cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo Update Required: OSX sandbox MAC-A-Malware Documentation Needed & Cuckoo Update is required #2201

Open seantree opened 6 years ago

seantree commented 6 years ago

Hello Guys,

Recently, a few days ago at Black Hat Asia 2018, someone created a macOS X sandbox and he also submitted his work to GitHub. @jbremer kindly update cuckoo with that and kindly update the documentation part, so that we can set up the machines.

Thanks & Regards Seantree

Ryuchen commented 6 years ago

Could you paste the GitHub address please?

doomedraven commented 6 years ago

https://github.com/phdphuc/mac-a-mal-cuckoo

doomedraven commented 6 years ago

feel free to prepare the PR to help the devs :P

Ryuchen commented 6 years ago

Can anyone help build the VM? Any document?

Ryuchen commented 6 years ago

http://www.contrib.andrew.cmu.edu/~somlo/OSXKVM/ this blog can't be seen~

doomedraven commented 6 years ago

you can download it from there https://github.com/rodionovd/cuckoo-osx-analyzer/wiki/Setting-up-the-environment

seantree commented 6 years ago

let's see if anyone completes the document with the MAC-A-Malware; it would be great for the researchers.

jbremer commented 6 years ago

We'll look at it eventually, but are also busy with other things @seantree ;-)

seantree commented 6 years ago

ok @jbremer I will try to do something with this, let's see where the path goes )

seantree commented 6 years ago

Just want to know a few things: I am getting one error in the guest macOS while uploading the sample to the guest machine of Mac OS X 10.8; agent.py throws 1 error:

Import named error: no module named lib.common.config

I am using the agent (cuckoo v2.0RC2) with cuckoo legacy and I have also cross-checked the file in the cuckoo folder; the config file was present. Waiting for solution. Thanks & Regards Seantree

seantree commented 6 years ago

Hi, any updates??

doomedraven commented 6 years ago

no time :(

seantree commented 6 years ago

I have tried but am facing a few problems :( that's why I'm waiting for someone else to also contribute their time to this, I thought that you were also working on this :(

doomedraven commented 6 years ago

that is in my ToDo, but idk when I will be able to do that, it isn't a high priority right now

seantree commented 6 years ago

Can you refer me to someone who is also working on this? I am ready to work with them. I have already spent so much time on this but faced a few problems; if someone else works on this I can share and exchange my knowledge and experiences.

doomedraven commented 6 years ago

no idea who works on this, and why not share here so you can maybe save time for someone who starts?

seantree commented 6 years ago

Definitely I will share it, I need time to write everything. In my free time I will write it, don't worry. Sharing is caring :)

phdphuc commented 6 years ago

Import named error: no module named lib.common.config

@seantree It was fixed in this commit

zentavr commented 6 years ago

@phdphuc - I wonder why you created your code on the legacy branch of cuckoo? Can I use that with cuckoo 2.0.6?

zentavr commented 6 years ago

@Ryuchen - I was able to build and run MacOS 10.6 and 10.3 as guests in VirtualBox.

seantree commented 6 years ago

@zentavr Hi, can you please tell me how you configured it? Can you please share your steps with us? Is your cuckoo able to analyze Mac OS X samples properly?

zentavr commented 6 years ago

Yes, I can (it is a very long story).

Now I'm deciding which cuckoo version to choose: the vendor's one (this repo) or the modified code (mac-a-malware cuckoo).

seantree commented 6 years ago

Hi @zentavr I would love to hear your long story, because I also have a long story about how many experiments and struggles I went through to make a working OSX sandbox. I will tell you the latest cuckoo version if everything is working for you.

zentavr commented 6 years ago

@seantree, making long story short:

Pre: I used VirtualBox 5.2.12-122591 + Extension Pack. CPU: Intel(R) Xeon(R) CPU E3-1246 v3 @ 3.50GHz. It crashed on AMD.

So...

  1. You need to create an installation ISO file
  2. You need to set up the guest Mac OS from that ISO
  3. You need to install cuckoo's stuff
  4. You need to clone that and take a snapshot in order to have a clean system at every new run.

Creation of the Installation media

Apple store links:

All the steps below were done in MacOS. System Integrity Protection (SIP) must be disabled. To check this on your system, run csrutil status in Terminal.app. Here are some instructions about how to disable SIP:

MacOS X 10.12.6 Sierra

# Mount the Installer image
hdiutil attach /Applications/Install\ macOS\ Sierra.app/Contents/SharedSupport/InstallESD.dmg  \
    -noverify -nobrowse -mountpoint /Volumes/install_app

# Create Sierra sparseimage of 7316mb with a Single Partition - Apple Partition Map
hdiutil create -o ~/Desktop/Sierra -size 7316m -layout SPUD -fs HFS+J -type SPARSE

# Mount the Sierra sparseimage
hdiutil attach ~/Desktop/Sierra.sparseimage -noverify -nobrowse -mountpoint /Volumes/install_build

# Restore the Base System into the Sierra Blank sparseimage
asr restore -source /Volumes/install_app/BaseSystem.dmg -target /Volumes/install_build -noprompt -noverify -erase

# Remove Packages link and replace with actual files
rm /Volumes/OS\ X\ Base\ System/System/Installation/Packages
cp -rp /Volumes/install_app/Packages /Volumes/OS\ X\ Base\ System/System/Installation/

# Copy Sierra installer dependencies
cp -rp /Volumes/install_app/BaseSystem.chunklist /Volumes/OS\ X\ Base\ System/BaseSystem.chunklist
cp -rp /Volumes/install_app/BaseSystem.dmg /Volumes/OS\ X\ Base\ System/BaseSystem.dmg

# Unmount the installer image
hdiutil detach /Volumes/install_app

# Enable Ownership on Base System
sudo diskutil enableOwnership /Volumes/OS\ X\ Base\ System

# Copy Kernel & Extra Kexts
sudo cp -R ~/Downloads/BaseSystem/Kernels /Volumes/OS\ X\ Base\ System/System/Library
sudo cp -rp ~/Downloads/BaseSystem/ExtraKexts/* /Volumes/OS\ X\ Base\ System/System/Library/Extensions

# Correct File Permissions and Rebuild Prelinkedkernel
sudo chown -R 0:0 /Volumes/OS\ X\ Base\ System/System/Installation/Packages
sudo chown -R 0:0 /Volumes/OS\ X\ Base\ System/System/Library/Extensions
sudo chmod -R 755 /Volumes/OS\ X\ Base\ System/System/Library/Extensions
touch /Volumes/OS\ X\ Base\ System/System/Library/Extensions
sudo kextcache -i /Volumes/OS\ X\ Base\ System
sudo kextcache -u /Volumes/OS\ X\ Base\ System

# Unmount the Base System image
hdiutil detach /Volumes/OS\ X\ Base\ System/

# Convert the Sierra sparseimage to ISO/CD master
hdiutil convert ~/Desktop/Sierra.sparseimage -format UDTO -o ~/Desktop/Sierra

# Rename the Sierra ISO image
mv ~/Desktop/Sierra.cdr ~/Desktop/SierraCDR.iso

# Delete Sierra.sparseimage file
rm -f ~/Desktop/Sierra.sparseimage

Those additions (kernel and extra kexts) were found in this thread on insanelymac.com. Just download the file Baseystem_CSI.zip from this post.

Probably the installation media for Sierra could be created without these additional kernel and kexts (see below).

So, SierraCDR.iso is an image which you will insert into VirtualBox and have fun.

Mac OS X 10.13.5 High Sierra

Download MacOS X High Sierra 10.13.5 and create the iso file for Virtualbox:

# Creating a virtual drive for storing the disto
hdiutil create -o /tmp/HighSierra -size 8G -layout SPUD -fs HFS+J -type SPARSE

# Mount it
hdiutil attach /tmp/HighSierra.sparseimage -noverify -mountpoint /Volumes/install_build

# Put the installer files into this new disk image:
sudo /Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/createinstallmedia --volume /Volumes/install_build

# Fix ownership on the freshly created installer volume
sudo diskutil enableOwnership /Volumes/Install\ macOS\ High\ Sierra
sudo chown -R 0:0 /Volumes/Install\ macOS\ High\ Sierra/*

# Unmount the disk image, so that the resource is not busy for the next step:
hdiutil detach /Volumes/Install\ macOS\ High\ Sierra/

# Convert the disk image into an ISO file (VirtualBox is not capable of booting from a .dmg or .sparseimage file):
hdiutil convert /tmp/HighSierra.sparseimage -format UDTO -o /tmp/HighSierra

# Move it to the desktop folder and rename the extension of the file to .iso:
mv /tmp/HighSierra.cdr ~/Desktop/HighSierraCDR.iso

# Delete the sparseimage in the tmp folder:
rm /tmp/HighSierra.sparseimage 

As for the rest of the steps, give me some time to prepare the manual.

seantree commented 6 years ago

Thank you for this, but it would be great if you could post a video, if that's possible for you.

seantree commented 6 years ago

I am using a Mac machine, so can you tell me what to do? I think the steps you gave are for a fresh CPU machine; it's a little bit confusing for me.

zentavr commented 6 years ago

@seantree - unfortunately I cannot do the video. Re: "mac machine" - do you mean MacOS as a host?

seantree commented 6 years ago

Yes @zentavr, I have a Mac machine as a host and I have installed cuckoo legacy with VMware.

zentavr commented 6 years ago

I did on Linux Ubuntu :)

seantree commented 6 years ago

Ok, no problem. I have one CentOS 7 machine set up as host and I am using Mac OS X 10.8 as a guest with cuckoo legacy; I have also installed the normal cuckoo 2.0.6 on CentOS. So, now the question is where to go. I am confused after seeing your previous post of commands.

zentavr commented 6 years ago

The next step is to install the OS. The steps are different for Sierra and High Sierra (HS is more complicated :) )

In order to make your life much easier I created 2 helpers which are here. There are 2 scripts inside:

Both are BASH scripts, so you can pass --help to them and see the rest of the parameters.

MacOS X 10.12.6 Sierra installation

I need to mention that the OSes are not Hackintosh or anything like that - they are unmodified and run on VirtualBox as is. A couple of important settings could not be done using the VirtualBox GUI, so many nights were spent studying the forums and the VirtualBox manual.

I create the VM in this way:

# su - cuckoo
$ ./create-osx.sh --name "Mac OS X Sierra 10.12" \
    --type "MacOS1012_64" --identifier "iMac11,3" \
    --bios efi --cpus 4 --cpuid "IvyBridge i7-3770" \
    --memory 4096 --videoram 64 \
    --drive 20480 \
    --rdp --rdpuser osx --rdppassword zxcvbn \
    --usb 3 \
    --cd "/VMs/iso/SierraCDR.iso"

After that I start the VM in Virtualbox GUI (Ok, I start it in headless mode and use RDP) and have fun.

MacOS X 10.13.5 High Sierra installation

The process is described in this guide (https://www.insanelymac.com/forum/topic/309654-run-vanilla-os-x-el-capitan-sierra-or-high-sierra-in-virtualbox-5034-on-a-windows-host/?page=3&tab=comments#comment-2517889) and is a little bit complicated.

Creating the machine:

# su - cuckoo
$ ./create-osx.sh --name "Mac OS X Sierra 10.13" \
    --type "MacOS1013_64" --identifier "iMac11,3" \
    --bios efi --cpus 4 --cpuid "IvyBridge i7-3770" \
    --memory 4096 --videoram 64 \
    --drive 20480 \
    --rdp --rdpuser osx --rdppassword zxcvbn \
    --usb 3 \
    --cd "/VMs/iso/HSierraCDR.iso"

Stage 1: Deploying the installer

  1. Boot from the High Sierra ISO
  2. Choose Disk Utility from the installer and format the virtual HDD using the HFS+J filesystem
  3. Back at the main screen, select Reinstall macOS. It will create the first phase "/macOS Install Data" on the target volume, e.g. "HiSierra".

Stage 2: Install the system

In the second phase, the "/macOS Install Data" packages are extracted and installed on the disk. On restarting the system, you will need to jump into the UEFI shell (F12 when in the VirtualBox GUI/RDP). Type the 2 lines below, pressing Enter after each line...

FS1:
"\macOS Install Data\Locked Files\Boot Files\boot.efi"

will restart the installation process...

Stage 3: Finishing the installation

The final, third installation phase is rebuilding the kextcaches, then booting into the completed installation to select the language, set up a new user etc.

zentavr commented 6 years ago

I use Objective See as a source of poisoned software. When I tried to upload the zip package (via Cuckoo's web interface), I had an error.

2018-07-06 18:14:34,645 [cuckoo.core.scheduler] DEBUG: Processing task #3
2018-07-06 18:14:34,650 [cuckoo.core.scheduler] INFO: Starting analysis of ARCHIVE "AbkPro.app.zip" (task #3, options "filename=Contents/MacOS/AbkPro,procmemdump=yes,route=none")
2018-07-06 18:14:34,795 [cuckoo.core.scheduler] INFO: Task #3: acquired machine cuckoo-2.0-sierra-bs (label=cuckoo-2.0-sierra-bs)
2018-07-06 18:14:35,058 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 7728 (interface=vboxnet0, host=192.168.56.105)
2018-07-06 18:14:35,058 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-07-06 18:14:35,066 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo-2.0-sierra-bs
2018-07-06 18:14:35,399 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo-2.0-sierra-bs to vminit
2018-07-06 18:14:44,310 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo-2.0-sierra-bs, ip=192.168.56.105)
2018-07-06 18:14:45,313 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-06 18:14:46,318 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-06 18:14:47,322 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-06 18:14:48,326 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-06 18:14:49,330 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-06 18:14:49,340 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo-2.0-sierra-bs, ip=192.168.56.105)
2018-07-06 18:14:49,347 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo-2.0-sierra-bs, ip=192.168.56.105, monitor=latest, size=109360)
2018-07-06 18:14:49,511 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2018-07-06 18:14:49,512 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo-2.0-sierra-bs
2018-07-06 18:14:51,490 [cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
  File "/opt/.cuckoovenv/local/lib/python2.7/site-packages/cuckoo/core/scheduler.py", line 737, in run
    self.launch_analysis()
  File "/opt/.cuckoovenv/local/lib/python2.7/site-packages/cuckoo/core/scheduler.py", line 527, in launch_analysis
    self.guest_manage(options)
  File "/opt/.cuckoovenv/local/lib/python2.7/site-packages/cuckoo/core/scheduler.py", line 394, in guest_manage
    self.guest_manager.start_analysis(options, monitor)
  File "/opt/.cuckoovenv/local/lib/python2.7/site-packages/cuckoo/core/guest.py", line 483, in start_analysis
    self.upload_analyzer(monitor)
  File "/opt/.cuckoovenv/local/lib/python2.7/site-packages/cuckoo/core/guest.py", line 390, in upload_analyzer
    self.determine_analyzer_path()
  File "/opt/.cuckoovenv/local/lib/python2.7/site-packages/cuckoo/core/guest.py", line 368, in determine_analyzer_path
    r = self.post("/mkdtemp", data={"dirpath": systemdrive})
  File "/opt/.cuckoovenv/local/lib/python2.7/site-packages/cuckoo/core/guest.py", line 330, in post
    r.raise_for_status()
  File "/opt/.cuckoovenv/local/lib/python2.7/site-packages/requests/models.py", line 909, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
HTTPError: 500 Server Error: Internal Server Error for url: http://192.168.56.105:8000/mkdtemp

zentavr commented 6 years ago

The problem is that I run agent.py as a user, not root, in the MacOS guest. When I do the call:

$ curl -X POST -d "dirpath=/" -v http://192.168.56.105:8000/mkdtemp

DirPath for non-Windows is always /. I get an error:

{"message": "Error creating temporary directory", "traceback": "Traceback (most recent call last):\n  File \"/usr/local/bin/agent.py\", line 267, in do_mkdtemp\n    dirpath = tempfile.mkdtemp(suffix=suffix, prefix=prefix, dir=dirpath)\n  File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/tempfile.py\", line 333, in mkdtemp\n    _os.mkdir(file, 0700)\nOSError: [Errno 13] Permission denied: '/tmpFh2FY6'\n", "error_code": 500}

I wonder if there could be a workaround, like not using the dirpath parameter? It seems python can work that out itself in the tempfile library:

def mkdtemp(suffix="", prefix=template, dir=None):
    """User-callable function to create and return a unique temporary
    directory.  The return value is the pathname of the directory.

    Arguments are as for mkstemp, except that the 'text' argument is
    not accepted.

    The directory is readable, writable, and searchable only by the
    creating user.

    Caller is responsible for deleting the directory when done with it.
    """

    if dir is None:
        dir = gettempdir()

I wonder what the goal is of specifying that directly?
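Added example (not the Cuckoo agent's own code): an emulation of the agent's /mkdtemp handler from the thread above, with the fallback zentavr is asking about. The host always sends dirpath=/ for non-Windows guests; a non-root agent on macOS cannot create a directory there (EACCES), so the handler retries with dir=None and lets tempfile pick a writable location. The form-field names and the success response shape are assumptions for the example; the error shape mirrors the JSON quoted in the thread.

```python
import os
import stat
import tempfile
import traceback


def mkdtemp_with_fallback(dirpath, suffix="", prefix="tmp"):
    """Create a private (mode 0700) temp directory.

    First honour the directory the host requested; if it is unusable
    (EACCES for a non-root agent asked for "/", ENOENT, ENOTDIR, ...),
    fall back to dir=None so tempfile chooses the platform temp dir.
    Returns (path, used_fallback).
    """
    try:
        return tempfile.mkdtemp(suffix=suffix, prefix=prefix, dir=dirpath), False
    except OSError:
        return tempfile.mkdtemp(suffix=suffix, prefix=prefix, dir=None), True


def do_mkdtemp(form):
    """Emulated handler; `form` is a dict of POST fields (assumed names).

    Success returns {"dirpath": ..., "fallback": ...} (assumed shape);
    failure returns the {"message", "traceback", "error_code": 500} shape
    seen in the thread's curl output.
    """
    dirpath = form.get("dirpath") or None  # empty/missing: let tempfile decide
    try:
        path, fell_back = mkdtemp_with_fallback(
            dirpath, form.get("suffix", ""), form.get("prefix", "tmp"))
    except OSError:
        return {"message": "Error creating temporary directory",
                "traceback": traceback.format_exc(), "error_code": 500}
    return {"dirpath": path, "fallback": fell_back}


def is_private_dir(path):
    """Check that the result is a directory only its owner can use."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o700


def constructed_unusable_dirpath():
    """Constructed test input: a path that does not exist, so mkdtemp fails
    inside it regardless of the privileges the process runs with."""
    return os.path.join(tempfile.gettempdir(), "cuckoo-example-does-not-exist")
```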