How to Use Cuckoo Sandbox for Malware Analysis
Cuckoo Sandbox detonates suspicious files inside an isolated virtual machine, captures all system calls, network connections, file operations, and registry changes, then produces a structured report. This guide covers installation, Windows guest configuration, sample submission, and interpreting results.
Architecture
Host (Ubuntu) ──── VirtualBox ──── Windows 7/10 Guest (agent.py)
│ │
Cuckoo Manager malware runs here
Web interface reports sent back
Network capture (tcpdump)
Result processing
The host runs the Cuckoo coordinator. A Windows guest VM runs agent.py (the Cuckoo agent), which receives samples and executes them. The host captures all traffic from the guest network.
1. Host Prerequisites
sudo apt update && sudo apt install -y \
python3 python3-pip python3-venv \
virtualbox virtualbox-ext-pack \
tcpdump libcap-dev \
mongodb postgresql \
ssdeep libfuzzy-dev \
yara
# Add your user to vboxusers
sudo usermod -aG vboxusers $USER
# Allow tcpdump without root for cuckoo user
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
2. Create a Dedicated User
sudo adduser cuckoo --disabled-password --gecos ""
sudo usermod -aG vboxusers cuckoo
sudo su - cuckoo
All subsequent commands run as the cuckoo user.
3. Install Cuckoo
python3 -m venv ~/cuckoo-env
source ~/cuckoo-env/bin/activate
pip install --upgrade pip setuptools wheel
pip install cuckoo
# Initialize Cuckoo working directory
cuckoo init
cuckoo community # download community signatures
# Expected structure:
ls ~/.cuckoo/
# conf/ db/ log/ storage/
4. Create and Configure the Windows Guest VM
Step 1: Download a Windows 7 or Windows 10 ISO. Microsoft’s official evaluation ISOs work.
Step 2: Create VM in VirtualBox:
VBoxManage createvm --name "cuckoo-win7" --ostype Windows7 --register
VBoxManage modifyvm "cuckoo-win7" \
--memory 2048 --cpus 2 \
--vram 64 --graphicscontroller vboxvga \
--audio none \
--usb off --usbehci off
# Create disk
VBoxManage createhd --filename ~/vms/cuckoo-win7.vdi --size 40960
# Attach disk and ISO
VBoxManage storagectl "cuckoo-win7" --name "SATA" --add sata
VBoxManage storageattach "cuckoo-win7" \
--storagectl "SATA" --port 0 --device 0 \
--type hdd --medium ~/vms/cuckoo-win7.vdi
VBoxManage storageattach "cuckoo-win7" \
--storagectl "SATA" --port 1 --device 0 \
--type dvddrive --medium ~/isos/Win7_SP1.iso
Step 3: Set up host-only networking (isolates the guest from the internet):
# Create host-only adapter
VBoxManage hostonlyif create
# Note the name: e.g., vboxnet0
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
VBoxManage modifyvm "cuckoo-win7" --nic1 hostonly --hostonlyadapter1 vboxnet0
Step 4: Install Windows, disable Windows Defender, disable automatic updates, enable Python 3.
Step 5: Copy the Cuckoo agent to the guest:
# From host:
cp ~/.cuckoo/agent/agent.py /tmp/agent.py
# Then copy into VM via shared folder or via VBoxManage guestcontrol
VBoxManage guestcontrol "cuckoo-win7" \
copyto /tmp/agent.py "C:\\agent.py" \
--username Administrator --password yourpass
On the Windows guest, set agent.py to run at startup:
- Place in
C:\agent.py - Create scheduled task or add to registry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Step 6: Take a snapshot named clean:
VBoxManage snapshot "cuckoo-win7" take "clean"
This snapshot is restored before each analysis.
5. Configure Cuckoo
# ~/.cuckoo/conf/virtualbox.conf
[virtualbox]
mode = gui # use headless for production
path = /usr/bin/VBoxManage
machines = cuckoo-win7
[cuckoo-win7]
label = cuckoo-win7
platform = windows
ip = 192.168.56.101
snapshot = clean
interface = vboxnet0
resultserver_ip = 192.168.56.1
resultserver_port = 2042
# ~/.cuckoo/conf/cuckoo.conf — key settings
[resultserver]
ip = 192.168.56.1
port = 2042
[processing]
enable_memory = no # memory dump analysis (requires volatility, resource intensive)
[reporting]
[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
db = cuckoo
6. Enable Internet Routing (Optional, Careful)
By default, the guest has no internet access. Some malware requires internet to phone home. Only enable this on a fully isolated lab network:
# Enable IP forwarding and NAT for the guest network
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.56.0/24 -j MASQUERADE
sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
# Capture all guest traffic with INetSim to simulate internet without real access
sudo apt install -y inetsim
# Configure /etc/inetsim/inetsim.conf to listen on 192.168.56.1
INetSim responds to DNS queries, HTTP requests, and SMTP connections with fake responses — malware thinks it has internet but you capture everything safely.
7. Submit a Sample
source ~/cuckoo-env/bin/activate
# Start Cuckoo (keep this terminal open)
cuckoo
# In a second terminal, submit a sample
cuckoo submit /tmp/suspicious.exe
# Submit with options
cuckoo submit --timeout 120 --package exe /tmp/suspicious.exe
# Submit a URL
cuckoo submit --url https://suspicious-domain.example.com
# Check task status
cuckoo api & # start REST API
curl http://127.0.0.1:8090/tasks/list
8. View Reports via Web Interface
# Start the web interface
cuckoo web runserver 0.0.0.0:8000
# Open in browser: http://localhost:8000
The report includes:
- Summary: verdict, score, detected families
- Behavioral analysis: process tree, file operations, registry changes, API calls
- Network analysis: DNS queries, HTTP requests, TCP/UDP connections
- Dropped files: any files written to disk during execution
- Screenshots: VM screen captures at intervals
9. Read Reports from CLI
# Reports stored in ~/.cuckoo/storage/analyses/<task_id>/
ls ~/.cuckoo/storage/analyses/1/
# Key files:
# reports/report.json — full JSON report
# dump.pcap — full network capture
# files/ — dropped files
# shots/ — screenshots
# Extract network IOCs
python3 - <<'EOF'
import json
report = json.load(open("/root/.cuckoo/storage/analyses/1/reports/report.json"))
network = report.get("network", {})
print("DNS queries:")
for dns in network.get("dns", []):
print(f" {dns['request']} -> {dns['answers']}")
print("\nHTTP requests:")
for http in network.get("http", []):
print(f" {http['method']} {http['host']}{http['uri']}")
EOF
YARA Rule Scanning
Add YARA rules for automatic signature matching:
# Place .yar files in
~/.cuckoo/yara/
# Example rule
cat > ~/.cuckoo/yara/ransomware.yar <<'EOF'
rule RansomwareExtensionChange {
meta:
description = "Detects mass file extension changes"
strings:
$ext1 = ".locked"
$ext2 = ".encrypted"
$ext3 = ".crypto"
condition:
2 of them
}
EOF
Cuckoo automatically runs YARA against all dropped files and memory dumps.
Related Reading
- How to Use Volatility for Memory Forensics
- How to Set Up Snort IDS on Linux
- How to Use Zeek for Network Monitoring
- How Blockchain Analysis Companies Track Your Crypto
- AI Coding Assistant Session Data Lifecycle
- Claude Code for Taint Analysis Workflow Tutorial Guide
Built by theluckystrike — More at zovo.one