Building cuckoo sandbox 2 from source

apt-get install sudo
adduser cuckoo
usermod -aG sudo cuckoo   # -a appends; a bare -G replaces the user's supplementary groups
apt-get install python-pip build-essential git python-all-dev python-setuptools
apt-get install python python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile bridge-utils python-pyrex
pip install jinja2 pymongo bottle pefile cybox maec django chardet
apt-get install jinja2 pymongo bottle pefile cybox maec django chardet python-lxml
pip install jinja2 pymongo bottle pefile cybox maec django chardet
apt-get install tcpdump
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
tar xvzf ssdeep-2.12.tar.gz
cd ssdeep-2.12/
make install
git clone
cd pydeep/
python build
python install
tar -xvf yara-1.7.tar.gz
cd yara-1.7
apt-get install libpcre3 libpcre3-dev
make install
echo "/usr/local/lib" >> /etc/
tar xvzf yara-python-1.7.tar.gz
cd yara-python-1.7/
python build
python install
cd distorm3
python build
python install
tar xvzf volatility-2.3.1.tar.gz
python build
python install
apt-get install dkms libgsoap5 libvncserver0 linux-headers-amd64 virtualbox virtualbox-dkms
virtualbox-qt libvpx1
VBoxManage hostonlyif create
ip link set vboxnet0 up
ip addr add dev vboxnet0
echo "VBoxManage list vms >> /dev/null 2>&1" >> /etc/rc.local   # redirect stdout first, then stderr to it, or stderr is not silenced

Not quite. Now: nano /etc/rc.local and move exit 0 so it is the final line (the appended command has to sit before it to run at boot).

Create a virtual machine base image loaded with obsolete software. I chose Adobe Reader 10.0.12 and Flash 10.2.1 for the initial VMs. As I run the sandbox in production I will add more groups of VMs; Cuckoo lets you organise VMs into logical groups, and you can select individual or multiple groups for a test run too.

At this point I seemed to have a dependency mismatch:

Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).

apt-get -f install

Reading package lists... Done
Building dependency tree
Reading state information... Done
Correcting dependencies... Done
The following extra packages will be installed:
libqt4-network libqt4-opengl
The following NEW packages will be installed:
libqt4-network libqt4-opengl
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 948 kB of archives.
After this operation, 3,293 kB of additional disk space will be used.
Do you want to continue? [Y/n]


Get:1 jessie/main libqt4-network amd64 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [605 kB]
Get:2 jessie/main libqt4-opengl amd64 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [343 kB]
Fetched 948 kB in 8s (114 kB/s)
Selecting previously unselected package libqt4-network:amd64.
(Reading database ... 116950 files and directories currently installed.)
Preparing to unpack .../libqt4-network_4%3a4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1_amd64.deb ...
Unpacking libqt4-network:amd64 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) ...
Selecting previously unselected package libqt4-opengl:amd64.
Preparing to unpack .../libqt4-opengl_4%3a4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1_amd64.deb ...
Unpacking libqt4-opengl:amd64 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) ...
Setting up libqt4-network:amd64 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) ...
Setting up libqt4-opengl:amd64 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) ...
Setting up virtualbox-5.0 (5.0.0~rc3-101436~Debian~jessie) ...
Adding group `vboxusers' (GID 125) ...
Processing triggers for libc-bin (2.19-18+deb8u4) ...
Processing triggers for systemd (215-17+deb8u4) ...

usermod -aG vboxusers cuckoo   # -a again, otherwise this drops cuckoo from the sudo group added earlier
git clone git://

Reload your shell (su again, or exit and reconnect) so the new group memberships take effect.

At this point my bash skills became useless: VirtualBox has a very extensive command-line interface (which I don't know), and we want to skip the OS boot of each VM by snapshotting every guest in a state perfectly ripe for incoming malware injection, which is not something I fancy doing from bash just yet.

apt-get install task-lxde-desktop

Log in as cuckoo.

Import all VMs, make sure each has the Python agent installed and a fixed IP that won't conflict, and attach them all to vboxnet0, the VirtualBox default network.

Once all your VMs are in a saved, snapshotted state:

cd /home/cuckoo/cuckoo

# Start the engine
# Start the web UI
utils/ runserver
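A post-install preflight check for the host built in the steps above, added here as an example and not part of the original post. It assumes tcpdump at /usr/sbin/tcpdump (as used above), /etc/rc.local, and the vboxnet0 host-only interface; each check takes a command's output as its argument so the logic can be tested against constructed samples.

```shell
#!/bin/bash
# Added example, not part of the original post: a preflight check for the Cuckoo
# host set up above. Each check_* function takes the OUTPUT of a command as $1 so
# it can be exercised against constructed samples; run_live_checks feeds it real
# output. Assumed: tcpdump at /usr/sbin/tcpdump, rc.local at /etc/rc.local, vboxnet0.

# tcpdump must hold cap_net_raw and cap_net_admin as effective+inheritable+permitted
# so the unprivileged cuckoo user can capture guest traffic (the setcap step above).
check_tcpdump_caps() {   # $1 = output of: getcap /usr/sbin/tcpdump
  case "$1" in *cap_net_raw*) ;; *) return 1 ;; esac
  case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
  case "$1" in *[+=]eip) return 0 ;; *) return 1 ;; esac
}

# cuckoo must be in BOTH sudo and vboxusers: 'usermod -G' without -a replaces the
# supplementary group list, so the second usermod silently drops the first group.
check_groups() {         # $1 = output of: id -nG cuckoo
  for g in sudo vboxusers; do
    case " $1 " in *" $g "*) ;; *) return 1 ;; esac
  done
  return 0
}

# The host-only interface must exist and be up, or guests cannot reach the agent host.
check_hostonly_up() {    # $1 = output of: ip -o link show vboxnet0
  case "$1" in *"<"*UP*">"*) return 0 ;; *) return 1 ;; esac
}

# The VBoxManage line appended to rc.local only runs if it sits BEFORE 'exit 0';
# a blind 'echo >> /etc/rc.local' lands after it, the mistake noted in the walkthrough.
check_rclocal_order() {  # $1 = contents of /etc/rc.local
  printf '%s\n' "$1" | awk '
    /VBoxManage/ && !v { v = NR }
    /^[[:space:]]*exit 0/ && !e { e = NR }
    END { exit !(v && (!e || v < e)) }'
}

run_live_checks() {      # run on the sandbox host; prints one FAIL line per problem
  rc=0
  check_tcpdump_caps "$(getcap /usr/sbin/tcpdump 2>/dev/null)"   || { echo "FAIL: tcpdump capabilities"; rc=1; }
  check_groups "$(id -nG cuckoo 2>/dev/null)"                    || { echo "FAIL: cuckoo not in sudo+vboxusers"; rc=1; }
  check_hostonly_up "$(ip -o link show vboxnet0 2>/dev/null)"    || { echo "FAIL: vboxnet0 missing or down"; rc=1; }
  check_rclocal_order "$(cat /etc/rc.local 2>/dev/null)"         || { echo "FAIL: VBoxManage line after exit 0"; rc=1; }
  [ "$rc" -eq 0 ] && echo "preflight OK"
  return "$rc"
}

if [ "${1-}" = "--live" ]; then run_live_checks; fi
```

Run it as `bash preflight.sh --live` on the sandbox host after the steps above; a non-zero exit means at least one check printed a FAIL line.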

Have fun.

Teslacrypt malware undetected by most major AV after 18 hours and counting.

Teslacrypt malware infection has spiked today: a JavaScript loader is being circulated through various webmail providers and downloaded and run on Windows machines, thanks to MBAM, Windows Defender, ESET and Avast (that I know of) not identifying it as a threat.

Here's an actual Outlook inbox (on-premise Exchange; note that Office 365 mailboxes are silently discarding this attachment).


From the outset Gmail and Office 365 were not spreading the malware forward: 365 silently drops the mail, Gmail sends you a friendly heads-up…


Namecheap private email is blissfully unaware 20 hours after the first report of a suspicious attachment.


ESET has added signatures for this outbreak at last, many hours behind other antivirus vendors but still not as late as: ALYac, AVware, Agnitum, AhnLab-V3, Alibaba, Antiy-AVL, Baidu, Baidu-International, Bkav, ByteHero, CAT-QuickHeal, CMC, ClamAV, Comodo, DrWeb, F-Secure, Ikarus, Jiangmin, K7AntiVirus, K7GW, Malwarebytes, Microsoft, NANO-Antivirus, Panda, Qihoo-360, Rising, SUPERAntiSpyware, Symantec, TheHacker, TrendMicro, TrendMicro-HouseCall, VBA32, ViRobot, Zillya, Zoner, nProtect.

At the end of today (actually well into the following day now) none of the above vendors has added signatures for this seriously damaging ransomware infection.

Researchers and analysts: download payload

If you don’t know the password, email [email protected] and ask nicely.