apt-get install sudo adduser cuckoo usermod -G sudo cuckoo apt-get install python-pip build-essential git python-all-dev python-setuptools apt-get install python python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile bridge-utils python-pyrex pip install jinja2 pymongo bottle pefile cybox maec django chardet apt-get install jinja2 pymongo bottle pefile cybox maec django chardet python-lxml pip install jinja2 pymongo bottle pefile cybox maec django chardet apt-get install tcpdump setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump getcap /usr/sbin/tcpdump wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.12/ssdeep-2.12.tar.gz tar xvzf ssdeep-2.12.tar.gz cd ssdeep-2.12/ ./configure make make install git clone https://github.com/kbandla/pydeep cd pydeep/ python setup.py build python setup.py install cd wget https://yara-project.googlecode.com/files/yara-1.7.tar.gz tar -xvf yara-1.7.tar.gz cd yara-1.7 ./configure apt-get install libpcre3 libpcre3-dev ./configure make make install echo "/usr/local/lib" >> /etc/ld.so.conf ldconfig wget https://yara-project.googlecode.com/files/yara-python-1.7.tar.gz tar xvzf yara-python-1.7.tar.gz cd yara-python-1.7/ python setup.py build python setup.py install wget https://distorm.googlecode.com/files/distorm3.zip unzip distorm3.zip cd distorm3 python setup.py build python setup.py install wget https://volatility.googlecode.com/files/volatility-2.3.1.tar.gz tar xvzf volatility-2.3.1.tar.gz python setup.py build python setup.py install cd apt-get install dkms libgsoap5 libvncserver0 linux-headers-amd64 virtualbox virtualbox-dkms virtualbox-qt libvpx1 VBoxManage hostonlyif create ip link set vboxnet0 up ip addr add 192.168.56.1/24 dev vboxnet0 echo "VBoxManage list vms 2>&1 >> /dev/null" >> /etc/rc.local Not quite - now: nano /etc/rc.local' and switch exit 0 to the final line create a virtual machine -base- image loaded with obsolete software. I chose adobe reader 10.0.12 and flash 10.2.1 for the initial VMs. As I run the sandbox in production I will add more groups of VMs. Cuckoo lets you organise groups logically. You can select individual or multiple groups for testing too. At this point I seemed to have a dependency mismatch: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution). apt-get -f install Reading package lists... Done Building dependency tree Reading state information... Done Correcting dependencies... Done The following extra packages will be installed: libqt4-network libqt4-opengl The following NEW packages will be installed: libqt4-network libqt4-opengl 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. 1 not fully installed or removed. Need to get 948 kB of archives. After this operation, 3,293 kB of additional disk space will be used. Do you want to continue? [Y/n] Y Get:1 http://ftp.uk.debian.org/debian/ jessie/main libqt4-network amd64 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [605 kB] Get:2 http://ftp.uk.debian.org/debian/ jessie/main libqt4-opengl amd64 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [343 kB] Fetched 948 kB in 8s (114 kB/s) Selecting previously unselected package libqt4-network:amd64. (Reading database ... 116950 files and directories currently installed.) Preparing to unpack .../libqt4-network_4%3a4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1_amd64.deb ... Unpacking libqt4-network:amd64 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) ... Selecting previously unselected package libqt4-opengl:amd64. Preparing to unpack .../libqt4-opengl_4%3a4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1_amd64.deb ... Unpacking libqt4-opengl:amd64 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) ... Setting up libqt4-network:amd64 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) ... Setting up libqt4-opengl:amd64 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) ... Setting up virtualbox-5.0 (5.0.0~rc3-101436~Debian~jessie) ... Adding group `vboxusers' (GID 125) ... Done. Processing triggers for libc-bin (2.19-18+deb8u4) ... Processing triggers for systemd (215-17+deb8u4) ... usermod -G vboxusers cuckoo git clone git://github.com/cuckoobox/cuckoo.git Reload your shell using su or exit + reconnect to reflect group memberships. Actually at this point my bash skills became useless as virtualbox has a very extensive commandline interface (which I don't know) and we want to skip the OS loading part of starting each VM by snapshotting all the guests at a state perfectly ripe for incoming malware injection - not something I fancy doing using bash just yet. apt-get install task-lxde-desktop startx login as cuckoo import all VMS, make sure they have the python agent installed and a fixed IP that won't conflict - they should all be set to use vboxnet0 which is the virtualbox 192.168.56.1/24 default network. once all your VMS are in a saved snapshotted state, cd /home/cuckoo/cuckoo # Start the engine ./cuckoo.py # Start the web UI utils/web.py runserver 0.0.0.0:8888 Have fun.
Here’s an actual Outlook inbox (On-premise exchange, note that Office 365 mailboxes are silently discarding this attachment)
From the offset Gmail and Office365 were not spreading the malware forward. 365 silently drops the mail, Gmail sends you a friendly heads-up…
Namecheap private email is blissfully unaware 20 hours after the first report of a suspicious attachment.
ESET has added signatures for this outbreak at last, many hours behind other antivirus vendors but still not as late as; ALYac AVware Agnitum AhnLab-V3 Alibaba Antiy-AVL Baidu Baidu-International Bkav ByteHero CAT-QuickHeal CMC ClamAV Comodo DrWeb F-Secure Ikarus Jiangmin K7AntiVirus K7GW Malwarebytes Microsoft NANO-Antivirus Panda Qihoo-360 Rising SUPERAntiSpyware Symantec TheHacker TrendMicro TrendMicro-HouseCall VBA32 ViRobot Zillya Zoner nProtect
At the end of today (actually well into the following day now) all the above vendors haven’t added signatures for this seriously damaging ransom-ware infection.
Researchers and analysts: download payload
If you don’t know the password, email firstname.lastname@example.org and ask nicely.