Automating malware analysis, cuckoo api + postfix

Written by  on April 25, 2018 

For our sandbox setup, we will need a cuckoo machine, in this case an Ubuntu 16.04 with 2GB of RAM and a sandbox machine which will be a windows xp sp3 machine with 1GB of ram. We will use virtualbox in both cases (virtualbox inside virtualbox).

As I found many tutorials on the internet which are wrong, outdated or have a lot of commands/tips that do only work on specific systems I decided to write my own, so I can make sure everything works on my setup.

So the first thing we are going to do is install everything we need for cuckoo to work. So we’ll install every dependency with the following:

sudo apt-get install git mongodb libffi-dev build-essential python-django python python-dev python-pip python-pil python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs \ python-libvirt python-bottle python-pefile python-chardet tcpdump -y

Note that we’ll be using tcpdump for the packet capture and further analysis of potential malware behavior with cuckoo, as we’ll be using “cuckoo” user with non-root privileges we have to work a little bit on tcpdump to avoid any permission problems so we do:

sudo apt-get install tcpdump apparmor-utils

sudo aa-disable /usr/sbin/tcpdump

And then:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

We can verify everything’s working fine by doing:

getcap /usr/sbin/tcpdump

I did that myself and I saw something like this:

Now we’ll proceed to install yara. Yara is a really useful tool for doing static analysis of binaries, it works by analyzing bytes, different hash signatures, strings and many more and it can be used as a scripting language… I should make a blog post about using yara for detecting malware. But going straight to the point we’ll proceed with:

sudo apt-get install autoconf libtool libjansson-dev libmagic-dev libssl-dev -y

wget https://github.com/plusvic/yara/archive/v3.4.0.tar.gz -O yara-3.4.0.tar.gz

tar -zxf yara-3.4.0.tar.gz

cd yara-3.4.0

./bootstrap.sh

./configure –with-crypto –enable-cuckoo –enable-magic

make

sudo make install

We should have yara installed by that point. You can check it out calliing

yara -v

We will finish with yara by installing yara python, an interface for working with cuckoo as it uses python.

cd yara-python

python setup.py build

sudo python setup.py install

The next step is installing pydeep.

wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download -O ssdeep-2.13.tar.gz

tar -zxf ssdeep-2.13.tar.gz

cd ssdeep-2.13

./configure

make

sudo make install

Again, you should see something like:

It’s python interface can be installed by:

pip install pydeep

The next step is installing volatility. This tool is basically used for extracting artifacts and interesting data in general from the memory of the sandbox (ram). If we are going to do some dynamic analysis we are going to need to use something like this!

pip install openpyxl

pip install ujson

pip install pycrypto

pip install distorm3

pip install pytz

Then after its dependencies:

git clone https://github.com/volatilityfoundation/volatility.git

cd volatility

python setup.py build

python setup.py install

And we are ready

INSTALLING CUCKOO

Now are are ready for cuckoo. At this point I strongly recommend you to read this: http://docs.cuckoosandbox.org/en/latest/installation/host/installation/ before proceeding, you may want to make sure that you’ve followed everything that’s in here for a proper installation, otherwise you may encounter some weird errors during the process.

First we are going to create an user for cuckoo:

adduser cuckoo

And then some other blogs online suggest you to do something like:

chown -R cuckoo:cuckoo <path/to/cuckoo/folder>

Doesn’t mind if you created the cuckoo user with adduser. But doing that may help your security

VIRTUALBOX

The cuckoo framework works by launching suspicious files on a virtual machine that runs under monitorization, so the procedure is simple: We create a virtual machine, we make that VM  ready  (emulating as much as we can a real one), then we configure that machine for accessing the internet through our real machine, we install an agent for the monitorization process and we save a snapshot of it, so we can restore it anytime we want to analyze a new malware (you know, malwares use to break machines…).

We will use virtualbox as our VM engine.

sudo apt-get install vitualbox

sudo usermod -a -G vboxusers cuckoo

Now we can start creating our virtual machine with:

vboxmanage createvm –name “windowsxp” –ostype WindowsXP –register

vboxmanage modifyvm “windowsxp” –memory 1000 –acpi on –boot1 dvd –nic1 nat

vboxmanage createhd –filename “windowsxp.vdi” –size 12000

vboxmanage storagectl “windowsxp” –name “IDE Controller” –add ide –controller PIIX4

vboxmanage storageattach “windowsxp” –storagectl “IDE Controller” –port 0 –device 0 –type hdd –medium “windowsxp.vdi”

vboxmanage storageattach “windowsxp” –storagectl “IDE Controller” –port 0 –device 1 –type dvddrive –medium /home/cuckoo/windowsxpsp3.iso

vboxmanage hostonlyif create

vboxmanage modifyvm “windowsxp” –nic1 hostonly

vboxmanage modifyvm “windowsxp” –hostonlyadapter1 vboxnet0

I personally suggest you to follow all the virtualbox/networks steps just as I did here as it is a really important part and if you screw something here you’ll go up the wall. Note that here I’m using a windowsxp box for the sandbox.

Now the network stuff which is also important. We’ll be doing something like a MITM for getting all the traffic that goes through our sandbox for analysis so we do:

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack –ctstate NEW -j ACCEPT

sudo iptables -A FORWARD -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A POSTROUTING -t nat -j MASQUERADE

sudo sysctl -w net.ipv4.ip_forward=1

Now we start our sandbox machine with:

vboxmanage startvm “windowsxp”

Here I suggest you to create a share between your xp and your ubuntu machines so you can use that for sending files such as the python installer, the agent.py or even programs like the Microsoft Office or some old adobte/java for making your box look even more real.

If you want to follow this example just configure your vm like this

Also go to the python website and download and install python 2.7 and then go install this library: http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe it will be useful as cuckoo takes screen shots of the malware behavior.

You may also want to move the “agent.py” https://github.com/spender-sandbox/cuckoo-modified/blob/master/agent/agent.py to your windows startup programs in that winxp box.

Right after that, run the agent.py which is a server used for communicating with cuckoo, make sure everything is working fine and start a snapshot of your VM.

vboxmanage snapshot “windowsxp” take “snapshot1” –pause

vboxmanage controlvm “windowsxp” poweroff

vboxmanage snapshot “windowsxp” restorecurrent

Make sure everything went OK and remember the name of your snapshot.

Now it’s time to install cuckoo itself. You can just use:

pip install -U cuckoo

But as it is a really s*tty program it probably won’t work and you may have tons of errors yourself. So an alternative to that, if it does not work is  to just clone the cuckoo repo:

su cuckoo

cd ~

git clone https://github.com/cuckoosandbox/cuckoo

python setup.py build

sudo python setup.py build install

sudo cuckoo -d

Probably you’ll experience some errors, but just follow the logs and maybe re-check the installation guide on the docs if you get stuck.

CONFIGURATION

Now we’ll configure cuckoo. First of all we have to edit cuckoo.conf

machinery = virtualbox
[resultserver]
ip = 192.168.56.1 #This is the IP address of the host
port = 2042 #leave default unless you have services running

You can change that but if you remember our proposed configuration it may work.

Then we go for auxiliary.conf

[sniffer]
enabled = yes
# path is correct.
# You can check this using the command: whereis tcpdump
tcpdump = /usr/sbin/tcpdump

# traffic. Make sure the interface is active.
# The ifconfig command will show you the interface name.
interface = vboxnet0

Make sure every path is correct and  check if you have a vboxnet0 when running ifconfig -a. Now virtualbox.conf

machines = windowsxp
[windowsxp]
label = windowsxp
platform = windows
ip = 192.168.56.10 # IP address of the guest
snapshot = snapshot1 # name of snapshot

Now here make sure you don’t miss the winxp machine name and ip, also the snapshot this is important do it well or it won’t work at all.

Finally reporting.conf

[mongodb]
enabled = yes

We will use mongodb but other databases such as postgree may be used.

Now we will start cuckoo with:

sudo cuckoo -d

And that’s all, cuckoo is running we can test if everything worked fine by submiting a file for analysis with:

sudo cuckoo submit evilbot.exe

And we see something like:

Meanwhile in the cuckoo window we see:

Once the analysis is finished we see something like:

But how to check these results? We’ll learn how to do that while we learn how to use cuckoo web GUI which is a fantastic tool for making malware analysis even more easy. For launching cuckoo web we do:

sudo cuckoo web -H 0.0.0.0

This will start cuckoo web on port 8000 for all of our interfaces. It looks like this:

We can easily submit files for analysis by grabbing and dropping:

We can check our analyses at the taks screen:

Note that we have a score option at the right of the screen, if you don’t see this you may want to check this:

sudo cuckoo community -fb package

For getting the last community updates for cuckoo.

Once we jump into an analysis we see something like this:

Here we can see some different signatures, very useful if you want to share the IoC of this and of course you can see the score proveided by some indications and also these indicators theirselves.

I ran the test by analyzing some different wannacry samples so you can figure out how it works. A really cool feature is that we can have the screenshots of the malware behavior, cool huh?

We can also check out the static analysis section and for example see the imports that the program does in many libraries:

Which is useful for doing really cool things. We are automatic the feature extraction process so, this may be a first approach or step on creating a neural network for threat detection right?

So as you see we can see some functions being called by our sample:

And also some registry keys being added which is a common thing in these lame malwares.

And also my favorite part. The network analysis. cuckoo uses tcpdump for capturing the traffic session and here we can, for example, see that evil domain used by wannacry to look for sandboxes:

A quick couple of other things you can do with cuckoo are; changing the theme at the top right of the screen aaaand also submitting urls for evil stuff happening there here we see an example:

Now that we have cuckoo ready and working we may want to think about some creative ways to get MOAR malware samples to play with. The key point of these programs is the automation. Actually, there is nothing that eye of a well experienced malware researcher, but as we can see cuckoo can automate the things a lot and… if we are submiting all of our suspicious (in our network) files to cuckoo and we are getting straight >8 scores we may have a problem, also we may be interested in doing an overview on what’s there and then picking some suspicious files to run an in-depth reverse engineering process on them. We can also use other programs such as yara or snort along with a well configured cuckoo sandbox to automatically generate signatures, or as I said before we may be interested in considering a neural network.

For the next trick I will need our cuckoo sandbox, a postfix server and some python. Here we goo

We install postfix (in another box) by

sudo apt-get install postfix

Internet site should be fine for this example.

We then proceed to send a couple of mails to a local mailbox with some evil exe attachments and then another couple with just non executable attachments like this:

As it is a simple setup, all mails will be stored at /var/mail, exe attachments will be stored as base64 if I’m not wrong. Something like this:

Now we can use the mbox lib included in python to extract the attachments of a mail box and the magic library to get the attachment format.

To make this simple I just wrote this script:

https://github.com/dc170/mbox-to-cuckoo

Before running this script we have to start the cuckoo api which is something really simple to do:

sudo cuckoo api

Cucko comes with its own REST api so if you just don’t like its web interface you can easily build your own. Or you can make cuckoo work with cool-ass scripts like the one I have. After launching the script:

Cuckoo will start analyzing the file as soon as possible and if we go to the web interface again we’ll see the report:

uhmm not bad.

The code that does the client-api work is this:

Another interesting tool for working with cuckoo and MX servers such as postfix is this one: https://github.com/xme/cuckoomx check it out!

I’ll be back with more stuff like this one. Hope you find it useful

Category : hacking seriesinteresting stuff

Tags :