This blog may not be 100% complete and may be updated as I add/update what is missing or unclear. Also, some items will be left to you to know as this project had a lot of moving parts and thus could not cover every single thing that popped up. For example, you will be responsible for some configuring on your own (volatility).
Use this blog as a guide and you should be successful or close to it.
Setting up your Windows Subsystem for Linux
First, we need to install Windows Subsystem for Linux.
Trustwave's approach is documented HERE. I couldn't get that method to work, which is why I'm writing this blog detailing what worked for me. Some of the configuration comes from the Trustwave blog, and even more comes directly from the Cuckoo docs website.
Reality
All of Cuckoo Sandbox runs from inside the Linux Subsystem. Because WSL can interact with the host OS, the sandbox VM itself runs under VirtualBox on the host.
When all is done you should have a fully functional Cuckoo Sandbox running under the Linux Subsystem for Windows 10, using a VirtualBox Windows 10 sandbox OS, configured so that Windows Defender protects the host Windows 10 and ignores your malware analysis processing.
The only drawback is that each Cuckoo service has to be started manually, because systemd is not able to hook into the kernel for autostart functionality. It's a small sacrifice in my eyes.
Preparing the Host
Windows Defender Exclusion
The quick and dirty method for excluding your Cuckoo Sandbox from Windows Defender on the host OS is to find the below folder. Note that the part after the underscore ( _ ) will be different. Copy the full path to your clipboard.
First, use the mysql program to connect to the server as the MySQL root user:
shell> mysql --user=root mysql
If you have assigned a password to the root account, you must also supply a --password or -p option.
After connecting to the server as root, you can add new accounts. The following example uses CREATE USER and GRANT statements to set up four accounts:
mysql> CREATE DATABASE cuckoo;
mysql> CREATE USER 'cuckoo'@'localhost' IDENTIFIED BY 'cuckoo';
mysql> GRANT ALL PRIVILEGES ON cuckoo.* TO 'cuckoo'@'localhost'
    -> WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
The default file name of WinDump is windump.exe. I just renamed it to tcpdump.exe on my installation.
In addition, Cuckoo has a wrapper for tcpdump called sniffer.py. It calls tcpdump and parses its output. The only problem is that tcpdump's output on Windows behaves slightly differently, as it adds "\r" to its output. Because of this I had to tweak sniffer.py to make it work properly. To make the same change you will need to open the file sniffer.py and edit the following lines by adding a "\r" to the split string:
for line in err.split("\r\n"):
    if not line or line.startswith(err_whitelist_start):
        continue
NOTE: "\r" was added. You also want to edit the following:
err_whitelist_start = (
    "tcpdump: listening on ",
    "/mnt/c/bin/tcpdump.exe: listening on ",
)
NOTE: The path should reflect the actual path to where you installed tcpdump.exe
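To see why the extra "\r" matters, here is an added example (not Cuckoo's own sniffer.py) that mirrors the structure of the stderr whitelist check over a constructed, CRLF-terminated WinDump stderr; the NPF device name and the error line are made-up placeholders.

```python
# Added example, not Cuckoo's sniffer.py: reproduces the shape of the
# stderr check the wrapper performs on tcpdump's output, fed with a
# constructed WinDump-style stderr whose lines end in "\r\n".

ERR_WHITELIST_START = (
    "tcpdump: listening on ",
    "/mnt/c/bin/tcpdump.exe: listening on ",  # WinDump echoes its argv[0]
)
ERR_WHITELIST_ENDS = (
    "packets captured",
    "packets received by filter",
    "packets dropped by kernel",
)

def suspicious_lines(err, newline="\n"):
    """Return the stderr lines the whitelist does not account for.

    Blank lines, lines starting with a whitelisted prefix and lines ending
    with a whitelisted suffix are fine; anything else would make the wrapper
    report a potential tcpdump error.
    """
    bad = []
    for line in err.split(newline):
        if not line or line.startswith(ERR_WHITELIST_START):
            continue
        if line.endswith(ERR_WHITELIST_ENDS):
            continue
        bad.append(line)
    return bad

def suspicious_lines_portable(err):
    """Same check, but splitlines() accepts both LF and CRLF output."""
    return suspicious_lines("\n".join(err.splitlines()))

# Constructed sample of what WinDump (renamed tcpdump.exe) writes to stderr
# on Windows: every line is terminated with "\r\n". NPF_{EXAMPLE} is a
# placeholder, not a real adapter GUID.
WINDUMP_STDERR = (
    "/mnt/c/bin/tcpdump.exe: listening on \\Device\\NPF_{EXAMPLE}\r\n"
    "12 packets captured\r\n"
    "12 packets received by filter\r\n"
    "0 packets dropped by kernel\r\n"
)
# Constructed error line: a real failure must still be flagged after the fix.
WINDUMP_STDERR_BAD = WINDUMP_STDERR + "tcpdump.exe: error opening adapter\r\n"

if __name__ == "__main__":
    # Splitting on "\n" leaves a trailing "\r" on every line, so the
    # endswith() whitelist misses the summary lines and flags them.
    print(suspicious_lines(WINDUMP_STDERR))            # three flagged lines
    print(suspicious_lines(WINDUMP_STDERR, "\r\n"))    # []
    print(suspicious_lines_portable(WINDUMP_STDERR_BAD))  # only the error
```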
It also seems that sniffer.py is designed to expect only one network adapter for both internet access and communication with the Cuckoo agent. However, in this exercise I set up my Guest Image to use two network adapters. I will discuss this further in the next section of this blog, "Preparing the Guest". I have modified the following few lines of code in sniffer.py to make the packet capturing work.
NOTE: The default configuration wants to capture packets from the IP you have entered in 'virtualbox.conf', but in my case the Internet connection goes through the NAT adapter. To capture the malware's network activity, we instead capture the packets that come in and out of the host machine.
Preparing the Guest
I use VirtualBox to create virtual machines, and I set up 2 network adapters: one is Host-Only and the other is NAT. The Host-Only adapter is used by Cuckoo to communicate with the Agent inside the guest image, while the NAT adapter is for Internet access. For a Cuckoo setup on Linux, you only need one Host-Only adapter for both Internet access and Cuckoo Agent communication. I haven't explored that possibility on a Windows host yet, but if you do, I'd be happy to hear about it.
To configure the Host-only adapter with DHCP disabled follow these steps:
Open VirtualBox Manager
Click File > Preferences > Network
Click on Host-only Networks Tab
Highlight “VirtualBox Host-Only Ethernet Adapter” and click on Edit (the icon that looks like Screw-driver)
Click on DHCP Server tab
Uncheck “Enable Server”
Also, make sure to have a static IP address for your Host-only adapter inside the Guest Image. The default IP range for the VirtualBox Host-Only adapter is 192.168.56.0/24. Finally, make sure that you turn off Windows Firewall, Windows Defender, and Windows Updates.
Once you have properly installed your virtualization software, you can proceed on creating all the virtual machines you need.
Using and configuring your virtualization software is out of the scope of this guide, so please refer to the official documentation.
When creating the virtual machine, Cuckoo doesn’t require any specific configuration. You can choose the options that best fit your needs. You can look here for some hints on creating your sandbox VM to be more authentic:
Your Windows 10 VM should be fully configured to look used. Install Python 2.7 32-bit with the Pillow library (for screenshots), Java 32 and 64-bit, Adobe Reader, Adobe Flash, Chrome, Firefox, and anything else that makes the sandbox OS look like a regular, everyday user's machine. Disable Windows Defender, Firewall, Windows Updates, and updates for all installed applications.
Download and move into place the agent.py file found here:
Now, to make your Win10 sandbox VM function properly, you have to remove MS Edge and force Internet Explorer as the default browser. To do this, download and extract this tool to your VM and run it as Administrator.
[database]
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:5432/mydatabase
# mysql://foo:bar@localhost/mydatabase
# If empty, defaults to a SQLite3 database at $CWD/cuckoo.db.
connection = mysql://cuckoo:cuckoo@127.0.0.1/cuckoo
timeout = 60
[remotecontrol]
enabled = no
guacd_host = localhost
guacd_port = 4822
auxiliary.conf
[sniffer]
enabled = yes
tcpdump = /mnt/c/bin/tcpdump.exe
# NOTE: the location path depends on where you installed windump.exe. And I renamed windump.exe to tcpdump.exe
virtualbox.conf
[virtualbox]
path = /mnt/c/Program Files/Oracle/VirtualBox/VBoxManage.exe
interface = \Device\NPF_{57998A2E-0606-4E86-A107-E7856A3794A3}
# NOTE: to list all network interfaces, do the following command:
# C:\bin\tcpdump> tcpdump.exe -D
machines = win10
[win10]
# The label name of my guest image
label = win10
platform = windows
ip = 192.168.56.101
snapshot = Snapshot1
reporting.conf
[mongodb]
enabled = yes
Running Cuckoo
Cuckoo Rooter
sudo cuckoo rooter -g cuckoo &
Cuckoo
cuckoo &
Cuckoo Web
cuckoo web -H 127.0.0.1 -p 8080 &
Cuckoo API
cuckoo api -H 127.0.0.1 -p 8081 &
Status (Updated)
Everything starts up properly
Cuckoo Runs
Cuckoo Web Runs
Analysis jobs run to completion
TCPDump errors out with a permission denied.
Disabled TCPDump for now.
The WSL version of tcpdump doesn’t work due to a lack of support for AF_PACKET.
Running the tcpdump.exe outside of cuckoo works as expected
I ran it while an analysis was running and was successfully seeing packets flow on the host-only interface.
Why won't Cuckoo run tcpdump.exe properly when it definitely runs outside of Cuckoo?
The sniffer apparently will start no matter what I set the interface configuration option to:
INFO: Started sniffer with PID 13356 (interface=eth1, host=192.168.56.101)