Requirements

Before proceeding on configuring Cuckoo, you’ll need to install some required softwares and libraries.

Installing Python libraries

Cuckoo host components are completely written in Python, therefore make sure to have an appropriate version installed. For current release Python 2.7 is preferred.

Install Python on Ubuntu:

$ sudo apt-get install python

In order to properly function, Cuckoo requires SQLAlchemy to be installed.

Install with apt-get:

$ sudo apt-get install python-sqlalchemy

Install with pip:

$ sudo pip install sqlalchemy

There are other optional dependencies that are mostly used by modules and utilities. The following libraries are not strictly required, but their installation is recommended:

  • Dpkt (Highly Recommended): for extracting relevant information from PCAP files.
  • Jinja2 (Highly Recommended): for rendering the HTML reports and the web interface.
  • Magic (Optional): for identifying files’ formats (otherwise use “file” command line utility)
  • Pydeep (Optional): for calculating ssdeep fuzzy hash of files.
  • Pymongo (Optional): for storing the results in a MongoDB database.
  • Yara and Yara Python (Optional): for matching Yara signatures (use the svn version).
  • Libvirt (Optional): for using the KVM machine manager.
  • Bottlepy (Optional): for using the web.py and api.py utilities.
  • Pefile (Optional): used for static analysis of PE32 binaries.

Some of them are already packaged in Debian/Ubuntu and can be installed with the following command:

$ sudo apt-get install python-dpkt python-jinja2 python-magic python-pymongo python-libvirt python-bottle python-pefile

Except for python-magic and python-libvirt, the others can be installed through pip too:

$ sudo pip install dpkt jinja2 pymongo bottle pefile

Yara and Pydeep will have to be installed manually, so please refer to their websites.

If want to use KVM it’s packaged too and you can install it with the following command:

$ sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils

Virtualization Software

Despite heavily relying on VirtualBox in the past, Cuckoo has moved on being architecturally independent from the virtualization software. As you will see throughout this documentation, you’ll be able to define and write modules to support any software of your choice.

For the sake of this guide we will assume that you have VirtualBox installed (which still is the default option), but this does not affect anyhow the execution and general configuration of the sandbox.

You are completely responsible for the choice, configuration and execution of your virtualization software, therefore please hold from asking help on it in our channels and lists: refer to the software’s official documentation and support.

Assuming you decide to go for VirtualBox, you can get the proper package for your distribution at the official download page. The installation of VirtualBox is not in the purpose of this documentation, if you are not familiar with it please refer to the official documentation.

Installing Tcpdump

In order to dump the network activity performed by the malware during execution, you’ll need a network sniffer properly configured to capture the traffic and dump it to a file.

By default Cuckoo adopts tcpdump, the prominent open source solution.

Install it on Ubuntu:

$ sudo apt-get install tcpdump

Tcpdump requires root privileges, but since you don’t want Cuckoo to run as root you’ll have to set specific Linux capabilities to the binary:

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

You can verify the results of last command with:

$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

Or otherwise (not recommended) do:

$ sudo chmod +s /usr/sbin/tcpdump