Cuckoo Sandbox is an automated malware analysis system. You can submit any suspicious file to it and, within a few minutes, Cuckoo returns a detailed report of what that file did when executed inside an isolated virtual machine.
Cuckoo collects several kinds of raw data during an analysis, including:
Native functions and Windows API calls traces
Copies of files created and deleted from the filesystem
Memory dumps of the analysed process
Full memory dump of the analysis machine (optional)
Screenshots of the desktop during the execution of the malware analysis
Network capture (pcap) of the traffic generated by the analysis machine
To make these results easier to consume, Cuckoo processes them into several types of report.
Usage of the cuckoo command:

cuckoo [-h] [-q] [-d] [-v] [-a] [-t] [-m MAX_ANALYSIS_COUNT]

  -h, --help            show this help message and exit
  -q, --quiet           Display only error messages
  -d, --debug           Display debug messages
  -v, --version         show program's version number and exit
  -a, --artwork         Show artwork
  -t, --test            Test startup
  -m MAX_ANALYSIS_COUNT, --max-analysis-count MAX_ANALYSIS_COUNT
                        Maximum number of analyses
Create a VM named cuckoo1 running any version of Windows, give it an address on the host-only network of your virtualisation software and write that IP address down. Inside the VM, install Python 2.7 (the Cuckoo agent is Python 2 code), the Python Imaging Library (used for the screenshots) and Adobe Reader. Reader lets you analyse PDF files as well as executables. You can also install MS Word if you want to analyse .doc files. Disable the Windows firewall and automatic updates inside the VM so they do not interfere with the analysis or block the agent.
Copy the agent.py file from the /pentest/forensics/cuckoo-master/agent folder to the Windows machine and set it to run at startup (for example, a shortcut in the Startup folder). The agent listens on TCP port 8000, so the Linux host must be able to reach the guest on that port. With the agent running, take a snapshot of the VM and name it cuckoo1.
Back on the Linux host, open /pentest/forensics/cuckoo-master/conf/cuckoo.conf. Check that machinery under [cuckoo] names the virtualisation software you are using, set ip under [resultserver] to the Linux host's address on the analysis network (the guest sends its results to this address), and set interface under [sniffer] to the host-only interface of your virtualisation software (usually vmnet1 for VMware and vboxnet0 for VirtualBox; vmnet0 is VMware's bridged adapter and would put the analysis traffic on your real network).
Next edit the matching machinery file, conf/vmware.conf or conf/virtualbox.conf. In the machine's section, set ip to the address of the Windows guest and verify that the rest of the entry (its label or .vmx path, platform and snapshot name cuckoo1) matches the VM you created.
One last thing before you begin: edit reporting.conf and set enabled = yes under [mongodb]. MongoDB must be installed and running on the host for this reporting module to work.
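The three files edited above have to agree with each other, and a mismatch (a result server address the guest cannot reach, a sniffer interface that is not the host-only one, a missing snapshot name) is the usual reason a first analysis hangs or reports nothing. As an added example, not Cuckoo's own code and not part of the original page, the following Python script parses the relevant sections and reports those mismatches. The embedded configuration text is constructed sample content modelled on the legacy Cuckoo conf layout; the addresses 192.168.56.1 and 192.168.56.101, the interface vboxnet0, the VM name cuckoo1 and the /24 mask are assumptions, so substitute your own values or read the real files from the conf directory instead.

```python
"""Consistency check for a Cuckoo host/guest configuration (added example)."""
import configparser
import ipaddress

# Constructed sample configs in the legacy Cuckoo conf layout.
# Addresses, interface and VM names below are assumptions for the example.
CUCKOO_CONF = """
[cuckoo]
version_check = on
machinery = virtualbox
memory_dump = off

[resultserver]
ip = 192.168.56.1
port = 2042

[sniffer]
enabled = yes
tcpdump = /usr/sbin/tcpdump
interface = vboxnet0
"""

VIRTUALBOX_CONF = """
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot = cuckoo1
"""

REPORTING_CONF = """
[jsondump]
enabled = yes

[reporthtml]
enabled = yes

[mongodb]
enabled = yes
"""


def _load(text):
    """Parse conf text; interpolation is off because values may contain '%'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def check_config(cuckoo_text, machinery_text, reporting_text, prefix_len=24):
    """Return a list of problems; an empty list means the files agree.

    prefix_len is the mask of the host-only network (assumed /24 here).
    """
    problems = []
    cuckoo = _load(cuckoo_text)
    machinery = _load(machinery_text)
    reporting = _load(reporting_text)

    name = cuckoo.get("cuckoo", "machinery")  # e.g. virtualbox or vmware
    if not machinery.has_section(name):
        return ["%s.conf has no [%s] section" % (name, name)]

    # The guest posts its results here, so it must be a real host address
    # on the analysis network, never loopback or 0.0.0.0.
    result_ip = ipaddress.ip_address(cuckoo.get("resultserver", "ip"))
    analysis_net = ipaddress.ip_network("%s/%d" % (result_ip, prefix_len), strict=False)
    if result_ip.is_loopback or result_ip.is_unspecified:
        problems.append("cuckoo.conf: resultserver ip %s is not reachable from a guest" % result_ip)

    # tcpdump must listen on the same host-only interface the VMs use.
    vm_iface = machinery.get(name, "interface", fallback="")
    sniff_iface = cuckoo.get("sniffer", "interface", fallback="")
    if cuckoo.getboolean("sniffer", "enabled", fallback=False) and sniff_iface != vm_iface:
        problems.append("cuckoo.conf: sniffer interface %r differs from %s.conf interface %r"
                        % (sniff_iface, name, vm_iface))

    for label in (m.strip() for m in machinery.get(name, "machines").split(",")):
        if not machinery.has_section(label):
            problems.append("%s.conf: machine %s listed but has no [%s] section" % (name, label, label))
            continue
        guest_ip = ipaddress.ip_address(machinery.get(label, "ip"))
        if guest_ip == result_ip:
            problems.append("%s: guest ip equals resultserver ip %s" % (label, result_ip))
        elif guest_ip not in analysis_net:
            problems.append("%s: guest ip %s is not on the resultserver network %s"
                            % (label, guest_ip, analysis_net))
        if not machinery.get(label, "snapshot", fallback="").strip():
            problems.append("%s: no snapshot set; Cuckoo restores the VM to a snapshot before each run" % label)

    if not reporting.getboolean("mongodb", "enabled", fallback=False):
        problems.append("reporting.conf: [mongodb] enabled is not yes")
    return problems


if __name__ == "__main__":
    for line in check_config(CUCKOO_CONF, VIRTUALBOX_CONF, REPORTING_CONF) or ["configuration looks consistent"]:
        print(line)
```

To run it against a real installation, read conf/cuckoo.conf, the machinery file named by the machinery key, and conf/reporting.conf with open() and pass their contents to check_config; pass prefix_len if your host-only network is not a /24.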
Open up a terminal and start Cuckoo (add -t the first time to test that the machinery and result server start cleanly before submitting samples):
cyborg@cyborg:~$ sudo cuckoo