CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Cuckoo Linux Subsystem: Some Love for Windows 10

I normally use Linux for my malware analysis lab machine. But, recently, I got interested in the Windows Subsystem for Linux (WSL) and I thought I should give it a try. And so far, I am enjoying the ease of access to most of the tools I use in Linux side-by-side with the Windows Reverse Engineering tools that we use in Trustwave SpiderLabs.

The Cuckoo Sandbox is one of those tools that I use in Linux. I've been using it since a time when it was less than easy to install. But with Cuckoo 2.0, they made it as easy as 'pip install cuckoo'. Since I wanted to start exploring the WSL, I decided to write up this post as well. Cuckoo's official documentation doesn't currently have any information on how to set it up on a Windows host, so I hope the helps those interested in trying it out.

Let's get started!

As a first step I checked which of Cuckoo's components can be installed under WSL. Not everything is supported under WSL since it isn't using a real Linux kernel. That's the reason why some apps like VirtualBox and some of networking tools like tcpdump and not currently supported under WSL.

To organize the installation, I split which components could be installed under WSL and which ones would be installed under Windows. For instance, I installed a LAMP server (Linux-Apache-Mysql-Php) under WSL and the rest of my tools were installed on the Windows host.

Apache is not requirement for Cuckoo since it uses a built-in Django Web application, but I installed it anyway since I use it on daily basis for malware analysis. It allows me to trick malware and control its data exfiltration process. I also used MySQL for Cuckoo instead of the default database, SQLite.

Setting up your Windows Subsystem for Linux

First, we need to install Windows Subsystem for Linux. It is nicely documented here:

Once you have installed WSL, open-up "Bash on Ubuntu on Windows" app and do the following:

# Get latest updates
$ sudo apt-get update
$ sudo apt-get upgrade

# Install LAMP server
$ sudo apt-get install lamp-server^

# Install MongoDB
$ sudo apt-get install mongodb

# Run Apache, MySQL and MongoDB
$ sudo service apache2 start
$ sudo service mysql start
$ sudo service mongodb start

Open-up a browser, and go to http://localhost/. It should display the default page of Apache as shown below.


Preparing the Host

In this case, Windows 10 is our host and we will be installing Cuckoo and other dependencies there.
Cuckoo has made lots of improvements in 2.0, one of which being that the installation process which is now as easy as the following:

C:\> pip install cuckoo

Optionally you can also install Yara and Volatility. To install Yara under Windows follow these instructions:

To install Volatility, run the following commands:

C:\> pip install distorm3
C:\> pip install pycrypto
C:\> pip install volatility

To test if you have installed Yara for Python and Volatility correctly, you should be able to run the following without any errors:

C:\> python -c "import yara"
C:\> python -c "import volatility"

We also need to install the Python module for MySQL. To install it, run the following command:

C:\> easy_install mysql-python

NOTE: I used easy_install for this Python Module since it seems that it already has the pre-compiled Python Egg uploaded in the repository. If you prefer pip, you may download the Wheel (.WHL) file of mysql-python from this link and run 'pip install <WHEEL_FILE>'. Also if you have proper development environment and simply wish to compile mysql-python from source, you can run 'pip install mysql-python' instead.

Now that we have Cuckoo installed and its dependencies, we can now initialize it:

C:\> cuckoo init

It will create a "Cuckoo Working Directory" (CWD) in the following path:

%USERPROFILE%\.cuckoo (C:\Users\<username>\.cuckoo)

With the CWD setup, we can start configuring Cuckoo. To do this we need to go to '%USERPROFILE%⧵.cuckoo⧵conf' in Windows Explorer and start modifying the following configuration files:

connection = mysql://cuckoo:cuckoo@
# NOTE: I created a MySQL user 'cuckoo' with 'cuckoo' as the password and a database name of 'cuckoo'

enabled = yes
tcpdump = c:\tools\tcpdump\tcpdump.exe
# NOTE: the location path depends on where you installed windump.exe. And I renamed windump.exe to tcpdump.exe

path = C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
interface = \Device\NPF_{57998A2E-0606-4E86-A107-E7856A3794A3}
# NOTE: to list all network interfaces, do the following command:
# C:\tools\tcpdump> tcpdump.exe –D
machines = cuckoo1

label = Win7x64 # The label name of my guest image
platform = windows
ip = # The static IP of my guest image host-only adapter
snapshot = cuckoo # I created a snapshot and called it cuckoo

enabled = yes

Then, download the community-based Cuckoo Signatures by running the following command:

C:\> cuckoo community


WinDump is basically tcpdump for the Windows platform and you can download it from here:

The default file name of WinDump is windump.exe. I just renamed it to tcpdump.exe on my installation.

In addition, Cuckoo has a wrapper for Tcpdump called (C:⧵Python27⧵Lib⧵site-packages⧵cuckoo⧵auxiliary⧵ It calls tcpdump and parses its output. The only problem is that tcpdump's output on Windows behaves slightly different as it adds '⧵r' to its output. Because of this I had to tweak to make it work properly. To make the same change you will need to open the file and edit the following line by adding a "\r" to it:

for line in err.split("\r\n"):

if not line continue or line.startswith(err_whitelist_start):


NOTE: "\r" was added.

You also want to edit the following:

err_whitelist_start = (

"tcpdump: listening on ",

"c:\\tools\\tcpdump\\tcpdump.exe: listening on ",


NOTE: The path should reflect the actual path to where you installed tcpdump.exe

It also seems that is designed to expect only one network adapter for both internet access and to communicate with the Cuckoo agent. However, in this exercise, I setup my Guest Image to use two network adapters. I will be discuss this further in the next section of this blog, "Preparing the Guest". I have modified the following few lines of code in to make the packet capturing work.


NOTE: The default configuration wants to capture packets from the IP you have entered in 'virtualbox.conf', but in my case the Internet connection goes through the NAT adapter. For us to be able to capture network activities of the malware, we will capture packets that come in and out of the host machine ("DESKTOP-FG7MR6D").

Preparing the Guest

I use VirtualBox to create virtual machines and I setup 2 network adapters, one is Host-Only and the other one is NAT. The Host-Only adapter is used by Cuckoo to communicate with the Agent inside the guest image while the NAT adapter is for Internet access. For the Cuckoo setup in Linux, you only need one Host-Only adapter for both Internet access and Cuckoo Agent communication. I haven't explored that possibility on Windows host yet, but if you do, I'd be happy to hear it.

To configure the Host-only adapter with DHCP disabled follow these steps:

  1. Open VirtualBox Manager
  2. Click File > Preferences > Network
  3. Click on Host-only Networks Tab
  4. Highlight "VirtualBox Host-Only Ethernet Adapter" and click on Edit (the icon that looks like Screw-driver)
  5. Click on DHCP Server tab
  6. Uncheck "Enable Server"


Also, make sure to have a static IP address for your Host-only adapter inside the Guest Image. The default IP range for VirtualBox Host-Only adapter is Finally, make sure that you turn off Windows Firewall.


You must install Python inside the Guest image. You can download Python installer from here ( You will also need to install the Pillow Python module. Pillow is used for taking screenshot of the guest image:

C:\> pip install Pillow

Now that you have python installed you can copy Cuckoo's agent (%USERPROFILE%⧵.cuckoo⧵agent⧵ to the Guest image. Execute and then create a snapshot of Guest image.


Using Cuckoo

To use Cuckoo, we run its built-in Web-application as well as Cuckoo itself. We can run the following commands separately:

C:\> cuckoo -d # To Run Cuckoo


C:\> cuckoo web runserver # To Run the built-in Django Web Application

To submit a file to Cuckoo for processing, open-up a browser and go to http://localhost:8000/submit/. This Web User Interface is another improvement in Cuckoo. Below is a screenshot:



My initial excitement deflated when I couldn't install all of Cuckoo's components in WSL, but WSL is still in its early stages and there's a lot more to improve. Nevertheless, I am happy that I can now have Windows as my host and use my favorite tools in Linux without having too many virtual machines running on my PC. With Microsoft and Canonical teaming up together, having the best of two worlds is now a possibility.

Latest SpiderLabs Blogs

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More


We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More

Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious...

Read More