How to Setup Your Own Malware Analysis Box – Cuckoo Sandbox

I am writing this blog entry because I know I was not the only one who had trouble setting up my own malware analysis box – Cuckoo. I have tried many tutorials, both written and video recorded, and I could never make it work. Finally, I decided to work on it until I came up with the process that successfully deployed Cuckoo for me. This is me putting things together from different sources. I hope someone will find this entry helpful.

I am also a visual learner, so in addition to the text commands, I’ve also included screenshots of each step I took:


  • Ubuntu 18.04 – This is your Guest OS in VMWare Workstation
  • Windows 7 – This is your Guest OS in VirtualBox inside the Ubuntu Guest OS
  • Enable virtualization within VMWare in Ubuntu VM:


  1. Update Ubuntu box:
    • sudo apt-get update
  2. Install required packages and apt repositories:
    • sudo apt-get -y install python python-pip python-dev libffi-dev libssl-dev
    • sudo apt-get -y install python-virtualenv python-setuptools
    • sudo apt-get -y install libjpeg-dev zlib1g-dev swig
  3. Install MongoDB:
    • sudo apt-get -y install mongodb
  4. Install PostgreSQL:
    • sudo apt-get -y install postgresql libpq-dev
  5. Install VirtualBox:
    • sudo apt-get -y install virtualbox
  6. Install tcpdump AppArmor:
    • sudo apt-get -y install tcpdump apparmor-utils
    • sudo aa-disable /usr/sbin/tcpdump
  7. Add a new group and add a user so you don’t have to run as root:
    • sudo adduser –disabled-password –gecos “” jonaldtest
    • sudo groupadd pcap
    • sudo usermod -a -G pcap jonaldtest
    • sudo chgrp pcap /usr/sbin/tcpdump
    • sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
  8. Verify the last command:
    • getcap /usr/sbin/tcpdump
  9. Install M2Crypto:
    • sudo pip install m2crypto
  10. Add the account you created in step 7 to vboxusers group:
    • sudo usermod -a -G vboxusers jonaldtest
  11. Create a virtual environment by using a script. Save the script as (Shoutout to Josh Stroschein for the code) You can download the script at the end of this post:
  12. Change the permission of the script:
    • sudo chmod +x
  13. Run the script using your current logged-in user and not the one you created in step 7:
    • sudo -u jonald ./
  14. Update your current shell environment:
    • source ~/.bashrc
  15. Create a virtual environment. You can name your virtual environment anything you want, I am using sandbox:
    • mkvirtualenv -p python2.7 sandbox
  16. Setup and install cuckoo while you are inside your newly created virtual env (sandbox):
    • pip install -U pip setuptools
    • pip install -U cuckoo
  17. Create a directory to mount Windows 7 iso (open a new terminal):
    • sudo mkdir /mnt/win7
    • sudo chown jonaldtest:jonaldtest /mnt/win7
    • sudo mount -o ro,loop win7ultimate.iso /mnt/win7
  18. Install packages again just to make sure that there are no missing packages after everything that we have installed so far:
    • sudo apt-get -y install build-essential libssl-dev libffi-dev python-dev genisoimage
    • sudo apt-get -y install zlib1g-dev libjpeg-dev
    • sudo apt-get -y install python-pip python-virtualenv python-setuptools swig
  19. Install vmcloak and run it (inside the virtual environment):
    • pip install -U vmcloak
    • vmcloak
  20. Create a HOST-ONLY network adapter using vmcloak:
    • vmcloak-vboxnet0
  21. Setup Windows VM (this takes between 45 – 60 minutes):
    • vmcloak init –verbose –win7x64 win7x64base –cpus 2 –ramsize 2048
  22. Clone the Windows VM:
    • vmcloak clone win7x64base win7x64cuckoo
  23. Install some basic software packages:
    • vmcloak install win7x64cuckoo adobepdf pillow java flash vcredist vcredist.version=2015u3 wallpaper ie11 office office.version=2013 office.isopath=/home/jonald/Office_2013_Plus.iso office.serialkey= XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
  24. Create the Windows VMs:
    • vmcloak snapshot –count 4 win7x64cuckoo
  25. View the list of VMs:
    • vmcloak list vms
  26. Create the cuckoo directory where all config files get saved (still inside the virtual environment):
    • cuckoo init
  27. Update cuckoo to the latest signature (you have to do this regularly so the signature gets updated with the current known threats signature):
    • cd .cuckoo/conf
    • cuckoo community –force
  28. Open .cuckoo/conf/virtualbox.conf and change the MODE to GUI:
    • nano virtualbox.conf
    • mode = gui (from headless)
    • save the change
  29. Copy and paste the below command to add the 4 VMs we created to the conf file:
    • while read -r vm ip; do cuckoo machine –add $vm $ip; done < <(vmcloak list vms)
  30. Open virtualbox.conf again, remove cuckoo1 under machines, delete everything after controlports and stop when you see the first IP address that matches the IP under machines:
    • Delete cuckoo1
  31. Check your network adapter for the next setup steps:
    • ip a
  32. Run the following commands inside of the virtual environment:
    • sudo sysctl -w net.ipv4.conf.vboxnet0.forwarding=1
    • sudo sysctl -w net.ipv4.conf.ens33.forwarding=1
    • sudo iptables -t nat -A POSTROUTING -o ens33 -s -j MASQUERADE
    • sudo iptables -P FORWARD DROP
    • sudo iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
    • sudo iptables -A FORWARD -s -j ACCEPT
  33. OPTIONAL: Install terminator:
    • sudo apt-get install terminator
  34. Open Terminator and split it to four windows:
    • Split to 4 windows
  35. Enter the virtual environment in all terminals:
    • workon sandbox
  36. (Terminator window 1) type:
    • cuckoo rooter –sudo –group jonald
    • Leave terminal window 1 running
  37. Change the routing information. Open routing.conf and change the internet entry to your network adapter (ens33):
    • internet = ens33
    • save the file
  38. Change the reporting information. Open reporting.conf and change the MongoDB entry to yes:
    • enabled = yes
    • save the file
  39. Do not touch the first window with command “cuckoo rooter –sudo –group jonald”. Go to another and start cuckoo:
    • cuckoo
    • Leave terminal window 2 running
  40. In a third terminal, start the cuckoo web server:
    • cuckoo web –host –port 8080
    • Leave terminal window 3 running
  41. Open a web browser to access the cuckoo web interface:
  42. This is how your Terminator should look like while using cuckoo sandbox:
    • Terminator
    • Don’t forget to take a snapshot of your Ubuntu VM. I would recommend reverting to a snapshot after a verified malicious file analysis. You don’t want to take the risk of an 0-day VM escape vulnerability. Haha

I hope you find this helpful. If you haven’t subscribed here, please do so.

Below is the script I used in step 11.

#!/usr/bin/env bash

# Author: Josh Stroschein
# Source:
# NOTES: Run this script as: sudo -u <USERNAME>
#        Additionally, your environment may not allow the script to source bashrc and you may need to do this manually after the script completes

# install virtualenv
sudo apt-get update && sudo apt-get -y install virtualenv

# install virtualenvwrapper
sudo apt-get -y install virtualenvwrapper

echo "source /usr/share/virtualenvwrapper/" >> ~/.bashrc

# install pip for python3
sudo apt-get -y install python3-pip

# turn on bash auto-complete for pip
pip3 completion --bash >> ~/.bashrc

# avoid installing with root
pip3 install --user virtualenvwrapper

echo "export VIRTUALENVWRAPPER_PYTHON=/usr/bin/python3" >> ~/.bashrc

echo "source ~/.local/bin/" >> ~/.bashrc

export WORKON_HOME=~/.virtualenvs

echo "export WORKON_HOME=~/.virtualenvs" >> ~/.bashrc

echo "export PIP_VIRTUALENV_BASE=~/.virtualenvs" >> ~/.bashrc 

source ~/.bashrc

Published by lightkunyagami

Join the Conversation


Leave a comment

Leave a Reply to jdmorto Cancel reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: