Published on February 24th, 2014

Automated malware analysis with Cuckoo




Setup and configuration of the Cuckoo framework on Linux, to automate the malware analysis process.
Install the following prerequisites first.

1. Installing Python and dependencies
apt-get install python # installed by default
apt-get install python-magic # for identifying file formats
apt-get install python-dpkt # for extracting info from pcaps
apt-get install python-mako # for rendering html reports and web gui
apt-get install python-sqlalchemy
apt-get install python-jinja2 # necessary for web.py utility
apt-get install python-bottle # necessary for web.py utility

2. Installing SSDEEP for calculating fuzzy hashes
apt-get install ssdeep
apt-get install python-pyrex # required for pyssdeep installation
apt-get install subversion
apt-get install libfuzzy-dev
svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
cd pyssdeep
python setup.py build
python setup.py install # run as root user

3. Installing MongoDB and Python support
apt-get install python-pymongo # for mongodb support
apt-get install mongodb # includes server and clients

4. Installing Yara and Python support
apt-get install g++
apt-get install libpcre3 libpcre3-dev
wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
tar -xvzf yara-1.6.tar.gz
cd yara-1.6
./configure
make
make check
make install
wget http://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
tar -xvzf yara-python-1.6.tar.gz
cd yara-python-1.6
python setup.py build
python setup.py install

5. Modifying Tcpdump running privileges
apt-get install libcap2-bin
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump # to check changes have been applied

6. Installing Cuckoo Sandbox
sudo useradd cuckoo
usermod -a -G vboxusers cuckoo # add cuckoo to vboxusers group
id cuckoo # checks cuckoo user details

Next, download Cuckoo from the official website and extract the TAR package into the desired folder.
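A preflight script, added here as an example and not part of the original post, that verifies the outcome of steps 1 to 6 before Cuckoo is started: tcpdump carries the file capabilities from step 5 instead of needing root, the cuckoo user from step 6 is in vboxusers, and the Python modules are importable. The parsers take command output as strings so they can be exercised against constructed lines; the Python module names are assumed from the packages listed above.

```shell
#!/bin/sh
# Preflight check for the Cuckoo prerequisites above (added example, not from
# the original post). Run with "--run" for live checks on this host.

# caps_ok LINE: succeed when a getcap(8) line for tcpdump grants cap_net_raw and
# cap_net_admin with the e and p flags set by the setcap step. Handles the old
# "path = caps+eip" and newer "path caps=eip" output formats.
caps_ok() {
    rest=$(printf '%s' "${1#*tcpdump}" | tr '=' '+' | tr -d ' ')
    case "$rest" in *+*) ;; *) return 1 ;; esac   # no capability set at all
    flags=${rest##*+}                             # e.g. "eip"
    names=${rest%+*}; names=${names#+}            # e.g. "cap_net_admin,cap_net_raw"
    case ",$names," in *,cap_net_raw,*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
}

# in_group ID_OUTPUT GROUP: succeed when id(1) output lists GROUP in groups=.
in_group() {
    case "$1" in *groups=*) ;; *) return 1 ;; esac
    case "${1##*groups=}" in *"($2)"*) return 0 ;; esac
    return 1
}

# missing_modules MOD...: print each Python module that fails to import
# (module names assumed from the packages installed in steps 1-4).
missing_modules() {
    for m in "$@"; do
        python -c "import $m" >/dev/null 2>&1 || printf '%s\n' "$m"
    done
}

run_preflight() {
    status=0
    if caps_ok "$(getcap /usr/sbin/tcpdump 2>/dev/null)"; then
        echo "ok   tcpdump has cap_net_raw,cap_net_admin=eip"
    else
        echo "FAIL tcpdump lacks cap_net_raw,cap_net_admin=eip"; status=1
    fi
    if in_group "$(id cuckoo 2>/dev/null)" vboxusers; then
        echo "ok   cuckoo user is in vboxusers"
    else
        echo "FAIL cuckoo user missing or not in vboxusers"; status=1
    fi
    missing=$(missing_modules magic dpkt mako sqlalchemy jinja2 bottle pymongo yara ssdeep)
    [ -z "$missing" ] && echo "ok   python modules" || { echo "FAIL missing:" $missing; status=1; }
    return $status
}

[ "${1:-}" = "--run" ] && run_preflight
```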
