Public | Automated Build

Last pushed: 8 months ago
Short Description
Works with ESXi
Full Description

-- cuckoodocker --

  • Description *
    This Docker recipe will create Cuckoo Sandbox containers configured to connect to remote ESXi or VirtualBox images. For a description of the Cuckoo Sandbox go to https://cuckoosandbox.org.

Machines or VMs mentioned:

  • The Linux host VM. This VM runs the docker cuckoo container. It can run on the ESXi host itself or elsewhere, as long as it can reach the ESXi host and its Windows VM. For this guide the host ip will be 10.10.10.2.
  • The ESXi or Virtualbox host. This machine has the Windows guest VM. For this guide the ESXi (or VBox) ip will be 10.10.10.1.
  • The Windows guest VM. This vm runs in the ESXi (or VirtualBox) server and will be controlled by cuckoo. For this guide the guest ip will be 10.10.10.3.
  • The cuckoo container. This container runs in the Linux host VM. Its ip does not matter, as the ports will be forwarded from the Linux host VM.
  • Prerequisites *
  • An ESXi or VirtualBox Server
  • A windows VM for the guest.
  • A Linux VM for the docker/cuckoo host.
  • Install docker: https://docs.docker.com/engine/installation/linux/ubuntu/ on the Linux VM.
  • IMPORTANT: Routing between the host and the guest needs to work, i.e.:
    • The Linux VM needs to be able to ping the guest machine and the guest machine needs to be able to ping the Linux VM.
    • The Linux VM needs to be able to access the ESXi API, or, in the case of VirtualBox, the Linux VM needs to be able to ssh to the VirtualBox server.
  • Prepare the windows VM *
  • Follow the instructions from here: https://downloads.cuckoosandbox.org/docs/installation/guest/index.html
  • Namely you need to:
    • Create a Windows VM. (I tried it with Windows 7 64-bit, 1 GB RAM, 10 GB HDD).
    • Install Python 2.7
    • Configure the VM networking to bridged and promiscuous.
    • In Windows set the ip to static (10.10.10.3 in our example).
    • Disable the firewall.
    • Copy scripts/agent.pyw to the Startup directory in the Start Menu (All users).
    • Reboot the VM.
    • Check the taskmanager to confirm that python is running agent.pyw.
    • Also confirm that you can ping the docker host and that the docker host can ping this VM.
    • Save the snapshot, in our case to Snapshot1
  • Installation *
    0 Assuming you have the Linux VM. (I tried it with Ubuntu 16, 4 GB RAM, 20 GB HDD).
    1 Copy or clone this directory to the Linux VM

(Option 1) ESXi Configuration
2 Edit conf/cuckoo.conf

- Make sure machinery is set to esx like so: "machinery = esx"
- Make sure resultserver_ip = 0.0.0.0; the address the guest connects back to is set in conf/esx.conf

3 Edit conf/esx.conf:

  • This config file is where all analysis Virtual Machines that cuckoo uses are specified. The main section is where we set up our connection; these are the details for the ESXi host, NOT the cuckoo controller.

    dsn = esx://10.10.10.1/?no_verify=1 <- The ESXi host ip
    username = username_goes_here <- The ESXi user
    password = password_goes_here <- The ESXi pass

    machines = vm_name

    [vm_name]
    label = Win7 <- The windows VM name
    platform = windows
    snapshot = SnapShotName
    ip = 10.10.10.3 <- The windows VM ip

    resultserver_ip = 10.10.10.2 <- The linux host ip
    resultserver_port = 2042 <- this port will be forwarded to cuckoo by docker

(Option 2) VirtualBox Configuration
2 Edit conf/cuckoo.conf
Make sure machinery is set to virtualbox like so: "machinery = virtualbox"

3a Edit conf/virtualbox.conf:

  • This config file is where all analysis Virtual Machines that cuckoo uses are specified.

    machines = vm_name

    [vm_name]
    label = Win7
    platform = windows
    snapshot = SnapShotName
    ip = 10.10.10.3

    resultserver_ip = 10.10.10.2 <- The linux host ip
    resultserver_port = 2042 <- this port will be forwarded to cuckoo by docker

3b Edit scripts/VBoxManage with the VirtualBox server SSH details. This script executes VBoxManage remotely on the VirtualBox host (from the cuckoo container).
user = "vbox_host_user"
passwd = "vbox_host_pass"
host = "vbox_host_ip"

To test this step run "VBoxManage list vms" from bash.
If it lists the VMs it is working; if not, check that you can ssh to the VBox server and that VBoxManagePath is correct in scripts/VBoxManage.
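The two machinery files above (conf/esx.conf in step 3, conf/virtualbox.conf in step 3a) share the same machine-section layout, and a mistake in them is what produces "Loaded 0 machine/s" later on. The following pre-flight check is an added example, not part of the cuckoodocker project: it parses either file and reports the problems this guide tells you to look for. The sample file is constructed from the guide's ESXi values and the key names follow Cuckoo 2.0's layout.

```python
import configparser
import ipaddress

# Constructed sample mirroring the guide's esx.conf (key names follow Cuckoo 2.0's layout).
SAMPLE_ESX_CONF = """[esx]
dsn = esx://10.10.10.1/?no_verify=1
username = username_goes_here
password = password_goes_here
machines = vm_name

[vm_name]
label = Win7
platform = windows
snapshot = SnapShotName
ip = 10.10.10.3
resultserver_ip = 10.10.10.2
resultserver_port = 2042
"""

def check_machinery_conf(text, machinery):
    # Returns 'ERROR:'/'WARN:' findings for esx.conf or virtualbox.conf; [] means clean.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = []
    if not cp.has_section(machinery):  # section name must equal machinery in cuckoo.conf
        return ["ERROR: no [%s] section; does 'machinery' in cuckoo.conf match?" % machinery]
    if machinery == "esx":
        dsn = cp.get("esx", "dsn", fallback="")
        if "no_verify=1" in dsn:  # the guide's example turns off certificate checking
            out.append("WARN: no_verify=1 skips TLS certificate verification of the ESXi API")
    names = [n.strip() for n in cp.get(machinery, "machines", fallback="").split(",") if n.strip()]
    if not names:
        out.append("ERROR: 'machines =' is empty; cuckoo would log 'Loaded 0 machine/s'")
    for name in names:
        if not cp.has_section(name):
            out.append("ERROR: machine %r is listed but has no [%s] section" % (name, name))
            continue
        for key in ("label", "platform", "snapshot", "ip", "resultserver_ip"):
            val = cp.get(name, key, fallback="")
            if not val:
                out.append("ERROR: [%s] is missing %s" % (name, key))
            elif key.endswith("ip"):  # the guest must dial a real host address, never 0.0.0.0
                try:
                    if ipaddress.ip_address(val).is_unspecified:
                        out.append("ERROR: [%s] %s must be the real address, not 0.0.0.0" % (name, key))
                except ValueError:
                    out.append("ERROR: [%s] %s is not a valid IP address" % (name, key))
        if cp.get(name, "resultserver_port", fallback="2042") != "2042":
            out.append("WARN: [%s] resultserver_port is not the 2042 that docker forwards" % name)
    return out
```

Run it with `open("conf/esx.conf").read()` (or virtualbox.conf and "virtualbox") before "make run"; on the guide's own values the only finding is the no_verify warning.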

  • Creating the Cuckoo Docker Image *
    4 On the linux host VM start the Docker service (/etc/init.d/docker start)
    5 Run "make build", this will download and build the images. It will take several minutes.
  • Using Cuckoo - with the web console *

6a Type "make run"; this will start the containers. NOTE: This command will first run make clean to stop all previously running containers.
Once make run finishes it should print something like this:

+++ Running containers +++
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                  PORTS                                            NAMES
27176d290ada        cuckoo:latest       "/home/cuckoo/cuck..."   1 second ago        Up Less than a second   0.0.0.0:8080->8080/tcp                           web
6caacff5cc1f        cuckoo:latest       "/home/cuckoo/cuck..."   2 seconds ago       Up Less than a second   0.0.0.0:1337->1337/tcp, 0.0.0.0:2042->2042/tcp   daemon
05e91f0f4f61        mongo               "docker-entrypoint..."   2 seconds ago       Up 1 second             0.0.0.0:27017->27017/tcp                         mongo

If one is missing, something went wrong :)
6b To check what went wrong do:
"make logs daemon", "make logs web" or "make logs mongo". It works like tailf. For the daemon you should see something like this:
[Cuckoo ASCII-art banner]

 Cuckoo Sandbox 2.0-rc2
 www.cuckoosandbox.org
 Copyright (c) 2010-2015

2017-04-06 11:06:30,264 [lib.cuckoo.core.scheduler] INFO: Using "esx" as machine manager
2017-04-06 11:06:31,014 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2017-04-06 11:06:31,025 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks. 

If you do not see "Loaded 1 machine/s", cuckoo did not find the VM and you have to check esx.conf (or virtualbox.conf and the ssh details) in the configuration section above.

7 Assuming all went well in the previous steps you should have the web interface running in http://10.10.10.2:8080
8 To submit a file go to the Submit tab and select a file to upload. You can use example/pafish.exe to test.
9 Once uploaded you should see this on "make logs daemon":
2017-04-06 11:06:45,237 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "pafish.exe" (task #5, options "route=none,procmemdump=yes")
2017-04-06 11:06:45,287 [lib.cuckoo.core.scheduler] INFO: Task #5: acquired machine windows7 (label=windows7)
2017-04-06 11:06:49,773 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=windows7, ip=10.10.10.3)
10 You should see a VM start in your ESXi (VBox) host and the Windows VM executing the file you uploaded. In the pafish.exe case you should see a CMD console. If you don't, then cuckoo cannot connect to the VM; try to ping it and check the .conf settings and routing/firewalls.
11 After 1-2 minutes the test should finish and you should see this:
2017-04-06 11:08:58,880 [lib.cuckoo.core.guest] INFO: windows7: analysis completed successfully
2017-04-06 11:09:01,269 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources)
2017-04-06 11:09:03,530 [lib.cuckoo.core.scheduler] INFO: Task #5: reports generation completed (path=/home/cuckoo/cuckoo/storage/analyses/5)
2017-04-06 11:09:03,563 [lib.cuckoo.core.scheduler] INFO: Task #5: analysis procedure completed
12 This means that all went well and that the Windows guest could connect back to cuckoo (via 10.10.10.2:2042, then forwarded to the cuckoo container). If this is not the case, try to ping/telnet and check the .conf settings and routing/firewalls.
13 If all went well you can see the analysis results in the web interface.

For more information on how to use the web interface see here: https://blog.malwarebytes.com/threat-analysis/2014/04/automating-malware-analysis-with-cuckoo-sandbox/

  • Using Cuckoo from command line *

6 Instead of doing "make run", here we do "make dev". To stop previous containers you can do make clean, or just do make dev, which will first clean up for you. make dev should open a root console in the cuckoo container. Here you will not have a web interface (no web container), just the console.
7 To start cuckoo do "./cuckoo.py &"; you should see something like this:
[Cuckoo ASCII-art banner]

 Cuckoo Sandbox 2.0-rc2
 www.cuckoosandbox.org
 Copyright (c) 2010-2015

2017-04-06 11:06:30,264 [lib.cuckoo.core.scheduler] INFO: Using "esx" as machine manager
2017-04-06 11:06:31,014 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2017-04-06 11:06:31,025 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks. 

If you do not see "Loaded 1 machine/s", cuckoo did not find the VM and you have to check esx.conf (or virtualbox.conf and the ssh details) in the configuration section above.

8 To submit a file do "utils/submit.py --package exe pafish.exe"; you should see this on "make logs daemon":
2017-04-06 11:06:45,237 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "pafish.exe" (task #5, options "route=none,procmemdump=yes")
2017-04-06 11:06:45,287 [lib.cuckoo.core.scheduler] INFO: Task #5: acquired machine windows7 (label=windows7)
2017-04-06 11:06:49,773 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=windows7, ip=10.10.10.3)
9 You should see a VM start in your ESXi (VBox) host and the Windows VM executing the file you uploaded. In the pafish.exe case you should see a CMD console. If you don't, then cuckoo cannot connect to the VM; try to ping it and check the .conf settings and routing/firewalls.
10 After 1-2 minutes the test should finish and you should see this:
2017-04-06 11:08:58,880 [lib.cuckoo.core.guest] INFO: windows7: analysis completed successfully
2017-04-06 11:09:01,269 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources)
2017-04-06 11:09:03,530 [lib.cuckoo.core.scheduler] INFO: Task #5: reports generation completed (path=/home/cuckoo/cuckoo/storage/analyses/5)
2017-04-06 11:09:03,563 [lib.cuckoo.core.scheduler] INFO: Task #5: analysis procedure completed
11 This means that all went well and that the Windows guest could connect back to cuckoo (via 10.10.10.2:2042, then forwarded to the cuckoo container). If this is not the case, try to ping/telnet and check the .conf settings and routing/firewalls.
12 If all went well you can see the analysis results in storage/analyses/latest/ (check cuckoo.log and analysis.log).
13 To stop the container just type exit.

For more information on how to use the command line interface see here: https://downloads.cuckoosandbox.org/docs/usage/start.html
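Both walkthroughs above (web console steps 6b-12 and command line steps 7-11) decide where a run got stuck by reading the same "make logs daemon" lines. The following checker is an added example, not part of the cuckoodocker project: it parses those daemon log lines and maps each stopping point onto the check the guide recommends. The sample log is copied from the guide's successful run; the stage names and hint wording are this example's own.

```python
import re

LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (\w+): (.*)$")

# Sample lines copied from the guide's "make logs daemon" output for a successful run.
SAMPLE_LOG = """2017-04-06 11:06:30,264 [lib.cuckoo.core.scheduler] INFO: Using "esx" as machine manager
2017-04-06 11:06:31,014 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2017-04-06 11:06:45,237 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "pafish.exe" (task #5, options "route=none,procmemdump=yes")
2017-04-06 11:06:45,287 [lib.cuckoo.core.scheduler] INFO: Task #5: acquired machine windows7 (label=windows7)
2017-04-06 11:06:49,773 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=windows7, ip=10.10.10.3)
2017-04-06 11:08:58,880 [lib.cuckoo.core.guest] INFO: windows7: analysis completed successfully
2017-04-06 11:09:01,269 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources)
2017-04-06 11:09:03,563 [lib.cuckoo.core.scheduler] INFO: Task #5: analysis procedure completed
"""

def summarize(log_text):
    """Record the machine count, each task's last stage and any WARNING lines."""
    state = {"machines": None, "tasks": {}, "warnings": []}
    by_machine = {}  # guest-side lines name the machine, not the task, so map them back
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, _module, level, msg = m.groups()
        if level == "WARNING":
            state["warnings"].append(msg)
        if mm := re.search(r"Loaded (\d+) machine/s", msg):
            state["machines"] = int(mm.group(1))
        elif mm := re.search(r"Task #(\d+): acquired machine (\S+)", msg):
            task = state["tasks"].setdefault(int(mm.group(1)), {"stage": "acquired"})
            by_machine[mm.group(2)] = task
        elif mm := re.search(r"Starting analysis on guest \(id=(\S+?),", msg):
            by_machine.get(mm.group(1), {})["stage"] = "guest_started"
        elif mm := re.search(r"^(\S+): analysis completed successfully", msg):
            by_machine.get(mm.group(1), {})["stage"] = "guest_done"
        elif mm := re.search(r"Task #(\d+): analysis procedure completed", msg):
            state["tasks"].setdefault(int(mm.group(1)), {})["stage"] = "completed"
    return state

def diagnose(state):
    # Map the summary onto the checks the guide recommends at each failure point.
    hints = []
    if not state["machines"]:
        hints.append("no 'Loaded N machine/s' with N>0: check esx.conf (or virtualbox.conf and the ssh details)")
    for tid, task in sorted(state["tasks"].items()):
        if task["stage"] == "acquired":
            hints.append("task #%d never started on the guest: ping the VM, check .conf, routing and firewalls" % tid)
        elif task["stage"] == "guest_started":
            hints.append("task #%d ran but never reported back: check the guest reaches 10.10.10.2:2042" % tid)
    return hints or ["OK: %d machine/s loaded, %d task/s completed" % (state["machines"], len(state["tasks"]))]
```

Feed it the output of "make logs daemon" (or cuckoo.log from storage/analyses/latest/) instead of SAMPLE_LOG to get the hint for a real run.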

  • Other options/commands *
  • make build-clean: deletes ALL docker images and rebuilds the cuckoo image
  • make clean-volumes: deletes ALL docker volumes
  • make clean-images: deletes ALL docker images
Owner
diegobt