Open garyflick opened 5 years ago
Hey @garyflick,
Thanks for posting an issue.
If you have manually created the VMs, you have to add the agent yourself. It is not shipped in the Windows iso. That is simply a Windows iso.
VMCloak does many things, among those things is adding the Cuckoo agent. I do recommend you use it to create VMs.
The VMs must be under the same user as is used to run Cuckoo. VirtualBox VMs are per user by default. If you created your VMs under your user, and run Cuckoo under the cuckoo user, it will not be able to find the VMs.
This step is mentioned:
Now that the dependencies have been installed, we can install Cuckoo and VMCloak. Start by switching to the cuckoo user and creating a new virtualenv:
sudo su cuckoo
virtualenv ~/cuckoo
. ~/cuckoo/bin/activate
The virtualenv will allow us to install dependencies within our home directory and to prevent interference with other, globally installed, Python packages.
Install both VMCloak and Cuckoo Sandbox within the same virtualenv:
pip install -U cuckoo vmcloak
I should probably add a warning to the blog, telling users that VMs must be created under the same user that Cuckoo will run as.
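A diagnostic for the per-user VirtualBox point above, written for this page and not taken from the thread, Cuckoo or VMCloak: run as the user that starts Cuckoo, it compares the machine labels in ~/.cuckoo/conf/virtualbox.conf with the VMs that VBoxManage lists for that same user, which is exactly the lookup that produced the "doesn't exist" error. The ~/.cuckoo path follows the thread; that every machine section in virtualbox.conf carries a "label = ..." line is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the Cuckoo project). VirtualBox keeps
# its VM registry per user, so a VM created as "john" is invisible to the
# "cuckoo" user. Run this script as the user that starts Cuckoo to see what
# Cuckoo itself will see at startup.
# Assumptions: Cuckoo 2.x working directory at ~/.cuckoo (path from the
# thread) and a "label = ..." line in every machine section of virtualbox.conf.

# Print every "label = X" value found in a virtualbox.conf body read from stdin.
conf_labels() {
  sed -n 's/^[[:space:]]*label[[:space:]]*=[[:space:]]*//p' \
    | sed 's/[[:space:]]*$//'
}

# Print the VM names from `VBoxManage list vms` output read from stdin.
# Each line of that output has the form:  "cuckoo1" {xxxxxxxx-xxxx-...}
vbox_names() {
  sed -n 's/^"\(.*\)" {.*}$/\1/p'
}

# missing_vms CONF_TEXT VBOX_LIST_TEXT
# Prints, one per line, the configured labels that the VirtualBox registry
# text does not contain; prints nothing when every label is registered.
missing_vms() {
  conf="$1"
  vms="$2"
  for label in $(printf '%s\n' "$conf" | conf_labels); do
    if ! printf '%s\n' "$vms" | vbox_names | grep -qxF -- "$label"; then
      printf '%s\n' "$label"
    fi
  done
}

# Live check against the real config and registry:  sh check_vms.sh --run
# (no arguments: only define the functions, so the file can be sourced/tested)
if [ "${1:-}" = "--run" ]; then
  conf_file="${HOME}/.cuckoo/conf/virtualbox.conf"
  [ -r "$conf_file" ] || { echo "cannot read $conf_file" >&2; exit 2; }
  # VBoxManage lists only the VMs registered for the invoking user.
  live_vms=$(VBoxManage list vms 2>/dev/null) || live_vms=""
  missing=$(missing_vms "$(cat "$conf_file")" "$live_vms")
  if [ -n "$missing" ]; then
    echo "Configured VMs not registered for user $(id -un):" >&2
    printf '  %s\n' $missing >&2
    echo "Cuckoo will report these as non-existent; create or register them as this user." >&2
    exit 1
  fi
  echo "All configured VMs are registered for $(id -un)."
fi
```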
@RicoVZ
Thank you so much for replying. I've been going absolutely crazy trying to set this up the past month.
Would it be an issue to set up the virtual interface under where the VM is currently installed? So the user, John, I would set a virtualenv ~/john then reconfigure settings. The box is currently all clean, I would just change the current user to a standard user. I don't know how to go about setting up the VM manually under the Cuckoo user. VMCloak is sprouting file errors when I try to install it under Cuckoo. I've had issues in the past with the web server when I've had Cuckoo installed under multiple environments.
It's a completely fresh stock Ubuntu LTS image, besides the Hatching documentation changes.
My issue is: When running Cuckoo under the cuckoo user (with the . ~/cuckoo/bin/activate environment) it is producing the error, "CuckooCriticalError: Please update your configuration. Unable to shut 'cuckoo1' down or find the machine in its proper state: The virtual machine 'cuckoo1' doesn't exist! Please create one or more Cuckoo analysis VMs and properly fill out the Cuckoo configuration!". My VM, under the cuckoo1 name, is running in headless mode with VirtualBox 6.0. VirtualBox is not running under the cuckoo user but under the original user used to set up Cuckoo.
My Cuckoo version and operating system are: Cuckoo Sandbox 2.0.6, Ubuntu Desktop 18.04.2 LTS
This can be reproduced by: Following the https://hatching.io/blog/cuckoo-sandbox-setup documentation and skipping over the VMCloak section. This section was skipped over as it was unable to locate the virtual machine then. The VM was created manually after downloading and mounting the wget https://cuckoo.sh/win7ultimate.iso
I don't know if the win7ultimate.iso already has agent.py installed; I believe it does though, as Hatching's documentation does not mention installing it.
The log, error, files etc. can be found at: /home/cuckoo/.cuckoo/conf
I have never run Cuckoo under sudo as my cuckoo account is not a sudo user. I have also only run it under the virtualenv environment. cuckoo1 is running in host-only mode in VirtualBox. It is running in headless mode.
Web server is already up and running at: 127.0.0.1:8080 with mongodb working
All config files are as follows:
auxiliary.conf

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes

# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
tcpdump = /usr/sbin/tcpdump

# We used to define the network interface to capture on in auxiliary.conf, but
# this has been moved to the "interface" field of each Virtual Machinery
# configuration.

# Specify a Berkeley packet filter to pass to tcpdump.
# Note: packet filtering is not possible when using "nictrace" functionality
# from VirtualBox (for example dumping inter-VM traffic).
bpf =

[mitm]
# Enable man in the middle proxying (mitmdump) [yes/no].
enabled = no

# Specify the path to your local installation of mitmdump. Make sure this
# path is correct.
mitmdump = /usr/local/bin/mitmdump

# Listen port base. Each virtual machine will use its own port to be able to
# make a good distinction between the various running analyses. Generally port
# 50000 should be fine, in this case port 50001, 50002, etc will also be used -
# again, one port per analysis.
port_base = 50000

# Script file to interact with the network traffic. Please refer to the
# documentation of mitmproxy/mitmdump to get an understanding of their internal
# workings. (https://mitmproxy.org/doc/scripting/inlinescripts.html)
script = stuff/mitm.py

# Path to the certificate to be used by mitmdump. This file will be
# automatically generated for you if you run mitmdump once. It's just that you
# have to copy it from ~/.mitmproxy/mitmproxy-ca-cert.p12 to somewhere in the
# analyzer/windows/ directory. Recommended is to write the certificate to
# analyzer/windows/bin/cert.p12, in that case the following option should be
# set to bin/cert.p12.
certificate = bin/cert.p12

[replay]
# Enable PCAP replay capabilities.
enabled = yes

# Specify the path to your local installation of mitmdump. Make sure this
# path is correct. Note that this should be mitmproxy 3.0.5 or higher,
# installed in a separate virtualenv (or similar).
mitmdump = /usr/local/bin/mitmdump

# Listen port base. Each virtual machine will use its own port to be able to
# make a good distinction between the various running analyses. Generally port
# 51000 should be fine, in this case port 51001, 51002, etc will also be used -
# again, one port per analysis.
port_base = 51000

# Path to the certificate to be used by mitmdump. This file will be
# automatically generated for you if you run mitmdump once. It's just that you
# have to copy it from ~/.mitmproxy/mitmproxy-ca-cert.p12 to somewhere in the
# analyzer/windows/ directory. Recommended is to write the certificate to
# analyzer/windows/bin/cert.p12, in that case the following option should be
# set to bin/cert.p12.
certificate = bin/cert.p12

[services]
# Provide extra services accessible through the network of the analysis VM
# provided in separate, standalone, Virtual Machines [yes/no].
enabled = no

# Comma-separated list with each Virtual Machine containing said service(s).
services = honeyd

# Time in seconds required to boot these virtual machines. E.g., some services
# will only get online after a minute because initialization takes a while.
timeout = 0

[reboot]
# This auxiliary module should be enabled for reboot analysis support.
enabled = yes
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
avd.conf

[avd]
# Specify whether we're running the Android emulator in headless mode (no GUI)
# or with GUI - for an interactive session.
mode = headless

# Path to the local installation of the android emulator.
emulator_path = /home/cuckoo/android-sdk-linux/tools/emulator

# Path to the local installation of the adb (android debug bridge) utility.
adb_path = /home/cuckoo/android-sdk-linux/platform-tools/adb

# Path where the emulator files are located.
avd_path = /home/cuckoo/.android/avd

# Name of the reference machine that is used to duplicate.
reference_machine = cuckoo-bird

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine.
machines = cuckoo1

[cuckoo1]
label = cuckoo1

# Specify the operating system platform used by current machine.
platform = android

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail. It's always 127.0.0.1 because the android emulator
# runs on the loopback network interface.
ip = 127.0.0.1

# Specify the port for the emulator as your adb sees it.
emulator_port = 5554

# (Optional) Specify the IP of the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the IP address for the Result Server
# as your machine sees it. If you don't specify an address here, the machine
# will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0
# in cuckoo.conf.
# Example:
resultserver_ip = 10.0.2.2

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port = 2042

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile = ~
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cuckoo.conf

[cuckoo]
# Enable or disable startup version check. When enabled, Cuckoo will connect
# to a remote location to verify whether the running version is the latest
# one available.
version_check = yes

# Cuckoo will stop at startup if the version check reports vulnerabilities in
# one of Cuckoo's dependencies. This setting ignores the vulnerabilities and
# starts anyway.
ignore_vulnerabilities = no

# The authentication token that is required to access the Cuckoo API, using
# HTTP Bearer authentication. This will protect the API instance against
# unauthorized access and CSRF attacks. It is strongly recommended to set
# this to a secure value.
api_token = 8Pq6nySpKtnVN-7jwL2TiQ

# The Web secret is used as a very basic, but successful way to provide basic
# authentication to the Cuckoo Web Interface. This is a shared secret amongst
# all users of this Cuckoo instance and will "protect" usage from users
# outside of this instance. Therefore, if you'd like to share this Cuckoo
# instance with the outside world, then don't use the Web secret
# functionality.
web_secret =

# If turned on, Cuckoo will delete the original file after its analysis
# has been completed.
delete_original = no

# If turned on, Cuckoo will delete the copy of the original file in the
# local binaries repository after the analysis has finished. (On *nix this
# will also invalidate the file called "binary" in each analysis directory,
# as this is a symlink.)
delete_bin_copy = no

# Specify the name of the machinery module to use, this module will define
# the interaction between Cuckoo and your virtualization software of choice.
machinery = virtualbox

# Enable creation of memory dump of the analysis machine before shutting
# down. Even if turned off, this functionality can also be enabled at
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = no

# When the timeout of an analysis is hit, the VM is just killed by default.
# For some long-running setups it might be interesting to terminate the
# monitored processes before killing the VM so that connections are closed.
terminate_processes = no

# Enable automatically re-schedule of "broken" tasks each startup.
# Each task found in status "processing" is re-queued for analysis.
reschedule = no

# Enable processing of results within the main cuckoo process.
# This is the default behavior but can be switched off for setups that
# require high stability and process the results in a separate task.
process_results = yes

# Limit the amount of analysis jobs a Cuckoo process goes through.
# This can be used together with a watchdog to mitigate risk of memory leaks.
max_analysis_count = 0

# Limit the number of concurrently executing analysis machines.
# This may be useful on systems with limited resources.
# Set to 0 to disable any limits.
max_machines_count = 0

# Limit the amount of VMs that are allowed to start in parallel. Generally
# speaking starting the VMs is one of the more CPU intensive parts of the
# actual analysis. This option tries to avoid maxing out the CPU completely.
max_vmstartup_count = 10

# Minimum amount of free space (in MB) available before starting a new task.
# This tries to avoid failing an analysis because the reports can't be written
# due to out-of-diskspace errors. Setting this value to 0 disables the check.
# (Note: this feature is currently not supported under Windows.)
freespace = 1024

# Temporary directory containing the files uploaded through Cuckoo interfaces
# (api.py and Django web interface). Defaults to the default temporary
# directory of the operating system (e.g., /tmp on Linux). Overwrite the
# value if you'd like to specify an alternative path.
tmppath =

# Path to the unix socket for running root commands.
rooter = /tmp/cuckoo-rooter

[feedback]
# Cuckoo is capable of sending "developer feedback" to the developers so that
# they can more easily improve the project. This functionality also allows the
# user to quickly request new features, report bugs, and get in touch with
# support in general, etc.
enabled = no
name =
company =
email =

[resultserver]
# The Result Server is used to receive in real time the behavioral logs
# produced by the analyzer.
# Specify the IP address of the host. The analysis machines should be able
# to contact the host through such address, so make sure it's valid.
# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
# resultserver_ip for all your virtual machines in machinery configuration.
ip = 192.168.56.1

# Specify a port number to bind the result server on. Set to 0 to use a
# random port.
port = 2042

# Maximum size of uploaded files from VM (screenshots, dropped files, log).
# The value is expressed in bytes, by default 128 MB.
upload_max_size = 134217728

[processing]
# Set the maximum size of analyses generated files to process. This is used
# to avoid the processing of big files which may take a lot of processing
# time. The value is expressed in bytes, by default 128 MB.
analysis_size_limit = 134217728

# Enable or disable DNS lookups.
resolve_dns = yes

# Enable PCAP sorting, needed for the connection content view in the web
# interface.
sort_pcap = yes

[database]
# Specify the database connection string.
# NOTE: If you are using a custom database (different from sqlite), you have
# to use utf-8 encoding when issuing the SQL database creation statement.
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:5432/mydatabase
# mysql://foo:bar@localhost/mydatabase
# If empty, defaults to a SQLite3 database at $CWD/cuckoo.db.
connection =

# Database connection timeout in seconds.
# If empty, default is set to 60 seconds.
timeout = 60

[timeouts]
# Set the default analysis timeout expressed in seconds. This value will be
# used to define after how many seconds the analysis will terminate unless
# otherwise specified at submission.
default = 120

# Set the critical timeout expressed in (relative!) seconds. It will be added
# to the default timeout above and after this timeout is hit Cuckoo will
# consider the analysis failed and it will shutdown the machine no matter
# what. When this happens the analysis results will most likely be lost.
critical = 60

# Maximum time to wait for virtual machine status change. For example when
# shutting down a vm. Default is 60 seconds.
vm_state = 60

[remotecontrol]
# Enable for remote control of analysis machines inside the web interface.
enabled = no

# Set host of the running guacd service.
guacd_host = localhost

# Set port of the running guacd service.
guacd_port = 4822
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
esx.conf

[esx]
# ?no_verify disables the SSL signature check. By default it is self signed.
dsn = esx://127.0.0.1/?no_verify=1
username = username_goes_here
password = password_goes_here

machines = analysis1

# Specify the name of the default network interface that will be used when
# dumping network traffic with tcpdump.
# Example (eth0 is the interface name):
interface = eth0

[analysis1]
# Specify the label name of the current machine as specified in your
# libvirt configuration.
label = cuckoo1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Please specify the name of the base snapshot. This snapshot should be taken
# with agent in startup and the machine shut down.
snapshot = clean_snapshot

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail. You may want to configure your network settings in
# /etc/libvirt//networks/
ip = 192.168.122.101

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump.
# Example (eth0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the IP address for the Result Server
# as your machine sees it. If you don't specify an address here, the machine
# will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0
# in cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to
# identify specific VMs. You can run samples on VMs with tag you require.
tags =

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
kvm.conf

[kvm]
# Specify a libvirt URI connection string
dsn = qemu:///system

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1

# Specify the name of the default network interface that will be used when
# dumping network traffic with tcpdump.
# Example (virbr0 is the interface name):
interface = virbr0

[cuckoo1]
# Specify the label name of the current machine as specified in your
# libvirt configuration.
label = cuckoo1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail. You may want to configure your network settings in
# /etc/libvirt//networks/
ip = 192.168.122.101

# (Optional) Specify the snapshot name to use. If you do not specify a
# snapshot name, the KVM MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot =

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump.
# Example (virbr0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the IP address for the Result Server
# as your machine sees it. If you don't specify an address here, the machine
# will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0
# in cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to
# identify specific VMs. You can run samples on VMs with tag you require.
tags =

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
memory.conf

# Volatility configuration

# Basic settings
[basic]
# Profile to avoid wasting time identifying it
guest_profile = WinXPSP2x86
# Delete memory dump after volatility processing.
delete_memdump = no

# List of available modules
# enabled: enable this module
# filter: use filters to remove benign system data from the logs
# Filters are defined in the mask section below

# Scans for hidden/injected code and dlls
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#malfind
[malfind]
enabled = yes
filter = yes

# Lists hooked api in user mode and kernel space
# Expect it to be very slow when enabled
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#apihooks
[apihooks]
enabled = no
filter = yes

# Lists official processes. Does not detect hidden processes
# http://code.google.com/p/volatility/wiki/CommandReference23#pslist
[pslist]
enabled = yes
filter = no

# Lists hidden processes. Uses several tricks to identify them
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#psxview
[psxview]
enabled = yes
filter = no

# Show callbacks
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#callbacks
[callbacks]
enabled = yes
filter = no

# Show idt
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#idt
[idt]
enabled = yes
filter = no

# Show timers
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#timers
[timers]
enabled = yes
filter = no

# Show messagehooks
# Expect it to be very slow when enabled
# http://code.google.com/p/volatility/wiki/CommandReferenceGui23#messagehooks
[messagehooks]
enabled = no
filter = no

# Show sids
# http://code.google.com/p/volatility/wiki/CommandReference23#getsids
[getsids]
enabled = yes
filter = no

# Show privileges
# http://code.google.com/p/volatility/wiki/CommandReference23#privs
[privs]
enabled = yes
filter = no

# Display processes' loaded DLLs - Does not display hidden DLLs
# http://code.google.com/p/volatility/wiki/CommandReference23#dlllist
[dlllist]
enabled = yes
filter = yes

# List open handles of processes
# http://code.google.com/p/volatility/wiki/CommandReference23#handles
[handles]
enabled = yes
filter = yes

# Displays processes' loaded DLLs - Even hidden ones (unlinked from PEB linked list)
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#ldrmodules
[ldrmodules]
enabled = yes
filter = yes

# Scan for Mutexes (whole system)
# http://code.google.com/p/volatility/wiki/CommandReference23#mutantscan
[mutantscan]
enabled = yes
filter = yes

# List devices and drivers
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#devicetree
[devicetree]
enabled = yes
filter = yes

# Scan for services
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#svcscan
[svcscan]
enabled = yes
filter = yes

# Scan for kernel drivers (includes hidden, unloaded)
# http://code.google.com/p/volatility/wiki/CommandReference23#modscan
[modscan]
enabled = yes
filter = yes

[yarascan]
enabled = yes
filter = yes

[ssdt]
enabled = yes
filter = yes

[gdt]
enabled = yes
filter = yes

# This will only run on XP profiles.
[sockscan]
enabled = yes
filter = no

# This will only run on Vista/7 profiles.
[netscan]
enabled = yes
filter = no

# Masks. Data that should not be logged
# Just get this information from your plain VM Snapshot (without running malware)
# This will filter out unwanted information in the logs
[mask]
enabled = no
pid_generic =
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
physical.conf

[physical]
# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. physical1,physical2,physical3)
machines = physical1

# Credentials to access the machine
user = username
password = password

# Default network interface.
interface = eth0

[fog]
# Credentials to access the FOG website. We're using basic screenscraping
# techniques to programmatically schedule new "image download tasks", i.e.,
# to instruct FOG to make a laptop restore the original image on the next
# reboot.
# Note: if you're using FOG to manage your physical machines without the
# cronjob functionality as per documentation you will have to change the
# following "none" to "localhost" or similar (the "none" is for backwards
# compatibility where users are still using the cronjob-style tasking, and
# thus effectively ignore the FOG integration).
# The FOG functionality has only been tested against the FOG 1.2.0 stable
# release.
hostname = none
username = fog
password = password

[physical1]
# Specify the label name of the current machine as specified in your
# physical machine configuration.
label = physical1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current machine. Make sure that the IP
# address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.101

# (Optional) Specify the OS profile to be used by volatility for this
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
processing.conf

# Enable or disable the available processing modules [yes/no].
# If you add a custom processing module to your Cuckoo setup, you have to add
# a dedicated entry in this file, or it won't be executed.
# You can also add additional options under the section of your module and
# they will be available in your Python class.

[analysisinfo]
enabled = yes

[apkinfo]
enabled = no
# Decompiling dex files with androguard is a heavy operation. For large dex
# files it can really take quite a while - it is recommended to limit to a
# certain filesize.
decompilation_threshold = 5000000

[baseline]
enabled = no

[behavior]
enabled = yes

[buffer]
enabled = yes

[debug]
enabled = yes

[droidmon]
enabled = no

[dropped]
enabled = yes

[dumptls]
enabled = yes

[extracted]
enabled = yes

[googleplay]
enabled = no
android_id =
google_login =
google_password =

[memory]
# Create a memory dump of the entire Virtual Machine. This memory dump will
# then be analyzed using Volatility to locate interesting events that can be
# extracted from memory.
enabled = no

[misp]
enabled = no
url =
apikey =
# Maximum amount of IOCs to look up (hard limit).
maxioc = 100

[network]
enabled = yes
# Allow domain whitelisting
whitelist_dns = no
# Allow DNS responses from your configured DNS server for whitelisting to
# deactivate when responses come from some other DNS.
# Can also be multiple like: 8.8.8.8,8.8.4.4
allowed_dns =

[procmemory]
# Enables the creation of process memory dumps for each analyzed process
# right before they terminate themselves or right before the analysis
# finishes.
enabled = yes
# It is possible to load these process memory dumps in IDA Pro through the
# generation of IDA Python-based script files. Although currently symbols and
# such are not properly recovered, it is still nice to get a quick look at
# specific memory addresses of a process.
idapro = no
# Extract executable images from this process memory dump. This allows us to
# relatively easily extract injected executables.
extract_img = yes
# Also extract DLL files from the process memory dump.
extract_dll = no
# Delete process memory dumps after analysis to save disk space.
dump_delete = no

[procmon]
# Enable procmon processing. This only takes place when the "procmon=1"
# option is set for an analysis.
enabled = yes

[screenshots]
enabled = yes
# Set to the actual tesseract path (i.e., /usr/bin/tesseract or similar)
# rather than "no" to enable OCR analysis of screenshots.
# Note: doing OCR on the screenshots is a rather slow process.
tesseract = no

[snort]
enabled = no
# Following are various configurable settings. When in use of a recent
# 2.9.x.y version of Snort there is no need to change any of the following
# settings as they represent the defaults.
snort = /usr/local/bin/snort
conf = /etc/snort/snort.conf

[static]
enabled = yes
# On bigger PDF files PeePDF may take a substantial amount of time to perform
# static analysis of PDF files, with times of over an hour per file estimated
# in production. This option will by default limit the maximum processing
# time to one minute, but this may be adjusted accordingly. Note that if the
# timeout is hit, no static analysis results through PeePDF will be
# available.
pdf_timeout = 60

[strings]
enabled = yes

# Following are various configurable settings. When in use of a recent
# version of Suricata there is no need to change any of the following
# settings as they represent the defaults.
suricata = /usr/bin/suricata
conf = /etc/suricata/suricata.yaml
eve_log = eve.json
files_log = files-json.log
files_dir = files

# By specifying the following line our processing module can use the socket
# mode in Suricata. This is quite the performance improvement as instead of
# having to load all the Suricata rules for each time the processing module
# is run (i.e., for every task), the rules are only loaded once and then we
# talk to its API. This does require running Suricata as follows or similar;
# "suricata --unix-socket -D". (Please find more information in
# utils/suricata.sh for now).
# Example: socket = /var/run/suricata/cuckoo.socket
socket =

[targetinfo]
enabled = yes

[virustotal]
enabled = no
# How much time we can wait to establish VirusTotal connection and get the
# report.
timeout = 60
# Enable this option if you want to submit files to VirusTotal not yet
# available in their database.
# NOTE: if you are dealing with sensitive stuff, enabling this option you
# could leak some files to VirusTotal.
scan = no
# Add your VirusTotal API key here. The default API key, kindly provided by
# the VirusTotal team, should enable you with a sufficient throughput and
# while being shared with all our users, it shouldn't affect your use.
key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088

[irma]
enabled = no
# IRMA @ github: https://github.com/quarkslab/irma
# How much time we can wait to establish IRMA connection and get the report.
timeout = 60
# Enable this option if you want to submit files to IRMA not yet available.
scan = no
# Force scan of submitted files
force = no
# URL to your IRMA installation
# For example: https://your.irma.host
url =
# Probes to use on your IRMA instance
# If not specified, will default to using all available probes
# Expects comma separated list
# For example: ClamAV,F-Secure,Avast,ESET,eScan,Avira,Sophos,McAfee,Kaspersky,GData,Comodo,Bitdefender
probes =
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
qemu.conf

```ini
[qemu]
# Path to one qemu binary (assumes the other ones are there as well)
path = /usr/bin/qemu-system-x86_64

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = vm1, vm2, vm3

# Specify the name of the default network interface that will be used
# when dumping network traffic with tcpdump.
# Example (qemubr is the interface name):
interface = qemubr

[vm1]
label = vm1
# image path
image = /home/rep/vms/qvm_wheezy64_1.qcow2
# saved snapshot name
snapshot =
# vm arch (mips/mipsel/arm/x64/x86)
arch =
# use kvm virtualization
enable_kvm = no
# path to kernel image
kernel =
# path to initrd image
initrd =

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = linux

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.55.2

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump.
# Example (qemubr is the interface name):
interface = qemubr

# (Optional) Specify the IP of the Result Server, as your virtual machine sees
# it. The Result Server will always bind to the address and port specified in
# cuckoo.conf, however you could set up your virtual network to use NAT/PAT,
# so you can specify here the IP address for the Result Server as your machine
# sees it. If you don't specify an address here, the machine will use the
# default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in
# cuckoo.conf.
# Example:
resultserver_ip = 192.168.55.1

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags = debian_wheezy,64_bit

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =

[vm2]
label = vm2
# image path
image = /home/rep/vms/qvm_wheezy64_1.qcow2
# saved snapshot name
snapshot =
# vm arch (mips/mipsel/arm/x64/x86)
arch = mipsel
# use kvm virtualization
enable_kvm = no
# path to kernel image
kernel = {imagepath}/vmlinux-3.16.0-4-4kc-malta-mipsel
# path to initrd image
initrd =

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = linux

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.55.3

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump.
# Example (qemubr is the interface name):
interface = qemubr

# (Optional) Specify the IP of the Result Server, as your virtual machine sees
# it. The Result Server will always bind to the address and port specified in
# cuckoo.conf, however you could set up your virtual network to use NAT/PAT,
# so you can specify here the IP address for the Result Server as your machine
# sees it. If you don't specify an address here, the machine will use the
# default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in
# cuckoo.conf.
# Example:
resultserver_ip = 192.168.55.1

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags = debian_wheezy,mipsel

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =

[vm3]
label = vm3
# image path
image = /home/rep/vms/qvm_wheezy64_1.qcow2
# saved snapshot name
snapshot =
# vm arch (mips/mipsel/arm/x64/x86)
arch = arm
# use kvm virtualization
enable_kvm = no
# path to kernel image
kernel = {imagepath}/vmlinuz-3.2.0-4-versatile-arm
# path to initrd image
initrd = {imagepath}/initrd-3.2.0-4-versatile-arm

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = linux

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.55.4

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump.
# Example (qemubr is the interface name):
interface = qemubr

# (Optional) Specify the IP of the Result Server, as your virtual machine sees
# it. The Result Server will always bind to the address and port specified in
# cuckoo.conf, however you could set up your virtual network to use NAT/PAT,
# so you can specify here the IP address for the Result Server as your machine
# sees it. If you don't specify an address here, the machine will use the
# default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in
# cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags = debian_wheezy,arm

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =
```
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
reporting.conf

```ini
# Enable or disable the available reporting modules [on/off].
# If you add a custom reporting module to your Cuckoo setup, you have to add
# a dedicated entry in this file, or it won't be executed.
# You can also add additional options under the section of your module and
# they will be available in your Python class.

[feedback]
# Automatically report errors that occurred during an analysis. Requires the
# Cuckoo Feedback settings in cuckoo.conf to have been filled out properly.
enabled = no

[jsondump]
enabled = yes
indent = 4
calls = yes

[singlefile]
# Enable creation of report.html and/or report.pdf?
enabled = no
# Enable creation of report.html?
html = no
# Enable creation of report.pdf?
pdf = no

[misp]
enabled = no
url =
apikey =

# The various modes describe which information should be submitted to MISP,
# separated by whitespace. Available modes: maldoc ipaddr hashes url.
mode = maldoc ipaddr hashes url

distribution = 0
analysis = 0
threat_level = 4

# The minimum Cuckoo score for a MISP event to be created
min_malscore = 0

tag = Cuckoo
upload_sample = no

[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username =
password =

[elasticsearch]
enabled = no
# Comma-separated list of ElasticSearch hosts. Format is IP:PORT, if port is
# missing the default port is used.
# Example: hosts = 127.0.0.1:9200, 192.168.1.1:80
hosts = 127.0.0.1
# Increase default timeout from 10 seconds, required when indexing larger
# analysis documents.
timeout = 300
# Set to yes if we want to be able to search every API call instead of just
# through the behavioral summary.
calls = no
# Index of this Cuckoo instance. If multiple Cuckoo instances connect to the
# same ElasticSearch host then this index (in Moloch called "instance") should
# be unique for each Cuckoo instance.
index = cuckoo

# Logging time pattern.  This sets how elasticsearch creates indexes
# by default it is yearly in most instances this will be sufficient
# valid options: yearly, monthly, daily
index_time_pattern = yearly

# Cuckoo node name in Elasticsearch to identify reporting host. Can be useful
# for automation and while referring back to correct Cuckoo host.
cuckoo_node =

[moloch]
enabled = no

# If the Moloch web interface is hosted on a different IP address than the
# Cuckoo Web Interface then you'll want to override the IP address here.
host =

# If you wish to run Moloch in http (insecure) versus https (secure) mode,
# set insecure to yes.
insecure = no

# Following are various configurable settings. When in use of a recent version
# of Moloch there is no need to change any of the following settings as they
# represent the defaults.
moloch_capture = /data/moloch/bin/moloch-capture
conf = /data/moloch/etc/config.ini
instance = cuckoo

[notification]
# Notification module to inform external systems that analysis is finished.
# You should consider keeping this as very last reporting module.
enabled = no

# External service URL where info will be POSTed.
# example : https://my.example.host/some/destination/url
url =

# Cuckoo host identifier - can be hostname.
# for example : my.cuckoo.host
identifier =

[mattermost]
enabled = no

# Mattermost webhook URL.
# example : https://my.mattermost.host/hooks/yourveryrandomkey
url =

# Cuckoo host URL to make analysis ID clickable.
# example : https://my.cuckoo.host/
myurl =

# Username to show when posting message
username = cuckoo

# What kind of data to show apart from default.
# Show virustotal hits.
show_virustotal = no

# Show matched cuckoo signatures.
show_signatures = no

# Show collected URL-s by signature "network_http".
show_urls = no

# Hide filename and create hash of it
hash_filename = no

# Hide URL and create hash of it
hash_url = no
```
routing.conf

```ini
[routing]
# Default network routing mode if none is specified by the user. In none mode
# we don't do any special routing - the VM doesn't have any network access
# (this has been the default actually for quite a while) aside from the subnet
# it exists in. In internet mode by default all the VMs will be routed through
# the network interface configured below (the "dirty line"). And in VPN mode
# by default the VMs will be routed through the VPN identified by the given
# name of the VPN (as per the VPNs listed in the vpn section).
# Note that just like enabling VPN configuration setting this option to
# anything other than "none" requires one to run utils/rooter.py as root next
# to the Cuckoo instance (as it's required for setting up the routing).
route = none

# Network interface that allows a VM to connect to the entire internet, the
# "dirty line" so to say. Note that, just like with the VPNs, this will allow
# malicious traffic through your network. So think twice before enabling it.
# (For example, to use eth0 as dirty line: "internet = eth0").
internet = none

# Routing table name/id for "dirty line" interface. If "dirty line" is also
# default gateway in the system you can leave "main" value. Otherwise add new
# routing table by adding "<id> <name>" line to /etc/iproute2/rt_tables (e.g.,
# "200 eth0"). ID and name must be unique across the system (refer to
# /etc/iproute2/rt_tables for existing names and IDs).
rt_table = main

# To route traffic through multiple network interfaces Cuckoo uses Policy
# Routing with separate routing table for each output interface (VPN or
# "dirty line"). If this option is enabled Cuckoo on start will try to
# automatically initialise routing tables by copying routing entries from
# main routing table to the new routing tables. Depending on your
# network/vpn configuration this might not be sufficient. In such case you
# would need to initialise routing tables manually.
# Note that enabling this option won't affect main routing table.
auto_rt = yes

# The drop route basically drops any outgoing network (except for Cuckoo
# traffic) whereas the regular none route still allows a VM to access its own
# subnet (e.g., 192.168.56.1/24). It is disabled by default as it does require
# the optional rooter to run (unlike the none route, where literally nothing
# happens). One can either explicitly enable the drop route or if the rooter
# is enabled anyway, it is automatically enabled.
drop = no

[inetsim]
# Route a VM to your local InetSim setup (could in theory also be any other
# type of web service / etc).
enabled = no
server = 192.168.56.1

# Redirect TCP ports (should we also support UDP?). If specified, this should
# represent whitespace-separated src:dst pairs. E.g., "80:8080 443:8080" will
# redirect all 80/443 traffic to 8080 on the specified InetSim host.
ports =

[tor]
# Route a VM through Tor, requires a local setup of Tor (please refer to our
# documentation).
enabled = no
dnsport = 5353
proxyport = 9040

[vpn]
# Are VPNs enabled?
enabled = no

# Comma-separated list of the available VPNs.
vpns = vpn0

[vpn0]
# Name of this VPN. The name is represented by the filepath to the
# configuration file, e.g., cuckoo would represent /etc/openvpn/cuckoo.conf
# Note that you can't assign the names "none" and "internet" as those would
# conflict with the routing section in cuckoo.conf.
name = vpn0

# The description of this VPN which will be displayed in the web interface.
# Can be used to for example describe the country where this VPN ends up.
description = Spain, Europe

# The tun device hardcoded for this VPN. Each VPN *must* be configured to use
# a hardcoded/persistent tun device by explicitly adding the line "dev tunX"
# to its configuration (e.g., /etc/openvpn/vpn1.conf) where X in tunX is a
# unique number between 0 and your lucky number of choice.
interface = tun0

# Routing table name/id for this VPN. If table name is used it *must* be
# added to /etc/iproute2/rt_tables as "<id> <name>" line (e.g., "201 tun0").
# ID and name must be unique across the system (refer /etc/iproute2/rt_tables
# for existing names and IDs).
rt_table = tun0
```
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
virtualbox.conf

```ini
[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui" or "headless". Please refer to VirtualBox's official
# documentation to understand the differences.
mode = headless

# Path to the local installation of the VBoxManage utility.
path = /usr/bin/vboxmanage
# If you are running Cuckoo on Mac OS X you have to change the path as
# follows:
# path = /Applications/VirtualBox.app/Contents/MacOS/VBoxManage

# Default network interface.
interface = vboxnet0

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1

# If remote control is enabled in cuckoo.conf, specify a port range to use.
# Virtualbox will bind the VRDP interface to the first available port.
controlports = 5000-5050

[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = cuckoo1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.1

# (Optional) Specify the snapshot name to use. If you do not specify a
# snapshot name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = cuckoo2

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees
# it. The Result Server will always bind to the address and port specified in
# cuckoo.conf, however you could set up your virtual network to use NAT/PAT,
# so you can specify here the IP address for the Result Server as your machine
# sees it. If you don't specify an address here, the machine will use the
# default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in
# cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags =

# Mostly unused for now. Please don't fill it out.
options =

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =

[honeyd]
# For more information on this VM please refer to the "services" section of
# the conf/auxiliary.conf configuration file. This machine is a bit special
# in the way that its used as an additional VM for an analysis.
# NOTE that if this functionality is used, the VM should be registered in the
# "machines" list in the beginning of this file.
label = honeyd
platform = linux
ip = 192.168.56.102
# The tags should at least contain "service" and the name of this service.
# This way the services auxiliary module knows how to find this particular VM.
tags = service, honeyd
# Not all services actually have a Cuckoo Agent running in the VM, for those
# services one can specify the "noagent" option so Cuckoo will just wait until
# the end of the analysis instead of trying to connect to the non-existing
# Cuckoo Agent. We can't really intercept any inter-VM communication from the
# host / gateway so in order to dump traffic between VMs we have to use a
# different network dumping approach. For this machine we use the "nictrace"
# functionality from VirtualBox (which is basically their internal tcpdump)
# and thus properly dumps inter-VM traffic.
options = nictrace noagent
```
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vmware.conf

```ini
[vmware]
# Specify which Vmware Workstation mode you want to run your machines on.
# Can be "gui" or "nogui". Refer to VMware's official documentation to
# understand the differences.
mode = gui

# Path to the local installation of the vmrun utility.
path = /usr/bin/vmrun

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1

# Specify the name of the default network interface that should be used
# when dumping network traffic with tcpdump.
# Example (virbr0 is the interface name):
interface = virbr0

[cuckoo1]
# Specify the path to vmx file of this virtual machine.
vmx_path = ../cuckoo1/cuckoo1.vmx

# Specify the snapshot name to use.
snapshot = Snapshot1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.54.111

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump.
# Example (virbr0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees
# it. The Result Server will always bind to the address and port specified in
# cuckoo.conf, however you could set up your virtual network to use NAT/PAT,
# so you can specify here the IP address for the Result Server as your machine
# sees it. If you don't specify an address here, the machine will use the
# default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in
# cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags =

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =
```
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vsphere.conf

```ini
[vsphere]
# Host connection parameters. This host can be a standalone ESXi hypervisor,
# or a vCenter host. It must be licensed for vSphere Web API access (the free
# edition of ESXi is insufficient).
# NOTE: In order for the full memory dump feature to work, the credentials
# must have permission to access the datastore files for the relevant machine
# via HTTP, otherwise you will see HTTP status errors (Unauthorized) in the
# Cuckoo log while attempting to download the .vmsn or .vmem memory dump
# file. Consult the VMware documentation for more details:
# http://pubs.vmware.com/vsphere-60/topic/com.vmware.wssdk.pg.doc/PG_Appx_Http_Access.21.3.html
host = 10.0.0.1
port = 443
user = username_goes_here
pwd = password_goes_here

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = analysis1

# Specify the name of the default network interface that should be used
# when dumping network traffic with tcpdump.
# Example (eth0 is the interface name):
interface = eth0

# Turn this on if you have a self-signed certificate on your vSphere host and
# need to work around the stricter PEP-0476 validation in recent Python
# versions
unverified_ssl = no

[analysis1]
# Specify the label name of the current machine as specified on your vSphere
# host.
label = cuckoo1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Please specify the name of the snapshot. This snapshot should be taken while
# the machine is running and the agent started.
snapshot = snapshot_name

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.122.101

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump.
# Example (eth0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees
# it. The Result Server will always bind to the address and port specified in
# cuckoo.conf, however you could set up your virtual network to use NAT/PAT,
# so you can specify here the IP address for the Result Server as your machine
# sees it. If you don't specify an address here, the machine will use the
# default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in
# cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
# Note that the 64_bit tag is currently special. For submitted 64-bit PE
# files, the 64_bit tag will automatically be added, forcing them to be run on
# a 64-bit VM. For this reason, make sure all 64-bit VMs have the 64_bit tag.
tags =

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =
```
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
xenserver.conf

```ini
[xenserver]
# Specify the XenServer username for authentication.
user = root

# Specify the XenServer password for authentication.
password = changeme

# Specify the XenServer URL. The url is the XMLRPC location of the XenServer,
# which can be either a hostname or IP address.
url = https://xenserver

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1

# Specify the name of the default network interface that should be used
# when dumping network traffic with tcpdump.
# Example (virbr0 is the interface name):
interface = virbr0

[cuckoo1]
# Specify the virtual machine uuid.
uuid = 00000000-0000-0000-0000-000000000000

# Specify the snapshot uuid to use. Snapshots are not required, but if they
# are not used, the virtual machine's disks must be configured to reset on
# boot. Resetting the disks on boot ensures that samples cannot permanently
# modify the analysis virtual machine past a shutdown. Refer to the "Saving
# the Virtual Machine" section in the Cuckoo documentation for details on how
# to enable disk resetting on boot.
# Example:
snapshot =

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.54.111

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump.
# Example (virbr0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees
# it. The Result Server will always bind to the address and port specified in
# cuckoo.conf, however you could set up your virtual network to use NAT/PAT,
# so you can specify here the IP address for the Result Server as your machine
# sees it. If you don't specify an address here, the machine will use the
# default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in
# cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine
# sees it. The Result Server will always bind to the address and port
# specified in cuckoo.conf, however you could set up your virtual network to
# use NAT/PAT, so you can specify here the port for the Result Server as your
# machine sees it. If you don't specify a port here, the machine will use the
# default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags =

# (Optional) Specify the OS profile to be used by volatility for this virtual
# machine. This will override the guest_profile variable in memory.conf which
# solves the problem of having multiple types of VMs and properly determining
# which profile to use.
osprofile =
```
======================================
IP configuration for the actual box

Output of `ifconfig` on the Ubuntu box:

```text
enp4s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.56.13.10  netmask 255.255.255.128  broadcast 10.56.13.127
        inet6 fe80::a61d:451e:4f37:7685  prefixlen 64  scopeid 0x20<link>
        ether e4:11:5b:b2:8f:aa  txqueuelen 1000  (Ethernet)
        RX packets 96287  bytes 65814246 (65.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 76720  bytes 14509931 (14.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp4s0f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether e4:11:5b:b2:8f:ac  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp5s0f0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether e4:11:5b:b2:8f:ae  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp5s0f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether e4:11:5b:b2:8f:b0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 95386  bytes 13502185 (13.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 95386  bytes 13502185 (13.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vboxnet0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.56.1  netmask 255.255.255.0  broadcast 192.168.56.255
        ether 0a:00:27:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

IP configuration for the VM is as follows.

Output of `ipconfig` on the cuckoo1 VM:

```text
IPv4 Address:    192.168.56.101
Subnet Mask:     255.255.255.0
Default Gateway: 192.168.56.1
```
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cuckoo1 is running in host-only mode in VirtualBox. It is running in headless mode.
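The pasted virtualbox.conf gives [cuckoo1] `ip = 192.168.56.1`, while the ifconfig output shows 192.168.56.1 is the host's own vboxnet0 address and the guest's ipconfig reports 192.168.56.101. The `ip` value in a machine section must be the guest's address: Cuckoo connects to the agent there, and an address that belongs to the host, or lies outside the host-only subnet, will never reach the VM. Separately, VirtualBox registrations are per user, so `VBoxManage list vms` must show the label when run as the account that runs Cuckoo. The following is an added example (editor's code, not part of the issue and not Cuckoo's or VMCloak's code) that mechanizes those two checks against a copy of the values pasted above. It assumes the .conf uses the usual INI layout, that the host-only network is a /24 (netmask 255.255.255.0, as shown above), and that `VBoxManage` and `sudo` are on PATH for the registration check; the config and ifconfig samples are constructed inline.

```sh
#!/bin/sh
# Added example, not part of the issue or of Cuckoo: sanity-check a
# virtualbox.conf machine entry against the host-only adapter and the
# VirtualBox user. Assumed (not from the page): INI layout, /24 host-only
# network, VBoxManage/sudo on PATH for vm_visible_to_user.

# conf_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }                        # skip comment lines
        /^\[/      { insec = ($0 == sec); next }   # enter/leave a section
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# iface_ip IFACE FILE -> IPv4 address of IFACE from saved `ifconfig` output
iface_ip() {
    awk -v want="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # "vboxnet0: flags=..."
        cur == want && /inet / {
            for (i = 1; i <= NF; i++) if ($i == "inet") { print $(i + 1); exit }
        }' "$2"
}

# check_guest_ip HOST_IP GUEST_IP -> 0 ok; 1 guest ip is the host's own
# address; 2 guest ip is outside the host-only /24 (assumed netmask)
check_guest_ip() {
    [ "$1" = "$2" ] && return 1
    [ "${1%.*}" = "${2%.*}" ] || return 2
    return 0
}

# vm_visible_to_user USER LABEL -> 0 if `VBoxManage list vms`, run as USER,
# lists the VM. Registrations are per user, so USER must be the account that
# runs cuckoo. Not exercised below: it needs VirtualBox installed.
vm_visible_to_user() {
    sudo -u "$1" VBoxManage list vms | grep -q "^\"$2\" "
}

# audit_machine CONF IFCFG LABEL -> prints a verdict, returns check_guest_ip's code
audit_machine() {
    host=$(iface_ip "$(conf_get "$1" virtualbox interface)" "$2")
    guest=$(conf_get "$1" "$3" ip)
    check_guest_ip "$host" "$guest" && rc=0 || rc=$?
    case $rc in
        0) echo "$3: ip $guest reachable via host-only adapter $host" ;;
        1) echo "$3: ip $guest is the host's own adapter address, not the guest's" ;;
        2) echo "$3: ip $guest is not in the host-only /24 of $host" ;;
    esac
    return $rc
}

# Constructed input mirroring the values pasted in the issue.
CONF=$(mktemp); IFCFG=$(mktemp)
trap 'rm -f "$CONF" "$IFCFG"' EXIT
cat > "$CONF" <<'EOF'
[virtualbox]
mode = headless
interface = vboxnet0
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
# host's vboxnet0 address copied into the guest entry
ip = 192.168.56.1
snapshot = cuckoo2
EOF
cat > "$IFCFG" <<'EOF'
enp4s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.56.13.10  netmask 255.255.255.128  broadcast 10.56.13.127
        inet6 fe80::a61d:451e:4f37:7685  prefixlen 64  scopeid 0x20<link>
vboxnet0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.56.1  netmask 255.255.255.0  broadcast 192.168.56.255
EOF

audit_machine "$CONF" "$IFCFG" cuckoo1   # rejected: 192.168.56.1 is vboxnet0
```

Run it against the real files with `audit_machine /home/cuckoo/.cuckoo/conf/virtualbox.conf <(ifconfig) cuckoo1` (the path is an assumption, adjust to the working directory in use), then `vm_visible_to_user cuckoo cuckoo1` to confirm the VM is registered for the account Cuckoo runs as; a guest address such as 192.168.56.101 passes the first check, the host's 192.168.56.1 does not.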