Advice Request Install Cuckoo Sandbox on Ubuntu virtualbox


gxt123

New Member
Thread author
Dec 27, 2022
5
Hello everyone,

I'm new to this forum and also quite new to malware analysis, so I hope you can help me. I'm in the process of installing Cuckoo Sandbox in a virtual environment (Ubuntu 20.04 is the host, the guest is a Windows 7 VM). However, when I run the prerequisites, I get stuck. When I follow the official documentation (https://cuckoo.sh/docs/installation/host/requirements.html), I get an error (see screenshot below). I have tried many things to fix the problem (so many things that I don't even know what I tried and what not), e.g. installing Python 2 (2.7, since Cuckoo doesn't support Python 3 yet, etc.), but I can't solve the problem.

Does anyone know how I can fix this? Thank you in advance.

[screenshot attachment: Ubuntu.png]
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
it really depends upon how and what you did to install python 2
you can check the version of python2 installed with "python2 -V" at the command line
you might just have to uninstall python2 and reinstall
it is hard to know with the limited information how to resolve
there is no guarantee that the below will fix your problem

those command lines in the cuckoo sandbox documentation are obsolete
to install version 2 python and the 2 python-dev package

sudo apt-get install python2 python2-dev

be advised that cuckoo sandbox is a dead project and no longer supported
any product incorporating cuckoo sandbox is making its users rely upon an obsolete, dead project
 

gxt123

New Member
Thread author
Dec 27, 2022
5
Andrezj thank you for your response. Is there another sandbox you can recommend? By the way... is there really any added value in using a sandbox (I mean, I know there is, but in my case.... I don't really need the extra information it provides, like API sequences, hashes etc.). I just want a safe environment to install and analyse ransomware (but I will analyse it with my own detection system). In this case, is a sandbox still required or can I just install the ransomware samples in my virtualbox (Windows 7/10) and restrict internet access with NAT (or maybe I should install Windows as a guest in my host Ubuntu VM). I don't know.. I'm a little confused :)

To be honest, I'm a little afraid that ransomware can, without a sandboxed environment, escape from the virtual environment.
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
Is there another sandbox you can recommend?
i do not know how useful this list will be to you as most of these are not open source, at most they offer an upload api


however, this list is open source malware analysis sandboxes and you can see the latest commits
not confident you will find anything useful but at least you can separate the currently maintained projects versus the archived


I just want a safe environment to install and analyse ransomware (but I will analyse it with my own detection system).
build your test environment on a network disconnected (disable the network adapter during testing), this is going to give you what you want - which i am going to assume is to test and develop your detection system

In this case, is a sandbox still required or can I just install the ransomware samples in my virtualbox (Windows 7/10) and restrict internet access with NAT (or maybe I should install Windows as a guest in my host Ubuntu VM). I don't know.. I'm a little confused :)
this is what most researchers do, they just use a malware analysis sandbox as a quick and easy source of behaviors and other information
do not use any shared folders between the test virtual machines and the host
others say to disable cpu virtualization of the vm, but i could not find the technical reason

To be honest, I'm a little afraid that ransomware can, without a sandboxed environment, escape from the virtual environment.
certainly it is technically possible in some way, but i have never heard of such a case where the ransomware managed to escape a fully and properly configured virtual environment
virtual machine breakouts are possible as VUPEN once showed, but exploiting virtual machines is a tactic that will only be used by sophisticated threat actors and that means those with lots of resources and skilled personnel, think nation state actors


there are cases of ransomware running in a virtual environment and then infecting the host, but that involved the shared folders (which is not windows smb by the way, it is a proprietary host-guest protocol developed by oracle (and vmware has its own for folder\file sharing between host and guest))


you should be further aware that if you do test malware with the internet enabled, without using a vpn your public ip address could be blacklisted by your isp

ask @harlan4096 about setting up a malware test environment
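The isolation advice above (no network adapter during testing, no shared folders between guest and host) can be checked before every detonation rather than trusted from memory. The script below is an added example written for this thread, not code from any poster or from the Cuckoo project. It audits the output of `VBoxManage showvminfo <vm> --machinereadable` and prints the `VBoxManage` commands that would close each finding without running them; the key names it looks for (`nicN`, `clipboard`, `draganddrop`, `SharedFolderNameMachineMappingN`) and the `modifyvm` option names are assumed to match VirtualBox 6.x, and the two excerpts embedded in it are constructed, not captured from a real machine.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit a VirtualBox guest before
# detonating a sample in it. Input is assumed to be the output of
#   VBoxManage showvminfo "<vm>" --machinereadable
# Key names and modifyvm options are assumed to match VirtualBox 6.x.

# Constructed showvminfo excerpts for the two cases (not from a real machine).
VM_UNSAFE='name="win7-analysis"
nic1="nat"
nic2="none"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/analyst/samples"'

VM_SAFE='name="win7-analysis"
nic1="none"
nic2="none"
clipboard="disabled"
draganddrop="disabled"'

# key="value"  ->  value
strip_quotes() {
  local v="${1#*=}"
  printf '%s' "${v//\"/}"
}

# Findings go to stderr, the finding count to stdout.
# Returns 0 when the guest looks isolated, 1 otherwise.
check_vm_isolation() {
  local info="$1" line val problems=0
  while IFS= read -r line; do
    case "$line" in
      nic[0-9]*=*)                      # any attached adapter (nat, bridged, ...)
        val=$(strip_quotes "$line")
        if [ "$val" != "none" ]; then
          echo "network adapter attached: $line" >&2; problems=$((problems + 1))
        fi ;;
      clipboard=*|draganddrop=*)        # host<->guest channels beyond the disk
        val=$(strip_quotes "$line")
        if [ "$val" != "disabled" ]; then
          echo "host-guest channel open: $line" >&2; problems=$((problems + 1))
        fi ;;
      SharedFolderNameMachineMapping*=*|SharedFolderNameTransientMapping*=*)
        echo "shared folder mapped: $line" >&2; problems=$((problems + 1)) ;;
    esac
  done <<< "$info"
  echo "$problems"
  if [ "$problems" -eq 0 ]; then return 0; fi
  return 1
}

# Prints the VBoxManage commands that would close each finding; runs nothing.
print_hardening_commands() {
  local vm="$1" info="$2" line key val name
  while IFS= read -r line; do
    key="${line%%=*}"
    case "$line" in
      nic[0-9]*=*)
        val=$(strip_quotes "$line")
        if [ "$val" != "none" ]; then
          echo "VBoxManage modifyvm \"$vm\" --${key} none"
        fi ;;
      clipboard=*|draganddrop=*)
        val=$(strip_quotes "$line")
        if [ "$val" != "disabled" ]; then
          echo "VBoxManage modifyvm \"$vm\" --${key} disabled"
        fi ;;
      SharedFolderNameMachineMapping*=*)
        name=$(strip_quotes "$line")
        echo "VBoxManage sharedfolder remove \"$vm\" --name \"$name\""
        ;;
    esac
  done <<< "$info"
  # Snapshot a clean baseline so each detonation starts from the same state.
  echo "VBoxManage snapshot \"$vm\" take clean-baseline"
}

# With a VM name: audit the real guest. Without one: demo on the constructed excerpt.
main() {
  local vm="${1:-win7-analysis}" info
  if [ "$#" -gt 0 ]; then
    info=$(VBoxManage showvminfo "$vm" --machinereadable)
  else
    info="$VM_UNSAFE"
  fi
  if check_vm_isolation "$info" >/dev/null; then
    echo "$vm looks isolated"
  else
    echo "$vm is NOT isolated; suggested fixes:"
    print_hardening_commands "$vm" "$info"
  fi
}
main "$@"
```

Run it as `./check_vm_isolation.sh win7-analysis` against a real guest, review the printed commands, then apply them by hand; the snapshot at the end is what you revert to after each sample so the guest never accumulates state.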
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,715
be advised that cuckoo sandbox is a dead project and no longer supported
any product incorporating cuckoo sandbox is making its users rely upon an obsolete, dead project
friendly sidenote: Voodooshield does have a cuckoo sandbox feature, apparently cuckoo is open source, and VS' author, @danb here, has a version that he modifies occasionally on one of VS cloud servers to have yet another optional analysis -- no comment on its efficacy. Lately I use Intezer (free) and hybrid analysis (free). Any others that are free and better than these two? VT has summaries of a few too. Intezer limits its free online version to 10 files per month, which is usually more than enough for me.
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
friendly sidenote: Voodooshield does have a cuckoo sandbox feature, apparently cuckoo is open source, and VS' author, @danb here, has a version that he modifies occasionally on one of VS cloud servers to have yet another optional analysis -- no comment on its efficacy. Lately I use Intezer (free) and hybrid analysis (free). Any others that are free and better than these two? VT has summaries of a few too. Intezer limits its free online version to 10 files per month, which is usually more than enough for me.
cuckoo sandbox is no longer developed by hatching
hatching used cuckoo sandbox as a test pilot project and then discontinued further development in 2019
hatching used what it learned from cuckoo sandbox to make a paid file analysis sandbox technology called triage

Hatching Triage (link): From former developers of Cuckoo sandbox.


also cuckoo sandbox project repo is in archived status on github
no release since 2019
no documentation update since before
 

gxt123

New Member
Thread author
Dec 27, 2022
5
Andrezj Thank you very much for your extensive answer. I will look at the links you provided, to open source/free sandboxes.
Just to be sure... Cuckoo Sandbox is not updated/maintained anymore, but is it a dead project in the sense of... can't you use it anymore, or is it just not supported? Because I only want to use the sandbox as a setup and to gather some information about the ransomware sample (like API calls/I/O operations etc.), but my anti-ransomware system will not rely on Cuckoo.
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
Andrezj Thank you very much for your extensive answer. I will look at the links you provided, to open source/free sandboxes.
Just to be sure... Cuckoo Sandbox is not updated/maintained anymore, but is it a dead project in the sense of... can't you use it anymore, or is it just not supported? Because I only want to use the sandbox as a setup and to gather some information about the ransomware sample (like API calls/I/O operations etc.), but my anti-ransomware system will not rely on Cuckoo.
i reached out to some colleagues and was informed about cuckoo sandbox 3, a full python 3 rewrite of cuckoo v 2.0
note on github page: "This is a development version, we do not recommend its use in production."


Cuckoo 3 Installation Guide | Nikola's Blog (this appears to be clearest and most detailed installation instructions, you do not need to use vmware vsphere so skip)

Cuckoo3 (use as last resort)

cuckoo 2 can be used too if you can get it installed and fully functional and you are comfortable with analysis output
 

gxt123

New Member
Thread author
Dec 27, 2022
5
Thank you Andrezj for your quick and detailed answers. My last question (hope you can help me with this one too): let's assume I install Cuckoo with Python2 (Python 2.7), because that's the latest stable version. In such a case, can I still develop an anti-ransomware/malware system with Python 3? As far as I know, Python 2 is used by Cuckoo for communication and interaction between the host and guest.
I just want to use Cuckoo for some additional information about the malware sample. I will not build anything on top of Cuckoo or extract any data from it (e.g. API calls, registry key operations etc.). I will use Cuckoo for informational purposes only. Therefore, it doesn't really matter to me if I have an old version of Cuckoo, but it would be great if I can develop my own system in Python 3 (however, my own system will be trained/tested on the guest computer, that is part of the Cuckoo environment, so I hope it will work in such a case).
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
can I still develop an anti-ransomware/malware system with Python 3?
yes, you can run python 2 and 3 in parallel on ubuntu or windows
there is syntax to invoke version 2 or 3
you will set the version of python to 3 in your python scripting ide
logistical or usability issues might arise, you will have to deal with each one as they happen

you can isolate cuckoo sandbox from the host by running it in a virtual machine and then developing your project on the host system using python 3
there are numerous online guides to install cuckoo sandbox 2 in a virtual machine in ubuntu, however they are all inconsistent

As far as I know, Python 2 is used by Cuckoo for communication and interaction between the host and guest.
yes, it says so in the documentation
 
