Setting Up Cuckoo
What is Cuckoo?
Cuckoo is an open-source, automated malware analysis sandbox. What does that mean? A sandbox is an isolated, disposable environment, here a virtual machine that is rolled back to a clean snapshot after every run, in which you can execute a suspicious file or open a URL while recording what it does: API calls, files written or dropped, network traffic, screenshots, and optionally a memory dump. Cuckoo automates that loop and turns the recordings into a report.
Host Setup
I am installing Cuckoo on Ubuntu, as recommended by Cuckoo's installation documentation, found here. I did not install Volatility at this time, but I did install VirtualBox, tcpdump, and guacd. Note that Cuckoo 2.x is a Python 2.7 application, so the Python packages below are the Python 2 ones.
The following was copied from Cuckoo's documentation. All I have done is put it in the order I ran it, so that you don't have to keep flipping from page to page as I did.
Install python
$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig
Installing databases
$ sudo apt-get install mongodb
$ sudo apt-get install postgresql libpq-dev
Installing requirements
$ sudo apt-get install tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump
Add cuckoo user
$ sudo adduser cuckoo
$ sudo usermod -a -G vboxusers cuckoo
Add groups
$ sudo groupadd pcap
$ sudo usermod -a -G pcap cuckoo
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
Checking tcpdump
$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
Create venv and install cuckoo
$ virtualenv venv
$ . venv/bin/activate
(venv)$ pip install -U pip setuptools
(venv)$ pip install -U cuckoo
Give it a try. See if everything is working by running:
$ cuckoo -d
The -d flag turns on debug output; once the setup is known to work it can be omitted.
You might see the following in the output:
2019-05-30 08:17:47,175 [cuckoo] WARNING: It appears that you haven't loaded any Cuckoo Signatures. Signatures are highly recommended and improve & enrich the information extracted during an analysis. They also make up for the analysis score that you see in the Web Interface - so, pretty important!
2019-05-30 08:17:47,175 [cuckoo] WARNING: You'll be able to fetch all the latest Cuckoo Signaturs, Yara rules, and more goodies by running the following command:
2019-05-30 08:17:47,176 [cuckoo] INFO: $ cuckoo community
I recommend doing this; it fetches the community signatures and Yara rules that the analysis score depends on.
cuckoo community
Configuration
Cuckoo's working directory is ~/.cuckoo, and its configuration files live in ~/.cuckoo/conf/ (cuckoo.conf, virtualbox.conf, reporting.conf, and so on). The configuration reference is here:
https://cuckoo.sh/docs/installation/host/configuration.html
IPTables
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE
$ sudo iptables -P FORWARD DROP
$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -j LOG
https://cuckoo.sh/docs/installation/host/routing.html#simple-global-routing
These rules NAT the guest subnet out through eth0 (substitute your host's uplink interface), allow any forwarded traffic that originates from 192.168.56.0/24, let replies back in via the RELATED,ESTABLISHED rule, and drop and log everything else. Forwarding must also be enabled in the kernel (net.ipv4.ip_forward, plus per-interface forwarding on vboxnet0), which the routing page above covers. Bear in mind that this gives the sandbox unrestricted Internet access: a sample with network access, such as the SMB exploit used below, can reach real hosts through this NAT, so keep the host on a network where that is acceptable or restrict the FORWARD rules further.
Guest Setup
Cuckoo recommends Windows 7 64-bit as the guest VM, and that's what I will be using. I named this VM cuckoo1 to match the label in ~/.cuckoo/conf/virtualbox.conf.
Set up the VirtualBox network
If you are getting
2014-01-07 18:42:12,686 [root] CRITICAL: CuckooCriticalError: Unable to bind result server on 192.168.56.1:2042: [Errno 99] Cannot assign requested address
then the host has no interface with that address yet. Be sure to set up the VirtualBox host-only network as shown below.
$ VBoxManage hostonlyif create
$ VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
Also, be sure to set a static IP address of 192.168.56.101 on the guest VM (the address in virtualbox.conf), with the host-only interface's 192.168.56.1 as the default gateway so the iptables rules above can route its traffic.
https://cuckoo.sh/docs/installation/guest/network.html
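Before moving on to the guest it is worth re-checking the host-side steps so far, because the symptoms of getting them wrong (no pcap, the result server failing to bind, VirtualBox refusing to start the VM as the cuckoo user) only show up later. The script below is an added example, not part of the original post or of Cuckoo: it rechecks the tcpdump capabilities, the cuckoo user's group memberships, and the host-only interface address. The parsers take command output as a string, so the constructed samples in the block exercise them without root, VirtualBox, or a cuckoo user present; only `preflight()` runs the real commands.

```python
"""Preflight check for the host-side Cuckoo prerequisites set up above.

Added example, not part of the original post or of Cuckoo itself.
"""
import re
import subprocess

TCPDUMP = "/usr/sbin/tcpdump"
REQUIRED_CAPS = {"cap_net_admin", "cap_net_raw"}
REQUIRED_GROUPS = {"vboxusers", "pcap"}
RESULT_SERVER_IP = "192.168.56.1"   # the address given to vboxnet0 above


def caps_ok(getcap_output):
    """True if getcap shows tcpdump holding cap_net_admin and cap_net_raw as
    both permitted and effective. Accepts the older '= caps+eip' form shown
    in the post and the newer 'caps=eip' form printed by recent libcap."""
    m = re.search(r"(cap_[\w,]+)[+=]([eip]+)", getcap_output)
    if not m:
        return False
    caps = set(m.group(1).split(","))
    flags = set(m.group(2))
    return REQUIRED_CAPS <= caps and {"e", "p"} <= flags


def groups_ok(id_output):
    """True if the output of `id -nG cuckoo` lists every required group."""
    return REQUIRED_GROUPS <= set(id_output.split())


def hostonly_ip(vboxmanage_output, name="vboxnet0"):
    """Pull one interface's IPAddress out of `VBoxManage list hostonlyifs`."""
    current = None
    for line in vboxmanage_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Name":
            current = value.strip()
        elif key.strip() == "IPAddress" and current == name:
            return value.strip()
    return None


def _run(cmd):
    """Return a command's stdout, or '' if the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except OSError:
        return ""


def preflight(user="cuckoo"):
    """Run the live checks on this host; returns {check name: passed}."""
    return {
        "tcpdump capabilities": caps_ok(_run(["getcap", TCPDUMP])),
        "cuckoo group membership": groups_ok(_run(["id", "-nG", user])),
        "vboxnet0 is %s" % RESULT_SERVER_IP:
            hostonly_ip(_run(["VBoxManage", "list", "hostonlyifs"])) == RESULT_SERVER_IP,
    }


# Constructed (abridged) sample of `VBoxManage list hostonlyifs` output.
SAMPLE_HOSTONLYIFS = """\
Name:            vboxnet0
GUID:            786f6276-656e-4074-8000-0a0027000000
DHCP:            Disabled
IPAddress:       192.168.56.1
NetworkMask:     255.255.255.0
Status:          Up
"""

if __name__ == "__main__":
    for check, passed in preflight().items():
        print("%s  %s" % ("OK  " if passed else "FAIL", check))
```

Run it as the cuckoo user after the VBoxManage steps; a FAIL on the group check is the usual reason the sniffer never starts, and a FAIL on the interface check is the cause of the "Unable to bind result server" error quoted above.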
Install Python 2.7 on the guest and make sure it is added to the PATH. Transfer agent.py to the guest machine; it can be found in the ~/.cuckoo/agent/ directory on the host. The guest documentation also recommends disabling the Windows firewall and automatic updates so they do not block the agent or add noise to the capture. I then ran python agent.py and took a snapshot. This way, when Cuckoo restores the snapshot, the agent is already running and ready to go.
Volatility is a host-side dependency, not a guest one: if you intend to perform memory forensics, install it on the host, enable memory dumping in cuckoo.conf and the Memory processing module in processing.conf, and Cuckoo will run it against the guest's memory dump after each analysis. For the installation itself, follow Volatility's own instructions here.
That's about it for the guest. Next step is to analyze some malware.
Analyze Malware
Let's analyze some malware now. For this I will be using Doublepulsar-1.3.1.exe and Eternalblue-2.2.0.exe. The first step is to submit the executables. You can get these files here on GitHub.
Submit the first file.
cuckoo submit ~/github/Eternalblue-Doublepulsar-Metasploit/deps/Doublepulsar-1.3.1.exe
You should see the following.
Success: File "/home/yojimbo/github/Eternalblue-Doublepulsar-Metasploit/deps/Doublepulsar-1.3.1.exe" added as task with ID #1
Next.
cuckoo submit ~/github/Eternalblue-Doublepulsar-Metasploit/deps/Eternalblue-2.2.0.exe
You should see the following
Success: File "/home/yojimbo/github/Eternalblue-Doublepulsar-Metasploit/deps/Eternalblue-2.2.0.exe" added as task with ID #2
Now, let's run Cuckoo and let it do its thing.
cuckoo -d
You should see something similar to the following.
.-----------------.
| Cuckoo Sandbox? |
| OH NOES! |\ '-.__.-'
'-----------------' \ /oo |--.--,--,--.
\_.-'._i__i__i_.'
"""""""""
Cuckoo Sandbox 2.0.6
www.cuckoosandbox.org
Copyright (c) 2010-2018
Checking for updates...
You're good to go!
Our latest blogposts:
* IQY malspam campaign, October 15, 2018.
Analysis of a malspam campaign leveraging .IQY (Excel Web Query) files containing DDE to achieve code execution.
More at https://hatching.io/blog/iqy-malspam
* Hooking VBScript execution in Cuckoo, October 03, 2018.
Details on implementation of Visual Basic Script instrumentation for Cuckoo Monitor for extraction of dynamically executed VBScript.
More at https://hatching.io/blog/vbscript-hooking
* Cuckoo Sandbox 2.0.6 pentest, September 18, 2018.
Cuckoo Sandbox 2.0.6 public pentest performed by Cure53 and sponsored by PolySwarm!
More at https://hatching.io/blog/cuckoo-206-pentest
* Cuckoo Sandbox 2.0.6, June 07, 2018.
Interim release awaiting the big release.
More at https://cuckoosandbox.org/blog/206-interim-release
* Cuckoo Sandbox 2.0.5: Office DDE, December 03, 2017.
Brand new release based on a DDE case study.
More at https://cuckoosandbox.org/blog/205-office-dde
2019-05-30 09:26:45,404 [cuckoo.core.startup] DEBUG: Imported modules...
2019-05-30 09:26:45,405 [cuckoo.core.startup] DEBUG: Imported "auxiliary" modules:
2019-05-30 09:26:45,405 [cuckoo.core.startup] DEBUG: |-- MITM
2019-05-30 09:26:45,405 [cuckoo.core.startup] DEBUG: |-- Reboot
2019-05-30 09:26:45,405 [cuckoo.core.startup] DEBUG: |-- Services
2019-05-30 09:26:45,405 [cuckoo.core.startup] DEBUG: `-- Sniffer
2019-05-30 09:26:45,405 [cuckoo.core.startup] DEBUG: Imported "machinery" modules:
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: |-- vSphere
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: |-- KVM
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: |-- ESX
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: |-- XenServer
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: |-- VirtualBox
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: |-- Avd
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: |-- QEMU
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: |-- VMware
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: `-- Physical
2019-05-30 09:26:45,406 [cuckoo.core.startup] DEBUG: Imported "processing" modules:
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- AnalysisInfo
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- ApkInfo
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- Baseline
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- BehaviorAnalysis
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- Debug
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- Droidmon
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- Dropped
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- DroppedBuffer
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- Extracted
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- GooglePlay
2019-05-30 09:26:45,407 [cuckoo.core.startup] DEBUG: |-- Irma
2019-05-30 09:26:45,408 [cuckoo.core.startup] DEBUG: |-- Memory
2019-05-30 09:26:45,408 [cuckoo.core.startup] DEBUG: |-- MetaInfo
2019-05-30 09:26:45,408 [cuckoo.core.startup] DEBUG: |-- MISP
2019-05-30 09:26:45,408 [cuckoo.core.startup] DEBUG: |-- NetworkAnalysis
2019-05-30 09:26:45,408 [cuckoo.core.startup] DEBUG: |-- ProcessMemory
2019-05-30 09:26:45,408 [cuckoo.core.startup] DEBUG: |-- Procmon
2019-05-30 09:26:45,408 [cuckoo.core.startup] DEBUG: |-- Screenshots
2019-05-30 09:26:45,408 [cuckoo.core.startup] DEBUG: |-- Snort
2019-05-30 09:26:45,408 [cuckoo.core.startup] DEBUG: |-- Static
2019-05-30 09:26:45,409 [cuckoo.core.startup] DEBUG: |-- Strings
2019-05-30 09:26:45,409 [cuckoo.core.startup] DEBUG: |-- Suricata
2019-05-30 09:26:45,409 [cuckoo.core.startup] DEBUG: |-- TargetInfo
2019-05-30 09:26:45,409 [cuckoo.core.startup] DEBUG: |-- TLSMasterSecrets
2019-05-30 09:26:45,409 [cuckoo.core.startup] DEBUG: `-- VirusTotal
2019-05-30 09:26:45,409 [cuckoo.core.startup] DEBUG: Imported "signatures" modules:
2019-05-30 09:26:45,461 [cuckoo.core.startup] DEBUG: Imported "reporting" modules:
2019-05-30 09:26:45,461 [cuckoo.core.startup] DEBUG: |-- ElasticSearch
2019-05-30 09:26:45,461 [cuckoo.core.startup] DEBUG: |-- Feedback
2019-05-30 09:26:45,461 [cuckoo.core.startup] DEBUG: |-- JsonDump
2019-05-30 09:26:45,461 [cuckoo.core.startup] DEBUG: |-- Mattermost
2019-05-30 09:26:45,461 [cuckoo.core.startup] DEBUG: |-- MISP
2019-05-30 09:26:45,461 [cuckoo.core.startup] DEBUG: |-- Moloch
2019-05-30 09:26:45,461 [cuckoo.core.startup] DEBUG: |-- MongoDB
2019-05-30 09:26:45,461 [cuckoo.core.startup] DEBUG: |-- Notification
2019-05-30 09:26:45,462 [cuckoo.core.startup] DEBUG: `-- SingleFile
2019-05-30 09:26:45,466 [cuckoo.core.startup] DEBUG: Checking for locked tasks..
2019-05-30 09:26:45,475 [cuckoo.core.startup] DEBUG: Checking for pending service tasks..
2019-05-30 09:26:45,482 [cuckoo.core.startup] DEBUG: Initializing Yara...
2019-05-30 09:26:45,484 [cuckoo.core.startup] DEBUG: |-- binaries embedded.yar
2019-05-30 09:26:45,484 [cuckoo.core.startup] DEBUG: |-- binaries filetypes.yar
2019-05-30 09:26:45,484 [cuckoo.core.startup] DEBUG: |-- binaries shellcodes.yar
2019-05-30 09:26:45,484 [cuckoo.core.startup] DEBUG: |-- binaries vmdetect.yar
2019-05-30 09:26:45,486 [cuckoo.core.startup] DEBUG: |-- scripts applocker_bypass.yar
2019-05-30 09:26:45,486 [cuckoo.core.startup] DEBUG: |-- scripts powerfun.yar
2019-05-30 09:26:45,486 [cuckoo.core.startup] DEBUG: |-- scripts powershell_AMSI.yar
2019-05-30 09:26:45,487 [cuckoo.core.startup] DEBUG: |-- scripts powershell_BITS_transfer.yar
2019-05-30 09:26:45,487 [cuckoo.core.startup] DEBUG: |-- scripts powershell_ddi_rc4.yar
2019-05-30 09:26:45,487 [cuckoo.core.startup] DEBUG: |-- scripts powershell_dfsp.yar
2019-05-30 09:26:45,487 [cuckoo.core.startup] DEBUG: |-- scripts powershell_di.yar
2019-05-30 09:26:45,487 [cuckoo.core.startup] DEBUG: |-- scripts powershell_empire.yar
2019-05-30 09:26:45,487 [cuckoo.core.startup] DEBUG: |-- scripts powershell_meterpreter.yar
2019-05-30 09:26:45,487 [cuckoo.core.startup] DEBUG: |-- scripts powershell_txt_c2.yar
2019-05-30 09:26:45,487 [cuckoo.core.startup] DEBUG: |-- scripts powershell_unicorn.yar
2019-05-30 09:26:45,488 [cuckoo.core.startup] DEBUG: |-- scripts powerworm.yar
2019-05-30 09:26:45,488 [cuckoo.core.startup] DEBUG: |-- shellcode metasploit.yar
2019-05-30 09:26:45,489 [cuckoo.core.startup] DEBUG: |-- office dde.yar
2019-05-30 09:26:45,489 [cuckoo.core.startup] DEBUG: |-- office ole.yar
2019-05-30 09:26:45,490 [cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.
2019-05-30 09:26:45,491 [cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2019-05-30 09:26:45,821 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo1 to its current snapshot
2019-05-30 09:26:45,966 [cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2019-05-30 09:26:45,977 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2019-05-30 09:30:23,467 [cuckoo.core.scheduler] DEBUG: Processing task #1
2019-05-30 09:30:23,475 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "Doublepulsar-1.3.1.exe" (task #1, options "")
2019-05-30 09:30:23,498 [cuckoo.core.scheduler] INFO: Task #1: acquired machine cuckoo1 (label=cuckoo1)
2019-05-30 09:30:23,503 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 26277 (interface=vboxnet0, host=192.168.56.101)
2019-05-30 09:30:23,504 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2019-05-30 09:30:23,545 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo1
2019-05-30 09:30:23,633 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo1 to its current snapshot
2019-05-30 09:30:28,637 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.101)
2019-05-30 09:30:29,640 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-05-30 09:30:30,644 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-05-30 09:30:31,647 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-05-30 09:30:31,688 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-05-30 09:30:32,696 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo1, ip=192.168.56.101)
2019-05-30 09:30:32,715 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=3967696)
2019-05-30 09:30:32,925 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2019-05-30 09:30:33,004 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2019-05-30 09:30:33,931 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2019-05-30 09:30:34,444 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2019-05-30 09:30:34,459 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 125252
2019-05-30 09:30:34,936 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2019-05-30 09:30:35,463 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0002.jpg
2019-05-30 09:30:35,481 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 129812
2019-05-30 09:30:35,940 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully
2019-05-30 09:30:36,000 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2019-05-30 09:30:36,001 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo1
2019-05-30 09:30:37,612 [cuckoo.core.scheduler] DEBUG: Released database task #1
2019-05-30 09:30:37,644 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #1
2019-05-30 09:30:37,645 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2019-05-30 09:30:37,645 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #1
2019-05-30 09:30:37,646 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #1
2019-05-30 09:30:37,646 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #1
2019-05-30 09:30:37,647 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #1
2019-05-30 09:30:37,647 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #1
2019-05-30 09:30:37,647 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #1
2019-05-30 09:30:37,669 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #1
2019-05-30 09:30:37,928 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #1
2019-05-30 09:30:37,931 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #1
2019-05-30 09:30:37,934 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #1
2019-05-30 09:30:37,940 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #1
2019-05-30 09:30:37,940 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #1
2019-05-30 09:30:37,941 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #1
2019-05-30 09:30:37,943 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #1
2019-05-30 09:30:37,945 [cuckoo.core.plugins] DEBUG: Running 540 signatures
2019-05-30 09:30:38,058 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2019-05-30 09:30:38,059 [cuckoo.core.scheduler] INFO: Task #1: reports generation completed
2019-05-30 09:30:38,066 [cuckoo.core.scheduler] INFO: Task #1: analysis procedure completed
2019-05-30 09:30:53,832 [cuckoo.core.scheduler] DEBUG: Processing task #2
2019-05-30 09:30:53,840 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "Eternalblue-2.2.0.exe" (task #2, options "")
2019-05-30 09:30:53,871 [cuckoo.core.scheduler] INFO: Task #2: acquired machine cuckoo1 (label=cuckoo1)
2019-05-30 09:30:53,876 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 26518 (interface=vboxnet0, host=192.168.56.101)
2019-05-30 09:30:53,876 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2019-05-30 09:30:53,925 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo1
2019-05-30 09:30:54,017 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo1 to its current snapshot
2019-05-30 09:30:59,054 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.101)
2019-05-30 09:31:00,058 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-05-30 09:31:01,061 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-05-30 09:31:02,066 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-05-30 09:31:03,069 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2019-05-30 09:31:03,076 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo1, ip=192.168.56.101)
2019-05-30 09:31:03,093 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=3967696)
2019-05-30 09:31:03,287 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2019-05-30 09:31:03,587 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2019-05-30 09:31:04,292 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2019-05-30 09:31:05,037 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2019-05-30 09:31:05,054 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 125269
2019-05-30 09:31:05,298 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2019-05-30 09:31:06,106 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0002.jpg
2019-05-30 09:31:06,156 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 129822
2019-05-30 09:31:06,302 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully
2019-05-30 09:31:06,360 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2019-05-30 09:31:06,361 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo1
2019-05-30 09:31:08,215 [cuckoo.core.scheduler] DEBUG: Released database task #2
2019-05-30 09:31:08,244 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #2
2019-05-30 09:31:08,244 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2019-05-30 09:31:08,245 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #2
2019-05-30 09:31:08,245 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #2
2019-05-30 09:31:08,245 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #2
2019-05-30 09:31:08,246 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #2
2019-05-30 09:31:08,246 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #2
2019-05-30 09:31:08,247 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #2
2019-05-30 09:31:08,263 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #2
2019-05-30 09:31:08,504 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #2
2019-05-30 09:31:08,511 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #2
2019-05-30 09:31:08,516 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #2
2019-05-30 09:31:08,522 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #2
2019-05-30 09:31:08,522 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #2
2019-05-30 09:31:08,523 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #2
2019-05-30 09:31:08,525 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #2
2019-05-30 09:31:08,527 [cuckoo.core.plugins] DEBUG: Running 540 signatures
2019-05-30 09:31:08,644 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2019-05-30 09:31:08,644 [cuckoo.core.scheduler] INFO: Task #2: reports generation completed
2019-05-30 09:31:08,653 [cuckoo.core.scheduler] INFO: Task #2: analysis procedure completed
# Resources
[cuckoo](https://cuckoo.sh/docs/introduction/index.html)
I know that looks like a lot, and it is. You can trim it down by omitting -d. However, the debug output does give a bit more insight: for example, if the guest and host cannot connect, you will see it here.
Two things in this run deserve a second look. Both tasks log the WARNING "Analysis results folder does not contain any behavior log files", and each analysis finished within a few seconds of the guest reporting ready. That means the in-guest monitor produced no API-call trace, so the behaviour section of these reports will be empty and only the static, strings, screenshot and pcap results carry any information. These two binaries are the FuzzBunch tools that the Metasploit module drives with command-line options; started on their own with no arguments and no target there is little for them to do, which is consistent with the near-instant completion. Other common causes of the same warning are the monitor failing to inject into the sample's process and the guest being unable to reach the result server on 192.168.56.1:2042. Either way, an analysis that ends this quickly with that warning should not be read as "the sample is benign".
This is cool and all, but we want data! Information about what just happened can be found under ~/.cuckoo/storage/analyses, one directory per task ID. Since I submitted Doublepulsar-1.3.1.exe first, it can be found in ~/.cuckoo/storage/analyses/1, making ~/.cuckoo/storage/analyses/2 Eternalblue-2.2.0.exe.
If you cd into ~/.cuckoo/storage/analyses/1 and run ls -gG you get:
-rw-rw-r-- 1 1752 May 30 09:30 analysis.log
lrwxrwxrwx 1 103 May 30 09:30 binary -> ~/.cuckoo/storage/binaries/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13
drwxrwxr-x 2 4096 May 30 09:30 buffer
-rw-rw-r-- 1 4310 May 30 09:30 cuckoo.log
-rw-rw-r-- 1 5292 May 30 09:30 dump.pcap
-rw-rw-r-- 1 5292 May 30 09:30 dump_sorted.pcap
drwxrwxr-x 2 4096 May 30 09:30 extracted
drwxrwxr-x 2 4096 May 30 09:30 files
-rw-rw-r-- 1 114 May 30 09:30 files.json
drwxrwxr-x 2 4096 May 30 09:30 logs
drwxrwxr-x 2 4096 May 30 09:30 network
-rw-rw-r-- 1 0 May 30 09:30 reboot.json
drwxrwxr-x 2 4096 May 30 09:30 reports
drwxrwxr-x 2 4096 May 30 09:30 shots
-rw-rw-r-- 1 796 May 30 09:30 task.json
-rw-rw-r-- 1 0 May 30 09:30 tlsmaster.txt
Exploring these files will help you understand what the malware did: analysis.log is the in-guest analyzer's log, cuckoo.log the host-side log for this task, dump.pcap the traffic tcpdump captured on vboxnet0, shots/ the screenshots, files/ any dropped files, logs/ the monitor's behaviour logs (empty here, hence the warning above), and reports/report.json the consolidated JSON report. Reading raw JSON gets old quickly, so let's use the built-in web interface.
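The report a practitioner actually reads is reports/report.json, so here is a small summariser for it. This is an added example, not code from the original post or from the Cuckoo project: it walks the ~/.cuckoo/storage/analyses/<task id>/reports/report.json layout, pulls out the score, signatures, contacted hosts and dropped files, and flags the failure mode shown in the log above, an analysis that "completed successfully" but has no behaviour log behind it. The field names follow the Cuckoo 2.0 report layout as I know it; the two sample reports embedded at the bottom are constructed for this example and are not real output.

```python
"""Summarise a Cuckoo 2.x report.json and flag analyses with no behaviour log.

Added example, not part of the original post or of Cuckoo. The constructed
sample reports at the bottom stand in for real JsonDump output.
"""
import json
import os
import tempfile

ANALYSES = os.path.expanduser("~/.cuckoo/storage/analyses")


def report_path(task_id, base=ANALYSES):
    """Location of one task's JSON report; task IDs come from `cuckoo submit`."""
    return os.path.join(base, str(task_id), "reports", "report.json")


def load_report(task_id, base=ANALYSES):
    with open(report_path(task_id, base)) as fh:
        return json.load(fh)


def summarise(report):
    """Reduce a report dict to the handful of fields worth a first look."""
    info = report.get("info", {})
    target = report.get("target", {}).get("file", {})
    network = report.get("network", {})
    # Cuckoo 2.0 records contacted hosts as plain IP strings; tolerate dicts too.
    hosts = [h.get("ip") if isinstance(h, dict) else h for h in network.get("hosts", [])]
    sigs = sorted(report.get("signatures", []), key=lambda s: -s.get("severity", 0))
    processes = report.get("behavior", {}).get("processes", [])
    return {
        "task_id": info.get("id"),
        "sample": target.get("name"),
        "sha256": target.get("sha256"),
        "score": info.get("score", 0.0),
        "duration": info.get("duration"),
        "signatures": [(s.get("severity", 0), s.get("name")) for s in sigs],
        "hosts": hosts,
        "domains": [d.get("domain") for d in network.get("domains", [])],
        "dropped": [(d.get("name"), d.get("sha256")) for d in report.get("dropped", [])],
        "processes": len(processes),
        # No monitored processes means the monitor never logged anything, so the
        # score and signatures rest on static results only.
        "behaviour_captured": bool(processes),
    }


def render(s):
    lines = ["Task #%s  %s  sha256=%s" % (s["task_id"], s["sample"], s["sha256"]),
             "  score %.1f  duration %ss  monitored processes %d"
             % (s["score"], s["duration"], s["processes"])]
    if not s["behaviour_captured"]:
        lines.append("  WARNING: no behaviour log; do not read a low score as benign")
    for sev, name in s["signatures"]:
        lines.append("  [sev %d] %s" % (sev, name))
    for host in s["hosts"]:
        lines.append("  host    %s" % host)
    for name, sha in s["dropped"]:
        lines.append("  dropped %s %s" % (name, sha))
    return "\n".join(lines)


# Constructed sample reports. Task 1 mirrors the run in the post: it "completed"
# but the behaviour log is empty. Task 2 is an invented positive case.
SAMPLE_REPORTS = {
    1: {"info": {"id": 1, "score": 0.0, "duration": 3},
        "target": {"category": "file", "file": {"name": "sample1.exe", "sha256": "a" * 64}},
        "signatures": [], "network": {"hosts": [], "domains": []},
        "dropped": [], "behavior": {"processes": []}},
    2: {"info": {"id": 2, "score": 6.4, "duration": 120},
        "target": {"category": "file", "file": {"name": "sample2.exe", "sha256": "b" * 64}},
        "signatures": [{"name": "persistence_autorun", "severity": 3},
                       {"name": "network_http", "severity": 2}],
        "network": {"hosts": ["192.0.2.10"],
                    "domains": [{"domain": "c2.example", "ip": "192.0.2.10"}]},
        "dropped": [{"name": "svchost.exe", "sha256": "c" * 64}],
        "behavior": {"processes": [{"pid": 1234, "process_name": "sample2.exe"}]}},
}


def write_samples(base):
    """Lay the constructed reports out in the directory layout Cuckoo uses."""
    for task_id, report in SAMPLE_REPORTS.items():
        path = report_path(task_id, base)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            json.dump(report, fh)


def demo():
    """Summarise the constructed reports from a temporary storage tree."""
    base = tempfile.mkdtemp(prefix="cuckoo-demo-")
    write_samples(base)
    return {task_id: summarise(load_report(task_id, base)) for task_id in SAMPLE_REPORTS}


if __name__ == "__main__":
    for summary in demo().values():
        print(render(summary))
```

Against a real installation, call `summarise(load_report(1))` with the default base; the `behaviour_captured` flag is the one to check before trusting a score of 0.0, for exactly the reason the log above shows.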
Cuckoo Web Interface
The web interface needs MongoDB, which was already installed in the host setup above. If you skipped that step, on Ubuntu just use the following.
sudo apt install mongodb
Modify ~/.cuckoo/conf/reporting.conf
from.
[mongodb]
enabled = no
To
[mongodb]
enabled = yes
Once that's finished, make sure the MongoDB server (mongod) is running; on Ubuntu the package installs it as the mongodb service.
sudo systemctl start mongodb
Running mongo on its own only opens the client shell, which is a quick way to confirm the server is reachable.
Start up cuckoo
cuckoo
Then start the web service with
cuckoo web runserver 127.0.0.1:8080
Binding to 127.0.0.1 keeps the interface off the network, which is what you want: this is Django's development server and it is not meant to be exposed. Navigate to http://127.0.0.1:8080 in your browser and you should see the home page. Here you can upload files, URLs, or hashes and submit them for analysis, and browse the reports instead of reading the raw JSON. This provides a much easier way to consume the data.