How to build an automated malware analysis platform with Cuckoo

Source: Internet
Author: User
Tags: install, mongodb, virtual environment


0x00 Cuckoo overview

Cuckoo is an open-source automated malware analysis system. It is mainly used to analyze malware on the Windows platform, but its framework also supports Linux and Mac OS guests. Cuckoo automatically collects the following information:

It traces the Win32 API calls made by the malware process and by every process it spawns; records the files the malware creates, deletes and downloads; dumps the memory of the malware processes; can dump the full system memory for further analysis with other tools; captures network traffic in pcap format; and takes screenshots of the desktop while the malware runs.

Cuckoo can analyze many file types: Windows executables, DLLs, PDF documents, Office documents, malicious URLs, HTML files, PHP scripts, CPL files, VBS scripts, ZIP archives, JAR files, Python scripts, and so on. Which types are supported is determined entirely by the analysis packages (modules) available.

The original page shows Cuckoo's architecture diagram here, which makes the structure very clear. Cuckoo performs the actual analysis inside guest virtual machines, which send their results back to the Cuckoo host over the virtual network, so running Cuckoo requires at least one virtual environment. Cuckoo currently supports the mainstream virtualization platforms: VMware, VirtualBox, KVM, QEMU, Xen, and AVD (the Android emulator).

Cuckoo's architecture is highly modular: by adding the analysis modules for a given platform, Cuckoo can be extended to analyze samples on other operating systems.

0x01 Environment setup

The test environment is host: Kali 2.0 x64, guest: Windows XP SP3 (English).

1.1 Installation

Get Cuckoo. We clone the latest Cuckoo from GitHub:

$ git clone https://github.com/cuckoobox/cuckoo.git

Install the Python libraries Cuckoo depends on (requirements.txt is in the cloned directory):

$ sudo apt-get install python python-pip
$ sudo apt-get install mongodb
$ cd cuckoo
$ sudo pip install -r requirements.txt

The installation may fail because the Python libraries packaged by the system are usually older than the ones pip installs, and other libraries pulled in by pip depend on the newer versions, which leads to version conflicts. One solution is to uninstall the system copies of the affected Python libraries. Some of the system's Python packages depend on each other, so you may need dpkg --purge --force-all <package name> to force removal, and then install the library with pip. Forcing packages out with dpkg can break other tools on the host that depend on them; a less invasive alternative is to install Cuckoo's requirements into a Python virtualenv so the system packages are never touched.

$ sudo apt-get install tcpdump
$ sudo apt-get install libcap2-bin

tcpdump is what Cuckoo uses to capture the guest's network traffic. libcap2-bin provides setcap, which the official documentation uses to grant tcpdump the cap_net_raw and cap_net_admin capabilities so that Cuckoo can sniff traffic without running as root.

If you want to analyze memory images, install Volatility:

$ sudo apt-get install volatility

The Python Imaging Library (PIL) is required for the screenshot functionality:

$ sudo pip install PIL

On current versions of pip the PIL package no longer installs; Pillow, the maintained fork, is a drop-in replacement.

We use VirtualBox as the virtualization platform, so VirtualBox must be downloaded and installed as well.

1.2 Configuration

After the software is installed, first create a virtual machine; this can be done through the VirtualBox graphical interface. While Cuckoo runs, it listens on an address on the host to receive the report data, and that address must be reachable from the virtual machine. The network configuration used here sets the virtual machine's NIC to host-only mode, which is equivalent to connecting a network cable between the VM and the host. The host's interface list then contains an interface named something like vboxnet0, which is the interface used for communication between the host and the VM. Any IP address in the VM works as long as it is in the same CIDR block as the vboxnet0 address. By default vboxnet0 is 192.168.56.1, so the virtual machine can use 192.168.56.101.

To let the VM reach the Internet, the host must also forward its traffic. The official documentation gives these commands:

iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

In the first command, eth0 is the interface your host uses to reach the Internet and vboxnet0 is the virtual interface.

The last command enables IP forwarding in the kernel. Two caveats: these rules are not persistent and must be re-applied after every reboot (or saved with your distribution's iptables persistence mechanism), and the POSTROUTING rule as written masquerades every packet leaving the host rather than only the guest subnet, so it is worth restricting it to the guest's source network and the external interface. Also keep in mind that a guest with real Internet access lets a sample contact its command-and-control servers and scan or attack other hosts, so isolate the analysis host accordingly.

After the guest operating system is installed, disable the Windows firewall in the VM for best compatibility, then install a Python 2.7 environment in it. Copy agent/agent.py from the Cuckoo root directory into the virtual machine. agent.py is responsible for transferring data between the VM and the host (it listens on TCP port 8000 inside the guest, which is why the host must be able to reach the VM). Add it to the Startup folder so it runs automatically at boot; if you do not want a black console window, rename agent.py to agent.pyw. Once agent.pyw is running, the guest environment is basically set up. If you need to analyze Office or PDF documents, install that software in the guest as well. Now take a clean system snapshot for later use; take it while the VM is running with the agent active, because Cuckoo restores the snapshot and expects the agent to be up immediately.

After the virtual machine is configured, configure Cuckoo. The Cuckoo configuration files live in the conf directory and include:

auxiliary.conf configures the auxiliary modules that support other functions, such as the sniffer (tcpdump) and MITM. No changes are needed here.

cuckoo.conf is the main configuration file. The machinery option selects the virtualization configuration file to use; the default is virtualbox, which refers to virtualbox.conf in the same conf directory. You can also define your own virtualization configuration file and place it in the conf directory, following the same naming rule. The important options are ip and port in the [resultserver] section, which specify the server that receives the analysis results. This address must be reachable from the virtual machine, so it is normally the address of the virtual NIC: with the vboxnet0 address 192.168.56.1 configured above, set ip to 192.168.56.1 and leave port at its default.

memory.conf holds the memory-image options used by the Volatility processing module. No changes are needed here.

processing.conf configures the result processing modules; its options directly affect the contents of the final report. No changes are needed here.

<machinery>.conf refers to the virtualization configuration files (virtualbox.conf, vmware.conf, kvm.conf, and so on), which are all of the same type. In practice you configure only the one that matches your virtualization environment, and that file must be the one named by the machinery field in cuckoo.conf. The options here are specific to each virtualization platform, and many apply only to certain platforms. We use virtualbox.conf: mode sets the VirtualBox run mode (gui or headless), path is the absolute path of VBoxManage, machines lists the names of the virtual machines to use, and each machine's own section sets platform (the guest operating system), ip (the guest's IP address) and optionally snapshot (the snapshot to restore; if left empty the VM's current snapshot is used).

reporting.conf configures how reports are generated. No changes are needed here.

Finally, configure Cuckoo's web interface. Enable mongodb in reporting.conf, then enable and start the MongoDB service: systemctl enable mongodb; systemctl start mongodb. Now start the web service with python web/manage.py runserver; it listens on 127.0.0.1:8000. This is Django's development server, so keep it bound to localhost and do not expose it to other hosts.
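The two things most likely to go wrong in the steps above are a result server address the guest cannot reach and an over-broad NAT rule on the host. The script below is an added example for this article, not part of Cuckoo: it parses cuckoo.conf and the virtualbox.conf selected by its machinery option (using the Cuckoo 1.x key names described above, with constructed sample files standing in for the real ones), checks that the result server and each listed guest sit on the same host-only /24, and derives the forwarding rules from the forwarding section, with MASQUERADE narrowed to the guest subnet and the external interface. It is Python 3 and uses only the standard library, so it runs on the host independently of Cuckoo's own Python 2 environment; the interface names eth0 and vboxnet0 in the usage are assumptions.

```python
"""Host-side preflight for a Cuckoo 1.x setup (added example, not Cuckoo code)."""
import configparser
import ipaddress
import sys

# Constructed sample files mirroring the Cuckoo 1.x keys named in the text.
SAMPLE_CUCKOO_CONF = """\
[cuckoo]
machinery = virtualbox

[resultserver]
ip = 192.168.56.1
port = 2042
"""

SAMPLE_VIRTUALBOX_CONF = """\
[virtualbox]
mode = gui
path = /usr/bin/VBoxManage
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot = clean
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_config(cuckoo_conf, machinery_conf, machinery="virtualbox"):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    cuckoo = _parse(cuckoo_conf)
    mach = _parse(machinery_conf)

    selected = cuckoo.get("cuckoo", "machinery", fallback="")
    if selected != machinery:
        problems.append("cuckoo.conf selects machinery=%r, but %s.conf was supplied"
                        % (selected, machinery))

    rs_ip = cuckoo.get("resultserver", "ip", fallback="")
    try:
        rs_addr = ipaddress.ip_address(rs_ip)
    except ValueError:
        return problems + ["resultserver ip %r is not an IP address" % rs_ip]
    if rs_addr.is_loopback:
        problems.append("resultserver ip is loopback; a guest can never reach it")
    # Host-only networking: every guest must share the result server's /24.
    guest_net = ipaddress.ip_network("%s/24" % rs_addr, strict=False)

    if not mach.has_section(machinery):
        return problems + ["%s.conf has no [%s] section" % (machinery, machinery)]
    names = [n.strip() for n in
             mach.get(machinery, "machines", fallback="").split(",") if n.strip()]
    if not names:
        problems.append("[%s] lists no machines" % machinery)
    for name in names:
        if not mach.has_section(name):
            problems.append("machine %r is listed but has no [%s] section" % (name, name))
            continue
        if not mach.get(name, "platform", fallback=""):
            problems.append("machine %r has no platform" % name)
        ip = mach.get(name, "ip", fallback="")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append("machine %r ip %r is not an IP address" % (name, ip))
            continue
        if addr == rs_addr:
            problems.append("machine %r uses the result server's own address" % name)
        elif addr not in guest_net:
            problems.append("machine %r ip %s is outside the result server's network %s"
                            % (name, addr, guest_net))
    return problems


def forward_rules(ext_if, vbox_if, guest_net):
    """iptables/sysctl commands that NAT the host-only network out through ext_if.

    Same intent as the official rules, but MASQUERADE is limited to the guest
    subnet and the external interface so the host's other traffic is untouched.
    guest_net must be a network address such as 192.168.56.0/24 (strict)."""
    net = ipaddress.ip_network(guest_net, strict=True)
    return [
        "iptables -A FORWARD -o %s -i %s -s %s -m conntrack --ctstate NEW -j ACCEPT"
        % (ext_if, vbox_if, net),
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE" % (net, ext_if),
        "sysctl -w net.ipv4.ip_forward=1",
    ]


def main(argv):
    # Usage: preflight.py [conf/cuckoo.conf conf/virtualbox.conf]; defaults to the samples.
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            cuckoo_conf, vbox_conf = f1.read(), f2.read()
    else:
        cuckoo_conf, vbox_conf = SAMPLE_CUCKOO_CONF, SAMPLE_VIRTUALBOX_CONF
    problems = check_config(cuckoo_conf, vbox_conf)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        rs_ip = _parse(cuckoo_conf).get("resultserver", "ip")
        net = ipaddress.ip_network("%s/24" % rs_ip, strict=False)
        print("# run as root; eth0 and vboxnet0 are assumed interface names:")
        for cmd in forward_rules("eth0", "vboxnet0", str(net)):
            print(cmd)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see it check the embedded samples, or point it at the real conf/cuckoo.conf and conf/virtualbox.conf; it exits non-zero when a problem is found, so it can sit in front of cuckoo.py in a start-up script. The rules it prints are not applied automatically and, like the official ones, do not survive a reboot.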


1.3 Run

Run python cuckoo.py from the Cuckoo root directory to start the analysis system (the original page shows a screenshot of the startup output here).

Once started, Cuckoo waits for analysis tasks. Tasks are added with utils/submit.py under the Cuckoo root directory; see its help output for the available options. Here we focus on adding tasks and viewing reports through the web interface.

Open http://127.0.0.1:8000 in a browser.

Click Submit to add a task. Some advanced options are available; if you need memory analysis, select Full Memory Dump. After submission, Cuckoo starts the analysis automatically: VirtualBox starts the guest and runs the sample. The final report (screenshot not reproduced):

The tabs at the top of the report correspond to the types of analysis Cuckoo performed: static analysis, behavioral analysis, and network analysis.

0x02 Conclusion

This article covered the basic features, installation, and configuration of Cuckoo. With Cuckoo you can quickly analyze the behavior of malicious programs and improve analysis efficiency. Subsequent articles will look at Cuckoo's program structure and module development.
