As a company grows in size and its public image becomes more and more prominent, it is inevitable that it will become a more attractive target to attackers – whether it be the prime focus of an attack, or the low-hanging fruit attached to a greater one. I certainly see this with my employer, and the effort put into some emails that I have had forwarded to me for inspection following my most recent social engineering test has very much illustrated that we are on the radar of some people who possess both determination and resources. However, regardless of how much effort you put into education you are still guaranteed to get someone who opens a malicious attachment, so to guide incident response you need to analyse the behaviour of the file(s) to have meaningful data to work with.

worst phishing attempt ever – recently sent to our hr team

introducing cuckoo

Cuckoo Sandbox is a malware analysis platform that facilitates the dynamic creation of sandboxed virtual machines – allowing you to safely execute malware samples inside of them. An agent runs on the guest VM, in addition to a suite of software on the host (e.g. tcpdump, Volatility Framework), which work together to produce an easy-to-digest report on observed network, registry, filesystem and memory behavior.

Installation is not simple. There are a lot of version dependencies, which caused me a solid 2-3 of grief… and I suspect that my environment still isn’t running 100% in terms of Cuckoo’s integration with Volatility. However, hopefully my install notes below (note that they are not a “let us hold hands and do this together” walkthrough for newbies) get you up and running with a functional analysis environment of your own.

prepare host

Install Dependencies

  • apt-get update
  • apt-get install autoconf automake build-essential dh-autoreconf flex git libreadline-gplv2-dev libjpeg8-dev zlib1g zlib1g-dev libgdbm-dev libc6-dev libbz2-dev libfreetype6-dev libtool python-dev python-pip python-sqlalchemy mongodb python-bson python-dpkt python-jinja2 python-magic python-gridfs python-libvirt python-bottle python-pefile python-chardet libjansson-dev libmagic-dev libxml2 libxml2-dev libxslt1.1 libxslt1-dev tar unzip
  • pip install django
  • pip install pymongo -U

Install Volatility

Download:

Extract each archive, and follow the build instructions for each:

  • distorm: regular ‘python setup.py build install’ method.
  • pycrypto: regular ‘python setup.py build install’ method.
  • yara:
    • chmod +x bootstrap.sh
    • ./bootstrap.sh
    • ./configure --enable-cuckoo --enable-magic
    • make
    • make install
    • cd yara-python
    • python setup.py build install
    • ldconfig
  • OpenPyxl: regular ‘sudo python setup.py build install’ method.
  • PIL:
    • ln -s -f /lib/$(uname -i)-linux-gnu/libz.so.1 /usr/lib/
    • ln -s -f /usr/lib/$(uname -i)-linux-gnu/libfreetype.so.6 /usr/lib/
    • ln -s -f /usr/lib/$(uname -i)-linux-gnu/libjpeg.so.8 /usr/lib/
  • pytz:
    • easy_install --upgrade pytz
  • iPython: regular ‘sudo python setup.py build install’ method.
  • syft:
    • pip install lxml --upgrade
  • Volatility: regular ‘sudo python setup.py build install’ method.

install cuckoo

Install jansson:

Install ssdeep:

Install pydeep:

Install VirtualBox:

  • vboxmanage hostonlyif create
  • iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
  • iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  • iptables -A POSTROUTING -t nat -j MASQUERADE
  • sysctl -w net.ipv4.ip_forward=1
  • adduser --disabled-password --gecos "" cuckoo
  • usermod -a -G vboxusers cuckoo (the -a is needed, otherwise usermod replaces the user’s existing supplementary groups)

Configure tcpdump:

  • setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Install Cuckoo:

  • cd /opt
  • git clone git://github.com/cuckoobox/cuckoo.git

Apply django Fix:

# Run from /opt, where cuckoo was cloned above.
# verlte returns true when version $1 is less than or equal to version $2.
verlte() { [ "$1" = "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" ]; }
DJANGO_VERSION=$(python -c "import django; print(django.get_version())")
# Only Django versions below 1.5 need the TEMPLATE_DIRS fix.
verlte 1.5 "$DJANGO_VERSION" && FIX_DJANGO=false || FIX_DJANGO=true
if [ "$FIX_DJANGO" = true ]; then
    # Skip the edit if settings.py already carries the fixed TEMPLATE_DIRS tuple.
    if ! grep -A1 "TEMPLATE_DIRS = (" cuckoo/web/web/settings.py | cut -d# -f2 | grep "templates" | grep "(" | grep -q ")"; then
        echo "Fixing settings.py...."
        sed -i '/TEMPLATE_DIRS/{ N; s/.*/TEMPLATE_DIRS = \( \("templates"\),/; }' cuckoo/web/web/settings.py
    fi
fi

build sandbox vm

Stand up a new VM. The platform is of your choosing, however I personally chose Windows XP SP3 Professional. Ensure that you install the Guest Tools, and create a shared folder to allow the easy transfer of files between the host and guest.

Attach the VM to the vboxnet0 host-only network. It should pick up an IP address of 192.168.56.101.

Prepare Guest

Disable:

  • Windows Updates.
  • Windows Firewall.

Install (at a minimum):

Ensure that you disable auto-update for all products, and open each at least once to clear any ‘first time’ pop-ups that may appear and block further execution.

Following the install of Python, add C:\Python27 to the PATH environment variable.

From the host, copy /opt/cuckoo/agent/agent.py to C:\Python27\Scripts\agent.pyw on the guest. Open regedit and navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Enter a new ‘string’ value:

  • Name: CuckooAgent
  • Value: C:\Python27\Scripts\agent.pyw

Restart the guest. Once it returns from the reboot, in a command prompt enter:

  • netstat -ano | findstr 8000

If this returns a result, ensure that the PID of the listening process is that of the Cuckoo Agent.
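The check above is easy to get wrong by eye when several processes are listening, so here is a small script (an added example, written for this post and not part of Cuckoo) that parses the output of netstat -ano and tasklist /FO CSV, finds the single process listening on the agent port, and confirms it is a Python interpreter (agent.pyw runs under pythonw.exe). The sample output embedded below is constructed to show the format, not captured from a real guest, and the script assumes Python 3 for the live check; on the XP guest itself you can run the two commands by hand and paste their output in.

```python
"""Confirm that the process listening on the Cuckoo agent port is the agent.

Added example, not from the original post or the Cuckoo project. It parses the
text printed by 'netstat -ano' and 'tasklist /FO CSV' on a Windows guest.
"""
import csv
import io
import subprocess

AGENT_PORT = 8000  # the port the post checks with netstat -ano | findstr 8000

# Constructed sample of 'netstat -ano' output on an XP guest (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1688
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of 'tasklist /FO CSV' output (not real data).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","1032","Console","0","4,932 K"
"pythonw.exe","1688","Console","0","9,120 K"
'''


def listening_pids(netstat_text, port):
    """Return the set of PIDs owning TCP sockets in LISTENING state on `port`."""
    pids = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns; UDP rows have no State column and are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        local_port = fields[1].rsplit(":", 1)[-1]
        if local_port == str(port):
            pids.add(int(fields[4]))
    return pids


def image_names(tasklist_csv):
    """Map PID -> image name from 'tasklist /FO CSV' output."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def check_agent(netstat_text, tasklist_csv, port=AGENT_PORT):
    """Return (ok, message). ok is True only when exactly one process listens
    on the port and that process is a Python interpreter."""
    pids = listening_pids(netstat_text, port)
    if not pids:
        return False, "nothing is listening on port %d; the agent did not start" % port
    if len(pids) > 1:
        return False, "several PIDs listen on port %d: %s" % (port, sorted(pids))
    pid = pids.pop()
    name = image_names(tasklist_csv).get(pid, "<unknown>")
    if name.lower() not in ("python.exe", "pythonw.exe"):
        return False, "port %d is held by PID %d (%s), not the agent" % (port, pid, name)
    return True, "agent listening on port %d as PID %d (%s)" % (port, pid, name)


def check_live_guest(port=AGENT_PORT):
    """Run the real commands on a Windows guest (requires Python 3.7+ for text=True)."""
    netstat_text = subprocess.check_output(["netstat", "-ano"], text=True)
    tasklist_csv = subprocess.check_output(["tasklist", "/FO", "CSV"], text=True)
    return check_agent(netstat_text, tasklist_csv, port)


if __name__ == "__main__":
    print(check_agent(SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```

If the check fails because another image name owns the port, do not take the snapshot yet: Cuckoo will believe the guest is ready while the real agent never got to bind, and every analysis will time out waiting for it.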

Take a snapshot of the VM with no spaces or symbols in its name. After the snapshot completes you can shut the guest down.

configure cuckoo

Cuckoo mostly works out of the box, however you will need to tweak a few configs to enable memory analysis (Volatility integration) and VirtualBox:

/opt/cuckoo/conf/cuckoo.conf

  • [cuckoo]
    memory_dump = on

/opt/cuckoo/conf/virtualbox.conf

  • [cuckoo1]
    label = cuckoo1
    snapshot = snapshot1

Replace ‘cuckoo1’ with the name of your VM, and ‘snapshot1’ with the name of the snapshot you took.

/opt/cuckoo/conf/memory.conf

  • [basic]
    delete_memdump = yes

/opt/cuckoo/conf/processing.conf

  • [memory]
    enabled = yes

/opt/cuckoo/conf/reporting.conf

  • [maec41]
    enabled = yes
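Because these five edits are spread over five files and easy to miss, here is a script (an added example written for this post, not part of Cuckoo) that applies all of them with Python's configparser and also offers a read-only check you can run before starting cuckoo.py. It assumes Cuckoo's conf files are INI-style (which they are, since Cuckoo itself reads them with ConfigParser), that they live in a directory such as /opt/cuckoo/conf, and that the VM label and snapshot name are the ones you chose above; the demo at the bottom works on a constructed cuckoo.conf in a scratch directory so that nothing under /opt/cuckoo is touched.

```python
"""Apply and verify the Cuckoo configuration changes listed in the post.

Added example, not from the original post or the Cuckoo project. Assumes
INI-style conf files in one directory (e.g. /opt/cuckoo/conf).
"""
import configparser
import os
import tempfile


def required_settings(vm_label, snapshot):
    """The settings the post asks for, keyed by file name, then section."""
    return {
        "cuckoo.conf":     {"cuckoo":  {"memory_dump": "on"}},
        "virtualbox.conf": {vm_label:  {"label": vm_label, "snapshot": snapshot}},
        "memory.conf":     {"basic":   {"delete_memdump": "yes"}},
        "processing.conf": {"memory":  {"enabled": "yes"}},
        "reporting.conf":  {"maec41":  {"enabled": "yes"}},
    }


def _load(path):
    # Interpolation is disabled so a literal '%' in a value never raises.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    if os.path.exists(path):
        parser.read(path)
    return parser


def apply_settings(conf_dir, vm_label="cuckoo1", snapshot="snapshot1"):
    """Write every required option, creating sections and files as needed.
    Returns the (file, section, option) triples that actually changed."""
    changed = []
    for fname, sections in required_settings(vm_label, snapshot).items():
        path = os.path.join(conf_dir, fname)
        parser = _load(path)
        for section, options in sections.items():
            if not parser.has_section(section):
                parser.add_section(section)
            for option, value in options.items():
                if parser.get(section, option, fallback=None) != value:
                    parser.set(section, option, value)
                    changed.append((fname, section, option))
        with open(path, "w") as fh:
            parser.write(fh)
    return changed


def missing_settings(conf_dir, vm_label="cuckoo1", snapshot="snapshot1"):
    """Read-only check. Returns (file, section, option, expected, actual)
    tuples for every setting that does not match; an empty list means ready."""
    problems = []
    for fname, sections in required_settings(vm_label, snapshot).items():
        parser = _load(os.path.join(conf_dir, fname))
        for section, options in sections.items():
            for option, expected in options.items():
                actual = parser.get(section, option, fallback=None)
                if actual != expected:
                    problems.append((fname, section, option, expected, actual))
    return problems


def run_demo(scratch_dir=None):
    """Exercise both functions against a scratch directory holding a
    constructed cuckoo.conf (not a real Cuckoo file)."""
    scratch_dir = scratch_dir or tempfile.mkdtemp()
    with open(os.path.join(scratch_dir, "cuckoo.conf"), "w") as fh:
        fh.write("[cuckoo]\nversion_check = on\nmemory_dump = off\n")
    return {
        "before": missing_settings(scratch_dir, "winxp", "clean"),
        "changed": apply_settings(scratch_dir, "winxp", "clean"),
        "after": missing_settings(scratch_dir, "winxp", "clean"),
        "rerun": apply_settings(scratch_dir, "winxp", "clean"),  # idempotent
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two things to keep in mind when running apply_settings against a real install: configparser rewrites each file without its comments, so keep a copy if you value the inline documentation Cuckoo ships in those files, and virtualbox.conf also has a machines option in its [virtualbox] section that must list your VM's section name, which the post's snippet does not show and this script does not touch.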

producing a report

For testing purposes you can obtain a catalogue of malware from theZoo project on GitHub or build your own.

Start Cuckoo:

  • sudo python /opt/cuckoo/cuckoo.py

Start the Cuckoo web interface:

  • sudo python /opt/cuckoo/utils/web.py

Submit a sample application:

  • sudo python /opt/cuckoo/utils/submit.py /path/to/sample.exe (replace with the path to your sample)

… or submit a URL:

  • sudo python /opt/cuckoo/utils/submit.py --url http://example.com/ (replace with the URL to analyse)

Once the analysis completes you can view the results in your browser and submit new samples by visiting http://localhost:8080.

demo analysis

00:00 – 00:07 – Malware submitted to Cuckoo for analysis.
00:08 – 00:14 – XP SP3 sandbox fired up by Cuckoo. The malware is copied into this and executed.
00:15 – 01:00 – tcpdump, Volatility and various Cuckoo plugins are used to analyse the behavior of the XP VM.
01:01 – 01:44 – Static file analysis.
01:45 – 02:02 – Network activity: addresses contacted, HTTP requests made, etc.
02:02 – 02:10 – Registry access.
02:11 – 03:06 – Dynamic analysis: Crawling through initial load (decryption routines, etc).
03:07 – 04:21 – Dynamic analysis: request to webserver, retrieval of encrypted textfile, initiation of notepad.exe process, injection of shellcode, connection from notepad.exe process out to meterpreter handler.
04:22 – 05:02 – Memory analysis: injection into notepad.exe detected, somewhat excessive notepad process privileges noted.
