SpiderLabs Blog

Cuckoo Linux Subsystem: Some Love for Windows 10

I normally use Linux for my malware analysis lab machine. But, recently, I got interested in the Windows Subsystem for Linux (WSL) and I thought I should give it a try. And so far, I am enjoying the ease of access to most of the tools I use in Linux side-by-side with the Windows Reverse Engineering tools that we use in Trustwave SpiderLabs.

The Cuckoo Sandbox is one of those tools that I use in Linux. I've been using it since a time when it was less than easy to install. But with Cuckoo 2.0, they made it as easy as 'pip install cuckoo'. Since I wanted to start exploring the WSL, I decided to write up this post as well. Cuckoo's official documentation doesn't currently have any information on how to set it up on a Windows host, so I hope this helps those interested in trying it out.

Let's get started!

As a first step I checked which of Cuckoo's components can be installed under WSL. Not everything is supported under WSL since it isn't using a real Linux kernel. That's the reason why some apps like VirtualBox and some networking tools like tcpdump are not currently supported under WSL.

To organize the installation, I split which components could be installed under WSL and which ones would be installed under Windows. For instance, I installed a LAMP server (Linux-Apache-Mysql-Php) under WSL and the rest of my tools were installed on the Windows host.

Apache is not a requirement for Cuckoo since it uses a built-in Django Web application, but I installed it anyway since I use it on a daily basis for malware analysis. It allows me to trick malware and control its data exfiltration process. I also used MySQL for Cuckoo instead of the default database, SQLite.

Setting up your Windows Subsystem for Linux

First, we need to install Windows Subsystem for Linux. It is nicely documented here: https://msdn.microsoft.com/en-us/commandline/wsl/install_guide

Once you have installed WSL, open up the "Bash on Ubuntu on Windows" app and do the following:

# Get latest updates
$ sudo apt-get update
$ sudo apt-get upgrade

# Install LAMP server
$ sudo apt-get install lamp-server^

# Install MongoDB
$ sudo apt-get install mongodb

# Run Apache, MySQL and MongoDB
$ sudo service apache2 start
$ sudo service mysql start
$ sudo service mongodb start

Open up a browser and go to http://localhost/. It should display the default Apache page, as shown below.

[Screenshot: default Apache page served from WSL]

Preparing the Host

In this case, Windows 10 is our host and we will be installing Cuckoo and its other dependencies there.
Cuckoo has made lots of improvements in 2.0, one of which is that the installation process is now as easy as the following:

C:\> pip install cuckoo

Optionally you can also install Yara and Volatility. To install Yara under Windows follow these instructions: http://yara.readthedocs.io/en/v3.4.0/gettingstarted.html#installing-on-windows.

To install Volatility, run the following commands:

C:\> pip install distorm3
C:\> pip install pycrypto
C:\> pip install volatility

To test if you have installed Yara for Python and Volatility correctly, you should be able to run the following without any errors:

C:\> python -c "import yara"
C:\> python -c "import volatility"

We also need to install the Python module for MySQL. To install it, run the following command:

C:\> easy_install mysql-python

NOTE: I used easy_install for this Python module since it seems that a pre-compiled Python Egg is already uploaded in the repository. If you prefer pip, you may download the Wheel (.WHL) file of mysql-python from this link and run 'pip install <WHEEL_FILE>'. Also, if you have a proper development environment and simply wish to compile mysql-python from source, you can run 'pip install mysql-python' instead.

Now that Cuckoo and its dependencies are installed, we can initialize it:

C:\> cuckoo init

It will create a "Cuckoo Working Directory" (CWD) in the following path:

%USERPROFILE%\.cuckoo (C:\Users\<username>\.cuckoo)

With the CWD set up, we can start configuring Cuckoo. To do this we need to go to '%USERPROFILE%\.cuckoo\conf' in Windows Explorer and start modifying the following configuration files:

cuckoo.conf
[database]
connection = mysql://cuckoo:cuckoo@127.0.0.1/cuckoo
# NOTE: I created a MySQL user 'cuckoo' with 'cuckoo' as the password and a database name of 'cuckoo'

auxiliary.conf
[sniffer]
enabled = yes
tcpdump = c:\tools\tcpdump\tcpdump.exe
# NOTE: the location path depends on where you installed windump.exe. And I renamed windump.exe to tcpdump.exe

virtualbox.conf
[virtualbox]
path = C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
interface = \Device\NPF_{57998A2E-0606-4E86-A107-E7856A3794A3}
# NOTE: to list all network interfaces, run the following command:
# C:\tools\tcpdump> tcpdump.exe -D
machines = cuckoo1

[cuckoo1]
# The label name of my guest image
label = Win7x64
platform = windows
# The static IP of my guest image's host-only adapter
ip = 192.168.56.101
# I created a snapshot and called it cuckoo
snapshot = cuckoo

reporting.conf
[mongodb]
enabled = yes

Then, download the community-based Cuckoo Signatures by running the following command:

C:\> cuckoo community

Tcpdump

WinDump is basically tcpdump for the Windows platform and you can download it from here: https://www.winpcap.org/windump/install/default.htm.

The default file name of WinDump is windump.exe. I just renamed it to tcpdump.exe on my installation.

In addition, Cuckoo has a wrapper for Tcpdump called sniffer.py (C:\Python27\Lib\site-packages\cuckoo\auxiliary\sniffer.py). It calls tcpdump and parses its output. The only problem is that tcpdump's output on Windows behaves slightly differently, as it adds '\r' to its output. Because of this I had to tweak sniffer.py to make it work properly. To make the same change you will need to open the file sniffer.py and edit the following line by adding a "\r" to it:

for line in err.split("\r\n"):
    if not line or line.startswith(err_whitelist_start):
        continue

NOTE: "\r" was added.

You also want to edit the following:

err_whitelist_start = (
    "tcpdump: listening on ",
    "c:\\tools\\tcpdump\\tcpdump.exe: listening on ",
)

NOTE: The path should reflect the actual path to where you installed tcpdump.exe.

It also seems that sniffer.py is designed to expect only one network adapter for both Internet access and communication with the Cuckoo agent. However, in this exercise, I set up my Guest Image to use two network adapters. I will discuss this further in the next section of this blog, "Preparing the Guest". I have modified the following few lines of code in sniffer.py to make the packet capturing work.

[Screenshot: the modified lines in sniffer.py]

NOTE: The default configuration wants to capture packets from the IP you have entered in 'virtualbox.conf', but in my case the Internet connection goes through the NAT adapter. To be able to capture the malware's network activity, we instead capture packets that come in and out of the host machine ("DESKTOP-FG7MR6D").
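The line-ending problem described above can be avoided entirely by letting Python split on any line terminator instead of a hard-coded "\n" or "\r\n". The following is an added example, not code from the post or from Cuckoo's sniffer.py: it reproduces the stderr check that sniffer.py performs after tcpdump exits, derives the WinDump-style prefix from the configured executable path, and shows how the original "\n" split misclassifies CRLF output. The END_WHITELIST suffixes, the function names and the sample stderr (with a placeholder interface GUID) are my assumptions.

```python
"""Line-ending-tolerant stderr check for tcpdump/WinDump output (added example,
not the post's or Cuckoo's own code)."""

# Suffixes of benign lines tcpdump prints at shutdown (assumption, not from the post)
END_WHITELIST = (
    "packets captured",
    "packets received by filter",
    "packets dropped by kernel",
)


def whitelisted_starts(tcpdump_path):
    """Benign startup prefixes. WinDump prefixes messages with its executable
    path rather than the word 'tcpdump', so both forms are accepted."""
    return ("tcpdump: listening on ", tcpdump_path.lower() + ": listening on ")


def stderr_problems(err, tcpdump_path, line_sep=None):
    """Return the stderr lines that are not known to be benign.

    line_sep=None uses str.splitlines(), which treats '\\n' and '\\r\\n' alike.
    Passing line_sep="\\n" reproduces the original sniffer.py split, which on
    Windows leaves a trailing '\\r' on every line so the suffix check fails.
    """
    starts = whitelisted_starts(tcpdump_path)
    lines = err.splitlines() if line_sep is None else err.split(line_sep)
    problems = []
    for line in lines:
        if not line:
            continue
        if line.lower().startswith(starts):
            continue
        if line.endswith(END_WHITELIST):
            continue
        problems.append(line)
    return problems


# Constructed sample of what WinDump writes to stderr (CRLF line endings, placeholder GUID)
TCPDUMP_PATH = r"c:\tools\tcpdump\tcpdump.exe"
SAMPLE_ERR = (
    "c:\\tools\\tcpdump\\tcpdump.exe: listening on \\Device\\NPF_{PLACEHOLDER-GUID}, "
    "link-type EN10MB (Ethernet), capture size 262144 bytes\r\n"
    "tcpdump: WARNING: constructed sample warning line\r\n"
    "12 packets captured\r\n"
    "12 packets received by filter\r\n"
    "0 packets dropped by kernel\r\n"
)

if __name__ == "__main__":
    print("tolerant split:", stderr_problems(SAMPLE_ERR, TCPDUMP_PATH))
    print("original split:", stderr_problems(SAMPLE_ERR, TCPDUMP_PATH, line_sep="\n"))
```

With the tolerant split only the genuine warning is reported; with the original "\n" split the three benign summary lines are reported as errors as well.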

Preparing the Guest

I use VirtualBox to create virtual machines, and I set up two network adapters: one Host-Only and one NAT. The Host-Only adapter is used by Cuckoo to communicate with the Agent inside the guest image, while the NAT adapter is for Internet access. For the Cuckoo setup in Linux, you only need one Host-Only adapter for both Internet access and Cuckoo Agent communication. I haven't explored that possibility on a Windows host yet, but if you do, I'd be happy to hear about it.

To configure the Host-only adapter with DHCP disabled follow these steps:

  1. Open VirtualBox Manager
  2. Click File > Preferences > Network
  3. Click on Host-only Networks Tab
  4. Highlight "VirtualBox Host-Only Ethernet Adapter" and click on Edit (the icon that looks like a screwdriver)
  5. Click on DHCP Server tab
  6. Uncheck "Enable Server"

[Screenshot: VirtualBox Host-only Networks preferences, DHCP Server tab]

Also, make sure to have a static IP address for your Host-only adapter inside the Guest Image. The default IP range for VirtualBox Host-Only adapter is 192.168.56.0/24. Finally, make sure that you turn off Windows Firewall.

[Screenshot: guest network settings]

You must install Python inside the Guest image. You can download the Python installer from https://www.python.org/downloads/. You will also need to install the Pillow Python module, which is used for taking screenshots of the guest image:

C:\> pip install Pillow

Now that you have Python installed, you can copy Cuckoo's agent (%USERPROFILE%\.cuckoo\agent\agent.py) to the Guest image. Execute agent.py and then create a snapshot of the Guest image.

[Screenshot: agent.py running inside the guest]

Using Cuckoo

To use Cuckoo, we run its built-in Web application as well as Cuckoo itself. The following commands are run separately:

# Run Cuckoo
C:\> cuckoo -d

[Screenshot: cuckoo -d output]

# Run the built-in Django Web application
C:\> cuckoo web runserver

To submit a file to Cuckoo for processing, open up a browser and go to http://localhost:8000/submit/. This Web User Interface is another improvement in Cuckoo. Below is a screenshot:

[Screenshot: Cuckoo web submission page]

Conclusion

My initial excitement deflated when I couldn't install all of Cuckoo's components in WSL, but WSL is still in its early stages and there's a lot more to improve. Nevertheless, I am happy that I can now have Windows as my host and use my favorite tools in Linux without having too many virtual machines running on my PC. With Microsoft and Canonical teaming up together, having the best of two worlds is now a possibility.
