I normally use Linux for my malware analysis lab machine. But, recently, I got interested in the Windows Subsystem for Linux (WSL) and I thought I should give it a try. And so far, I am enjoying the ease of access to most of the tools I use in Linux side-by-side with the Windows Reverse Engineering tools that we use in Trustwave SpiderLabs.
The Cuckoo Sandbox is one of those tools that I use in Linux. I've been using it since a time when it was less than easy to install. But with Cuckoo 2.0, they made it as easy as 'pip install cuckoo'. Since I wanted to start exploring the WSL, I decided to write up this post as well. Cuckoo's official documentation doesn't currently have any information on how to set it up on a Windows host, so I hope the helps those interested in trying it out.
As a first step I checked which of Cuckoo's components can be installed under WSL. Not everything is supported under WSL since it isn't using a real Linux kernel. That's the reason why some apps like VirtualBox and some of networking tools like tcpdump and not currently supported under WSL.
To organize the installation, I split which components could be installed under WSL and which ones would be installed under Windows. For instance, I installed a LAMP server (Linux-Apache-Mysql-Php) under WSL and the rest of my tools were installed on the Windows host.
Apache is not requirement for Cuckoo since it uses a built-in Django Web application, but I installed it anyway since I use it on daily basis for malware analysis. It allows me to trick malware and control its data exfiltration process. I also used MySQL for Cuckoo instead of the default database, SQLite.
First, we need to install Windows Subsystem for Linux. It is nicely documented here: https://msdn.microsoft.com/en-us/commandline/wsl/install_guide
Once you have installed WSL, open-up "Bash on Ubuntu on Windows" app and do the following:
# Get latest updates
$ sudo apt-get update
$ sudo apt-get upgrade
# Install LAMP server
$ sudo apt-get install lamp-server^
# Install MongoDB
$ sudo apt-get install mongodb
# Run Apache, MySQL and MongoDB
$ sudo service apache2 start
$ sudo service mysql start
$ sudo service mongodb start
Open-up a browser, and go to http://localhost/. It should display the default page of Apache as shown below.
In this case, Windows 10 is our host and we will be installing Cuckoo and other dependencies there.
Cuckoo has made lots of improvements in 2.0, one of which being that the installation process which is now as easy as the following:
C:\> pip install cuckoo
Optionally you can also install Yara and Volatility. To install Yara under Windows follow these instructions: http://yara.readthedocs.io/en/v3.4.0/gettingstarted.html#installing-on-windows.
To install Volatility, run the following commands:
C:\> pip install distorm3
C:\> pip install pycrypto
C:\> pip install volatility
To test if you have installed Yara for Python and Volatility correctly, you should be able to run the following without any errors:
C:\> python -c "import yara"
C:\> python -c "import volatility"
We also need to install the Python module for MySQL. To install it, run the following command:
C:\> easy_install mysql-python
NOTE: I used easy_install for this Python Module since it seems that it already has the pre-compiled Python Egg uploaded in the repository. If you prefer pip, you may download the Wheel (.WHL) file of mysql-python from this link and run 'pip install <WHEEL_FILE>'. Also if you have proper development environment and simply wish to compile mysql-python from source, you can run 'pip install mysql-python' instead.
Now that we have Cuckoo installed and its dependencies, we can now initialize it:
C:\> cuckoo init
It will create a "Cuckoo Working Directory" (CWD) in the following path:
%USERPROFILE%\.cuckoo (C:\Users\<username>\.cuckoo)
With the CWD setup, we can start configuring Cuckoo. To do this we need to go to '%USERPROFILE%⧵.cuckoo⧵conf' in Windows Explorer and start modifying the following configuration files:
cuckoo.conf
[database]
connection = mysql://cuckoo:cuckoo@127.0.0.1/cuckoo
# NOTE: I created a MySQL user 'cuckoo' with 'cuckoo' as the password and a database name of 'cuckoo'
auxillary.conf
[sniffer]
enabled = yes
tcpdump = c:\tools\tcpdump\tcpdump.exe
# NOTE: the location path depends on where you installed windump.exe. And I renamed windump.exe to tcpdump.exe
virtualbox.conf
[virtualbox]
path = C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
interface = \Device\NPF_{57998A2E-0606-4E86-A107-E7856A3794A3}
# NOTE: to list all network interfaces, do the following command:
# C:\tools\tcpdump> tcpdump.exe –D
machines = cuckoo1
[cuckoo1]
label = Win7x64 # The label name of my guest image
platform = windows
ip = 192.168.56.101 # The static IP of my guest image host-only adapter
snapshot = cuckoo # I created a snapshot and called it cuckoo
reporting.conf
[mongodb]
enabled = yes
Then, download the community-based Cuckoo Signatures by running the following command:
C:\> cuckoo community
WinDump is basically tcpdump for the Windows platform and you can download it from here: https://www.winpcap.org/windump/install/default.htm.
The default file name of WinDump is windump.exe. I just renamed it to tcpdump.exe on my installation.
In addition, Cuckoo has a wrapper for Tcpdump called sniffer.py (C:⧵Python27⧵Lib⧵site-packages⧵cuckoo⧵auxiliary⧵sniffer.py). It calls tcpdump and parses its output. The only problem is that tcpdump's output on Windows behaves slightly different as it adds '⧵r' to its output. Because of this I had to tweak sniffer.py to make it work properly. To make the same change you will need to open the file sniffer.py and edit the following line by adding a "\r" to it:
for line in err.split("\r\n"):
if not line continue or line.startswith(err_whitelist_start):
continue
NOTE: "\r" was added.
You also want to edit the following:
err_whitelist_start = (
"tcpdump: listening on ",
"c:\\tools\\tcpdump\\tcpdump.exe: listening on ",
)
NOTE: The path should reflect the actual path to where you installed tcpdump.exe
It also seems that sniffer.py is designed to expect only one network adapter for both internet access and to communicate with the Cuckoo agent. However, in this exercise, I setup my Guest Image to use two network adapters. I will be discuss this further in the next section of this blog, "Preparing the Guest". I have modified the following few lines of code in sniffer.py to make the packet capturing work.
NOTE: The default configuration wants to capture packets from the IP you have entered in 'virtualbox.conf', but in my case the Internet connection goes through the NAT adapter. For us to be able to capture network activities of the malware, we will capture packets that come in and out of the host machine ("DESKTOP-FG7MR6D").
I use VirtualBox to create virtual machines and I setup 2 network adapters, one is Host-Only and the other one is NAT. The Host-Only adapter is used by Cuckoo to communicate with the Agent inside the guest image while the NAT adapter is for Internet access. For the Cuckoo setup in Linux, you only need one Host-Only adapter for both Internet access and Cuckoo Agent communication. I haven't explored that possibility on Windows host yet, but if you do, I'd be happy to hear it.
To configure the Host-only adapter with DHCP disabled follow these steps:
Also, make sure to have a static IP address for your Host-only adapter inside the Guest Image. The default IP range for VirtualBox Host-Only adapter is 192.168.56.0/24. Finally, make sure that you turn off Windows Firewall.
You must install Python inside the Guest image. You can download Python installer from here (https://www.python.org/downloads/). You will also need to install the Pillow Python module. Pillow is used for taking screenshot of the guest image:
C:\> pip install Pillow
Now that you have python installed you can copy Cuckoo's agent (%USERPROFILE%⧵.cuckoo⧵agent⧵agent.py) to the Guest image. Execute agent.py and then create a snapshot of Guest image.
To use Cuckoo, we run its built-in Web-application as well as Cuckoo itself. We can run the following commands separately:
C:\> cuckoo -d # To Run Cuckoo
C:\> cuckoo web runserver # To Run the built-in Django Web Application
To submit a file to Cuckoo for processing, open-up a browser and go to http://localhost:8000/submit/. This Web User Interface is another improvement in Cuckoo. Below is a screenshot:
My initial excitement deflated when I couldn't install all of Cuckoo's components in WSL, but WSL is still in its early stages and there's a lot more to improve. Nevertheless, I am happy that I can now have Windows as my host and use my favorite tools in Linux without having too many virtual machines running on my PC. With Microsoft and Canonical teaming up together, having the best of two worlds is now a possibility.