Setting up an open-source malware analysis lab with Cuckoo



1) Prepare the Linux host

I will use Ubuntu Server 16.04 LTS as my Linux host.

Ideally I would use a physical host, but I’m going to use a VMware virtual machine for the moment. That means I will have virtual machines inside the Cuckoo virtual machine! VM hardware specs: 4 cores, 8 GB RAM, 120 GB disk.

2) Install stuff

https://cuckoo.sh/docs/installation/host/requirements.html

Extra packages:

Build tools:

# aptitude install automake libtool make gcc flex bison

Libraries:

# aptitude install libmagic-dev magic python-magic python3-magic
# aptitude install libjansson4 libjansson-dev

ssdeep: https://ssdeep-project.github.io/ssdeep/

# aptitude install ssdeep python-ssdeep python3-ssdeep
# ldconfig

pydeep: https://github.com/kbandla/pydeep

# aptitude install libfuzzy-dev
$ git clone https://github.com/kbandla/pydeep.git
$ cd pydeep
$ python setup.py build
$ python setup.py test
# python setup.py install

Yara: http://yara.readthedocs.io/en/latest/gettingstarted.html

Download and extract the release tar.gz, then from the extracted directory:

$ ./bootstrap.sh
$ ./configure --enable-cuckoo --enable-magic
$ make
# make install
$ make check

Yara-python: https://github.com/VirusTotal/yara-python

$ pip install yara-python

mitmproxy: http://docs.mitmproxy.org/en/stable/install.html

tcpdump:

# aptitude install tcpdump apparmor-utils
# aa-disable /usr/sbin/tcpdump

Tcpdump needs raw-socket access, which normally requires root. Since we don’t want Cuckoo to run as root, we grant only the specific Linux capabilities it needs to the binary instead:

# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

M2crypto:

# pip install m2crypto==0.24.0

Volatility: https://github.com/volatilityfoundation/volatility/blob/master/README.txt

3) Install Virtualization

# aptitude install virtualbox

4) Configure postgresql

$ sudo su postgres
$ psql

Create database and user:

CREATE USER cuckoo WITH PASSWORD 'somePassword';
CREATE DATABASE cuckoo;
GRANT ALL PRIVILEGES ON DATABASE cuckoo to cuckoo;

Type \q to exit

5) Install Cuckoo!

https://cuckoo.sh/docs/installation/host/installation.html

Raise the number of open files limit: https://easyengine.io/tutorials/linux/increase-open-files-limit/

Cuckoo user: create a dedicated one or use your own; whichever you choose, add that user to the vboxusers group:

# usermod -a -G vboxusers cuckoo

Install in a virtualenv:

$ virtualenv venv
$ . venv/bin/activate
(venv)$ pip install -U pip setuptools
(venv)$ pip install -U cuckoo

6) Configure Cuckoo

The Cuckoo Working Directory (CWD) defaults to ~/.cuckoo.

Launch cuckoo for first-time initialization.

$ . venv/bin/activate
(venv)$ cuckoo

Configuration files are in ~/.cuckoo/conf. Point the database connection string at the PostgreSQL database created in step 4 (user, password and database name must match what was given to CREATE USER and CREATE DATABASE):

connection = postgresql://cuckoo:password@localhost:5432/cuckoo
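Before moving on, it is worth checking that the pieces installed in steps 2 to 6 actually fit together: the Python libraries import, tcpdump carries the capabilities set above (so Cuckoo does not need root), the Cuckoo user is in vboxusers, and the connection string really points at the local PostgreSQL rather than the default SQLite file. The preflight script below is an added example, not part of this post or of Cuckoo itself. It assumes the Cuckoo 2.x layout where the connection string lives under `[database]` in `~/.cuckoo/conf/cuckoo.conf`, and it parses the two `getcap` output formats I know of (`path = caps+eip` and `path caps=eip`). The sample config and `getcap` lines embedded in it are constructed for the checks.

```python
"""Preflight checks for a non-root Cuckoo host (added example, stdlib only)."""
import configparser
import importlib
import os
import re
import subprocess
from urllib.parse import urlparse

# Capabilities granted to tcpdump with setcap above; both must be Effective.
REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}
# Passwords that are placeholders from the walkthrough, not real credentials.
PLACEHOLDER_PASSWORDS = {"", "password", "somePassword"}
# Import names of the libraries installed in step 2 plus Cuckoo itself.
PYTHON_DEPS = ["magic", "pydeep", "yara", "M2Crypto", "cuckoo"]

# Constructed sample [database] sections: Cuckoo's default (empty = SQLite)
# and the PostgreSQL form used on this page.
SAMPLE_CONF_DEFAULT = "[database]\nconnection =\n"
SAMPLE_CONF_OK = "[database]\nconnection = postgresql://cuckoo:lab-pw-1@localhost:5432/cuckoo\n"


def check_modules(names):
    """Return {module_name: importable} for each name."""
    status = {}
    for name in names:
        try:
            importlib.import_module(name)
            status[name] = True
        except ImportError:
            status[name] = False
    return status


def parse_getcap(output):
    """Return the capabilities that are Effective according to a getcap line.
    Handles '/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip' (older libcap)
    and '/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip' (newer libcap).
    An empty line (no file capabilities) yields an empty set."""
    effective = set()
    for names, flags in re.findall(r"((?:cap_\w+,?)+)[+=]([pie]+)", output):
        if "e" in flags:
            effective.update(n for n in names.split(",") if n)
    return effective


def tcpdump_caps_ok(getcap_output):
    """True when both capabilities from the setcap step are Effective."""
    return REQUIRED_CAPS <= parse_getcap(getcap_output)


def in_group(id_output, group="vboxusers"):
    """id_output is the text printed by `id -nG <user>`."""
    return group in id_output.split()


def check_db_connection(conf_text):
    """Inspect [database] connection in cuckoo.conf text; return (ok, reason)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    conn = cp.get("database", "connection", fallback="").strip()
    if not conn:
        return False, "connection is empty; Cuckoo would use its default SQLite file"
    url = urlparse(conn)
    if not url.scheme.startswith("postgresql"):
        return False, "scheme is %r, not postgresql" % url.scheme
    if url.password in PLACEHOLDER_PASSWORDS:
        return False, "connection string still uses a placeholder password"
    if url.hostname not in ("localhost", "127.0.0.1"):
        return False, "database host is %r, not the local host" % url.hostname
    return True, "postgresql://%s@%s%s" % (url.username, url.hostname, url.path)


def run_live(user=None, conf_path=None):
    """Run the checks against this host; returns a dict of results."""
    user = user or os.environ.get("USER", "")
    conf_path = conf_path or os.path.expanduser("~/.cuckoo/conf/cuckoo.conf")
    results = {"modules": check_modules(PYTHON_DEPS)}
    try:
        caps = subprocess.run(["getcap", "/usr/sbin/tcpdump"],
                              capture_output=True, text=True).stdout
        groups = subprocess.run(["id", "-nG", user],
                                capture_output=True, text=True).stdout
    except FileNotFoundError:  # getcap/id missing: treat as failed checks
        caps, groups = "", ""
    results["tcpdump_caps"] = tcpdump_caps_ok(caps)
    results["vboxusers"] = in_group(groups)
    try:
        with open(conf_path) as fh:
            results["database"] = check_db_connection(fh.read())
    except OSError as exc:
        results["database"] = (False, "cannot read %s: %s" % (conf_path, exc))
    return results


if __name__ == "__main__":
    for name, value in run_live().items():
        print("%-14s %s" % (name, value))
```

Run it as the Cuckoo user after activating the virtualenv, so the module checks see the same interpreter Cuckoo will use. Any `False` under `modules` means a step-2 library is missing from that environment, and a failed `tcpdump_caps` check means Cuckoo will not be able to capture traffic without root.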

… TO BE CONTINUED …
