Tuesday, April 17, 2018

Cuckoo Malware Analysis Framework Tutorial

Note: This is horribly incomplete and very much a work in progress.  I'm posting it regardless so someone with the same error messages might find help.

I had to set up the following iptables rules to get routing to work between the host and the guest.
iptables -t nat -I POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
Now you need to actually install the Cuckoo agent on the VM.  You can find the agent client in the Cuckoo Working Directory under /agent, called agent.py.  Copy this to the VM and run it.

This is a good time to snapshot your VM for when you inevitably break it.  Not that I know that from experience.


Create the virtual environment (once) and activate it; the activate script has to be sourced, not executed:
virtualenv cuckooenv
source cuckooenv/bin/activate
Because I always start Cuckoo with the command:
cuckoo
To download signatures, you should be able to run "cuckoo community".  It should download and install everything automatically, but it kept choking on the 16 MB download for me.  You can also wget it manually:
wget https://github.com/cuckoosandbox/community/archive/master.tar.gz
cuckoo community --file master.tar.gz
To run cuckoo, run "cuckoo".
To submit a task for analysis, run "cuckoo submit Notepad.exe" or whatever your binary name is.

I got a tcpdump error:
CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'tcpdump: vboxnet0: That device is not up\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?
I went to that FAQ and disabled AppArmor for tcpdump:
sudo aa-disable /usr/sbin/tcpdump
I got this error:
ERROR: /sbin/apparmor_parser: Unable to remove "/usr/sbin/tcpdump".  Profile doesn't exist
It turns out this fixed the issue instead:
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
After fixing the tcpdump issue, I'm still getting some IP configuration error:
ERROR: Error processing task #3: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration
If you get this error, first check to make sure that the host and the guest can ping each other.  In my setup, the host was 192.168.56.1 and the guest was 192.168.56.101.

Somehow, Windows Firewall turned itself back on for public networks so I had to turn that off again.  I could then ping back and forth, but I was still getting this error because I had failed to set the result server IP in cuckoo.conf.

To do this, find the line in ~/.cuckoo/conf/cuckoo.conf with "ip = " under the "[resultserver]" section.  It should be set to the host IP, 192.168.56.1 in my case.
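An added example, not from the original post or from the Cuckoo project: a small POSIX sh script that pre-flights the three things covered above before a run, that tcpdump has the cap_net_raw/cap_net_admin capabilities, that cuckoo.conf has an ip under [resultserver], and that this ip matches the host's vboxnet0 address. The cuckoo.conf text, getcap line and ip addr line it is run against here are constructed sample data; point the functions at the real files and command output to check an actual host.

```shell
#!/bin/sh
# Added pre-flight checks (constructed example): tcpdump capabilities, the
# [resultserver] ip in cuckoo.conf, and whether that ip matches the host's
# vboxnet0 address.  Inputs are arguments, so the same functions can be
# pointed at a real ~/.cuckoo/conf/cuckoo.conf and real getcap/ip output.

# Print the "ip = ..." value from the [resultserver] section of a cuckoo.conf.
resultserver_ip() {
    awk -F= '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[resultserver\]/) }
        insec && $1 ~ /^[ \t]*ip[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$1"
}

# Succeed when a getcap(8) line for tcpdump grants cap_net_raw and cap_net_admin
# as effective ("e") capabilities, i.e. what "setcap cap_net_raw,cap_net_admin=eip"
# produces.  Accepts both the "= caps+eip" and the newer "caps=eip" print styles.
tcpdump_caps_ok() {
    line=$1
    case "$line" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$line" in *cap_net_admin*) ;; *) return 1 ;; esac
    flags=${line##*[+=]}                   # flag letters after the last '+' or '='
    case "$flags" in *e*) return 0 ;; *) return 1 ;; esac
}

# Succeed when the configured resultserver ip equals the host's vboxnet0 address;
# $2 is a line of "ip -4 -o addr show vboxnet0" output.
resultserver_matches_host() {
    conf_ip=$(resultserver_ip "$1")
    host_ip=$(printf '%s\n' "$2" | sed -n 's/.*inet \([0-9.]*\)\/.*/\1/p')
    [ -n "$conf_ip" ] && [ "$conf_ip" = "$host_ip" ]
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[cuckoo]
version_check = yes

[resultserver]
ip = 192.168.56.1
port = 2042
EOF
SAMPLE_GETCAP='/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip'
SAMPLE_IPADDR='3: vboxnet0    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0'

if tcpdump_caps_ok "$SAMPLE_GETCAP" && resultserver_matches_host "$SAMPLE_CONF" "$SAMPLE_IPADDR"; then
    echo "pre-flight OK: tcpdump has caps and resultserver ip matches vboxnet0"
fi
```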
