
Cuckoo2GO: VMware Cuckoo with a nested VirtualBox analysis

Installation instructions for a "nested" Cuckoo installation.

The Cuckoo host is therefore itself a virtual machine, inside which the analysis virtual machines run.

The advantage is the portability of the whole solution: "only" the host virtual machine has to be copied, so the installation effort for a new Cuckoo instance is kept to a minimum.

Hardware requirements

1 TB storage (minimum), preferably on a fast SSD
32 GB RAM (to run 5 Win7 targets)
Core i7 (Hyperthreading, 8 cores)



# Base tooling plus a Python 2 environment: Cuckoo 2.x and the venv paths used
# further down are python2.7.
sudo apt install -y git make vim
sudo apt install -y python python-pip python-setuptools python-virtualenv virtualenv
sudo apt install -y libjpeg8-dev zlib1g-dev

# NOTE(review): the clone URL was lost in this excerpt. Pin the checkout to a
# reviewed tag/commit rather than tracking the default branch — this code runs
# on the analysis host with access to every sample and report.
git clone
virtualenv venv
. venv/bin/activate


# for Volatility
# NOTE(review): clone URL lost in this excerpt — pin it to a reviewed commit.
git clone
cd volatility
# NOTE(review): an argument between `python` and `install` appears to have been
# lost here (presumably setup.py — confirm against the upstream README).
python install
cd ../
pip install distorm3 pefile

# MalConfScan is copied into the installed Volatility egg. The egg path is
# version-specific (volatility-2.6.1 / python2.7) and must be adjusted if
# either version changes. This is third-party plugin code and YARA rules that
# Volatility will run against every analysis memory dump once the [memory]
# processing module is enabled below — review it before copying it in.
# NOTE(review): the plugin filename after `MalConfScan/` was lost in this excerpt.
cp MalConfScan/ venv/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/
cp -R MalConfScan/utils venv/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/
cp -R MalConfScan/yara venv/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/

# for MongoDB (the reporting backend enabled in reporting.conf below)
sudo apt install -y libffi-dev libssl-dev libjpeg-dev zlib1g-dev swig
sudo apt install -y mongodb
# NOTE(review): no authentication is configured for mongodb here; make sure the
# distro default keeps it bound to localhost only — confirm in its config.

# for elasticsearch 5.6.0
sudo apt install -y openjdk-11-jdk
# NOTE(review): the download step for the .deb was lost in this excerpt. Verify
# the package checksum/signature against the vendor-published values before
# dpkg -i. Elasticsearch 5.6 documented Java 8 support and is no longer
# maintained upstream — confirm it starts under openjdk-11 and that this is the
# version the Cuckoo release in use expects.
sudo dpkg -i elasticsearch-5.6.0.deb
rm elasticsearch-5.6.0.deb

# for mitmproxy — installed per-user (no sudo), which is why auxiliary.conf
# below points at /home/infected/.local/bin/mitmdump.
sudo apt install -y python3-dev python3-pip
pip3 install mitmproxy

# for tcpdump
# aa-disable removes tcpdump's AppArmor confinement (Cuckoo's documented reason
# is writing pcaps outside the profile's allowed paths — confirm); setcap lets a
# non-root user capture. Together they make a raw-socket-capable binary
# executable by every local user, so pair them with the pcap group restriction
# in the next section and a restrictive file mode (e.g. 750, root:pcap).
sudo apt install -y apparmor-utils
sudo aa-disable /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

# for non-root user (in this case, user name is "infected")
# NOTE(review): the later sections (rooter, supervisord, venv paths) use the
# user name "analyst"; pick one and keep it consistent. Group membership only
# takes effect at the user's next login.
sudo usermod -a -G vboxusers infected
sudo groupadd pcap
sudo usermod -a -G pcap infected
sudo chgrp pcap /usr/sbin/tcpdump
# setcap is repeated on purpose: changing a file's owner/group on Linux clears
# its file capabilities (confirm on the kernel in use). The group change alone
# does not limit who can execute tcpdump unless the mode is tightened too.
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

# for VirtualBox
sudo apt install -y virtualbox
# Creates vboxnet0, the host-only network the analysis VMs are attached to
# (referenced by virtualbox.conf and the iptables rules below).
sudo vboxmanage hostonlyif create
# NOTE(review): the --ip and --netmask values were lost in this excerpt; they
# must match the default gateway configured inside the Win7 target.
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip --netmask

vi .cuckoo/conf/auxiliary.conf
[mitm]
# Enable man in the middle proxying (mitmdump) [yes/no].
#enabled = no
enabled = yes
# path is correct.
#mitmdump = /usr/local/bin/mitmdump
mitmdump = /home/infected/.local/bin/mitmdump

vi .cuckoo/conf/cuckoo.conf
# (…) submission. Currently available for: VirtualBox and libvirt modules (KVM).
#memory_dump = no
memory_dump = yes
# The value is expressed in bytes, by default 128 MB.
#upload_max_size = 134217728
upload_max_size = 1610612736

vi .cuckoo/conf/memory.conf
[basic]
# Profile to avoid wasting time identifying it
#guest_profile = WinXPSP2x86
guest_profile = Win7SP1x86

vi .cuckoo/conf/processing.conf
[memory]
# Create a memory dump of the entire Virtual Machine. This memory dump will
# then be analyzed using Volatility to locate interesting events that can be
# extracted from memory.
#enabled = no
enabled = yes

vi .cuckoo/conf/reporting.conf
[mongodb]
#enabled = no
enabled = yes
# (a second section header — presumably [elasticsearch], whose `hosts` key follows — was lost in this excerpt)
#enabled = no
enabled = yes
#hosts =
hosts =

vi .cuckoo/conf/virtualbox.conf
[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
#label = cuckoo1
label = Win7SP1x86
# Example (Snapshot1 is the snapshot name):
#snapshot =
snapshot = cuckoo
# Example (vboxnet0 is the interface name):
#interface =
interface = vboxnet0
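# Host firewall / NAT for the analysis network. The rules are rebuilt from
# scratch: the flushes drop whatever was there (including any existing
# admin-access rules), and the DROP policies are only set at the end so the
# host is never left without a working rule set part-way through.
# Fix vs. the original excerpt: the `--ctstate` option had been mangled into an
# em dash (`— ctstate`), which iptables does not accept.
sudo iptables -t nat -F
sudo iptables -F
sudo iptables -L

# Management side: everything arriving on ens33 and lo is accepted, so the
# INPUT DROP policy below only affects other interfaces. Narrow the ens33 rule
# to the management services actually needed if the host sits on a shared
# network. Everything arriving from the guests on vboxnet0 is accepted as well,
# so any service the host listens on (web UI, API, mongodb, elasticsearch) is
# reachable from inside the sandbox unless it is bound elsewhere — tighten this
# to what Cuckoo's result server (and any proxying you enable) needs.
sudo iptables -A INPUT -i ens33 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i vboxnet0 -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Guests reach the internet through ens33 only; -o ens33 keeps the NAT off
# vboxnet0 and any other interface.
sudo iptables -A POSTROUTING -t nat -o ens33 -j MASQUERADE

# The address arguments of the next four rules were lost in this excerpt —
# fill in the placeholders before running. The three DROP rules must stay
# ahead of the final ACCEPT: they stop the guests from reaching the host's
# other networks while still allowing their outbound (NEW) connections.
guest_net="<vboxnet0 subnet — the --ip/--netmask given to hostonlyif above>"
blocked_net_1="<first destination range the guests must not reach>"
blocked_net_2="<second destination range the guests must not reach>"
blocked_net_3="<third destination range the guests must not reach>"
sudo iptables -A FORWARD -s "$guest_net" -d "$blocked_net_1" -i vboxnet0 -o ens33 -j DROP
sudo iptables -A FORWARD -s "$guest_net" -d "$blocked_net_2" -i vboxnet0 -o ens33 -j DROP
sudo iptables -A FORWARD -s "$guest_net" -d "$blocked_net_3" -i vboxnet0 -o ens33 -j DROP
sudo iptables -A FORWARD -s "$guest_net" -i vboxnet0 -o ens33 -m conntrack --ctstate NEW -j ACCEPT

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo sysctl -w net.ipv4.ip_forward=1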

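# Persist the rules and IP forwarding across reboots.
# Fixes vs. the original excerpt: two commands had been fused into one line
# (`iptables-persistentsudo`), and `sudo echo ... >> /etc/sysctl.conf` cannot
# work — the redirection is performed by the unprivileged shell, not by sudo.
# iptables-persistent is installed after the rules exist so its install-time
# prompt can save the current rule set (confirm it offered to; otherwise save
# the rules explicitly).
sudo apt install -y iptables-persistent
# tee runs under sudo, so the append to /etc/sysctl.conf happens as root.
echo net.ipv4.ip_forward=1 | sudo tee -a /etc/sysctl.conf >/dev/null

# NOTE(review): the --ip/--netmask values were lost in this excerpt (same call
# as in the VirtualBox section). The host-only address is presumably repeated
# here because it does not survive a reboot on its own — confirm.
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip --netmask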

# Pulls the community signatures/modules over the network into the Cuckoo CWD.
# This is third-party code executed during report processing; review what was
# fetched, and re-run it after every `pip install -U cuckoo` (the first-start
# section below does so).
cuckoo community

Start after reboot:

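# Start after reboot.
# Fix vs. the original excerpt: a stray trailing "." after the activate path
# would make the shell look for a file named "activate." and fail.
. venv/bin/activate
# Both daemons are backgrounded in the current shell: they die with the
# terminal and their output is not captured. The supervisord setup further
# down is the durable alternative.
cuckoo &
cuckoo web &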

Win7 target config


  • Set display resolution to 1024 x 768
  • Disable Windows Update
  • Disable Windows Defender
  • Disable Windows Firewall
  • Disable UAC (Set not to notify)
  • Select “Ask me later” when Internet Explorer asks for initial setup on first start
  • Install Python 2.7
  • Install PIL-1.1.7.win32-py2.7.exe
  • Put the agent in the Startup folder:
    Startup folder:
    %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
  • Network Settings
    - IP address:
    - Subnet mask:
    - Default gateway:
    - Preferred DNS server:
    - Alternate DNS server:
  • Suppressing Network Noise (Disable Teredo, LLMNR, etc.)
    - To open the Group Policy Editor, press [Windows key] + R and type “gpedit.msc”
    - Computer Configuration -> Administrative Templates -> Network -> DNS Client, then enable “Turn off Multicast Name Resolution”
    - Computer Configuration -> Administrative Templates -> System -> Internet Communication Management, then enable “Restrict Internet Communication”
    - Enter the following at the command prompt.
netsh interface teredo set state disabled
  • Change the network configuration of VirtualBox to “Host-only Adapter”
    - Make sure “vboxnet0” is selected
    - If “Not Selected”, execute the following command
# NOTE(review): the --ip/--netmask values were lost in this excerpt; use the
# gateway address the Win7 target's network settings above point at.
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip --netmask

Create init.reg with the following content (in .reg syntax, the leading “-” before the key name deletes that key):
[-HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\Virtual Box Guest Additions]

  • Uninstall “Oracle VM VirtualBox Guest Additions”
    - Will be asked to reboot, so reboot
  • Verify the agent is started after reboot
    - You should see a black screen with the title “C:\Python 27\python.exe”
    - If it is not started, check that the file in the Startup folder matches the source.
  • Minimize the agent’s window so it doesn’t get in the way of screenshots during analysis
  • Run the previously created init.reg

Cuckoo Client Package and Moloch:

Install the following from the client package above:

  1. python 2.7
  2. Pillow 5.3.1
  3. the agent (linked from the Startup folder)
  4. Adobe Reader 11.0.1 (no update check) (Start one to accept EULA)
  5. Adobe FlashPlayer 11.0.9(no update check)
  6. NDP451
  7. Chrome browser (no update check; start it once to accept the EULA, disable all services that report your activity to Google, and set it as the default browser)

Change the Network type in VirtualBox from "Bridged" to "Host Only"

Disable IPv6 and set IPv4 within the Win7 VM as:

While the machine is still running in the desired state, create a VirtualBox snapshot.

About to start the first time

Verify that you took the VirtualBox snapshot of your setup; otherwise it will be gone after the first start. (smile)

Check that you are using the latest version of Cuckoo (this also performs the update that is needed later):

. venv/bin/activate

# NOTE(review): under sudo this is the system pip upgrading the system-wide
# virtualenv package; the venv activated above is not involved. Installing
# into the system site-packages as root can collide with apt-managed Python
# packages — prefer the venv or the distro package unless the upgrade is needed.
sudo pip install virtualenv --upgrade

pip install -U cuckoo

# Re-fetch the community modules after the upgrade (third-party code; review it).
cuckoo community

# Rooter is the only component that needs root (it manages the guests'
# routing/iptables state); --sudo starts it that way on behalf of the
# analysis user given with -g.
# NOTE(review): the user here is "analyst" while earlier sections used "infected".
/home/analyst/venv/bin/cuckoo -d rooter -g analyst --sudo

# Debug-mode daemon (verbose output) for the first manual run.
cuckoo -d

# NOTE(review): the -H host value was lost in this excerpt. The web UI exposes
# every report and accepts submissions without a login in this Cuckoo version
# (confirm); bind it to loopback or a management address rather than all
# interfaces — the firewall above accepts everything arriving from the guests
# on vboxnet0.
cuckoo web -H -p 8000

Autostart Cuckoo

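# Fix vs. the original excerpt: the Debian/Ubuntu package is "supervisor"
# (matching /etc/supervisor/ and `service supervisor restart` below);
# "supervisord" is the daemon's name, not an apt package, so the original
# line would fail.
sudo apt install -y supervisor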

vi /etc/supervisor/conf.d/cuckoo.conf

(The section headers of this file were lost in this excerpt: the first blocks configure supervisord itself, and each `command =` block below is its own `[program:...]` section, named as in the `programs =` line.)

logfile = /var/log/supervisor/supervisord.log
pidfile = /home/analyst/.cuckoo/supervisord/pidfile
user = root

serverurl = unix:///home/analyst/.cuckoo/supervisord/unix.sock

supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

file = /home/analyst/.cuckoo/supervisord/unix.sock

command = /home/analyst/venv/bin/cuckoo rooter -g analyst
user = root
startsecs = 10
autorestart = true

command = /home/analyst/venv/bin/cuckoo -d -m 10000
user = analyst
startsecs = 30
autorestart = true

command = /home/analyst/venv/bin/cuckoo process p%(process_num)d
process_name = cuckoo-process_%(process_num)d
numprocs = 4
user = analyst
autorestart = true

command = /home/analyst/venv/bin/cuckoo web -H -p 8000
user = analyst
startsecs = 30
autorestart = true

command = /home/analyst/venv/bin/cuckoo api -H -p 8080
user = analyst
startsecs = 30
autorestart = true

programs = cuckoo-rooter, cuckoo-daemon, cuckoo-process, cuckoo-web, cuckoo-api

command = /home/analyst/venv/bin/python -m cuckoo.distributed.worker
user = analyst
autostart = false
autorestart = true
environment = CUCKOO_APP="worker",CUCKOO_CWD="/home/analyst/.cuckoo"

# Reload the supervisor configuration; the programs above are started per their
# autostart settings (the distributed worker stays stopped: autostart = false).
sudo service supervisor restart

ps aux should show: