Advice Request Install Cuckoo Sandbox on Ubuntu virtualbox

[gxt123]

Hello everyone,

I'm new to this forum and also quite new to malware analysis, so I hope you can help me. I'm in the process of installing Cuckoo Sandbox in a virtual environment (Ubuntu 20.04 is the host, the guest is a Windows 7 VM). However, when I run the prerequisites, I get stuck. When I follow the official documentation (https://cuckoo.sh/docs/installation/host/requirements.html), I get an error (see screenshot below). I have tried many things to fix the problem (so many things that I don't even know what I tried and what not), e.g. installing Python 2 (2.7, since Cuckoo doesn't support Python 3 yet, etc.), but I can't solve the problem.

Does anyone know how I can fix this? Thank you in advance.

 

[Andrezj]

it really depends upon how and what you did to install python 2
you can check the version of python2 installed with "python2 -V" at the command line
you might just have to uninstall python2 and reinstall
it is hard to know with the limited information how to resolve
there is no guarantee that the below will fix your problem

those command lines in the cuckoo sandbox documentation are obsolete
to install version 2 python and the 2 python-dev package

sudo apt-get install python2 python2-dev

be advised that cuckoo sandbox is a dead project and no longer supported
any product incorporating cuckoo sandbox is making its users rely upon an obsolete, dead project

 

[gxt123]

Andrezj thank you for your response. Is there another sandbox you can recommend? By the way... is there really any added value in using a sandbox (I mean, I know there is, but in my case.... I don't really need the extra information it provides, like API sequences, hashes etc.). I just want a safe environment to install and analyse ransomware (but I will analyse it with my own detection system). In this case, is a sandbox still required or can I just install the ransomware samples in my virtualbox (Windows 7/10) and restrict internet access with NAT (or maybe I should install Windows as a guest in my host Ubuntu VM). I don't know.. I'm a little confused

To be honest, I'm a little afraid that ransomware can, without a sandboxed environment, escape from the virtual environment.

 

[Andrezj]

Is there another sandbox you can recommend?

i do not know how useful this list will be to you as most of these are not open source, at most they offer an upload api

Free Automated Malware Analysis Sandboxes and Services

zeltser.com

however, this list is open source malware analysis sandboxes and you can see the latest commits
not confident you will find anything useful but at least you can separate the currently maintained projects versus the archived

The Top 23 Sandbox Malware Analysis Open Source Projects

Open source projects categorized as Sandbox Malware Analysis

awesomeopensource.com

I just want a safe environment to install and analyse ransomware (but I will analyse it with my own detection system).

build your test environment on a network disconnected (disable the network adapter during testing), this is going to give you what you want - which i am going to assume is to test and develop your detection system

In this case, is a sandbox still required or can I just install the ransomware samples in my virtualbox (Windows 7/10) and restrict internet access with NAT (or maybe I should install Windows as a guest in my host Ubuntu VM). I don't know.. I'm a little confused

this is what most researchers do, they just use a malware analysis sandbox as a quick and easy source of behaviors and other information
do not use any shared folders between the test virtual machines and the host
others say to disable cpu virtualization of the vm, but i could not find the technical reason

To be honest, I'm a little afraid that ransomware can, without a sandboxed environment, escape from the virtual environment.

certainly it is technically possible in some way, but i have never heard of such a case where the ransomware managed to escape a fully and properly configured virtual environment
virtual machine breakouts are possible as VUPEN once showed, but exploiting virtual machines is a tactic that will only be used by sophisticated threat actors and that means those with lots of resources and skilled personnel, think nation state actors

VUPEN Method Breaks Out of Virtual Machine to Attack Hosts

Researchers developed an "advanced exploitation method" which triggered a previously discovered vulnerability in order to escape a Xen virtual machine running on Citrix XenServer and get onto the host machine.

www.securityweek.com

there are cases of ransomware running in a virtual environment and then infecting the host, but that involved the shared folders (which is not windows smb by the way, it is a proprietary host-guest protocol developed by oracle (and vmware has its own for folder\file sharing between host and guest)

Naked Security – Sophos News

nakedsecurity.sophos.com

Ransomware: Growing Number of Attackers Using Virtual Machines

Tactic hides ransomware payload and lowers the risk of discovery while encryption process is underway.

symantec-enterprise-blogs.security.com

you should be further aware that if you do test malware with the internet enabled, without using a vpn your public ip address could be blacklisted by your isp

ask @harlan4096 about setting up a malware test environment

 

[simmerskool]

be advised that cuckoo sandbox is a dead project and no longer supported
any product incorporating cuckoo sandbox is making its users rely upon an obsolete, dead project

friendly sidenote: Voodooshield does have a cuckoo sandbox feature, apparently cuckoo is open source, and VS' author, @danb here, has a version that he modifies occasionally on one of VS cloud servers to have yet another optional analysis -- no comment on its efficacy. Lately I use Intezer (free) and hybrid analysis (free). Any others that are free and better than these two? VT has summaries of a few too. Intezer limits its free online version to 10 files per month, which is usually more than enough for me.

 

[Andrezj]

friendly sidenote: Voodooshield does have a cuckoo sandbox feature, apparently cuckoo is open source, and VS' author, @danb here, has a version that he modifies occasionally on one of VS cloud servers to have yet another optional analysis -- no comment on its efficacy. Lately I use Intezer (free) and hybrid analysis (free). Any others that are free and better than these two? VT has summaries of a few too. Intezer limits its free online version to 10 files per month, which is usually more than enough for me.

cuckoo sandbox is no longer developed by hatching
hatching used cuckoo sandbox as a test pilot project and then discontinued further development in 2019
hatching used what it learned from cuckoo sandbox to make a paid file analysis sandbox technology called triage

Hatching - Automated malware analysis solutions

Automated malware analysis with Hatching Triage, the high-volume sandbox solution for SOCs, CERTs, SOARs, and MSSPs.

hatching.io

Hatching Triage​

From former developers of Cuckoo sandbox.​

also cuckoo sandbox project repo is in archived status on github
no release since 2019
no documentation update since before

GitHub - cuckoosandbox/cuckoo: Cuckoo Sandbox is an automated dynamic malware analysis system

Cuckoo Sandbox is an automated dynamic malware analysis system - cuckoosandbox/cuckoo

github.com

 

[gxt123]

Andrezj Thank you very much for your extensive answer. I will look at the links you provided, to open source/free sandboxes.
Just to be sure... Cuckoo Sandbox is not updated/maintained anymore, but is it a dead project in the sense of... can't you use it anymore, or is it just not supported? Because I only want to use the sandbox as a setup and to gather some information about the ransomware sample (like API calls/I/O operations etc.), but my anti-ransomware system will not rely on Cuckoo.

 

[Andrezj]

Andrezj Thank you very much for your extensive answer. I will look at the links you provided, to open source/free sandboxes.
Just to be sure... Cuckoo Sandbox is not updated/maintained anymore, but is it a dead project in the sense of... can't you use it anymore, or is it just not supported? Because I only want to use the sandbox as a setup and to gather some information about the ransomware sample (like API calls/I/O operations etc.), but my anti-ransomware system will not rely on Cuckoo.

i reached out to some colleagues and was informed about cuckoo sandbox 3, a full python 3 rewrite of cuckoo v 2.0
note on github page: "This is a development version, we do not recommend its use in production."

https://tf-csirt.org/wp-content/uploads/2021/01/cuckoo3_presentation.pdf

GitHub - cert-ee/cuckoo3: Cuckoo3 is a Python 3 open source automated malware analysis system.

Cuckoo3 is a Python 3 open source automated malware analysis system. - cert-ee/cuckoo3

github.com

Cuckoo 3 installation - Cuckoo 3 docs

cuckoo-hatch.cert.ee

Cuckoo 3 Installation Guide | Nikola's Blog (this appears to be clearest and most detailed installation instructions, you do not need to use vmware vsphere so skip)

Cuckoo3 (use as last resort)

cuckoo 2 can be used too if you can get it installed and fully functional and you are comfortable with analysis output

 

[gxt123]

Thank you Andrezj for your quick and detailed answers. My last question (hope you can help me with this one too): let's assume I install Cuckoo with Python2 (Python 2.7), because that's the latest stable version.In such a case, can I still develop an anti-ransomware/malware system with Python 3? As far as I know, Python 2 is used by Cuckoo for communication and interaction between the host and guest.
I just want to use Cuckoo for some additional information about the malware sample. I will not build anything on top of Cuckoo or extract any data from it (e.g. API calls, registry key operations etc.). I will use Cuckoo for informational purposes only. Therefore, it doesn't really matter to me if I have an old version of Cuckoo, but it would be great if I can develop my own system in Python 3 (however, my own system will be trained/tested on the guest computer, that is part of the Cuckoo environment, so I hope it will work in such a case).

 

[Andrezj]

can I still develop an anti-ransomware/malware system with Python 3?

yes, you can run python 2 and 3 in parallel on ubuntu or windows
there is syntax to invoke version 2 or 3
you will set the version of python to 3 in your python scripting ide
logistical or usability issues might arise, you will have to deal with each one as they happen

you can isolate cuckoo sandbox from the host by running it in a virtual machine and then developing your project on the host system using python 3
there are numerous online guides to install cuckoo sandbox 2 in a virtual machine in ubuntu, however they are all inconsistent

As far as I know, Python 2 is used by Cuckoo for communication and interaction between the host and guest.

yes, it says so in the documentation

 

[gxt123]

Okay thank you Andrezj!

 

[Andrezj]

Okay thank you Andrezj!

cuckoo version 3 supports plugins which version 2 does not
not sure that would be of any benefit to you, it might when you need some specific analysis that can be had with a plugin