -e
Add the line:
42 * * * * /usr/sbin/etupdate
Install KVM and virt-manager for setting up the guest system
sudo apt-get install qemu-kvm libvirt-clients libvirt-daemon virt-manager
Add your user to the kvm
and libvirt
groups, so you can manage VMs:
sudo usermod -a -G kvm $USER
sudo usermod -a -G libvirt $USER
Start the virtual manger and edit the network connection.
Virt-manager
Delete the default virtual network
And create a new VirtualNetwork as per below screenshots:
Now let’S cuckoo
Create a user named cuckoo
on the system. This user will run a few services that Cuckoo needs, as well as Cuckoo itself.
sudo adduser cuckoo
sudo usermod -L cuckoo
Add the cuckoo
user to the right groups to manage VMs
sudo usermod -a -G kvm cuckoo
sudo usermod -a -G libvirt cuckoo
Download Cuckoo sudo su cuckoo
cd
wget https://bitbucket.org/mstrobel/procyon/downloads/procyon-decompiler-0.5.30.jar
git clone https://github.com/spender-sandbox/cuckoo-modified.git
mkdir vmshared
cp cuckoo-modified/agent/agent.py vmshared/agent.pyw
exit
sudo chmod ug=rwX,o=rX ~cuckoo/vmshared
sudo mv ~cuckoo/cuckoo-modified /opt/cuckoosudo apt install python-dpkt
cd
git clone
https://github.com/erocarrera/pefile.git
cd pefile
python setup.py build
sudo python setup.py installedit /opt/cuckoo/requirements.txt and comment out the above installed packets, like I did below:#pefile
#dpkt
#pefile2==1.2.11sudo pip3 install -r /opt/cuckoo/requirements.txt
sudo su cuckoo
cd /opt/cuckoo/utils
./community.py -afw
exit
Create some prereqs for the final act:
sudo apt-get install nginx apache2-utils
sudo usermod -a -G cuckoo $USER
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout cuckoo.key -out cuckoo.crt
openssl dhparam -out dhparam.pem 4096
cd
sudo mkdir /etc/nginx/ssl
sudo cp ssl/* /etc/nginx/ssl/
sudo chown -R root:www-data /etc/nginx/ssl
sudo chmod -R u=rX,g=rX,o= /etc/nginx/ssl
sudo rm /etc/nginx/sites-enabled/default
sudo vi /etc/nginx/sites-available/cuckoo^
server {
listen 0.0.0.0:443 ssl http2;
ssl_certificate /etc/nginx/ssl/cuckoo.crt;
ssl_certificate_key /etc/nginx/ssl/cuckoo.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# Uncomment this next line if you are using a signed, trusted cert
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
root /usr/share/nginx/html;
index index.html index.htm;
client_max_body_size 101M;
auth_basic "Login required";
auth_basic_user_file /etc/nginx/htpasswd;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /storage/analysis {
alias /opt/cuckoo/storage/analyses/;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
}
location /static {
alias /opt/cuckoo/web/static/;
}
}
server {
listen 0.0.0.0:80;
return 301 https://$server_name$request_uri;
}
server {
listen 192.168.100.1:8080;
root /home/cuckoo/vmshared;
location / {
try_files $uri $uri/ =404;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
}
}
# Host the upstream legacy API
server {
listen 0.0.0.0:4343 ssl http2;
ssl_certificate /etc/nginx/ssl/cuckoo.crt;
ssl_certificate_key /etc/nginx/ssl/cuckoo.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# Uncomment this next line if you are using a signed, trusted cert
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
root /usr/share/nginx/html;
index index.html index.htm;
client_max_body_size 101M;
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Restrict access
allow all;
#allow 192.168.1.0/24;
deny all;
}
}
sudo ln -s /etc/nginx/sites-available/cuckoo /etc/nginx/sites-enabled/cuckoo
sudo htpasswd -c /etc/nginx/htpasswd mpauli
sudo chown root:www-data /etc/nginx/htpasswd
sudo chmod u=rw,g=r,o= /etc/nginx/htpasswd
sudo service nginx restart
To install inetsim
:
wget http://www.inetsim.org/debian/binary/inetsim_1.2.5-1_all.deb
sudo apt-get install gdebi-core
sudo gdebi inetsim_1.2.5-1_all.deb
sudo vi /etc/inetsim/inetsim.conf
Set
service_bind_address and dns_default_ip to 192.168.100.1
Edit
/etc/default/inetsim:
Set
ENABLED to 1
Start
inetsim:
$ sudo service inetsim restart
Install tor for the anonymized access to the malware and virustotal
sudo apt-get install tor
Add these lines at the bottom of /etc/tor/torrc
TransListenAddress 192.168.100.1
TransPort 9040
DNSListenAddress 192.168.100.1
DNSPort 5353
sudo service tor restart
Install privoxy to access tor. (tor only supports socks5)
Add tor’s socks to /etc/privoxy/config and uncomment
# forward-socks5t / 127.0.0.1:9050 .
In /etc/privoxy/config
sudo service privoxy restart
Configure Cuckoo to make use of tor
git clone https://github.com/seanthegeek/routetor.git
cd routetor
sudo cp *tor* /usr/sbin
cd
Schedule routetor to run at system boot by running:
sudo crontab -e
And adding the following line to the crontab file:
@reboot /usr/sbin/routetor
Start routetor for the first time:
sudo /usr/sbin/routetor &
vsftpd We will use nginx
to serve static files like installers from the host to the VMs. But what if you wanted to copy a file from a VM to the host? The simplest way is to use vsftpd
as an anonymous FTP server. That way, the VM can send files without being able to overwrite the installers hosted by nginx
.
First, create a publicly accessible folder:
sudo mkdir /home/cuckoo/vmshared/pub
sudo chown cuckoo:cuckoo /home/cuckoo/vmshared/pub
sudo chmod 777 /home/cuckoo/vmshared/pub
Install vsftpd
:
sudo apt-get install vsftpd
By default, it runs on port 21, which is already is use by inetsim
to run its fake FTP server, so we need to change the port it listens on, among other things:
sudo vi /etc/vsftpd.conf
Make the following changes:
listen=YES
listen_ipv6=NO
anonymous_enable=YES
local_enable=NO
Uncomment the following lines:
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Add the lines:
listen_address=192.168.100.1
listen_port=2121
anon_root=/home/cuckoo/vmshared
anon_umask=000
chown_upload_mode=0666
pasv_enable=Yes
pasv_min_port=10090
pasv_max_port=10100
Restart the service:
sudo service vsftpd restart
The VMs can now read /home/cuckoo/vmshared
and write to /home/cuckoo/vmshared/pub
.
You can access the FTP server in Windows natively by typing ftp://192.168.100.1:2121
into any Explorer window.
cd /home/cuckoo/vmshared/pub
wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
Now create the first guest machine:
nohup virt-manager &
Change:
Add new hardware:
Change:
After Windows is installed create a username and computer name that is fictitious, but realistic for your industry. Leave the password blank.
When you get to a screen that says "Help protect your computer and improve Windows automatically", click "Ask me later".
Configuring the VM Once Windows has been installed, and you are at the desktop:
· Set the theme to Classic
· Set the screen resolution to 1024x768
Open the VM in virt-manager and click on the blue information button in the toolbar to edit the hardware info.
Select the IDE CD-ROM drive, and disconnect the windows ISO. Then, connect the VirtIO drivers ISO that you downloaded earlier.
In the VM, right click on Computer in the Start Menu, then click Properties. In the upper-left of the System window, click Device Manager.
Follow these steps for each of the "Other devices":
1. Right-click on the device, and click Update Driver Software
2. Click browse my computer manually
3. Select the root of the D drive
Windows will automatically locate the proper driver on the disk.
After all of the drivers have been installed, shut down the system.
Edit the VM hardware options again, and disconnect the ISO from the CD-ROM drive.
Now that the driver for the VirtIO storage bus has been installed in Windows, the dummy drive isn't needed any more, and you can configure your primary drive to use VirtIO for much-improved performance.
Remove the dummy VirtIO disk.
Edit the IDE disk. Under advanced options, set the bus to VirtIO Under performance, set the cache mode to writeback.
Start the VM and set the below IP’s statically.
Install and activate your copy of Office (32-bit only, even in a 64-bit OS, due to a bug in Cuckoo). Do not use Office365, or at least sign out after install if you have no other choice.
Remember to disable all update checking when Office prompts you about it.
If your installer is in file format rather than an ISO, zip up the files, and upload the zip to /home/cuckoo/vmshared
. It can then be download by the VM from http://192.168.100.1:8080/
Install at least Python, pillow and put the agent.pyw into autostart:
Install all of the latest supported Microsoft Visual C++ Redistributables71, which as of this writing are:
· Microsoft Visual C++ Redistributable for Visual Studio 201590
· Microsoft Visual C++ Redistributable Packages for Visual Studio 2012 Update 455
· Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package MFC Security Update57
· Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package MFC Security Update45
· Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update49
To analyze files that use a newer .NET framework, install Microsoft .NET framework 4.6.1.
To analyze more than PE files, the following also need to be installed (older versions are greatly preferred for exploitability and corporate realism):
· Adobe Flash Player94 (An old version)
· Adobe Reader76 (An old version)
· Java Runtime Environment85 (An old version, e.g 6, update 22)
As you install each of these programs, change their configuration to disable update checks, which can create noisy PCAPs.
Stop the Tor transparent proxy:
sudo torstop 192.168.100.101
Disable UAC if using a Windows7 guest:
- Click Start ORB, in the Search Field, type secpol.msc, and then press ENTER.
- Double-click Local Policies.
- Double-click User Rights Assignment.
- Double-click Back up Files and directories.
- Click Add, and then double-click the Local Administrators group
- Click OK.
Shut down the VM.
Take a snapshot at this point, in case you ever need a fresh VM. Click on the snapshots button on the toolbar.
Installing MITM for decrypting SSL traffic:
26 sudo apt-get install python3-dev python3-pip libffi-dev libssl-dev
27 sudo pip install mitmproxy
28 vi auxiliary.conf
29 ls -l /usr/local/bin/mitmdump
30 vi auxiliary.conf
Set up PostgreSQL Replace somePassword
with a password of your choice. It can be random. You only need to use it in the cuckoo config
sudo su postgres
psql
CREATE
USER cuckoo
WITH
PASSWORD
'blabla';
CREATE
DATABASE cuckoo;
GRANT ALL
PRIVILEGES
ON
DATABASE cuckoo
to cuckoo;
Type \q
to exit
Exit the postgres
bash shell:
$ exit
Configure Cuckoo sudo su cuckoo
cd /opt/cuckoo
vi conf/cuckoo.conf
Change the machinery
option to kvm
Change the terminate_processes
option to yes
. This will make Cuckoo gracefully request the termination of the process that is being analyzed prior to shutting down the VM. This is useful for things like some Office macros that launch on close.
Warning! By default, Cuckoo is configured to do post-analysis DNS lookups using the host! This is to allow comparisons with what the VM resolved. However, it could also potentially tip off an attacker and/or deanonymize you, even if your VM isn't connected to the internet! To disable this feature, set resolve_dns
to off
in cuckoo.conf
.
Set ip
to 192.168.100.1
.
Set the connection
setting to use PostgreSQL:
connection = postgresql://cuckoo:blabla@localhost:5432/cuckoo
Where password
is the password you set in PostgreSQL for the cuckoo
user.
$ nano conf/processing.conf
Under static
, uncomment the line with the procyon_path
variable, including any leading whitespace.
Set Suricata enabled to yes
.
Change the Suricata conf
option to /etc/suricata/suricata-cuckoo.yaml
$ nano conf/reporting.conf
Set reporthtmlsummary
enabled to yes
.
Set reportpdf
enabled to yes
.
Set mongodb
enabled to yes
.
Set resubmitexe
enabled to yes
.
Set malhur
enabled to yes
.
Edit the Cuckoo KVM configuration file:
$ sudo nano conf/kvm.conf
Set machines
to the name of your sandbox VM, such as sandbox-win7-01
Replace cuckoo1
in brackets with the name of your sandbox VM, such as sandbox-win7-01
Set label
to the name of your sandbox VM, such as sandbox-win7-01
Uncomment the snapshot
option by deleting the #
and any leading white space, then set it to the name of your running snapshot, running
.
Uncomment the tags option, by deleting the #
and any leading white space. Make sure it includes either 32_bit
or 64_bit
to match the VM OS architecture, so Cuckoo knows which VMs can process 64-bit samples. Add other tags of your choice to describe the VMs, for your own convince. For example:
windows_7,64_bit,acrobat_reader_11,java_6
Finally, uncomment the correct mem_profile
for the VM OS, by deleting the #
and any leading white space.
Install the community modules $ sudo su cuckoo
$ cd utils
$ ./community.py -afw
$ exit
Startup script As you have seen, there are a lot of services working behind-the-scenes to make Cuckoo work. This script will help you start and restart all of them:
sudo pip3 install gunicorn
sudo vi /usr/sbin/cuckooboot#!/bin/bashCUCKOO_USER=
"cuckoo"
CUCKOO_PATH=
"/opt/cuckoo"
VIRBR_IP=
"192.168.100.1"
INETSIM_DNS_PORT=
"5342"
VIRBR_DEV=
"virbr0"su
$CUCKOO_USER -c
"pkill gunicorn" >/dev/null 2>&1
su
$CUCKOO_USER -c
"pkill python" > /dev/null 2>&1/usr/bin/curl
-s http://
$VIRBR_IP:8080/ > /dev/null# Wait for the virtual bridge to become active before (re)starting services
while [ $?
-ne 0 ]
do
sleep 5
/usr/sbin/service nginx restart
/usr/bin/curl
-s http://
$VIRBR_IP:8080/ > /dev/null
done# Restart services that bind to the bridge
/usr/sbin/service tor restart
/usr/sbin/service inetsim restart
/usr/sbin/service vsftpd restart# Start Cuckoo
cd
$CUCKOO_PATH
su
$CUCKOO_USER -c
"./cuckoo.py &"# Start the Cuckoo web UI
cd web
su
$CUCKOO_USER -c
"gunicorn --reload -D -w 4 -b 127.0.0.1:8000 web.wsgi"# Start the legacy upstream API
cd ../utils
su
$CUCKOO_USER -c
"gunicorn --reload -D -w 4 -b 127.0.0.1:8001 api"# Redirect libvirt VM DNS quires to inetsim's DNS port
/sbin/iptables -t nat -C PREROUTING
-d
$VIRBR_IP -p udp --dport 53 -j REDIRECT --to-ports
$INETSIM_DNS_PORT >/dev/null 2>&1
if [ $?
-ne 0 ];
then
/sbin/iptables -t nat -I PREROUTING
-d
$VIRBR_IP -p udp --dport 53 -j REDIRECT --to-ports
$INETSIM_DNS_PORT
fi# Allow inetsim to accept traffic for any IP address
/sbin/iptables -t nat -C PREROUTING -i
$VIRBR_DEV -j REDIRECT >/dev/null 2>&1
if [ $?
-ne 0 ];
then
/sbin/iptables -t nat -A PREROUTING -i
$VIRBR_DEV -j REDIRECT
fiIssue a chmod:sudo chmod +x /usr/sbin/cuckooboot
Appendix Usefull commands: root@ubuntu:~# /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
root@ubuntu:~# /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p tcp --dport 80 -j REDIRECT --to-ports 9040
root@ubuntu:~# /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p tcp --dport 443 -j REDIRECT --to-ports 9040
Mit privoxy als Socks-Bridge
sudo /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
sudo /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p tcp --dport 80 -j REDIRECT --to-ports 8118
sudo /sbin/iptables -t nat -I PREROUTING -d 192.168.100.1 -p tcp --dport 443 -j REDIRECT --to-ports 8118
As per the Cuckoo Page: Dokumenting work in progress of IPTABLEs rules:
iptables -A FORWARD -o ens33 -i virbr1 -s 192.168.100.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
root@ubuntu:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.100.0/24 anywhere ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ubuntu:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
MUST BE:
REDIRECT tcp -- 192.168.100.101 anywhere tcp dpt:!2042 flags:FIN,SYN,RST,ACK/SYN redir ports 9040
REDIRECT udp -- 192.168.100.101 anywhere udp dpt:domain redir ports 5353
/etc/tor/torrc
Reset iptables to default:
# IPv6
##
## set default policies to let everything in
ip6tables --policy INPUT ACCEPT;
ip6tables --policy OUTPUT ACCEPT;
ip6tables --policy FORWARD ACCEPT;
##
## start fresh
ip6tables -Z; # zero counters
ip6tables -F; # flush (delete) rules
ip6tables -X; # delete all extra chains
# IPv4
##
## set default policies to let everything in
iptables --policy INPUT ACCEPT;
iptables --policy OUTPUT ACCEPT;
iptables --policy FORWARD ACCEPT;
##
## start fresh
iptables -Z; # zero counters
iptables -F; # flush (delete) rules
iptables -X; # delete all extra chains
Default ACL for KVM images:
root@cuckoo:/var/lib/libvirt# ls -l
total 20
drwx--x--x 2 root root 4096 Dec 1 00:44 boot
drwxr-xr-x 2 root root 4096 Apr 4 07:23 dnsmasq
drwx--x--x 2 root root 4096 Mar 24 03:00 images
drwxr-x--- 7 libvirt-qemu kvm 4096 Apr 4 07:27 qemu
drwx------ 2 root root 4096 Dec 1 00:44 sanlock
root@cuckoo:/var/lib/libvirt# ## chown -r root:mpauli images/
root@cuckoo:/var/lib/libvirt# ls -l images/
total 16322772
-rw------- 1 root root 5369823744 Mar 24 02:54 sandbox-win7-01-1.qcow2
-rw------- 1 root root 13084917760 Mar 30 03:35 sandbox-win7-01-2.qcow2
-rw------- 1 root root 5369757696 Mar 24 03:01 sandbox-win7-01-3.qcow2
-rw------- 1 root root 11935940608 Mar 24 02:54 sandbox-win7-01.qcow2
root@cuckoo:/var/lib/libvirt# chown -r root:mpauli images/
Appendix: ph0neutria config in my test scenario: /opt/ph0neutria/settings.conf
root@mal-crawler:/opt/ph0neutria/config# cat settings.conf
[Core]
multiprocess=yes
deleteoutput=yes
useragent=Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36
outputfolder=storage
# Refer to: https://docs.python.org/2/library/time.html - escape '%' with '%'.
dateformat=%%d-%%m-%%Y
usetor=yes
torport=9050
[MalShare]
# http://malshare.com/doc.php
apiurl=http://malshare.com/api.php
apikey=f1db099942390f333a20030e139009b9ef603b5e22f006c0430bc4d0c3dd9f9c
remotefirst=yes
remoteonly=yes
disable=no
[Malc0de]
url=http://malc0de.com/rss
[Minotaur]
url=http://minotauranalysis.com/raw/urls
[VXVault]
url=http://vxvault.net/URL_List.php
[Viper]
# http://viper-framework.readthedocs.io/en/latest/usage/web.html
##addurl=http://10.123.12.38:8080/file/add
addurl=http://192.168.178.97:8080/file/add
#findurl=http://10.123.12.38:8080/file/find
findurl=http://192.168.178.97:8080/file/find
[cuckoo]
api_url=http://192.168.178.112:8001
Appendix: Viper config To start Viper use this commands:
sudo -H -u spider python viper-api -H [local IP address] -p 8080 &
sudo -H -u spider python viper-web -H [local IP address] -p 9090 &
/opt/viper# cat viper.conf
[modules]
store_output = True
[paths]
storage_path =
[database]
connection =
[web]
host = 0.0.0.0
port = 8080
[api]
enabled = True
host = 0.0.0.0
port = 9090
[autorun]
enabled = True
verbose = True
commands = cuckoo -f -i'Submit from Viper';
[virustotal]
virustotal_has_private_key = False
virustotal_has_intel_key = False
virustotal_key = xxxxxxxxxxxxxxxxxxxxxx
[cuckoo]
cuckoo_modified = True
cuckoo_host = http://192.168.178.112:8001
cuckoo_web = https://192.168.178.112
[reports]
malwr_login = https://malwr.com/account/login/
malwr_user =
malwr_pass =
malwr_search = https://malwr.com/analysis/search/
malwr_prefix = https://malwr.com
[misp]
misp_url = https://misp.mpauli.de
misp_key = xxxxxxxxxxxxxxxxxx
misp_verify = True
misp_vturl = https://www.virustotal.com/vtapi/v2/file/report
misp_taxonomies_directory = ./misp-taxonomies
[pssl]
pssl_url =
pssl_user =
pssl_pass =
[pdns]
pdns_url =
pdns_user =
pdns_pass =
[koodous]
base_url = https://koodous.com/api/apks
token = d01d9c845e4b2430682241c5faa55e786c129441
/home/spider/.viper/viper.conf
[modules]
store_output = True
[paths]
storage_path = /tmp/LIVE-Malware
[database]
connection =
[web]
host = 192.168.178.97
port = 8080
[api]
enabled = True
host = 192.168.178.97
port = 9090
[autorun]
enabled = True
verbose = True
commands = cuckoo -f, yara scan -t, triage;
[virustotal]
virustotal_has_private_key = False
virustotal_has_intel_key = False
virustotal_key = xxxxxxxxxxxxxx
[cuckoo]
cuckoo_modified = true
##cuckoo_host = https://192.168.178.112:4343
cuckoo_host = http://192.168.178.112:8001
cuckoo_web = https://192.168.178.112
[reports]
malwr_login = https://malwr.com/account/login/
malwr_user =
malwr_pass =
malwr_search = https://malwr.com/analysis/search/
malwr_prefix = https://malwr.com
[misp]
misp_url = https://misp.paulis.net
misp_key = xxxxxxxxxxxxxx
misp_verify = True
misp_vturl = https://www.virustotal.com/vtapi/v2/file/report
misp_taxonomies_directory = ./misp-taxonomies
[pssl]
pssl_url =
pssl_user =
pssl_pass =
[pdns]
pdns_url =
pdns_user =
pdns_pass =
[koodous]
base_url = https://koodous.com/api/apks
token = d01d9c845e4b2430682241c5faa55e786c129441
Appendix Cuckoo config cuckoo.conf [cuckoo]
delete_original = off
delete_bin_copy = off
machinery = kvm
memory_dump = on
terminate_processes = off
reschedule = off
process_results = on
max_analysis_count = 0
max_machines_count = 0
max_vmstartup_count = 10
freespace = 64
tmppath = /tmp
daydelta = 0
[resultserver]
ip = 192.168.100.1
port = 2042
store_csvs = on
upload_max_size = 910485760
[processing]
analysis_size_limit = 9104857600
analysis_call_limit = 0
resolve_dns = on
reverse_dns = on
ram_boost = off
sort_pcap = on
[database]
connection = postgresql://cuckoo:blabla@localhost:5432/cuckoo
timeout = 60
[timeouts]
default = 600
critical =120
vm_state = 300
auxiliary.conf [sniffer]
enabled = yes
tcpdump = /usr/sbin/tcpdump
interface = virbr0
[tor]
enabled = yes
torstart = /usr/sbin/torstart
torstop = /usr/sbin/torstop
[msoffice]
decryptor = /opt/cuckoo/msoffice/bin/msoffice-crypt.exe
[gateways]
RTR1 = 192.168.178.1
[virustotaldl]
enabled = no
dlintelkey = SomeKeyWithDLAccess
dlpath = /tmp/
[display_browser_martians]
enabled = yes
[display_office_martians]
enabled = yes
[display_shrike]
enabled = yes
[expanded_dashboard]
enabled = yes
[display_et_portal]
enabled = yes
[display_pt_portal]
enabled = yes
api.conf cuckoo@ubuntu:/opt/cuckoo/conf$ cat api.conf
[api]
ratelimit = yes
url = http://example.tld
[filecreate]
enabled = yes
allmachines = no
upload_limit = 10
multifile = no
status = yes
rps = 1/s
rpm = 2/m
[urlcreate]
enabled = yes
allmachines = no
status = yes
rps = 1/s
rpm = 2/m
[vtdl]
enabled = yes
allmachines = no
status = yes
rps = 1/s
rpm = 2/m
[fileview]
enabled = yes
md5 = yes
sha1 = yes
sha256 = yes
id = yes
rps = 2/s
rpm = 10/m
[tasksearch]
enabled = yes
md5 = yes
sha1 = yes
sha256 = yes
rps = 2/s
rpm = 10/m
[extendedtasksearch]
enabled = yes
rps = 1/s
rpm = 10/m
[tasklist]
enabled = yes
maxwindow = 1440
maxlimit = 50
defaultlimit = 10
rps = 1/s
rpm = 5/m
[taskview]
enabled = yes
rps = 1/s
rpm = 10/m
[taskresched]
enabled = no
rps = 1/s
rpm = 5/m
[taskdelete]
enabled = no
rps = 1/s
rpm = 5/m
[taskstatus]
enabled = yes
rps = 4/s
[taskreport]
enabled = yes
all = yes
rps = 1/s
rpm = 6/m
[taskiocs]
enabled = yes
jsonoverwrite = no
rps = 1/s
rpm = 4/m
[taskscreenshot]
enabled = yes
rps = 1/s
[taskpcap]
enabled = yes
rps = 1/s
#rpm = 10/m
[taskdropped]
enabled = yes
rps = 1/s
rpm = 20/m
[tasksurifile]
enabled = yes
rps = 1/s
rpm = 20/m
[taskprocmemory]
enabled = yes
all = no
compress = no
rps = 1/s
rpm = 4/m
[taskfullmemory]
enabled = yes
compress = no
rps = 1/s
rpm = 2/m
[sampledl]
enabled = yes
rps = 2/s
[machinelist]
enabled = yes
rps = 1/s
[machineview]
enabled = yes
rps = 1/s
[cuckoostatus]
enabled = yes
rps = 2/s
[rollingsuri]
enabled = yes
windowmax = 1440
rps = 2/s
[rollingshrike]
enabled = yes
windowmax = 10080
kvm.conf [kvm]
machines = cuckoo1
[cuckoo1]
label = sandox-win7-01
platform = windows
ip = 192.168.100.101
snapshot = running
interface = virbr0
resultserver_ip = 192.168.100.1
resultserver_port = 2042
tags = windows_7_sp3,32_bit,acrobat_reader_6
mem_profile = Win7SP3x64
processing.conf [analysisinfo]
enabled = yes
[decompression]
enabled = yes
[behavior]
enabled = yes
[debug]
enabled = yes
[dropped]
enabled = yes
buffer = 8192
[memory]
enabled = no
[usage]
enabled = no
[network]
enabled = yes
dnswhitelist = no
[procmemory]
enabled = yes
strings = yes
[static]
enabled = yes
whois = yes
[strings]
enabled = yes
nullterminated_only = yes
minchars = 5
[targetinfo]
enabled = yes
[virustotal]
enabled = yes
timeout = 60
key = xxxxxxxxxx
do_file_lookup = yes
do_url_lookup = yes
urlscrub = (^http:\/\/serw\.clicksor\.com\/redir\.php\?url=|&InjectedParam=.+$)
[suricata]
enabled = no
runmode = cli
evelog = eve.json
#alertlog = alert.json
#httplog = http.json
#tlslog = tls.json
#sshlog = ssh.json
#dnslog = dns.json
fileslog = files-json.log
filesdir = files
buffer = 8192
7zbin = /usr/bin/7z
zippass = infected
##Runmode "cli" options
bin = /usr/bin/suricata
conf = /etc/suricata/suricata.yaml
##Runmode "socket" Options
pylib_dir = /usr/lib/python2.7/dist-packages/suricatasc/
socket_file = /var/run/suricata/suricata-command.socket
[cif]
enabled = no
url = https://your-cif-server.com/api
key = your-api-key-here
timeout = 60
confidence = 85
nolog = yes
per_lookup_limit = 20
per_analysis_limit = 200
reporting.conf [jsondump]
enabled = yes
ram_boost = yes
indent = 4
encoding = latin-1
[reporthtml]
enabled = no
[reporthtmlsummary]
enabled = no
[reportpdf]
enabled = no
[mmdef]
enabled = no
[maec41]
enabled = no
mode = overview
processtree = true
output_handles = false
static = true
strings = true
virustotal = true
deduplicate = true
[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
db = cuckoo
fix_large_docs = yes
[elasticsearchdb]
enabled = no
searchonly = no
host = 127.0.0.1
port = 9200
index = cuckoo
[retention]
enabled = no
run_every = 6
memory = 14
procmemory = 62
pcap = 62
sortedpcap = 14
bsonlogs = 62
dropped = 62
screencaps = 62
reports = 62
mongo = 731
elastic = no
malheur = no
[syslog]
enabled = no
host =10.xx.xx.40
port = 514
protocol = udp
logfile = yes
logname = syslog.log
[moloch]
enabled = no
base = https://172.18.100.105:8005/
node = cuckoo3
capture = /data/moloch/bin/moloch-capture
captureconf = /data/moloch/etc/config.ini
user = admin
pass = admin
realm = Moloch
[resubmitexe]
enabled = no
resublimit = 5
[malheur]
enabled = yes
maxsimilar = 20
[compression]
enabled = yes
zipmemdump = yes
zipmemstrings = yes
zipprocdump = yes
zipprocstrings = yes
[misp]
enabled = yes
apikey = xxxxxxxxxxxxxx
url = https://misp.mpauli.de
min_malscore = 3
threads = 10
extend_context = yes
upload_iocs = yes
distribution = 1
threat_level_id = 2
analysis = 2
title = IOCs from TheSOC-cuckoo analysis:
network = yes
ids_files = yes
dropped = yes
registry = yes
mutexes = yes
[distributed]
enabled = no
remove_task_on_slave = no
db = sqlite:///dist.db
samples_directory = /tmp/distributed_cuckoo_samples
dead_count = 5
retriever_threads = 4