This is an old revision of the document!
For this exercise you will need a virtual machine with Cuckoo Sandbox installed.
Start the X server on the VMWare guest and then run the followings commands (without privileges) in two separate terminal windows to lunch cuckoo sandbox services. Make sure that from the GUI you can open the VirtualBox application (and that all the VMs within it are powered off). You can try to enter full screen mode at this time with the VMWare guest if you want to. To verify that cuckoo sandboxing is running open the hxxp://127.0.0.1:8000 into a browser.
#cuckoo web runserver #cuckoo -d
In the case of misconfigured guest VM (i.e., the Windows 7 VirtualBox VM), you can reset it to the initial configuration. 1
VBoxManage snapshot "win7cuckoo" take "original" --pause
VBoxManage controlvm "win7cuckoo" poweroff
VBoxManage snapshot "win7cuckoo" restorecurrent
To start the malware investigation, submit the received files using the dashboard and select Analyze from the “Configure your Analysis” page. Please configure a 500 seconds Timeout to allow enough time for execution and make sure that the package type is “exe” from the left-side panel for a proper lunch.
After the report has been generated, you should be able to answer the following questions.
All the monitored actions are stored by Cuckoo in the “.cuckoo” configuration folder under the storage directory.
Cuckoo sandbox has a lot of extra tools that it can use for deeper analysis, including snort IDS, IDA for binary or Yara for signature matching. The Yara rules can be run against the binary itself, against the memory dump or accessed URLs. In this exercise we are going to use the Yara rules available on the following github repository. Just copy them in the yara configuration directory and re-run the analysis.