Let’s install Windows 7 as a sandbox for Cuckoo. To avoid detection of the virtual environment it is preferable to prepare a fresh Windows 7 installation, but Microsoft also provides ready-made OS images for browser testing:
- Free Virtual Machines from IE8 to MS Edge — Microsoft Edge Development
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
We will use the above OS image to try out “MalConfScan with Cuckoo”. To get the most out of this tool you should use a clean copy of Windows 7; the setup is much the same, the main difference being that with a clean install the “Uninstall VirtualBox Guest Additions” step is not needed.
Virtual machines on VirtualBox (Windows 7)
- Machine Name: Win7SP1x86
- Version: Windows 7 SP1 (32-bit)
- CPU Cores: 2
- Memory Size: 1280 MB
- Video Memory Size: 32 MB
- Display - Remote Display: Disable
- Network - Advanced - MAC Address: Change from 080027 (Optional)
- System - Enable I/O APIC: Enable (automatically)
- User Name: IEUser
We are changing the number of CPU cores, memory size and MAC Address to avoid virtual environment detection.
Start the virtual machine in VirtualBox and change the following settings
- Set display resolution to 1024 x 768
- Disable Windows Update
- Disable Windows Defender
- Disable Windows Firewall
- Disable UAC (Set not to notify)
- Select “Ask me later” when IE asks for its initial settings on first start
- Install Python 2.7: https://www.python.org/ftp/python/2.7.13/python-2.7.13.msi
- Install PIL-1.1.7.win32-py2.7.exe: http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe
- Put agent.py in the Startup folder
  agent.py: https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/cuckoo/data/agent/agent.py
  Startup folder: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
- Network Settings
- IP address:192.168.56.101
- Subnet mask:255.255.255.0
- Default gateway:192.168.56.1
- Preferred DNS server:8.8.8.8
- Alternate DNS server: 8.8.4.4
- Disable Noisy Network Services
- Open the Group Policy Editor: press [Windows key] + R and run “gpedit.msc”
- Computer Configuration -> Administrative Templates -> Network -> DNS Client, open “Turn off Multicast Name Resolution” and set the policy to Enabled.
- Computer Configuration -> Administrative Templates -> System -> Internet Communication Management, open “Restrict Internet Communication” and set the policy to Enabled.
- Enter the following at the command prompt.
netsh interface teredo set state disabled
- Create the following as init.reg (to avoid VM detection)
Source: https://secvision22.wordpress.com/tag/cuckoo-sandbox/
Windows Registry Editor Version 5.00

; Overwrite the VirtualBox BIOS strings with inconspicuous values
[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM]
"SystemBiosDate"="06/12/10"
"SystemBiosVersion"="BC1.05"
"VideoBiosVersion"="VC1.20"

; Remove VirtualBox ACPI tables. HKLM\HARDWARE is rebuilt at every boot, so these
; deletions only hold for the running session (which is why the snapshot is taken
; while the VM is still running).
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__]

; Remove Guest Additions and VirtualBox PCI device (vendor 80EE, device CAFE) traces
[-HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\Virtual Box Guest Additions]
; regedit does not expand wildcards, so the next line removes nothing by itself;
; uninstalling Guest Additions removes the VBox* service keys.
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBox*]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\Enum]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxGuest\Enum]
- Change the network configuration of VirtualBox to “Host-only Adapter”
- Uninstall “Oracle VM VirtualBox Guest Additions”
- You will be asked to reboot, so reboot
- Verify that agent.py is started after the reboot
- You should see a black console window titled “C:\Python27\python.exe”
- If it is not started, check that the contents of agent.py match the contents of the source.
- Minimize agent.py’s window so it doesn’t get in the way of screenshots during analysis. (Rename the file to agent.pyw before running it to suppress the window entirely.)
- Run the previously created init.reg
When you have completed all of the above steps, take a snapshot of the virtual machine while it is still running. Save the snapshot as “cuckoo”. Be careful not to mix up the virtual machine and snapshot names, as both are used in the Cuckoo configuration file. When you are finished taking the snapshot, shut down the virtual machine. You can also close VirtualBox itself.
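Before taking the snapshot it is worth confirming that every step above actually took effect. The following checklist script is an added example, not part of the original post or of Cuckoo; it is written for the PowerShell 2.0 that ships with Windows 7 and assumes the English-language VM image, the 192.168.56.101 address and the default agent.py port 8000. Run it elevated inside the guest after init.reg has been applied (the HKLM\HARDWARE checks only hold for the running session).

```powershell
# Constructed post-build checklist for the Cuckoo guest (added example, not from the post).
# Run in an elevated PowerShell inside the VM; every check should report OK.
$results = @()
function Check($name, $ok) {
    $script:results += New-Object PSObject -Property @{ Check = $name; Result = $(if ($ok) { "OK" } else { "FAIL" }) }
}

# UAC "Never notify" on Windows 7 clears both EnableLUA and ConsentPromptBehaviorAdmin
$pol = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
Check "UAC disabled" ($pol.EnableLUA -eq 0 -and $pol.ConsentPromptBehaviorAdmin -eq 0)

# Windows Firewall off for every profile (netsh prints one "State ON/OFF" line per profile)
$fw = netsh advfirewall show allprofiles state
Check "Firewall off on all profiles" (-not ($fw -match "^State\s+ON"))

# Windows Defender service not running
$def = Get-WmiObject Win32_Service -Filter "Name='WinDefend'"
Check "Windows Defender stopped" ($def -eq $null -or $def.State -ne "Running")

# "Turn off Multicast Name Resolution" = Enabled writes EnableMulticast=0 under the DNSClient policy key
$dns = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -ErrorAction SilentlyContinue
Check "LLMNR disabled" ($dns -ne $null -and $dns.EnableMulticast -eq 0)

# Teredo turned off with "netsh interface teredo set state disabled"
Check "Teredo disabled" ((netsh interface teredo show state) -match "disabled")

# Static host-only address present and MAC prefix changed away from VirtualBox's 08:00:27
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
       Where-Object { $_.IPAddress -contains "192.168.56.101" }
Check "IP 192.168.56.101 configured" ($nic -ne $null)
Check "MAC prefix is not 08:00:27" ($nic -ne $null -and -not ($nic.MACAddress -like "08:00:27:*"))

# VirtualBox fingerprints removed by init.reg and the Guest Additions uninstall
$vboxKeys = "HKLM:\HARDWARE\ACPI\DSDT\VBOX__", "HKLM:\HARDWARE\ACPI\FADT\VBOX__",
            "HKLM:\HARDWARE\ACPI\RSDT\VBOX__", "HKLM:\SYSTEM\CurrentControlSet\services\VBoxGuest"
foreach ($k in $vboxKeys) { Check "Key absent: $k" (-not (Test-Path $k)) }
$bios = Get-ItemProperty "HKLM:\HARDWARE\DESCRIPTION\System"
Check "BIOS strings rewritten" (-not ("$($bios.SystemBiosVersion) $($bios.VideoBiosVersion)" -match "VBOX|VirtualBox"))
Check "No VBox* services" (-not (Get-WmiObject Win32_Service | Where-Object { $_.Name -like "VBox*" }))

# Cuckoo agent reachable: agent.py listens on 0.0.0.0:8000 by default
Check "agent.py listening on TCP 8000" ((netstat -ano -p tcp) -match ":8000\s+.*LISTENING")

$results | Format-Table Check, Result -AutoSize
```

Any FAIL line points at the step to redo before the snapshot; rerun the script after correcting it rather than trusting the earlier result.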
References
- Cuckoo sandbox | secvision22
  https://secvision22.wordpress.com/tag/cuckoo-sandbox/
- CAPE/network.rst at 3a3c2e0dc2633b5c6f901ffabf4bd54235c581cd · ctxis/CAPE
  https://github.com/ctxis/CAPE/blob/3a3c2e0dc2633b5c6f901ffabf4bd54235c581cd/docs/book/src/installation/guest/network.rst
Update History
- 2019/05/26 New.
- 2019/06/08 Changed the title from “Build a Sandbox for Cuckoo”.
- 2020/03/03 Revised.