Cuckoo Sandbox on Windows 10 Linux Subsystem

Disclaimer

This blog may not be 100% complete and may be updated as I add or update what is missing or unclear. Also, some items are left for you to work out, as this project had a lot of moving parts and this post could not cover every single thing that popped up. For example, you will be responsible for some configuring on your own (Volatility).

Use this blog as a guide and you should be successful or close to it.

Setting up your Windows Subsystem for Linux

First, we need to install Windows Subsystem for Linux.

It is nicely documented here: https://msdn.microsoft.com/enus/commandline/wsl/install_guide

Attributions

Trustwave's approach is documented HERE. I couldn't get that method to work, which is why I'm writing this blog detailing what worked for me. Some of the configuration comes from the Trustwave blog, and even more comes directly from the Cuckoo docs website.

Reality

Cuckoo Sandbox itself runs entirely inside the Linux Subsystem. Because WSL can launch Windows programs on the host, the sandbox VM runs in VirtualBox on the host, and Cuckoo drives it by calling VBoxManage.exe through the /mnt/c mount.

When all is done you should have a fully functional Cuckoo Sandbox running under the Linux Subsystem for Windows 10, using a VirtualBox Windows 10 sandbox guest, with Windows Defender still protecting the host Windows 10 while leaving the Cuckoo working directory alone so it does not quarantine the samples and analysis artifacts stored there.

The only drawback is that each Cuckoo service has to be started by hand, because WSL has no systemd or other init process to autostart services. It's a small sacrifice in my eyes.

Preparing the Host

Windows Defender Exclusion

The quick and dirty method for excluding your Cuckoo Sandbox from Windows Defender on the host OS is to find the folder below. It is the root of the Ubuntu distribution's filesystem (under LocalState\rootfs), so everything Cuckoo writes into its working directory, including the samples it keeps, lives beneath it. Note that the part after the underscore ( _ ) will be different on your machine. Copy the full path to your clipboard.

C:\Users\jeff\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu16.04onWindows_79rhkp1fndgsc

Open Windows 10 Settings and launch Update & Security.

Click on Windows Security, then click Open Windows Defender Security Center.

Click on Virus & threat protection.

Click on Virus & threat protection settings.

Scroll down until you see Exclusions, then click it.

Click the + and select Folder, then paste the path saved in your clipboard or browse to it manually.

Requirements (Linux Subsystem)

Open up the Bash on Ubuntu on Windows application to start the shell. To keep things simple, install everything system-wide with apt and pip rather than in a virtualenv. Do this:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
sudo apt-get install python-virtualenv python-setuptools
sudo apt-get install libjpeg-dev zlib1g-dev swig
sudo apt-get install mongodb
# mysql-server is what "service mysql start" and the MySQL configuration below need;
# libmysqlclient-dev is required to build the mysql-python binding
sudo apt-get install mysql-server libmysqlclient-dev
sudo pip install m2crypto==0.24.0
sudo pip install distorm3
sudo pip install pycrypto
sudo pip install volatility
sudo pip install mysql-python
sudo service mysql start
sudo service mongodb start

# Guacamole
sudo apt -y install libcairo2-dev libjpeg-turbo8-dev libpng-dev libossp-uuid-dev libfreerdp-dev
# build-dep only works once the deb-src lines in /etc/apt/sources.list are uncommented and apt update has been run
sudo apt -y build-dep guacd
mkdir /tmp/guac-build && cd /tmp/guac-build
wget https://www.apache.org/dist/guacamole/0.9.14/source/guacamole-server-0.9.14.tar.gz
tar xvf guacamole-server-0.9.14.tar.gz && cd guacamole-server-0.9.14
./configure --with-init-dir=/etc/init.d
make && sudo make install && cd ..
sudo ldconfig
sudo /etc/init.d/guacd start

# Cuckoo
sudo pip install -U pip setuptools
sudo pip install -U cuckoo

MySQL Configuration

First, use the mysql program to connect to the server as the MySQL root user:
shell> mysql --user=root mysql

If you have assigned a password to the root account, you must also supply a --password or -p option.

After connecting to the server as root, you can add new accounts. The following example uses CREATE DATABASE, CREATE USER and GRANT statements to set up the cuckoo database and the single account Cuckoo connects with; the same user name, password and database name go into the connection string in cuckoo.conf later. The account is restricted to localhost, but pick a stronger password than the one shown. Cuckoo only needs privileges on its own database, so WITH GRANT OPTION is left out.

mysql> CREATE DATABASE cuckoo;
mysql> CREATE USER 'cuckoo'@'localhost' IDENTIFIED BY 'cuckoo';
mysql> GRANT ALL PRIVILEGES ON cuckoo.* TO 'cuckoo'@'localhost';
mysql> FLUSH PRIVILEGES;

Tcpdump

WinDump is basically tcpdump for the Windows platform and you can download it from here: https://www.winpcap.org/windump/install/default.htm.

The default file name of WinDump is windump.exe. I just renamed it to tcpdump.exe on my installation.

In addition, Cuckoo has a wrapper for tcpdump called sniffer.py. It launches tcpdump and parses its stderr output, treating any line that is not on a short allow-list as a sniffer error. The only problem is that tcpdump's output on Windows behaves slightly differently: it ends each line with "\r\n", so when sniffer.py splits on "\n" alone every line keeps a trailing "\r" and nothing on the allow-list matches. Because of this I had to tweak sniffer.py to make it work properly. To make the same change you will need to open the file sniffer.py and edit the following line by adding a "\r" to it.

for line in err.split("\r\n"):
    if not line or line.startswith(err_whitelist_start):
        continue

NOTE: “\r” was added. You also want to edit the following:

err_whitelist_start = (
    "tcpdump: listening on ",
    "/mnt/c/bin/tcpdump.exe: listening on ",
)

NOTE: The path should reflect the actual path to where you installed tcpdump.exe

It also seems that sniffer.py is designed to expect only one network adapter for both internet access and to communicate with the Cuckoo agent. However, in this exercise, I set up my guest image to use two network adapters. I will discuss this further in the next section of this blog, "Preparing the Guest". I have modified the following few lines of code in sniffer.py to make the packet capturing work.

NOTE: The default configuration wants to capture packets from the IP you have entered in ‘virtualbox.conf’, but in my case the Internet connection goes through the NAT adapter. For us to be able to capture network activities of the malware, we will capture packets that come in and out of the host machine.
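An added example, not Cuckoo's own sniffer.py, that shows the broken and the tolerant stderr check side by side. The unpatched check splits on "\n" only, so every WinDump line keeps its trailing "\r" and the allow-list never matches; the tolerant version uses splitlines(), which accepts both line endings, and derives the allow-list from the configured tcpdump path instead of hard-coding /mnt/c/bin, which goes a bit beyond the one-line edit above. The stderr samples and the adapter GUID are constructed for the example.

```python
# Added example, not Cuckoo's own sniffer.py. Cuckoo starts tcpdump, reads its
# stderr and treats any line that is not on an allow-list as a sniffer error.
# The two functions below show the unpatched check and a tolerant one.

ERR_WHITELIST_START = (
    "tcpdump: listening on ",
)
ERR_WHITELIST_END = (
    "packets captured",
    "packets received by filter",
    "packets dropped by kernel",
)

# Constructed sample stderr in WinDump style: "\r\n" endings and the binary
# reported under the path it was started with. The adapter GUID is a placeholder.
WINDUMP_OK = (
    "/mnt/c/bin/tcpdump.exe: listening on "
    "\\Device\\NPF_{00000000-0000-0000-0000-000000000000}, "
    "link-type EN10MB (Ethernet), capture size 262144 bytes\r\n"
    "12 packets captured\r\n"
    "12 packets received by filter\r\n"
    "0 packets dropped by kernel\r\n"
)
# Constructed sample: the same binary failing to open the adapter.
WINDUMP_FAIL = (
    "/mnt/c/bin/tcpdump.exe: "
    "\\Device\\NPF_{00000000-0000-0000-0000-000000000000}: Permission denied\r\n"
)
# Constructed sample in Linux tcpdump style.
LINUX_OK = (
    "tcpdump: listening on eth1, link-type EN10MB (Ethernet), "
    "capture size 262144 bytes\n"
    "3 packets captured\n"
    "3 packets received by filter\n"
    "0 packets dropped by kernel\n"
)


def naive_sniffer_errors(err):
    r"""The unpatched check: split on "\n" only.

    Every WinDump line keeps its trailing "\r", so neither the startswith()
    nor the endswith() allow-list matches and all four summary lines are
    reported as errors.
    """
    problems = []
    for line in err.split("\n"):
        if not line or line.startswith(ERR_WHITELIST_START):
            continue
        if line.endswith(ERR_WHITELIST_END):
            continue
        problems.append(line)
    return problems


def sniffer_errors(err, tcpdump_path="tcpdump"):
    r"""Tolerant check that works for Linux tcpdump and WinDump alike.

    splitlines() accepts "\n" and "\r\n". tcpdump prefixes its messages with
    the name it was invoked as, so the allow-list is also keyed on the
    configured path (e.g. "/mnt/c/bin/tcpdump.exe: listening on ...") rather
    than hard-coding one installation path.
    """
    if isinstance(err, bytes):
        err = err.decode("utf-8", "replace")
    starts = ERR_WHITELIST_START + tuple(
        "%s: %s" % (tcpdump_path, s[len("tcpdump: "):]) for s in ERR_WHITELIST_START
    )
    problems = []
    for line in err.splitlines():
        if not line or line.startswith(starts):
            continue
        if line.endswith(ERR_WHITELIST_END):
            continue
        problems.append(line)
    return problems


if __name__ == "__main__":
    print("unpatched, WinDump:", naive_sniffer_errors(WINDUMP_OK))
    print("tolerant, WinDump: ", sniffer_errors(WINDUMP_OK, "/mnt/c/bin/tcpdump.exe"))
    print("tolerant, failure: ", sniffer_errors(WINDUMP_FAIL, "/mnt/c/bin/tcpdump.exe"))
```

Run it and the unpatched check reports all four WinDump lines, including the harmless "listening on" banner, while the tolerant check reports nothing for a clean run and only the "Permission denied" line for the failing one; that last case is the symptom described in the status notes at the end of this post.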

Preparing the Guest

I use VirtualBox to create virtual machines and I setup 2 network adapters, one is Host-Only and the other one is NAT. The Host-Only adapter is used by Cuckoo to communicate with the Agent inside the guest image while the NAT adapter is for Internet access. For the Cuckoo setup in Linux, you only need one Host-Only adapter for both Internet access and Cuckoo Agent communication. I haven’t explored that possibility on Windows host yet, but if you do, I’d be happy to hear it.

To configure the Host-only adapter with DHCP disabled follow these steps:

Open VirtualBox Manager
Click File > Preferences > Network
Click on Host-only Networks Tab
Highlight “VirtualBox Host-Only Ethernet Adapter” and click on Edit (the icon that looks like Screw-driver)
Click on DHCP Server tab
Uncheck “Enable Server”

Since the host-only DHCP server is now disabled, give the guest a static IP address on its host-only adapter. The default IP range for the VirtualBox host-only adapter is 192.168.56.0/24; the configuration later in this post uses 192.168.56.101 for the guest and 192.168.56.1 for the host side. Finally, make sure that you turn off Windows Firewall, Windows Defender, and Windows Update inside the guest.

Once you have properly installed your virtualization software, you can proceed on creating all the virtual machines you need.

Using and configuring your virtualization software is out of the scope of this guide, so please refer to the official documentation.

When creating the virtual machine, Cuckoo doesn’t require any specific configuration. You can choose the options that best fit your needs. You can look here for some hints on creating your sandbox VM to be more authentic:

https://cuckoo.sh/docs/introduction/sandboxing.html

Your Windows 10 VM should be fully configured to look used. Install Python 2.7 32-bit with the Pillow library (for screenshots), 32- and 64-bit Java, Adobe Reader, Adobe Flash, Chrome, Firefox, and anything else to make the sandbox OS look like a regular, everyday user's machine. Disable Windows Defender, Firewall, Windows Update, and updates for all applications installed.

Download and move into place the agent.py file found here:

https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/cuckoo/data/agent/agent.py

Rename agent.py to agent.pyw (so it runs without a console window) and place it into the primary user's Startup folder under AppData, usually located here. The agent listens on TCP port 8000 in the guest, which is why the guest firewall must be off or that port allowed for Cuckoo to reach it.

C:\Users\jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Now to make your Win10 sandbox VM function properly, you have to remove MS Edge and force Internet Explorer as the default browser. To do this, download and extract this tool to your VM and run it as Administrator. It is a third-party binary from a file host, so treat it like any other untrusted download: run it only inside the disposable guest, never on the host, and take the VM snapshot Cuckoo will restore from after it has done its work.

https://www.webeaver.com/538978/33e1441abbd9905d616bbb0da3ec00ff/download-uninstall-edge-zip

Cuckoo Basic Configuration

cuckoo.conf

[cuckoo]
version_check = yes
delete_original = no
delete_bin_copy = no
machinery = virtualbox
memory_dump = no
terminate_processes = no
reschedule = no
process_results = yes
max_analysis_count = 0
max_machines_count = 0
max_vmstartup_count = 10
freespace = 1024
tmppath =
rooter = /tmp/cuckoo-rooter

[feedback]
enabled = no
name =
company =
email =

[resultserver]
ip = 192.168.56.1
port = 2042
force_port = no
upload_max_size = 134217728

[processing]
analysis_size_limit = 134217728
resolve_dns = yes
sort_pcap = yes

[database]
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:5432/mydatabase
# mysql://foo:bar@localhost/mydatabase
# If empty, defaults to a SQLite3 database at $CWD/cuckoo.db.
connection = mysql://cuckoo:cuckoo@127.0.0.1/cuckoo
timeout = 60

[timeouts]
default = 120
critical = 60
vm_state = 60

[remotecontrol]
enabled = no
guacd_host = localhost
guacd_port = 4822

auxiliary.conf

[sniffer]
enabled = yes
tcpdump = /mnt/c/bin/tcpdump.exe
# NOTE: the location path depends on where you installed windump.exe. And I renamed windump.exe to tcpdump.exe

virtualbox.conf

[virtualbox]
path = /mnt/c/Program Files/Oracle/VirtualBox/VBoxManage.exe
interface = \Device\NPF_{57998A2E-0606-4E86-A107-E7856A3794A3}
# NOTE: to list all network interfaces, do the following command:
# C:\bin\tcpdump> tcpdump.exe -D
machines = win10

[win10]
# the label is the VM name shown in VirtualBox Manager; keep comments on their own
# line, because a "# ..." after the value is passed to VBoxManage as part of the name
label = win10
platform = windows
ip = 192.168.56.101
snapshot = Snapshot1

reporting.conf

[mongodb]
enabled = yes
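Cuckoo reads these files with Python's stock ConfigParser, which treats a "# ..." written after a value on the same line as part of the value, so a commented label becomes the literal VM name handed to VBoxManage. The checker below is an added example, not part of Cuckoo; it parses constructed copies of the virtualbox.conf and cuckoo.conf fragments above (with a placeholder adapter GUID) and flags inline comments in machine settings, a resultserver or guest address outside the host-only network, a guest address colliding with the resultserver, and a VBoxManage path that is not reached through a /mnt/<drive> mount.

```python
import configparser
import ipaddress

# Constructed copies of the virtualbox.conf and cuckoo.conf fragments above.
# The adapter GUID is a placeholder; the inline comment on the label line is
# the one that breaks VM lookup.
VIRTUALBOX_CONF = r"""
[virtualbox]
path = /mnt/c/Program Files/Oracle/VirtualBox/VBoxManage.exe
interface = \Device\NPF_{00000000-0000-0000-0000-000000000000}
machines = win10

[win10]
label = win10 # The label name of my guest image
platform = windows
ip = 192.168.56.101
snapshot = Snapshot1
"""

CUCKOO_CONF = """
[resultserver]
ip = 192.168.56.1
port = 2042
"""

MACHINE_KEYS = ("label", "platform", "ip", "snapshot")


def load(text):
    """Parse an INI fragment the way Cuckoo does: a stock ConfigParser.

    With default settings an inline "# ..." after a value is not a comment;
    it is part of the value.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def strip_comment(value):
    """Value with any trailing inline comment removed, for the follow-up checks."""
    return value.split("#", 1)[0].split(";", 1)[0].strip()


def check_configs(vbox_text, cuckoo_text, hostonly_net="192.168.56.0/24"):
    """Return a list of problems found; an empty list means the fragments look sane."""
    vbox, cuckoo = load(vbox_text), load(cuckoo_text)
    net = ipaddress.ip_network(hostonly_net)
    problems = []

    # From WSL, Windows binaries are reached through the /mnt/<drive> mounts.
    vbox_path = vbox.get("virtualbox", "path")
    if not vbox_path.startswith("/mnt/"):
        problems.append("virtualbox path %r is not a /mnt/<drive> path" % vbox_path)

    rs_ip = ipaddress.ip_address(strip_comment(cuckoo.get("resultserver", "ip")))
    if rs_ip not in net:
        problems.append("resultserver ip %s is not on the host-only network %s" % (rs_ip, net))

    for name in vbox.get("virtualbox", "machines").split(","):
        name = name.strip()
        if not vbox.has_section(name):
            problems.append("machines lists %r but there is no [%s] section" % (name, name))
            continue
        for key in MACHINE_KEYS:
            value = vbox.get(name, key, fallback="")
            if not value:
                problems.append("[%s] is missing %s" % (name, key))
            elif "#" in value or ";" in value:
                # VBoxManage would be asked for a VM literally named 'win10 # ...'.
                problems.append("[%s] %s = %r carries an inline comment; move it to its own line" % (name, key, value))
        ip_value = strip_comment(vbox.get(name, "ip", fallback=""))
        if ip_value:
            guest_ip = ipaddress.ip_address(ip_value)
            if guest_ip not in net:
                problems.append("[%s] ip %s is not on %s" % (name, guest_ip, net))
            elif guest_ip == rs_ip:
                problems.append("[%s] ip %s collides with the resultserver ip" % (name, guest_ip))
    return problems


if __name__ == "__main__":
    print("label as Cuckoo sees it:", repr(load(VIRTUALBOX_CONF).get("win10", "label")))
    for problem in check_configs(VIRTUALBOX_CONF, CUCKOO_CONF):
        print("PROBLEM:", problem)
```

Against the fragments as written it reports exactly one problem, the commented label; with the comment moved to its own line it reports none, and changing the resultserver ip to something outside 192.168.56.0/24 (for instance the NAT side) is flagged, which is the mistake to watch for when the guest has both a NAT and a host-only adapter.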

Running Cuckoo

Cuckoo Rooter

sudo cuckoo rooter -g cuckoo &

Cuckoo

cuckoo &

Cuckoo Web

cuckoo web -H 127.0.0.1 -p 8080 &

Cuckoo API

cuckoo api -H 127.0.0.1 -p 8081 &

Status (Updated)

  • Everything starts up properly
    • Cuckoo Runs
    • Cuckoo Web Runs
    • Analysis jobs run to completion
  • TCPDump errors out with a permission denied.
    • Disabled TCPDump for now.
    • The WSL version of tcpdump doesn’t work due to a lack of support for AF_PACKET.
    • Running the tcpdump.exe outside of cuckoo works as expected
      • I ran it while an analysis was running and was successfully seeing packets flow on the host-only interface.
    • Why won’t Cuckoo run tcpdump.exe properly when it definitely runs outside of Cuckoo??
    • The sniffer apparently will start no matter what I set the interface configuration option to:

INFO: Started sniffer with PID 13356 (interface=eth1, host=192.168.56.101)

  • Looking to see if Suricata will work.
    • Nope, no pcap means no suricata
