A How-To guide to deploying a malware analysis lab on macOS High Sierra (10.13.1)
awesome-security/MalwareLab

This manual describes all the necessary steps to deploy a malware analysis lab based on Cuckoo Sandbox.

Tools list: Cuckoo Sandbox, Volatility, Yara, PyDeep (ssdeep), VMCloak, PostgreSQL, MongoDB, Elasticsearch and Moloch.

So less talk, more rock!

All the necessary preparations

Install brew

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Install latest Python 2.7

curl https://www.python.org/ftp/python/2.7.14/python-2.7.14-macosx10.6.pkg -o python-2.7.14-macosx10.6.pkg
sudo installer -pkg python-2.7.14-macosx10.6.pkg -target /

Upgrade pip & setuptools

pip install -U pip setuptools --user

Install & link latest tcpdump

brew install tcpdump
brew link tcpdump

Install latest openssl

brew install openssl
echo 'PATH="$(brew --prefix openssl)/bin:$PATH"' >> ~/.bash_profile
echo 'LD_LIBRARY_PATH=/usr/local/opt/openssl/lib:"${LD_LIBRARY_PATH}"' >> ~/.bash_profile
echo 'CPATH=/usr/local/opt/openssl/include:"${CPATH}"' >> ~/.bash_profile
echo 'PKG_CONFIG_PATH=/usr/local/opt/openssl/lib/pkgconfig:"${PKG_CONFIG_PATH}"' >> ~/.bash_profile
echo 'export LD_LIBRARY_PATH CPATH PKG_CONFIG_PATH' >> ~/.bash_profile

Install python modules required by Cuckoo

pip install distorm3 PyCrypto pillow OpenPyxl ujson pytz psycopg2 --user

Install PyDeep

curl http://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download -o ssdeep-2.13.tar.gz
tar -zxf ssdeep-2.13.tar.gz
cd ssdeep-2.13
./configure
make
make install
pip install pydeep --user

Install Volatility

git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py install

Install Yara

brew install swig
env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" SWIG_FEATURES="-cpperraswarn -includeall -I$(brew --prefix openssl)/include" pip install m2crypto
curl https://pypi.python.org/packages/57/4a/aa0aeb948bb3cd355281ee40401b6673df2f809ed36afc35993c8f02a4d1/yara-python-3.6.3.tar.gz -o yara-python-3.6.3.tar.gz
tar -zxf yara-python-3.6.3.tar.gz
cd yara-python-3.6.3/
python setup.py build
python setup.py install

Install libmagic, cairo, pango, gdk-pixbuf

brew install libmagic cairo pango gdk-pixbuf

Deploying the DB (cuckoo db & username are given as an example)

brew install mongodb postgresql
brew services start postgresql
createdb cuckoo
psql cuckoo
CREATE USER cuckoo WITH PASSWORD 'your_cuckoo_password';
GRANT ALL PRIVILEGES ON DATABASE cuckoo TO cuckoo;
\q

Install VMCloak for creating VMs

pip install vmcloak --user

Install Elasticsearch

Download latest openjdk 1.8.0_X and install it

hdiutil attach jdk-8u152-macosx-x64.dmg
sudo installer -pkg "/Volumes/JDK 8 Update 152/JDK 8 Update 152.pkg" -target /
hdiutil detach "/Volumes/JDK 8 Update 152"

Modify path variables in .bash_profile

echo 'export ES_HOME="/full/path/to/elasticsearch/"' >> ~/.bash_profile
echo 'export JAVA_HOME="/Library/Java/JavaVirtualMachines/jdk1.8.0_X.jdk/Contents/Home/"' >> ~/.bash_profile
echo 'export PATH="$ES_HOME/bin:$JAVA_HOME/bin:$PATH"' >> ~/.bash_profile
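Every `echo ... >> ~/.bash_profile` line in this guide (the openssl block above and the ES_HOME/JAVA_HOME/PATH block here) appends unconditionally, so re-running the setup stacks duplicate PATH and LD_LIBRARY_PATH entries. The helper below is an added example, not part of the original guide: it appends a profile line only when it is not already present verbatim. The profile path defaults to ~/.bash_profile as the guide uses; the commented usage lines assume the guide's placeholder paths.

```shell
#!/bin/sh
# Added example: idempotent append of environment lines to a shell profile.

# append_once LINE [PROFILE]
# Appends LINE to PROFILE (default ~/.bash_profile) unless an identical line exists.
append_once() {
    line=$1
    profile=${2:-"$HOME/.bash_profile"}
    # create the profile if it is missing so grep has a file to search
    [ -f "$profile" ] || : > "$profile"
    # -x: whole-line match, -F: fixed string (the lines contain $ and quotes)
    if grep -qxF -- "$line" "$profile"; then
        return 0        # already present, nothing to do
    fi
    printf '%s\n' "$line" >> "$profile"
}

# count_matches LINE PROFILE
# Prints how many times LINE occurs verbatim in PROFILE (0 when absent).
count_matches() {
    grep -cxF -- "$1" "$2" || true
}

# Usage with the guide's own lines (paths are the guide's placeholders):
# append_once 'export ES_HOME="/full/path/to/elasticsearch/"'
# append_once 'export JAVA_HOME="/Library/Java/JavaVirtualMachines/jdk1.8.0_X.jdk/Contents/Home/"'
# append_once 'export PATH="$ES_HOME/bin:$JAVA_HOME/bin:$PATH"'
```

Single quotes around each line matter: they keep `$ES_HOME` and `$JAVA_HOME` unexpanded in the file so they are resolved at login, not at setup time.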

Edit /etc/pf.conf if you want to enable port forwarding: add the following line after the "nat-anchor" line, substituting your VirtualBox host-only network address

nat on en1 from x.x.x.0/24 to any -> (en1)
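pf rejects translation rules placed after filter rules, so the "after nat-anchor" placement above is not cosmetic. The script below is an added example (not the guide's code): it inserts the guide's rule into a copy of pf.conf right after the nat-anchor line and fails instead of appending blindly when no such line exists. The sample pf.conf it writes is constructed here, modelled on the stock macOS file; the interface and subnet are parameters, with en1 and the host-only subnet as placeholders exactly as in the guide.

```shell
#!/bin/sh
# Added example: place the NAT rule after the nat-anchor line of a pf.conf copy.

# sample_pf_conf
# Writes a constructed pf.conf (modelled on the stock macOS one) to stdout.
sample_pf_conf() {
    cat <<'EOF'
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
EOF
}

# add_nat_rule PFCONF IFACE SUBNET
# Prints PFCONF with "nat on IFACE from SUBNET to any -> (IFACE)" inserted
# directly after the first nat-anchor line. Exits non-zero if that line is
# missing, because appending the rule at the end would land it after the
# filter "anchor" rules and pf would refuse to load the file.
add_nat_rule() {
    conf=$1; iface=$2; subnet=$3
    rule="nat on $iface from $subnet to any -> ($iface)"
    awk -v rule="$rule" '
        { print }
        /^nat-anchor/ && !done { print rule; done = 1 }
        END { if (!done) exit 1 }
    ' "$conf"
}

# Usage on the real host (not run here):
#   add_nat_rule /etc/pf.conf en1 x.x.x.0/24 > /tmp/pf.conf.new
#   sudo pfctl -nf /tmp/pf.conf.new   # syntax check only, loads nothing
#   sudo cp /tmp/pf.conf.new /etc/pf.conf
```

The parenthesised `(en1)` tells pf to use the interface's current address, so the rule survives a DHCP change on the outbound interface. Running `pfctl -nf` on the new file before copying it into place catches ordering mistakes without touching the live ruleset.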

Install Cuckoo!

pip install cuckoo --user

I recommend setting a proper working directory

cuckoo --cwd /working/directory

If you want to generate PDF reports

pip install -U weasyprint==0.36 --user

Install MOLOCH

Install node.js v6.x

curl https://nodejs.org/dist/latest-v6.x/node-v6.12.0.pkg -o node-v6.12.0.pkg
sudo installer -pkg node-v6.12.0.pkg -target /

Some more preparations

brew install libffi
brew link libffi --force
brew link gettext --force
brew install geoip ossp-uuid libyaml jansson cpanm
sudo cpanm JSON

Finally you can install MOLOCH

git clone https://github.com/aol/moloch
cd moloch

The secret spell to compile MOLOCH on macOS

./configure --with-libpcap=/usr/local/opt/libpcap --with-yara=/usr/local/opt/yara --with-GeoIP=/usr/local/opt/geoip --with-glib2=no GLIB2_CFLAGS="-I/usr/local/opt/glib/include/glib-2.0 -I/usr/local/opt/glib/lib/glib-2.0/include/" GLIB2_LIBS="-L/usr/local/opt/glib/lib -lglib-2.0 -lgmodule-2.0 -lgobject-2.0 -lgio-2.0 -lgthread-2.0 -L/usr/local/lib" LDFLAGS="-L/usr/local/lib" LIBS="-L/usr/local/opt/openssl/lib"
make

Create the install directory and make it yours, since make install runs unprivileged:

sudo mkdir -p /data/moloch
sudo chown -R your_user:your_group /data/moloch

cd viewer && npm update
cd .. && make install

Edit /data/moloch/bin/moloch_add_user.sh, replacing '/data/moloch/bin/node' with 'node'

Edit config.ini.sample in /data/moloch/etc and save your results in config.ini

First run

Setting a host-only ip-address

sudo ifconfig vboxnet0 x.x.x.x

Enabling ip forwarding

sudo sysctl -w net.inet.ip.forwarding=1
sudo pfctl -f /etc/pf.conf
sudo pfctl -e

Tweaking & running mongod (should be done in a new terminal)

sudo launchctl limit maxfiles 65536 65536
sudo launchctl limit maxproc 2048 2048
ulimit -n 65536
mongod --dbpath /your/db/path

Run elasticsearch (should be done in a new terminal)

elasticsearch

Moloch first run (should be done in a new terminal)

/data/moloch/db/db.pl http://127.0.0.1:9200 init
/data/moloch/bin/moloch_add_user.sh YOUR_CUCKOO_USERNAME_HERE admin YOUR_CUCKOO_PASS --admin
/data/moloch/bin/moloch-capture

Run moloch viewer (should be done in a new terminal)

node /data/moloch/viewer/viewer.js -c /data/moloch/etc/config.ini

Update & run cuckoo (should be done in a new terminal)

cuckoo community
cuckoo -d

Run cuckoo web (should be done in a new terminal)

cuckoo web

Still WIP
