Analysis VM - Clevero/BeatMyPeekaboo GitHub Wiki
Analysis VM
Checklist for setting up
Capev2 Sandbox (Capev2 is recommended over Cuckoo)
- Installation of Windows 10 x64
- Install latest Python 3 x86
- Install pywin32 inside the vm (required for dealing with Microsoft Office files)
Cuckoo Sandbox
- Installation of Windows 7 x64
Checklist for both
- Give the VM internet access for installing software and updates
- Deactivate automatic updates for Windows
- Run updates of Windows if necessary
- Install Software like Firefox, Google Chrome, Skype, 7-zip, Notepad++, Java JRE, Python, Adobe Acrobat Reader, Microsoft Office (see "Software Versions")
- Install Python package "pillow" (used for screenshots during analysis)
- Deactivate UAC
- Copy agent.py into the Startup folder of the admin user
- Disable Windows Firewall
- Configure the internal network to the cuckoo host
- Remove the NAT NIC and add a NIC that is used only for communication between the cuckoo/peekaboo host and this specific analysis VM
- Configure a static IP on that NIC
- Create a snapshot for that vm in a state that should be used for analysis
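The guest-side steps of the checklist above, automated as an added example (this script is not part of the BeatMyPeekaboo wiki or of Cuckoo/CAPEv2). It assumes a Windows 10 guest (the Net* cmdlets are not available on Windows 7), an analysis-only NIC named "Ethernet", a host-side address of 192.168.56.1/24 and that agent.py was already copied to C:\agent\agent.py; adjust these to your lab.

```powershell
# Added example, not the project's own code. Run from an elevated PowerShell prompt
# inside the analysis VM, then take the snapshot. All values below are assumptions.
$AnalysisNic = 'Ethernet'          # NIC reserved for host <-> analysis VM traffic
$GuestIp     = '192.168.56.101'    # static address of this VM on the isolated network
$HostIp      = '192.168.56.1'      # cuckoo/peekaboo host on the same network
$AgentSource = 'C:\agent\agent.py' # where agent.py was copied beforehand

# Deactivate automatic updates so the snapshot stays stable between runs.
Stop-Service -Name wuauserv -Force
Set-Service  -Name wuauserv -StartupType Disabled

# Deactivate UAC (takes effect after a reboot) so consent prompts cannot block the agent.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                 -Name 'EnableLUA' -Value 0 -Type DWord

# Disable the Windows Firewall on all profiles so the host can reach the agent.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# Static IP on the analysis NIC. No default gateway is set on purpose: the guest
# should only be able to talk to the cuckoo/peekaboo host on this network.
Remove-NetIPAddress -InterfaceAlias $AnalysisNic -AddressFamily IPv4 `
                    -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $AnalysisNic -IPAddress $GuestIp -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $AnalysisNic -ServerAddresses $HostIp

# Python packages from the checklist: pillow (screenshots), pywin32 (Office files, CAPEv2).
python -m pip install pillow pywin32

# Put agent.py in the admin's Startup folder so it starts at logon after a snapshot restore.
$Startup = [Environment]::GetFolderPath('Startup')
Copy-Item -Path $AgentSource -Destination (Join-Path $Startup 'agent.py') -Force

# Verify the result before creating the snapshot.
Get-Service wuauserv | Select-Object Name, StartType, Status
Get-NetFirewallProfile | Select-Object Name, Enabled
Get-NetIPAddress -InterfaceAlias $AnalysisNic -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength
Test-NetConnection -ComputerName $HostIp -InformationLevel Quiet
```

Reboot once so the UAC change applies, log in as the admin user and confirm agent.py is running before you take the snapshot.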
Notes for Microsoft Office
In the Office security center (Trust Center), enable macros, VBA scripts, etc.
Software Versions:
Note that these software versions are the ones tested in my setups.
- Windows 10 x64 (Capev2 specific)
- Windows 7 x64 (Cuckoo specific)
- Microsoft Office 2010
- Adobe Acrobat Reader 9.0
  - From version 10.0 on, Adobe introduced sandboxing for opening PDFs, which injects a DLL at startup of the corresponding process. That conflicts with Cuckoo's own DLL injection at startup (assuming you have not deactivated it).
  - Disabling the sandbox mode (see ...) should help, but in the later versions I tested some errors persisted, so I stick to 9.0.
  - You can get these old versions from ftp://ftp.adobe.com/pub/adobe/reader/win
- Java 8 32 Bit
  - I had some trouble with the 64-bit version, where the corresponding process did not start correctly when DLL injection was enabled.
- Python 2 (latest version, 2.7.15 at the time of writing)
- Cuckoo Agent 0.8
  - A newer version, 0.9, is available, but I had some trouble with it too, so I stick with 0.8, at least until a new version of Cuckoo.
How do I deactivate the sandbox mode of newer Adobe Acrobat Reader?
Edit -> Preferences and select Security (Enhanced). Make sure that "Enable Protected Mode at Startup" and "Enable Enhanced Security" are unchecked.
See: https://github.com/cuckoosandbox/community/issues/421#issuecomment-402150495
Why aren't there any screenshots in my analysis?
Please go through the checklist for setting up an analysis VM. You most likely forgot to install the Python package "pillow".
Cuckoo throws 'NoneType' object has no attribute 'rootSnapshotList' (vSphere related)
In my setups, Cuckoo actually COULD connect to the vSphere host. Ensure that all configured VMs have a snapshot that is listed in the vsphere.conf.
Full error: [cuckoo] CRITICAL: CuckooCriticalError: Couldn't connect to vSphere host: 'NoneType' object has no attribute 'rootSnapshotList'