Preface
Cuckoo Sandbox is an open-source automated malware analysis system written in Python and C/C++. It runs on Windows, Android, Linux and Darwin and accepts almost any file type: PE binaries (exe, dll, com), PDF documents, Office documents, URLs, HTML files, scripts (PHP, VB, Python), JAR packages, ZIP archives and more. It analyzes both the static binary data of a suspicious file and its process, network and file-system behaviour when it is run, which is a great help for the initial triage of malicious files.
Setup:
Host:
Ubuntu 18.04 LTS + VirtualBox + Cuckoo 2.0.6 + 8GB RAM
Guest:
Windows 7 Professional + 2GB RAM
Host environment preparation
Install the required dependencies
sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
After the dependencies are installed, remember to check for software updates and apply them:
$ sudo apt-get update
$ sudo apt-get upgrade
PS:
What update does: it synchronizes the package index files from the sources defined in /etc/apt/sources.list. Running it does not actually update any software; it is the equivalent of "check for updates" on Windows and only fetches the current state of the packages.
What upgrade does: it actually updates the installed software, based on the package indexes synchronized by update.
What dist-upgrade does: it obtains the addresses from /etc/apt/sources.list and then retrieves the packages that need updating from them. Roughly equivalent to update + upgrade.
Install the related software
Tcpdump
tcpdump captures the complete packets travelling over the network so they can be analyzed. It supports filtering by network layer, protocol, host, network or port, and provides the logical operators and, or and not to help you strip out irrelevant traffic.
sudo apt-get install -y apparmor-utils
# If you use the default CWD (~/.cuckoo), disable the AppArmor profile for tcpdump; otherwise AppArmor will block creation of the PCAP file
sudo aa-disable /usr/sbin/tcpdump
sudo apt-get install tcpdump
# tcpdump needs root privileges; if you do not want Cuckoo to run as root, grant tcpdump the required capabilities instead
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
# Verify that the capabilities were applied
getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
# If the setcap command is missing, install it with
sudo apt-get install libcap2-bin
Pydeep (optional)
wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download -O ssdeep-2.13.tar.gz
Volatility
Volatility is an optional tool for forensic analysis of memory dumps. Used together with Cuckoo, it automatically provides additional visibility into deep modifications of the operating system and can detect rootkit techniques that escape the domain monitored by the Cuckoo analyzer.
# Install the dependencies first
sudo pip install openpyxl
sudo pip install ujson
sudo pip install pycrypto
sudo pip install distorm3
sudo pip install pytz
# Then install Volatility
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py build
python setup.py install
# Confirm that the installation works
python vol.py -h
M2Crypto
At present M2Crypto is only supported when SWIG is installed.
MongoDB
MongoDB is used to store the sample analysis results.
sudo apt-get install mongodb
Cuckoo
pip install cuckoo
PS:
(1) These packages can be installed in any order, but each package's dependencies must be installed before the package itself.
(2) After installing Cuckoo, run cuckoo -d to make sure the installation succeeded and that Cuckoo generates its files. Otherwise Cuckoo has to be reinstalled after the host reboots.
Guest preparation
Install VirtualBox
While installing VirtualBox you will very likely be asked to disable Secure Boot. I recommend going into the BIOS and turning Secure Boot off, otherwise the VM may later be unable to create the Host-only adapter.
sudo pip install virtualbox
(This pip package provides the Python bindings for VirtualBox; the VirtualBox hypervisor itself is installed separately.)
Create the virtual machine
After Windows 7 is installed, the default network mode is NAT: with the VM running you can reach the internet, but the VM cannot talk to the host.
- Disable Windows Update, the firewall and UAC.
- Install Python and the Pillow library:
cd C:\Python27\Scripts
pip install Pillow
- Install some office software to simulate a real working environment, e.g. Office, a browser, a PDF reader, QQ, etc.
- Install the Guest Additions and enable shared folders or drag and drop (bidirectional) and the shared clipboard (bidirectional).
- Set Cuckoo's agent.py to start at boot.
a) The file lives under Cuckoo's CWD; the default path is ~/.cuckoo/agent/agent.py.
Copy agent.py into the VM's startup folder. On Windows 7 the default path is C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.
If you do not want a console window while the agent runs, change the extension to .pyw.
b) Configure automatic logon. Open a cmd prompt with Administrator rights and enter the following commands in order; replace [USERNAME] and [PASSWORD] with the Windows username and password used to log in:
reg add "hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d [USERNAME] /t REG_SZ /f
reg add "hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /d [PASSWORD] /t REG_SZ /f
reg add "hklm\software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1 /t REG_SZ /f
reg add "hklm\system\CurrentControlSet\Control\TerminalServer" /v AllowRemoteRPC /d 0x01 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /d 0x01 /t REG_DWORD /f
Note that AutoAdminLogon stores the password in the registry in clear text; this is acceptable only because the analysis VM is isolated and disposable.
PS:
a) CWD is Cuckoo's default working directory, i.e. /home/xxx/.cuckoo.
b) AppData is a hidden folder; enable showing hidden folders in the Windows folder options.
Network configuration
The VM is installed with NAT networking by default; for the VM to communicate with the host, a Host-only adapter has to be configured as well.
- In VirtualBox's global settings, under Network, create a Host-only adapter (vboxnet0 by default).
- Shut down the VM, configure its network so that Adapter 2 is Host-only, and set the IP, gateway, subnet mask and DNS manually inside the VM:
IP: 192.168.56.101
Subnet mask: 255.255.255.0
Default gateway: 192.168.56.1
Preferred DNS server: 114.114.114.114
Alternate DNS server: 8.8.8.8
The VM can now reach the internet and communicate with the host.
PS:
a) NAT:
- The VM can reach every network the host can reach, but it is invisible to the host and to the other machines on the host's network, i.e. neither the host nor those machines can reach the VM.
- All of the VM's network traffic is provided by the host; the VM does not really exist on the network, and neither the host nor any machine on the network can see or access it.
b) Host-only adapter: by default the VM and the host cannot reach each other because they are not on the same IP range. The host-only adapter uses 192.168.56.X with subnet mask 255.255.255.0 by default, and VMs created later are assigned addresses from this range too. With adapter sharing or bridging, the VM and the host can reach each other, but the VM cannot reach other networks.
c) The VM network modes are described in detail in the next article.
Take a snapshot
The VM is now configured. Take a snapshot as a system backup; every time the sandbox starts, it starts from the snapshot.
Cuckoo configuration files
Editing the Cuckoo configuration files is a very important step; otherwise it is quite likely that nothing you installed will start correctly. Edit the configuration files in the ~/.cuckoo/conf/ folder.
cuckoo.conf
This file contains the general configuration options that are validated before Cuckoo starts.
cd ~/.cuckoo/conf
vim cuckoo.conf
Pay attention to the following settings:
# Specify the name of the machinery module to use, this module will
# define the interaction between Cuckoo and your virtualization software
# of choice.
machinery = virtualbox
# Enable creation of memory dump of the analysis machine before shutting
# down. Even if turned off, this functionality can also be enabled at
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = yes # memory dump analysis is enabled here, so this must be yes
[resultserver]
# The Result Server is used to receive in real time the behavioral logs
# produced by the analyzer.
# Specify the IP address of the host. The analysis machines should be able
# to contact the host through such address, so make sure it's valid.
# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
# `resultserver_ip` for all your virtual machines in machinery configuration.
ip = 192.168.56.1
# Specify a port number to bind the result server on.
port = 2042
auxiliary.conf
This file defines the options of the auxiliary scripts that run alongside the malware analysis.
vim auxiliary.conf
[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes # default is no
# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
tcpdump = /usr/sbin/tcpdump
# We used to define the network interface to capture on in auxiliary.conf, but
# this has been moved to the "interface" field of each Virtual Machinery
# configuration.
# Note: the capture interface used to be defined in auxiliary.conf; it is now set in the "interface" field of each virtual machine's configuration file.
# Specify a Berkeley packet filter to pass to tcpdump.
# Note: packer filtering is not possible when using "nictrace" functionality
# from VirtualBox (for example dumping inter-VM traffic).
bpf =
[mitm]
# Enable man in the middle proxying (mitmdump) [yes/no].
enabled = no
# Specify the path to your local installation of mitmdump. Make sure this
# path is correct.
mitmdump = /usr/local/bin/mitmdump
# Listen port base. Each virtual machine will use its own port to be
# able to make a good distinction between the various running analyses.
# Generally port 50000 should be fine, in this case port 50001, 50002, etc
# will also be used - again, one port per analyses.
port_base = 50000
# Script file to interact with the network traffic. Please refer to the
# documentation of mitmproxy/mitmdump to get an understand of their internal
# workings. (https://mitmproxy.org/doc/scripting/inlinescripts.html)
script = stuff/mitm.py
# Path to the certificate to be used by mitmdump. This file will be
# automatically generated for you if you run mitmdump once. It's just that
# you have to copy it from ~/.mitmproxy/mitmproxy-ca-cert.p12 to somewhere
# in the analyzer/windows/ directory. Recommended is to write the certificate
# to analyzer/windows/bin/cert.p12, in that case the following option should
# be set to bin/cert.p12.
certificate = bin/cert.p12
[services]
# Provide extra services accessible through the network of the analysis VM
# provided in separate, standalone, Virtual Machines [yes/no].
enabled = no
# Comma-separated list with each Virtual Machine containing said service(s).
services = honeyd
# Time in seconds required to boot these virtual machines. E.g., some services
# will only get online after a minute because initialization takes a while.
timeout = 0
[reboot]
# This auxiliary module should be enabled for reboot analysis support.
enabled = yes
virtualbox.conf
This module defines how Cuckoo should interact with the virtualization software you chose.
sudo vim virtualbox.conf
[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui" or "headless". Please refer to VirtualBox's official
# documentation to understand the differences.
mode = headless # no window; set to gui to get a window, useful when debugging
# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage
# If you are running Cuckoo on Mac OS X you have to change the path as follows:
# path = /Applications/VirtualBox.app/Contents/MacOS/VBoxManage
# Default network interface.
interface = vboxnet0
# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = win7 # name of the virtual machine
# If remote control is enabled in cuckoo.conf, specify a port range to use.
# Virtualbox will bind the VRDP interface to the first available port.
controlports = 5000-5050
[win7] # matches the machines field
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = win7 # matches the machines field
# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows
# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.101 # the static IP configured in the VM
# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = cuckoo # name of the snapshot taken of the VM
# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface = vboxnet0
# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip =
# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port =
# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags =
# Mostly unused for now. Please don't fill it out.
options =
# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile = # when Volatility analyzes the memory dump, put the guest OS version here, e.g. Win7SP0x86
[honeyd]
# For more information on this VM please refer to the "services" section of
# the conf/auxiliary.conf configuration file. This machine is a bit special
# in the way that its used as an additional VM for an analysis.
# *NOTE* that if this functionality is used, the VM should be registered in
# the "machines" list in the beginning of this file.
label = honeyd
platform = linux
ip = 192.168.56.102
# The tags should at least contain "service" and the name of this service.
# This way the services auxiliary module knows how to find this particular VM.
tags = service, honeyd
# Not all services actually have a Cuckoo Agent running in the VM, for those
# services one can specify the "noagent" option so Cuckoo will just wait until
# the end of the analysis instead of trying to connect to the non-existing
# Cuckoo Agent. We can't really intercept any inter-VM communication from the
# host / gateway so in order to dump traffic between VMs we have to use a
# different network dumping approach. For this machine we use the "nictrace"
# functionality from VirtualBox (which is basically their internal tcpdump)
# and thus properly dumps inter-VM traffic.
options = nictrace noagent
reporting.conf
This file contains the settings for report generation. Only the mongodb section was changed in this post.
[mongodb]
enabled = yes # default is no
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username =
password =
memory.conf
This is the Volatility configuration file; it was left unchanged.
processing.conf
This file allows enabling, disabling and configuring all of the processing modules. Enable memory dump processing:
[memory]
# Create a memory dump of the entire Virtual Machine. This memory dump will
# then be analyzed using Volatility to locate interesting events that can be
# extracted from memory.
enabled = yes
Starting Cuckoo
Run the following command to download the community behavioural signatures provided by Cuckoo:
$ cuckoo community
If this is slow or fails, download the signatures locally first and then run:
$ cuckoo community --file "/root/community-master.tar.gz"
The argument after --file is the path where the downloaded file is stored.
Start Cuckoo:
$ cuckoo -d
Start the Cuckoo web service:
$ cuckoo web
It can then be accessed at http://localhost:8000.
Analysis results are stored under CWD/storage/analyses.
Pitfalls encountered
(1) With the VM on a Host-only network, NAT rules added through iptables and IP forwarding enabled, the VM could reach the network, but Ubuntu 18.04 could no longer reach the internet. The cause: network sharing was not set up on the host. I did not know how to add the iptables rules for network sharing, so I abandoned this approach and configured the VM network with the adapters as described in the network configuration section above.
(2) After everything was configured, starting Cuckoo reported the following error: ERROR: Type of config parameter auxiliary:sniffer:interface not found!
Fix: edit virtualbox.conf
# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface = vboxnet0 # add this line with the value vboxnet0
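As an added example (not from the original post or the Cuckoo project), the following Python cross-checks the three files edited above against the rules their own comments state, including the missing sniffer interface behind pitfall (2). The config text is constructed inline and carries only the keys this post changes; the function and message strings are my own.

```python
import configparser
import ipaddress

# Constructed sample configs carrying just the keys this post edits (not the real files).
CUCKOO_CONF = """[cuckoo]
memory_dump = yes
[resultserver]
ip = 192.168.56.1
"""
AUXILIARY_CONF = """[sniffer]
enabled = yes
"""
VIRTUALBOX_CONF = """[virtualbox]
interface = vboxnet0
machines = win7
[win7]
ip = 192.168.56.101
snapshot = cuckoo
resultserver_ip =
"""

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_cuckoo_config(cuckoo_text, aux_text, vbox_text):
    """Cross-check the three files; returns a list of problem strings (empty means consistent)."""
    cuckoo, aux, vbox = _load(cuckoo_text), _load(aux_text), _load(vbox_text)
    problems = []
    rs_ip = cuckoo.get("resultserver", "ip", fallback="")
    sniffer_on = aux.get("sniffer", "enabled", fallback="no").lower() == "yes"
    default_if = vbox.get("virtualbox", "interface", fallback="")
    for name in [m.strip() for m in vbox.get("virtualbox", "machines", fallback="").split(",") if m.strip()]:
        # Pitfall (2) from the post: with the sniffer on, the capture interface must be set in virtualbox.conf.
        if sniffer_on and not (vbox.get(name, "interface", fallback="") or default_if):
            problems.append(f"{name}: sniffer enabled but no 'interface' in virtualbox.conf")
        vm_ip, vm_rs = vbox.get(name, "ip", fallback=""), vbox.get(name, "resultserver_ip", fallback="")
        if rs_ip == "0.0.0.0" and not vm_rs:  # cuckoo.conf note: a 0.0.0.0 bind needs a per-VM resultserver_ip
            problems.append(f"{name}: resultserver ip is 0.0.0.0 but resultserver_ip is empty")
        elif rs_ip != "0.0.0.0" and vm_rs:  # virtualbox.conf note: the reverse requirement
            problems.append(f"{name}: resultserver_ip is set but cuckoo.conf ip is not 0.0.0.0")
        elif rs_ip != "0.0.0.0":  # the guest must reach the host on the host-only segment (a /24 by default)
            try:
                ok = ipaddress.ip_address(vm_ip) in ipaddress.ip_network(f"{rs_ip}/24", strict=False)
            except ValueError:
                ok = False
            if not ok:
                problems.append(f"{name}: ip {vm_ip} is not on the same /24 as resultserver {rs_ip}")
    return problems
```

Run it against the real files by reading ~/.cuckoo/conf/cuckoo.conf, auxiliary.conf and virtualbox.conf into the three arguments before starting cuckoo -d.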
Summary
(1) When building a Cuckoo sandbox, read the official documentation carefully rather than blindly following someone else's blog, because versions change.
(2) When you hit a problem, work out how to solve it. Don't assume that an error while following someone's blog means your own environment is misconfigured and keep reinstalling the system to get around it.