idanr1986 / cuckoo-droid

CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.
580 stars 134 forks

how does it work??? #10

Open p2rate opened 8 years ago

p2rate commented 8 years ago

Hi, I am trying to set up Cuckoo for Android malware analysis but it seems like I don't get how it works. I have downloaded the Android SDK, made an AVD, rooted the AVD, ran create_guest_avd.sh (located in utils/android_emulator_creator in the cuckoo-droid archive), and to sum it up my guest emulator is ready to go. What should I do next from here? I reckoned that I should use cuckoo.py from the Cuckoo Sandbox main distribution (https://github.com/cuckoosandbox/cuckoo). I properly set the conf files for Cuckoo and ran cuckoo.py, but when I use submit.py to start an analysis, cuckoo.py reports that the AVD I created to be used as the guest does not exist, and it actually removes the AVD I created.

Here is the output:

  File "/home/ashk/Downloads/cuckoo/modules/machinery/avd.py", line 117, in duplicate_reference_machine
    shutil.copyfile(avd_config_file, new_config_file)
  File "/usr/lib/python2.7/shutil.py", line 82, in copyfile
    with open(src, 'rb') as fsrc:
IOError: [Errno 2] No such file or directory: '/root/.android/avd/koad.ini'

idanr1986 commented 8 years ago

Is this the path of your reference machine? /root/.android/avd/koad.ini?

cssanchit commented 8 years ago

(Second Configuration) These steps will install the Android virtual machine (AVD) and the host on the same machine.

INSTALLATION OF CUCKOO-DROID ON UBUNTU 14.04 64bit


sudo apt-get install python python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg-dev


sudo apt-get install mongodb


sudo apt-get install git


git config --global user.email "you@example.com"


git config --global user.name "Your Name"


git clone --depth=1 https://github.com/cuckoobox/cuckoo.git cuckoo -b 1.2


cd cuckoo


git remote add droid https://github.com/idanr1986/cuckoo-droid


git pull --no-edit -s recursive -X theirs droid master


cat conf-extra/processing.conf >> conf/processing.conf


cat conf-extra/reporting.conf >> conf/reporting.conf


rm -r conf-extra


echo "protobuf" >> requirements.txt


sudo pip install -r requirements.txt


sudo apt-get install libstdc++6:i386 libgcc1:i386 zlib1g:i386 libncurses5:i386


sudo add-apt-repository ppa:webupd8team/java -y
sudo apt-get update
sudo apt-get install oracle-java8-installer
sudo apt-get install oracle-java8-set-default


NOTE::: Download the latest SDK from the Google site, unzip it, go to bin in a terminal and run sudo ./studio.sh. NOTE::: install with default settings.. Take a break now..:)


Press Configure -> SDK Manager -> check "Show package details" -> select Android SDK Platform, Sources for Android 16 and the ARM EABI v7a image under Android 4.1 (Jelly Bean) -> press OK -> Accept -> Next.. take a short break now..;)


sudo chmod 777 /root/


export PATH=$PATH:/root/Android/Sdk/tools:/root/Android/Sdk/build-tools/24.0.2/:/root/Android/Sdk/platform-tools


sudo chmod 777 /home/YOUR_Ubuntu_user_Name/.android/

e.g. :: if sanchit is the user name ---> sudo chmod 777 /home/sanchit/.android/


NOTE :: Go to the cuckoo directory and change the following files.

conf/cuckoo.conf configuration:

# Specify the name of the machinery module to use, this module will
# define the interaction between Cuckoo and your virtualization software
# of choice.
machinery = avd

[resultserver]
# The Result Server is used to receive in real time the behavioral logs
# produced by the analyzer.
# Specify the IP address of the host. The analysis machines should be able
# to contact the host through such address, so make sure it's valid.
# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
# resultserver_ip for all your virtual machines in machinery configuration.
ip = 127.0.0.1

conf/avd.conf configuration:

[avd]
# Path to the local installation of the android emulator
emulator_path =
# Path to the local installation of the adb - android debug bridge utility.
adb_path =
# Path where the emulator machine files are located
avd_path = /.android/avd
# name of the reference machine that is used to duplicate
reference_machine = aosx
# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. aosx_1,aosx_2,aosx_3)
# currently supports only 1 machine because of network limitations
machines = aosx_1

[aosx_1]
# Specify the label name of the current machine as specified in your
# aosx_1 configuration.
label = aosx_1
# Specify the operating system platform used by current machine
platform = android
# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
# It's always 127.0.0.1 because of the android emulator networking configuration:
# this is the loopback of the host machine
ip = 127.0.0.1
# Specify the port for the emulator as your adb sees it.
emulator_port = 5554
# 10.0.2.2 is the loopback of the host machine, very important!!!
resultserver_ip = 10.0.2.2
resultserver_port = 2042

Warning: the result server ip is always 10.0.2.2! (android emulator network configuration)

conf/auxiliary.conf configuration:

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = no

conf/processing.conf configuration:

[droidmon]
enabled = yes

[googleplay]
enabled = yes
android_id =
google_login =
google_password =

[apkinfo]
enabled = yes
# Decompiling dex with androguard is a heavy operation and for big dex files
# it can really consume performance from the cuckoo host, so it's recommended
# to limit the size of dex that you will decompile
decompilation_threshold = 2000000

conf/reporting.conf configuration:

[reporthtml]
enabled = no

[reportandroidhtml]
enabled = yes


emulator -avd aosx -qemu -nand system,size=0x1f400000,file=/home/sanchit/Sdk/system-images/android-16/default/armeabi-v7a/system.img

sudo apt-get install android-tools-adb

utils/android_emulator_creator/create_guest_avd.sh

sudo apt-get install mercurial python python-setuptools
sudo easy_install ipython
sudo pip install python-magic
sudo apt-get install -y python-dev libbz2-dev libmuparser-dev libsparsehash-dev python-ptrace python-pygments python-pydot liblzma-dev libsnappy-dev python-pip

Download androguard-2.0.zip to /home/sanchit/Desktop/cuckoo/, unpack it, and from the unpacked directory run:

sudo python setup.py install

The processing.conf data (from conf-extra) should be merged with processing.conf...

RUN:

sudo ./cuckoo.py
utils/submit.py your-apk

The result is in report.html.
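The error in the opening post (an IOError from duplicate_reference_machine in modules/machinery/avd.py) is Cuckoo failing to copy the reference AVD's .ini file, which means avd.conf points at a reference machine that does not exist under avd_path. The following is an added example, not code from the CuckooDroid project: a small preflight script that reads an avd.conf of the shape shown in the comment above and reports the mistakes a first-time setup usually has (missing reference machine files, empty emulator_path/adb_path, more than one machine, a machine section whose ip is not 127.0.0.1 or whose resultserver_ip is not 10.0.2.2). The function names, the sample config and the fake SDK layout it writes into a temporary directory are all constructed for this example.

```python
"""Preflight check for a CuckooDroid avd.conf (added example, not project code)."""
import os
import shutil
import tempfile

try:  # Cuckoo 1.2 ran on Python 2; the check also works on Python 3
    from ConfigParser import ConfigParser
except ImportError:
    from configparser import ConfigParser

# Inside the Android emulator, 10.0.2.2 is the alias for the host's loopback,
# which is why resultserver_ip must be that address and not 127.0.0.1.
EMULATOR_HOST_ALIAS = "10.0.2.2"


def _get(cfg, section, key):
    """Return an option value or '' when it is absent (avoids NoOptionError)."""
    return cfg.get(section, key).strip() if cfg.has_option(section, key) else ""


def check_avd_conf(conf_path):
    """Return a list of problems found in avd.conf; an empty list means it looks usable."""
    problems = []
    cfg = ConfigParser()
    cfg.read(conf_path)
    if not cfg.has_section("avd"):
        return ["missing [avd] section"]

    avd_path = os.path.expanduser(_get(cfg, "avd", "avd_path"))
    ref = _get(cfg, "avd", "reference_machine")

    # The reference machine is cloned for each analysis from <name>.ini and
    # <name>.avd/ under avd_path; if the .ini is missing, Cuckoo dies copying it.
    ref_ini = os.path.join(avd_path, ref + ".ini")
    ref_dir = os.path.join(avd_path, ref + ".avd")
    if not ref or not os.path.isfile(ref_ini):
        problems.append("reference machine ini not found: %s" % ref_ini)
    if not ref or not os.path.isdir(ref_dir):
        problems.append("reference machine directory not found: %s" % ref_dir)

    for key in ("emulator_path", "adb_path"):
        value = _get(cfg, "avd", key)
        if not value or not os.path.isfile(value):
            problems.append("%s is unset or not a file: %r" % (key, value))

    machines = [m.strip() for m in _get(cfg, "avd", "machines").split(",") if m.strip()]
    if len(machines) != 1:
        problems.append("CuckooDroid supports exactly one machine, got %d" % len(machines))
    for m in machines:
        if not cfg.has_section(m):
            problems.append("machine %s is listed but has no [%s] section" % (m, m))
            continue
        if _get(cfg, m, "ip") != "127.0.0.1":
            problems.append("[%s] ip must be 127.0.0.1 (the emulator is reached through adb on the host)" % m)
        if _get(cfg, m, "resultserver_ip") != EMULATOR_HOST_ALIAS:
            problems.append("[%s] resultserver_ip must be %s" % (m, EMULATOR_HOST_ALIAS))
        port = _get(cfg, m, "emulator_port")
        # Emulator console ports are even numbers starting at 5554 (adb uses port+1).
        if not port.isdigit() or int(port) < 5554 or int(port) % 2:
            problems.append("[%s] emulator_port %r is not an even console port >= 5554" % (m, port))
    return problems


# Constructed sample config in the layout used by the setup notes above.
SAMPLE_CONF = """[avd]
emulator_path = %(emulator)s
adb_path = %(adb)s
avd_path = %(avd_path)s
reference_machine = aosx
machines = aosx_1

[aosx_1]
label = aosx_1
platform = android
ip = 127.0.0.1
emulator_port = 5554
resultserver_ip = 10.0.2.2
resultserver_port = 2042
"""


def write_sample_setup(root, with_reference=True):
    """Write a fake SDK layout and avd.conf under root; optionally omit the reference AVD."""
    avd_dir = os.path.join(root, ".android", "avd")
    os.makedirs(avd_dir)
    emulator, adb = os.path.join(root, "emulator"), os.path.join(root, "adb")
    for tool in (emulator, adb):
        open(tool, "w").close()
    if with_reference:
        open(os.path.join(avd_dir, "aosx.ini"), "w").close()
        os.mkdir(os.path.join(avd_dir, "aosx.avd"))
    conf = os.path.join(root, "avd.conf")
    with open(conf, "w") as f:
        f.write(SAMPLE_CONF % {"emulator": emulator, "adb": adb, "avd_path": avd_dir})
    return conf


def run_demo():
    """Check a complete setup and one with the reference AVD missing; return both problem lists."""
    roots = [tempfile.mkdtemp(), tempfile.mkdtemp()]
    try:
        good = check_avd_conf(write_sample_setup(roots[0], with_reference=True))
        bad = check_avd_conf(write_sample_setup(roots[1], with_reference=False))
    finally:
        for r in roots:
            shutil.rmtree(r, ignore_errors=True)
    return good, bad


if __name__ == "__main__":
    for label, found in zip(("complete setup", "missing reference AVD"), run_demo()):
        print("%s: %s" % (label, found or "OK"))
```

Run it against the real file with check_avd_conf("conf/avd.conf") from the cuckoo directory before starting cuckoo.py; an empty list means the reference machine files, tool paths and the two emulator-specific addresses are all in place.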

gavlabs commented 7 years ago

Where do the analyzer and the agent components reside in this setup ?

lovina37 commented 7 years ago

@cssanchit did you make any changes to the Ubuntu firewall or network and interfaces?