Cuckoo Malware Analysis

Overview of this book

Cuckoo Sandbox is a leading open source automated malware analysis system. This means that you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will provide you with some detailed results outlining what said file did when executed inside an isolated environment. Cuckoo Malware Analysis is a hands-on guide that will provide you with everything you need to know to use Cuckoo Sandbox with added tools like Volatility, Yara, Cuckooforcanari, Cuckoomx, Radare, and Bokken, which will help you to learn malware analysis in an easier and more efficient way. Cuckoo Malware Analysis will cover basic theories in sandboxing, automating malware analysis, and how to prepare a safe environment lab for malware analysis. You will get acquainted with Cuckoo Sandbox architecture and learn how to install Cuckoo Sandbox, troubleshoot the problems after installation, submit malware samples, and also analyze PDF files, URLs, and binary files. This book also covers memory forensics – using the memory dump feature, additional memory forensics using Volatility, viewing result analyses using the Cuckoo analysis package, and analyzing APT attacks using Cuckoo Sandbox, Volatility, and Yara. Finally, you will also learn how to screen Cuckoo Sandbox against VM detection and how to automate the scanning of e-mail attachments with Cuckoo.

Installing Cuckoo Sandbox

Let us see what the important components are when installing Cuckoo Sandbox.

Hardware requirements

There are no specific hardware requirements. The minimum is 2 GB of RAM (for virtualization) and about 40 GB of free hard disk space. In this book, I will use the following hardware specifications for the Host OS:

  • Quad Core CPU

  • 4 GB RAM

  • 320 GB HDD

Preparing the host OS

Theoretically, Cuckoo Sandbox can run on every Linux operating system. In this book, all instructions in the Host OS will be conducted in Ubuntu 12.04.

Requirements

Before continuing to the installation and configuration process, you need to install some applications and libraries.

Install Python in Ubuntu

We need to type in the following command:

$ sudo apt-get install python

Cuckoo needs the SQLAlchemy library as the database toolkit for Python, so you need to install SQLAlchemy with the following command line:

$ sudo apt-get install python-sqlalchemy

You can also use the pip command to install SQLAlchemy. pip is a tool for installing and managing Python packages.

$ sudo pip install sqlalchemy

There are other optional dependencies that are mostly used by modules and utilities. The following libraries are not strictly required, but you should install them so that Cuckoo Sandbox runs smoothly in your environment:

  • dpkt: This library is highly recommended and is used for extracting information from PCAP files

  • jinja2: This library is highly recommended and is used for rendering the HTML reports and the web interface

  • magic: This library is optional and is used for identifying file formats (otherwise the file command-line utility is used)

  • ssdeep: This library is optional and is used for calculating fuzzy hashes of files

  • pydeep: This library is optional and is used for calculating ssdeep fuzzy hashes of files

  • pymongo: This library is optional and is used for storing the results in a MongoDB database

  • yara and yara-python: These libraries are optional and are used for matching Yara signatures (use the SVN version)

  • libvirt: This library is optional and is used by the KVM machine manager

  • bottlepy: This library is optional and is used by the web.py and api.py utilities

  • pefile: This library is optional and is used for static analysis of PE32 binaries

All the packages can be installed by using a one-line apt-get command:

$ sudo apt-get install python-dpkt python-jinja2 python-magic python-pymongo python-libvirt python-bottle python-pefile ssdeep

Or you can install all the packages using pip package management (except python-magic and python-libvirt):

$ sudo pip install dpkt jinja2 pymongo bottle pefile

You have to install pydeep for ssdeep fuzzy hashes of samples; but before installing pydeep, we need to install some dependencies:

  • build-essential

  • git

  • libpcre3

  • libpcre3-dev

  • libpcre++-dev

Install them with the following command line:

    $ sudo apt-get install build-essential git libpcre3 libpcre3-dev libpcre++-dev

Next, you have to clone pydeep from the git source (put pydeep in the /opt folder):

$ cd /opt
$ git clone https://github.com/kbandla/pydeep.git pydeep
$ cd /opt/pydeep/
$ python setup.py build
$ sudo python setup.py install

You will also need to install yara to categorize malware samples (put yara in /opt folder):

$ sudo apt-get install automake -y
$ cd /opt
$ svn checkout http://yara-project.googlecode.com/svn/trunk/yara
$ cd /opt/yara
$ sudo ln -s /usr/bin/aclocal-1.11 /usr/bin/aclocal-1.12
$ ./configure
$ make
$ sudo make install
$ cd yara-python
$ python setup.py build
$ sudo python setup.py install

You need to install tcpdump in order to dump network traffic which occurs during analysis:

$ sudo apt-get install tcpdump

If you want to run tcpdump, you need root privileges; but since you don't want Cuckoo to run as root, you'll have to set specific Linux capabilities on the binary, as shown in the following command line:

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

You can verify the results of the last command with:

$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

If you don't have setcap installed, you should install the package that provides it:

$ sudo apt-get install libcap2-bin

Otherwise (not recommended) run the following command line:

$ sudo chmod +s /usr/sbin/tcpdump

The chmod +s command sets the SUID bit (and the SGID bit) on a file, in this case tcpdump. With the SUID bit set on tcpdump, any user can run it and will effectively be root for as long as the tcpdump process is executing. That is why this step is not recommended.
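As an added example (not from the book or the Cuckoo project), the following Python script classifies how tcpdump obtains its capture privileges, so you can confirm the capability route above is in place and the SUID fallback is not. It accepts the getcap output form shown above as well as the newer "path caps=flags" form printed by recent libcap; the binary path and the function names are assumptions.

```python
"""Classify how /usr/sbin/tcpdump obtains its capture privileges so that
Cuckoo can run unprivileged: file capabilities (the setcap route above)
are the intended setup; a setuid bit means every caller becomes root."""
import os
import re
import stat
import subprocess

TCPDUMP = "/usr/sbin/tcpdump"          # path assumed from the chapter
WANTED = frozenset({"cap_net_raw", "cap_net_admin"})


def parse_getcap(line):
    """Turn one getcap output line into (capabilities, flag letters).

    Accepts the older '/path = cap_a,cap_b+eip' form printed in this
    chapter and the newer '/path cap_a,cap_b=eip' form of recent libcap.
    A file with no capabilities yields an empty set."""
    _path, _sep, rest = line.strip().partition(" ")
    match = re.match(r"([a-z0-9_,]+)[+=]([a-z]+)$", rest.lstrip("= "))
    if not match:
        return frozenset(), ""
    return frozenset(match.group(1).split(",")), match.group(2)


def assess(getcap_line, st_mode):
    """Return 'setuid', 'capabilities' or 'none' for the binary.

    setuid is checked first: even with capabilities present, the SUID bit
    still hands full root to every caller, which is the case the chapter
    advises against."""
    caps, flags = parse_getcap(getcap_line)
    if st_mode & stat.S_ISUID:
        return "setuid"
    if WANTED <= caps and set("eip") <= set(flags):
        return "capabilities"
    return "none"


def check_installed(path=TCPDUMP):
    """Inspect the real binary; needs getcap from libcap2-bin on the host."""
    out = subprocess.run(["getcap", path], capture_output=True, text=True)
    return assess(out.stdout, os.stat(path).st_mode)


if __name__ == "__main__":
    print(check_installed())
```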

After you finish setting up the Host OS, you need to install and configure Cuckoo Sandbox in your Host OS.

Setting up Cuckoo Sandbox in the Host OS

In this section, you will set up Cuckoo Sandbox and configure it:

  1. First, download Cuckoo from its website at http://www.cuckoosandbox.org/download.html.

    There are two ways to set Cuckoo up in your Host OS. You can either download the tarball file or you can clone from source using git.

    • If you want to clone from git source, you can do this step:

      $ git clone git://github.com/cuckoobox/cuckoo.git
      
    • If you want to download the tarball file from the website, you can visit the website and then press the Download Cuckoo! button.

  2. After you're finished downloading the file, you have to extract the files into a folder:

    $ tar -zxvf cuckoo-current.tar.gz
    
  3. Before configuring Cuckoo in your Host OS, you need to set up the Guest OS, as the Guest OS will be mentioned in Cuckoo's configuration files (you will write down the Guest OS name in the configuration file). In this book, we will use VirtualBox Version 4.2.12 for 64 bit. You can download VirtualBox from the website https://www.virtualbox.org/wiki/Downloads.

In this book, we will use VirtualBox 4.2.12 for the Linux Host (if you can't find Version 4.2.12, you can use a newer version; if you want to download Version 4.2.12, go to https://www.virtualbox.org/wiki/Download_Old_Builds_4_2). There are several builds of VirtualBox for Linux. We will download the Ubuntu 12.04 LTS ("Precise Pangolin") AMD64 version (this is the 64-bit build; if you are using a 32-bit system, choose the i386 build instead).

Before setting up your Guest OS in VirtualBox, you need to pay attention to the VirtualBox kernel driver (vboxdrv). You need to set up vboxdrv before creating your Guest OS, and to do so you must install the kernel headers for your running Linux kernel, which are required to compile vboxdrv. To check your kernel version, use this command:

$ uname -a

You will see an output like this:

Linux digit-labs 3.5.0-17-generic #28-ubuntu SMP Tue Oct 9 19:31:23 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

It means you are using kernel version 3.5.0-17, and you need to install the matching kernel headers using this command:

$ sudo apt-get install linux-headers-3.5.0-17-generic

After you're finished installing the Linux headers, you can set up vboxdrv with the following command lines:

$ sudo /etc/init.d/vboxdrv setup
* Stopping VirtualBox kernel modules         [OK]
* Recompiling VirtualBox kernel modules        [OK]
* Starting VirtualBox kernel modules        [OK]

If all the output is OK, it means you can now set up the Guest OS.

Preparing the Guest OS

The required specifications to set up the Guest OS are listed as follows:

  • 1 GB RAM

  • 10 GB of hard disk space

  • VDI format for the virtual disk

  • Dynamically allocated storage

  • Windows XP SP3

Note

When you are installing the Guest OS, note the Guest OS name you choose, because you will enter it in Cuckoo Sandbox's VirtualBox configuration file.

In the first step, we will create the guest OS. Enter your guest OS name and operating system type. Since we are using Windows XP as the guest OS, choose Windows XP as the OS type and version.

Before you start your Guest OS in VirtualBox, you need to configure the network and the shared folder, and install the VirtualBox Guest Additions to improve its capabilities in the malware analysis process.

Configuring the network

Basically, VirtualBox has several types of network configuration that can be used by the Guest OS. Each type has different capabilities depending on your needs; you can learn more about them on the VirtualBox website:

http://www.virtualbox.org/manual/ch06.html

Tip

Cuckoo is written in Python, so you will need to install Python and other libraries as dependencies. Here is the website from which you can download the malware samples used in this book:

http://www.cuckoosandboxbook.com/

You can download malware samples from the website. They will also provide you with some useful tools that can be downloaded from the same website. If you want to get additional information about this book, you can visit the aforementioned website, and put your comments there.

Based on the explanation on the website, we should use the Host-only networking type, because it will isolate our Guest OS from the outside network. With this networking type, the Host OS and Guest OS can interact with each other, but the Guest OS cannot "see" the outside network or the internet.

  1. In the VirtualBox main window, click on the File button and select Preferences...:

  2. Choose Network in the sidebar to configure your host-only networking, and then click on the green icon that says Add host-only network (Ins) if you hover over it:

  3. Click on the last icon on the side pane that says Edit Host-only Network to view your network configuration. If the DHCP server is not enabled, you need to manually configure your Guest OS IP Address but I suggest you leave it as it is:

  4. Next, you need to set up your Guest OS. Choose your Guest OS first in the sidebar, then click on the Settings option in the VirtualBox main window, and choose Network:

  5. Go to the Adapter 1 tab and tick the option Enable Network Adapter. In the Attached to drop-down menu, you have to choose Host-only Adapter and in the Name drop-down menu choose vboxnet0 (network adapter name is based on what you have created).

  6. After finishing your configuration for the Guest OS, you can start your Guest OS into the beginning installation process.

I assume that you have already finished your Guest OS installation process and logged in to your Guest OS. You will need to manually configure your Guest OS network settings, as the DHCP server is not enabled in the host-only network configuration. Give your Guest OS an IP address in the same network segment as the Host OS. In this case, if you leave the host-only configuration as it is, the Host OS and Guest OS IP addresses will be 192.168.56.1 and 192.168.56.101, respectively.

Try to ping each machine from the other to make sure that the Host OS and Guest OS are connected.

Setting up a shared folder between Host OS and Guest OS

  1. In the Guest OS main window, click on the Devices option and select Shared Folders... as shown in the following screenshot:

  2. Then click on the green icon at the top-right corner of your window that says Add Shared Folder (Ins):

  3. Choose the folder (in your Host OS) that you want to be shared with your Guest OS in the Folder Path (for example /home/username/Downloads or we can make our own folder somewhere else).

  4. Give the shared folder a name (by default your computer will give a shared folder name, you can change the folder name as you wish), and tick the sharing options according to your choice:

  5. Now in your Windows Guest OS, click on the Start menu, right-click on My Computer, and choose Map network drive....

  6. Select the drive you want from the drop-down menu.

  7. In the Folder text field, fill it in with \\vboxsrv\shares (shares is the shared folder name in the previous screenshot).

  8. Go to Computer or Windows Explorer, and you will see the shared folder.

  9. Now, to configure your Guest OS you have to:

    1. Install Python for Windows. You can download the software at http://python.org/download/.

    2. Install the PIL (Python Imaging Library) Python module to create desktop screenshots. This software is available at http://www.pythonware.com/products/pil/.

    3. Turn off automatic Windows updates.

    4. Turn off Windows firewall.

    5. Install third-party applications (Microsoft Office 2003/2007, Acrobat Reader 9.5, Mozilla Firefox 3.6, and so on) at http://www.oldapps.com/. This step is optional.

  10. Next, copy the Python agent to our Windows shared folder using this command line on the Host OS:

    $ cp /home/digit/cuckoo/agent/agent.py /home/digit/cuckoo/shares/
    
  11. From your Windows Guest OS, copy the agent.py file into C:\Python27 folder.

  12. Rename the agent.py file to agent.pyw.

    PYW files run the script without invoking the console window, especially if your program is GUI based. If you double-click the agent.py file, a command prompt window will appear on your desktop. If you rename the file to a .pyw file, there will be no pop-up window appearing on your desktop. It is similar to a background process in Linux.

  13. To always run the agent.pyw file in startup process, you need to put it in the Startup folder in the following paths:

    For Windows XP go to C:\Documents and Settings\username\Start Menu\Programs\Startup.

    For Windows 7 go to C:\Users\iKONspirasi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

  14. After executing agent.pyw, a new socket will be listening on the 0.0.0.0:8000 port. To check it, you should run this command in the command prompt:

    C:\>netstat -aon

    As you can see in the screenshot below:

  15. You also need to configure Host OS IP forwarding and filtering rules using iptables (these commands need root privileges):

    $ sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    $ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ sudo iptables -A POSTROUTING -t nat -j MASQUERADE
    $ sudo sysctl -w net.ipv4.ip_forward=1

  16. The next step is the configuration of Cuckoo Sandbox.

Creating a user

You can either run Cuckoo from your own user or create a new one dedicated just to your sandbox setup. We recommend creating a specific user for your Cuckoo Sandbox environment. Make sure that the user that runs Cuckoo is the same user that you will use to create and run the virtual machines; otherwise Cuckoo will not be able to identify and launch them. Just run the following command line in a terminal:

$ sudo adduser cuckoo

If you're using VirtualBox, make sure the new user belongs to the vboxusers group (or the group you used to run VirtualBox); the -a flag appends the group instead of replacing the user's existing supplementary groups:

$ sudo usermod -a -G vboxusers cuckoo

If you're using KVM or any other libvirt-based module, make sure the new user belongs to the libvirtd group (or the group your Linux distribution uses to run libvirt):

$ sudo usermod -a -G libvirtd cuckoo

Now it's time for the best part, let's install and configure Cuckoo Sandbox.

Installing Cuckoo Sandbox

Extract or check out your copy of Cuckoo to a path of your choice and you're ready to go. For example, we can put it in the /home/username/cuckoo path.

First things first, we need to edit Cuckoo's configuration files, which consist of the following main files:

  • cuckoo.conf: This configuration file contains information about the general behavior and analysis options in Cuckoo Sandbox.

  • <machinemanager>.conf: This file holds the information about your virtual machine configuration. (The filename depends on the virtualization software you use.)

  • processing.conf: This file is used for enabling and configuring the processing modules.

  • reporting.conf: This file contains information about reporting methodologies.

The aforementioned .conf files are described in detail in the following sections.

cuckoo.conf

This file contains the basic and general configuration information of Cuckoo. For example, you can ask Cuckoo to check for the newest version when it is executed. If you use this feature, Cuckoo will download the newest version, and you can keep the old version or delete it. This is controlled by the version_check option in cuckoo.conf. You also declare your virtualization method in cuckoo.conf: for example, if you are using VirtualBox, write machine_manager = virtualbox, or if you are using VMware, change this line to vmware.

You can also write down the Host OS IP address and port number that will be used by Cuckoo Sandbox. By default, the IP address is set to 192.168.56.1 (because we are using the host-only networking method), and the default port is 2042. Don't forget to define your networking interface: we have defined the interface for Cuckoo as vboxnet0 (see the discussion about VirtualBox configuration in the Configuring the network section).

<machinemanager>.conf

Machine managers are the modules that define how Cuckoo will interact with your virtualization tools. In cuckoo.conf, you write down your virtualization software. If you use VirtualBox, <machinemanager>.conf refers to the virtualbox.conf configuration file. If you use VMware, <machinemanager>.conf refers to the vmware.conf file.

In this book we use VirtualBox, so you just need to pay attention to the virtualbox.conf file. You can edit this file based on your needs. For example, if you want to run VirtualBox with its GUI, set mode = gui. If you feel comfortable using VirtualBox from the command line, write mode = headless in virtualbox.conf.

Remember that during the Guest OS installation, I mentioned that you need to pay attention while naming the Guest OS, because you will enter the Guest OS name in this configuration. In the [cuckoo1] section, you specify the Guest OS name. If you named your Guest OS cuckoo1, set label = cuckoo1 (don't forget that we named our Guest OS Windows-cuckoo).

Since we are using Windows XP as the Guest OS, you have to set the platform option to windows:

platform = windows

Don't forget to write down the Guest OS IP address. Because we are using host-only networking, by default the first guest system will be given the IP address 192.168.56.101.
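To catch the mismatches described in the last few paragraphs before starting Cuckoo (a label that is not the real VM name, a wrong platform, a guest IP off the host-only segment), here is an added example that is not the book's or the Cuckoo project's own code. It cross-checks a constructed cuckoo.conf and virtualbox.conf; the INI section and key layout is assumed to follow the Cuckoo release the book covers, and check_configs is a hypothetical helper.

```python
"""Cross-check cuckoo.conf and virtualbox.conf: the label must be a real
VirtualBox VM name, the XP guest needs platform = windows, and the guest IP
must sit on the same host-only segment as the result server IP."""
import configparser
import ipaddress

# Constructed sample files in the INI layout of the Cuckoo release the book
# covers (assumption); replace with the contents of your own conf/ files.
CUCKOO_CONF = """
[cuckoo]
version_check = on
machine_manager = virtualbox

[resultserver]
ip = 192.168.56.1
port = 2042

[sniffer]
enabled = yes
tcpdump = /usr/sbin/tcpdump
interface = vboxnet0
"""

VIRTUALBOX_CONF = """
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
"""

def load(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser

def check_configs(cuckoo_text, vbox_text, vm_names):
    """Return a list of problems (empty means the files agree). vm_names is
    the set of names VirtualBox knows, as printed by 'VBoxManage list vms'."""
    problems = []
    cuckoo, vbox = load(cuckoo_text), load(vbox_text)
    if cuckoo.get("cuckoo", "machine_manager", fallback="") != "virtualbox":
        problems.append("machine_manager in cuckoo.conf is not 'virtualbox'")
    host_ip = ipaddress.ip_address(cuckoo.get("resultserver", "ip"))
    # The host-only adapter created earlier in the chapter is a /24 (vboxnet0).
    segment = ipaddress.ip_network(f"{host_ip}/24", strict=False)
    machines = vbox.get("virtualbox", "machines", fallback="")
    for name in [m.strip() for m in machines.split(",") if m.strip()]:
        if not vbox.has_section(name):
            problems.append(f"machine '{name}' is listed but has no [{name}] section")
            continue
        label = vbox.get(name, "label", fallback="")
        if label not in vm_names:
            problems.append(f"[{name}] label '{label}' is not a VirtualBox VM name")
        if vbox.get(name, "platform", fallback="") != "windows":
            problems.append(f"[{name}] platform should be 'windows' for the XP guest")
        guest_ip = ipaddress.ip_address(vbox.get(name, "ip"))
        if guest_ip == host_ip or guest_ip not in segment:
            problems.append(f"[{name}] ip {guest_ip} is not a guest address on {segment}")
    return problems
```

Feed it the set printed by VBoxManage list vms: with the sample files and a VM really named cuckoo1 it returns an empty list, while a VM named Windows-cuckoo and label = cuckoo1 is reported before Cuckoo fails to start the machine.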

processing.conf

This configuration file will allow you to enable, disable, and configure all the processing modules.

Basically, you do not need to make any changes to the default configuration in this file. But you can add your own VirusTotal API key in it. If you don't have a VirusTotal account yet and want to have one, just create an account in VirusTotal's website at https://www.virustotal.com/en/, and put the key in this line:

# Add your VirusTotal API key here. The default API key, kindly
# provided by the VirusTotal team, should enable you with a
# sufficient throughput and while being shared with all our users,
# it should not affect your use.
key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088

reporting.conf

The conf/reporting.conf file contains information on automated report generation: the methodologies or kinds of reports that you want to produce after the analysis process completes. You can enable or disable each reporting method.

After you finish configuring your Cuckoo Sandbox environment, you can test your first malware analysis process.

The virtual machine is now ready to test malware, but for the first time you need to create a snapshot file using this command:

$ vboxmanage snapshot "WIndows-cuckoo" take "WIndows-cuckooSnap01" --pause 

The following commands are used to restore the snapshot:

$ vboxmanage controlvm "WIndows-cuckoo" poweroff
$ vboxmanage snapshot "WIndows-cuckoo" restorecurrent
$ vboxheadless --startvm "WIndows-cuckoo"

The snapshot of the Guest OS is the most important part for the process of analyzing malware using Cuckoo Sandbox. Make sure everything is set and ready to analyze malware and carry out the following steps to perform the analysis:

  1. To start your Cuckoo Sandbox, you need to run:

    $ ./cuckoo.py
    

    The output from your terminal will be something like the following screenshot:

  2. Cuckoo is now running and waiting for analysis. You can submit sample malware or malicious URLs. You have to change the directory to /cuckoo/utils/ and then use the submit.py file to perform a malware analysis:

    Then, the output from Cuckoo's main window will be something like the following screenshot: