Before proceeding on configuring Cuckoo, you’ll need to install some required software and libraries.
Installing Python libraries¶
Cuckoo host components are completely written in Python, therefore make sure to have an appropriate version installed. For the current release Python 2.7 is preferred.
Install the basic dependencies:
$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg-dev
If you want to use the Django-based web interface, you’ll have to install MongoDB too:
$ sudo apt-get install mongodb
In order to properly function, Cuckoo requires some dependencies. They can all be installed through PyPI like this:
$ sudo pip install -r requirements.txt
If you want to use KVM it’s packaged too and you can install it with the following command:
$ sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils python-libvirt
If you want to use XenServer you’ll have to install the XenAPI Python package:
$ sudo pip install XenAPI
If you want to use the mitm auxiliary module (to intercept SSL/TLS generated traffic), you need to install mitmproxy. Please refer to its website for installation instructions.
Despite heavily relying on VirtualBox in the past, Cuckoo has moved on being architecturally independent from the virtualization software. As you will see throughout this documentation, you’ll be able to define and write modules to support any software of your choice.
For the sake of this guide we will assume that you have VirtualBox installed (which still is the default option), but this does not affect anyhow the execution and general configuration of the sandbox.
You are completely responsible for the choice, configuration and execution of your virtualization software, therefore please refrain from asking for help on it in our channels and lists: refer to the software’s official documentation and support.
Assuming you decide to go for VirtualBox, you can get the proper package for your distribution at the official download page. The installation of VirtualBox is outside the scope of this documentation, if you are not familiar with it please refer to the official documentation.
In order to dump the network activity performed by the malware during execution, you’ll need a network sniffer properly configured to capture the traffic and dump it to a file.
By default Cuckoo adopts tcpdump, the prominent open source solution.
Install it on Ubuntu:
$ sudo apt-get install tcpdump
Tcpdump requires root privileges, but since you don’t want Cuckoo to run as root you’ll have to set specific Linux capabilities to the binary:
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
You can verify the results of last command with:
$ getcap /usr/sbin/tcpdump /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
If you don’t have setcap installed you can get it with:
$ sudo apt-get install libcap2-bin
Or otherwise (not recommended) do:
$ sudo chmod +s /usr/sbin/tcpdump
Please keep in mind that even the setcap method is definitely not perfectly safe if the system has other users which are potentially untrusted. We recommend to run Cuckoo on a dedicated system or a trusted environment where the privileged tcpdump execution is contained otherwise.
Volatility is an optional tool to do forensic analysis on memory dumps. In combination with Cuckoo, it can automatically provide additional visibility into deep modifications in the operating system as well as detect the presence of rootkit technology that escaped the monitoring domain of Cuckoo’s analyzer.
In order to function properly, Cuckoo requires at least version 2.3 of Volatility. You can get it from the official repository.
See the volatility documentation for detailed instructions on how to install it.