cephurs

How to Build a Cuckoo Sandbox Malware Analysis System

I had a heck of a time getting a Cuckoo sandbox running, and below I hope to help you get one up and running relatively quickly by detailing out the steps and gotchas I stumbled across along the way. I mention this in the references at the end of this gist, but what you see here is heavily influenced by this article from Nviso

Build your Linux Cuckoo VM

Setup a Ubuntu 16.04 64-bit desktop VM (download here) in VMWare with the following properties:

100GB hard drive
2 procs
8 gigs of RAM

references:

	// ██████╗ █████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██████╗ ██████╗ █████╗ ██████╗ ██████╗ ██╗
	// ██╔══██╗██╔══██╗██╔══██╗██║ ██╔╝██╔════╝╚██╗ ██╔╝██╔══██╗██╔═══██╗██╔══██╗██╔══██╗██╔══██╗██║
	// ██████╔╝███████║██║ ██║█████╔╝ █████╗ ╚████╔╝ ██████╔╝██║ ██║███████║██████╔╝██║ ██║██║
	// ██╔══██╗██╔══██║██║ ██║██╔═██╗ ██╔══╝ ╚██╔╝ ██╔══██╗██║ ██║██╔══██║██╔══██╗██║ ██║╚═╝
	// ██████╔╝██║ ██║██████╔╝██║ ██╗███████╗ ██║ ██████╔╝╚██████╔╝██║ ██║██║ ██║██████╔╝██╗
	// ╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝
	// No Donut!
	// Built from code by : https://gist.github.com/jiaaro and a twitter post from: https://twitter.com/zackwhittaker/status/1084554101625626624
	// Not for malicious use. You assume all responsibility for anything you do with this. Don't be a jerk. If I find out you used this to hurt people.
	// Just remember TAKEN. Get what I'm sayin?

	143 function Invoke-Mimidogz
	140 function Invoke-Mimikatz
	29 function Invoke-Mimi
	10 function Chokorun
	7 function Invoke-Ttest
	7 function Invoke-Mimiwormz
	7 function Invoke-Me
	6 function Invoke-Mimiturtle
	6 function Invoke-Mimimi
	5 function output

	# Dracula Theme for Consoles
	#
	# Console colors are set by the `setvtrgb` command which takes as argument a
	# file of exactly three lines of text. These lines are the 0..255 values for
	#
	# red: black,red,green,yellow,blue,magenta,cyan,white,bold_black,bold_red,bold_green,bold_yellow,bold_blue,bold_magenta,bold_cyan,bold_white
	# grn: black,red,green,yellow,blue,magenta,cyan,white,bold_black,bold_red,bold_green,bold_yellow,bold_blue,bold_magenta,bold_cyan,bold_white
	# blu: black,red,green,yellow,blue,magenta,cyan,white,bold_black,bold_red,bold_green,bold_yellow,bold_blue,bold_magenta,bold_cyan,bold_white
	#
	# Needless to say, this is a very annoying format. Here are the values for

	This is a pretty simple setup:
	Siri is used to control Homebridge using the HomeKit protocol.
	Homebridge has a module named Homebridge-ssh that allows you to run commands over ssh.
	There is a shell script on an OpenWrt box to enable, disable, and check the status of a MAC Address block in the FORWARD table.


	1. Install node on your platform. I went with 8.9 for no specific reason other than I initially had issues with 10 that probably weren't related..
	2. Install homebridge and homebridge-ssh. You should probably also put hombridge-config-ui-x on there too... I used the unsafe-perm parameter after getting a significant number of errors:
	sudo -i npm install -g homebridge --unsafe-perm
	sudo -i npm install -g homebridge-ssh --unsafe-perm

	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<Target Name="DemoClass">
	<ClassExample />
	</Target>
	<UsingTask
	TaskName="ClassExample"
	TaskFactory="CodeTaskFactory"
	AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
	<Task>
	<Code Type="Class" Language="cs">

	import shodan
	import sys
	import requests

	API_KEY = "apitoken"


	try:
	api = shodan.Shodan(API_KEY)
	result = api.search('port:3000 product:"Apache httpd" centOS')

	@ECHO OFF
	set IPADDRESS=x.x.x.x
	set INTERVAL=3
	:PINGINTERVAL
	ping google.com
	timeout %INTERVAL%
	GOTO PINGINTERVAL

	#!/usr/bin/env python3
	'''
	A simplified FLOSS implementation that only supports stackstrings.

	requirements:
	- yara-python
	- unicorn

	author: Willi Ballenthin
	email: [email protected]