To day, i will guide you install cuckooDroid.
What is cuckooDroid?
CuckooDroid is an extension of Cuckoo Sandbox the Open Source software for automating analysis of suspicious files. CuckooDroid brigs to cuckoo the capabilities of execution and analysis of android application.
How to install?
– Ubuntu 14.04 on VMware Workstation 11
a. Setup ubuntu on VMware Workstation 11
+ RAM 2GB
+ Process 4(2 processors, 2 cores per processor)
+ Hard Disk (SCSI): 80 GB
b. Download CuckooDroid
+ You must install git to download CuckuDroid
$sudo apt-get install git
- Download CuckuDroid
We will using command:
$ git clone --depth=1 https://github.com/cuckoobox/cuckoo.git cuckoo -b 1.2 $ cd cuckoo $ git checkout -b 1.2 $ git remote add droid https://github.com/idanr1986/cuckoo-droid $ git pull --no-edit -s recursive -X theirs droid master $ cat conf-extra/processing.conf >> conf/processing.conf $ cat conf-extra/reporting.conf >> conf/reporting.conf $ rm -r conf-extra $ echo "protobuf" >> requirements.txt
We will change file requirements.txt with content:
Open file with command:
$sudo gedit requirements.txt
alembic==0.8.0 beautifulsoup4==4.4.1 cffi==1.6.0 chardet==2.3.0 cryptography==1.3.2 Django==1.8.4 dpkt==126.96.36.199 ecdsa==0.13 elasticsearch==2.2.0 enum34==1.0.4 Flask==0.10.1 HTTPReplay==0.1.15 idna==2.0 ipaddress==1.0.14 itsdangerous==0.24 Jinja2==2.8 jsbeautifier==1.5.10 Mako==1.0.1 MarkupSafe==0.23 ndg-httpsclient==0.4.0 oletools==0.42 http://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz#egg=pefile pyasn1==0.1.8 pycparser==2.14 pymisp==2.4.36 pymongo==3.0.3 pyOpenSSL==0.15.1 python-dateutil==2.4.2 python-editor==0.3 python-magic==0.4.6 requests==2.7.0 six==1.9.0 SQLAlchemy==1.0.8 tlslite-ng==0.6.0-alpha3 wakeonlan==0.2.2 Werkzeug==0.10.4 protobuf
1. Install lib python and mongodb
$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev $ sudo apt-get install mongodb $ cd ~/cuckoo $ sudo pip install -r requirements.txt $ sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils $ python-libvirt $ sudo pip install XenAPI
$ sudo apt-get install tcpdump $ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump $ sudo apt-get install libcap2-bin $ sudo chmod +s /usr/sbin/tcpdump
- Install CookuDroid
i. Host Configuration
[cuckoo] # Enable or disable startup version check. When enabled, Cuckoo will connect # to a remote location to verify whether the running version is the latest # one available. version_check = on # If turned on, Cuckoo will delete the original file after its analysis # has been completed. delete_original = off # If turned on, Cuckoo will delete the copy of the original file in the # local binaries repository after the analysis has finished. (On *nix this # will also invalidate the file called "binary" in each analysis directory, # as this is a symlink.) delete_bin_copy = off # Specify the name of the machinery module to use, this module will # define the interaction between Cuckoo and your virtualization software # of choice. machinery = avd # Enable creation of memory dump of the analysis machine before shutting # down. Even if turned off, this functionality can also be enabled at # submission. Currently available for: VirtualBox and libvirt modules (KVM). memory_dump = off # When the timeout of an analysis is hit, the VM is just killed by default. # For some long-running setups it might be interesting to terminate the # monitored processes before killing the VM so that connections are closed. terminate_processes = off # Enable automatically re-schedule of "broken" tasks each startup. # Each task found in status "processing" is re-queued for analysis. reschedule = off # Enable processing of results within the main cuckoo process. # This is the default behavior but can be switched off for setups that # require high stability and process the results in a separate task. process_results = on # Limit the amount of analysis jobs a Cuckoo process goes through. # This can be used together with a watchdog to mitigate risk of memory leaks. max_analysis_count = 0 # Limit the number of concurrently executing analysis machines. # This may be useful on systems with limited resources. # Set to 0 to disable any limits. max_machines_count = 0 # Limit the amount of VMs that are allowed to start in parallel. Generally # speaking starting the VMs is one of the more CPU intensive parts of the # actual analysis. This option tries to avoid maxing out the CPU completely. max_vmstartup_count = 10 # Minimum amount of free space (in MB) available before starting a new task. # This tries to avoid failing an analysis because the reports can't be written # due out-of-diskspace errors. Setting this value to 0 disables the check. # (Note: this feature is currently not supported under Windows.) freespace = 64 # Temporary directory containing the files uploaded through Cuckoo interfaces # (api.py and Django web interface). tmppath = /tmp # Path to the unix socket for running root commands. rooter = /tmp/cuckoo-rooter [routing] # Default network routing mode; "none", "internet", or "vpn_name". # In none mode we don't do any special routing - the VM doesn't have any # network access (this has been the default actually for quite a while). # In internet mode by default all the VMs will be routed through the network # interface configured below (the "dirty line"). # And in VPN mode by default the VMs will be routed through the VPN identified # by the given name of the VPN (as per vpn.conf). # Note that just like enabling VPN configuration setting this option to # anything other than "none" requires one to run utils/rooter.py as root next # to the Cuckoo instance (as it's required for setting up the routing). route = none # Network interface that allows a VM to connect to the entire internet, the # "dirty line" so to say. Note that, just like with the VPNs, this will allow # malicious traffic through your network. So think twice before enabling it. # (For example, to route all VMs through eth0 by default: "internet = eth0"). internet = none # Routing table name/id for "dirty line" interface. If "dirty line" is # also default gateway in the system you can leave "main" value. Otherwise add # new routing table by adding " " line to /etc/iproute2/rt_tables # (e.g., "200 eth0"). ID and name must be unique across the system (refer to # /etc/iproute2/rt_tables for existing names and IDs). rt_table = main # To route traffic through multiple network interfaces Cuckoo uses # Policy Routing with separate routing table for each output interface # (VPN or "dirty line"). If this option is enabled Cuckoo on start will try # to automatically initialise routing tables by copying routing entries from # main routing table to the new routing tables. Depending on your network/vpn # configuration this might not be sufficient. In such case you would need to # initialise routing tables manually. Note that enabling this option won't # affect main routing table. auto_rt = yes [resultserver] # The Result Server is used to receive in real time the behavioral logs # produced by the analyzer. # Specify the IP address of the host. The analysis machines should be able # to contact the host through such address, so make sure it's valid. # NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option # `resultserver_ip` for all your virtual machines in machinery configuration. ip = 0.0.0.0 # Specify a port number to bind the result server on. port = 2042 # Force the port chosen above, don't try another one (we can select another # port dynamically if we can not bind this one, but that is not an option # in some setups) force_port = no # Maximum size of uploaded files from VM (screenshots, dropped files, log) # The value is expressed in bytes, by default 10Mb. upload_max_size = 10485760 [processing] # Set the maximum size of analyses generated files to process. This is used # to avoid the processing of big files which may take a lot of processing # time. The value is expressed in bytes, by default 100Mb. analysis_size_limit = 104857600 # Enable or disable DNS lookups. resolve_dns = on # Enable PCAP sorting, needed for the connection content view in the web interface. sort_pcap = on [database] # Specify the database connection string. # NOTE: If you are using a custom database (different from sqlite), you have to # use utf-8 encoding when issuing the SQL database creation statement. # Examples, see documentation for more: # sqlite:///foo.db # postgresql://foo:[email protected]:5432/mydatabase # mysql://foo:[email protected]/mydatabase # If empty, default is a SQLite in db/cuckoo.db. connection = # Database connection timeout in seconds. # If empty, default is set to 60 seconds. timeout = [timeouts] # Set the default analysis timeout expressed in seconds. This value will be # used to define after how many seconds the analysis will terminate unless # otherwise specified at submission. default = 120 # Set the critical timeout expressed in (relative!) seconds. It will be added # to the default timeout above and after this timeout is hit # Cuckoo will consider the analysis failed and it will shutdown the machine # no matter what. When this happens the analysis results will most likely # be lost. critical = 60 # Maximum time to wait for virtual machine status change. For example when # shutting down a vm. Default is 60 seconds. vm_state = 60
[avd] #Path to the local installation of the android emulator emulator_path = /home/thuanlv/android-sdk-linux/tools/emulator #Path to the local installation of the adb - android debug bridge utility. adb_path = /home/thuanlv/android-sdk-linux/platform-tools/adb #Path to the emulator machine files is located avd_path = /home/thuanlv/.android/avd #name of the reference machine that is used to duplicate reference_machine = aosx # Specify a comma-separated list of available machines to be used. For each # specified ID you have to define a dedicated section containing the details # on the respective machine. (E.g. aosx_1,aosx_2,aosx_3) #currently supports only 1 machine for network limitations machines =aosx_1 [aosx_1] # Specify the label name of the current machine as specified in your # aosx_1 configuration. label = aosx_1 # Specify the operating system platform used by current machine platform = android # Specify the IP address of the current virtual machine. Make sure that the # IP address is valid and that the host machine is able to reach it. If not, # the analysis will fail. # its always 127.0.0.1 because android emulator networking configurations this the loopback of the host machine ip = 127.0.0.1 #Specify the port for the emulator as your adb sees it. emulator_port=5554 # (Optional) Specify the IP of the Result Server, as your virtual machine sees it. # The Result Server will always bind to the address and port specified in cuckoo.conf, # however you could set up your virtual network to use NAT/PAT, so you can specify here # the IP address for the Result Server as your machine sees it. If you don't specify an # address here, the machine will use the default value from cuckoo.conf. # NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf. # Example: resultserver_ip = 10.0.2.2 # (Optional) Specify the port for the Result Server, as your virtual machine sees it. # The Result Server will always bind to the address and port specified in cuckoo.conf, # however you could set up your virtual network to use NAT/PAT, so you can specify here # the port for the Result Server as your machine sees it. If you don't specify a port # here, the machine will use the default value from cuckoo.conf. # Example: resultserver_port = 2042 [sniffer] # Enable or disable the use of an external sniffer (tcpdump) [yes/no]. enabled = yes # Specify the path to your local installation of tcpdump. Make sure this # path is correct. tcpdump = /usr/sbin/tcpdump # Specify the network interface name on which tcpdump should monitor the # traffic. Make sure the interface is active. interface = vboxnet0 # Specify a Berkeley packet filter to pass to tcpdump. # bpf = not arp
# Enable or disable the available reporting modules [on/off]. # If you add a custom reporting module to your Cuckoo setup, you have to add # a dedicated entry in this file, or it won't be executed. # You can also add additional options under the section of your module and # they will be available in your Python class. [jsondump] enabled = yes indent = 4 encoding = latin-1 [reporthtml] enabled = yes [mmdef] enabled = no [maec40] enabled = no mode = overview processtree = true output_handles = false static = true strings = true virustotal = true [mongodb] enabled = yes host = 127.0.0.1 port = 27017 db = cuckoo store_memdump = yes [reportandroidhtml] enabled = yes
[sniffer] # Enable or disable the use of an external sniffer (tcpdump) [yes/no]. enabled = yes # Specify the path to your local installation of tcpdump. Make sure this # path is correct. tcpdump = /usr/sbin/tcpdump # Specify the network interface name on which tcpdump should monitor the # traffic. Make sure the interface is active. interface = vboxnet0 # Specify a Berkeley packet filter to pass to tcpdump. # bpf = not arp
- Create emulator
Download and install sdk on ubuntu in here.
Install Android SDK Build-tools và System image
Create emulator with configuration:
AVD Name - aosx Device - Nexus One Target - android 4.1.2 Cpu/Abi - arm Ram - 512mb Vm Heap - 32 Internal Storage - 512mb Sdcard size - 512 mib Emulation options - use host GPU
Open emulator with command:
$ emulator -avd aosx -qemu -nand -system,size=0x1f400000,file=/system-images/android-16/default/armeabi-v7a/system.img& $ cd utils/android_emulator_creator
Setting on emulator:
● Press settings->security->screenlock->none
● Press settings->Display->sleep->30 minutes
● Start Generate contacts app
● Start Supersuser app
● Start xposedinstaller app
● In Modules, check both packages Droidmon , Android Blue Pill
● Press framework -> install -> cancel-> soft reboot
● After the reboot, close the machine.
● You have now created a reference machine to duplicate each analysis instead of reverting to snapshot
$ cd ~/cuckoo/agent/android/java_agent $ adb install CuckooAgent.apk
Open two tag terminal with command:
Tag 1: $ python cuckoo.py Tag 2: $ cd android_web $ python manage.py runserver
Address: http://127.0.0.1:8000(or http://ip_server:8000)
Install complete! We can using CookuDroid to analysic file .apk.