Cuckoo Sandbox: a free, open-source sandbox for automated analysis of suspicious files
  kGqfJ67ri2Oh 2023-11-02

Cuckoo Sandbox


A **sandbox** is a security mechanism for executing unknown, untrusted software in isolation. A malware-analysis sandbox typically runs untrusted software automatically and dynamically inside an isolated environment and then extracts its run-time behaviour: process behaviour, network behaviour, file behaviour and so on. Security researchers use the results of this behavioural analysis to investigate the malware in more depth.

Cuckoo Sandbox is an open-source automated malware analysis system written in Python and C/C++. It covers four operating system platforms: Windows, Android, Linux and Darwin.

1.1 Main features

  • Traces and records every call the malware makes;
  • File behaviour of the malware: files it creates, modifies, deletes, reads or downloads while executing;
  • Memory dumps of the malware's processes;
  • The malware's network traffic, recorded in PCAP format;
  • Screenshots taken while the malware executes;
  • A full memory dump of the guest machine that executed the malware.

Cuckoo can analyse almost any file format.

1.2 Architecture

Cuckoo's architecture is fairly simple: the main Cuckoo program runs on the Host machine, and several Guest machines are connected to the Host over a virtual network. Each Guest runs a Cuckoo Agent program that acts as Cuckoo's monitoring agent. The structure is shown below:

[Figure: Cuckoo architecture diagram (Host running Cuckoo, virtual network, Guests each running a Cuckoo Agent)]

In other words, a file submitted through the web interface on the host is dispatched to one of the guests to run there, and the calls that file makes are collected.

Installation

This section explains how to install Cuckoo. A Linux system (Debian, Ubuntu, etc.) is recommended.

Dependencies

Before installing and configuring Cuckoo, the software and libraries it depends on must be installed.

When installing packages with apt on Debian, you can drop the sudo in front of the commands.

Installing Python libraries (Ubuntu/Debian-based)

Cuckoo's host-side components are written entirely in Python, so a suitable Python version is required. Currently the only fully compatible version is Python 2.7.

Older Python versions and Python 3 (support may come in the future) are currently not supported.

The following packages, installed via apt, are all required:

$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
$ sudo apt-get install python-virtualenv python-setuptools
$ sudo apt-get install libjpeg-dev zlib1g-dev swig

If you want to use our Django-based web interface, MongoDB must be installed:

$ sudo apt-get install mongodb

If you want to use a PostgreSQL database (recommended), PostgreSQL must also be installed:

$ sudo apt-get install postgresql libpq-dev

Yara and Pydeep are optional plugins. If you choose to install them, refer to their official sites for the installation steps.

If you use KVM, install the KVM-related dependencies:

$ sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils python-libvirt

If you want to use XenServer, the XenAPI Python package must be installed:

$ sudo pip install XenAPI

If you want to use the *mitm* auxiliary module (SSL/TLS man-in-the-middle interception of the analysed sample's traffic), mitmproxy must be installed; refer to its official installation instructions.

Installing Python libraries (on Mac OS X)

This is essentially the same as on Ubuntu/Debian, except that the brew package manager is used. Install all required dependencies as follows (this list is WIP):

$ brew install libmagic cairo pango openssl

In addition, you need to symlink OpenSSL into the standard GCC/Clang include directory so that yara-python can be compiled successfully. This can be done as follows:

$ cd /usr/local/include
$ ln -s ../opt/openssl/include/openssl .

Installing Python libraries (on Windows 7)

Look it up on Baidu yourself.

Virtualization software

Cuckoo Sandbox supports most virtualization software, and support for additional hypervisors can be added and used easily.

This document uses VirtualBox as the example. Which virtualization software you choose does not affect the later analysis, but once you have chosen a hypervisor you should configure it according to our corresponding documentation and FAQ.

Note

[Translator's note] KVM was chosen during testing.

Assuming you decide to use VirtualBox, you can get the appropriate package for your distribution from the official download page. Use the following commands to install the latest version of VirtualBox on an Ubuntu LTS machine. Note that Cuckoo supports VirtualBox 4.3, 5.0 and 5.1:

$ echo deb http://download.virtualbox.org/virtualbox/debian xenial contrib | sudo tee -a /etc/apt/sources.list.d/virtualbox.list
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install virtualbox-5.1

For more information on VirtualBox, refer to the official documentation.

Installing tcpdump

Tcpdump is used to capture all the traffic generated while the malware runs.

Install it with:

$ sudo apt-get install tcpdump apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump

Disabling the AppArmor profile is only needed when writing the PCAP file fails with a permission error; see Permission denied for tcpdump.

On Linux platforms where AppArmor is disabled, such as Debian, only tcpdump needs to be installed:

$ sudo apt-get install tcpdump

Tcpdump needs root privileges. If you do not want to run it as root, apply the following setting:

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

You can verify that the capabilities are set correctly with:

$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

If the setcap command is not available, install the following package:

$ sudo apt-get install libcap2-bin

Or (not recommended):

$ sudo chmod +s /usr/sbin/tcpdump

Note that setcap is not a fully secure solution and can open a privilege-escalation path, so we recommend installing Cuckoo in a dedicated environment.

Installing Volatility

Volatility is an optional tool for analysing memory dumps. Used together with Cuckoo it allows deeper and more comprehensive analysis and helps catch malware that uses rootkit techniques to evade the sandbox's monitoring.

To work properly, Cuckoo requires Volatility 2.3 or later; the latest version, 2.5, is recommended. It can be downloaded from the official repository.

See the official Volatility documentation for installation instructions.

Installing M2Crypto

The M2Crypto library currently requires SWIG. On Ubuntu/Debian-like systems it can be installed with:

$ sudo apt-get install swig

Once SWIG is installed, install M2Crypto with:

$ sudo pip install m2crypto==0.24.0

Installing guacd

guacd is a proxy layer for remote-control protocols such as RDP, SSH and VNC. It is used by the remote-control feature of Cuckoo's web interface and is optional.

Without it the remote-control feature cannot be used. Version 0.9.9 or later is required, and we recommend the latest version. Install it with:

$ sudo apt install libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd

If you only need remote desktop, the libguac-client-vnc0 and libguac-client-ssh0 packages can be skipped.

If you are on an older Linux distribution and want the latest guacd, you will have to build it yourself; we will not go into detail:

$ sudo apt -y install libcairo2-dev libjpeg-turbo8-dev libpng-dev libossp-uuid-dev libfreerdp-dev
$ mkdir /tmp/guac-build && cd /tmp/guac-build
$ wget https://www.apache.org/dist/guacamole/0.9.14/source/guacamole-server-0.9.14.tar.gz
$ tar xvf guacamole-server-0.9.14.tar.gz && cd guacamole-server-0.9.14
$ ./configure --with-init-dir=/etc/init.d
$ make && sudo make install && cd ..
$ sudo ldconfig
$ sudo /etc/init.d/guacd start

When installing from source, make sure you do not have another version of the libguac- libraries installed from the package manager, or you may run into incompatibility problems that can crash guacd.

Note that the VirtualBox Extension Pack must also be installed to take advantage of the remote-control feature.

Installing Cuckoo

Creating a user

Cuckoo can run under an existing user, or you can create a new user for it. Either way, make sure the virtual machines and Cuckoo run under the same user.

Create a new user:

$ sudo adduser cuckoo

If you use VirtualBox, make sure the new user belongs to the "vboxusers" group (or whichever group you use to run VirtualBox):

$ sudo usermod -a -G vboxusers cuckoo

If you use KVM, add the user to the libvirtd group:

$ sudo usermod -a -G libvirtd cuckoo

Increasing the open-file limit

See the FAQ entry IOError: [Errno 24] Too many open files: the operating system's limit on open files can cause report generation to fail.

Installing Cuckoo

Installing the latest version of Cuckoo is simple. We recommend using pip and setuptools to install it. (Some possible problems: DistributionNotFound / No distribution matching the version..)

Warning

Missing dependencies cause all kinds of problems. Read the Dependencies section carefully before installing.

$ sudo pip install -U pip setuptools
$ sudo pip install -U cuckoo

Installing Cuckoo globally is fine, but we strongly recommend installing it inside a virtualenv:

$ virtualenv venv
$ . venv/bin/activate
(venv)$ pip install -U pip setuptools
(venv)$ pip install -U cuckoo

Why we recommend virtualenv:

  • Cuckoo's dependencies are not the latest versions and may conflict with versions already on the system.
  • Installing other software on the system can break Cuckoo's dependencies.
  • With virtualenv, non-root users can install the required packages too.
  • In short, virtualenv is best practice.

Please refer to Cuckoo Working Directory and Cuckoo Working Directory usage to learn more about the Cuckoo Working Directory and how to operate it.

Installing from a file

By downloading a hard copy of the Cuckoo package and installing it offline, you can set up Cuckoo from a cached copy and/or keep a backup copy of the current Cuckoo release for the future. We also offer such tarballs for download on our website.

Fetching the tarballs of Cuckoo and all its dependencies manually can be done as follows:

$ pip download cuckoo

You will end up with a file Cuckoo-2.0.0.tar.gz (or one with a higher version number, depending on the latest stable release) together with all its dependencies (e.g., alembic-0.8.8.tar.gz).

Installing that exact version of Cuckoo works the way you are used to, installing directly with pip, except that you now pass the tarball's file name:

$ pip install Cuckoo-2.0.0.tar.gz

On a system without internet access, the $ pip download cuckoo command (run elsewhere) can be used to obtain all required dependencies, so one should be able, in theory, to install Cuckoo completely offline from those files by running something like:

$ pip install *.tar.gz

Building/installing Cuckoo from source

By cloning Cuckoo Sandbox from our official repository you can install it from source. After cloning, follow the steps described in Development with Python packages to start the installation.

Cuckoo Working Directory

New in version 2.0.0.

The new version introduces the concept of a Cuckoo Working Directory (CWD), which holds all the configuration files that previously lived elsewhere, as well as generated data and analysis results. This includes, but is not limited to, the following:

  • Configuration files
  • Cuckoo signatures
  • Cuckoo analyzer
  • Cuckoo agent
  • Yara rulesets
  • Cuckoo analysis data storage
  • Other files..

Compared with the previous layout, the Cuckoo Working Directory has many advantages.

Configuration

When Cuckoo is run for the first time, the CWD is created automatically, with output like the following:

$ cuckoo -d

         _       _                   _             _              _            _
        /\ \     /\_\               /\ \           /\_\           /\ \         /\ \
       /  \ \   / / /         _    /  \ \         / / /  _       /  \ \       /  \ \
      / /\ \ \  \ \ \__      /\_\ / /\ \ \       / / /  /\_\    / /\ \ \     / /\ \ \
     / / /\ \ \  \ \___\    / / // / /\ \ \     / / /__/ / /   / / /\ \ \   / / /\ \ \
    / / /  \ \_\  \__  /   / / // / /  \ \_\   / /\_____/ /   / / /  \ \_\ / / /  \ \_\
   / / /    \/_/  / / /   / / // / /    \/_/  / /\_______/   / / /   / / // / /   / / /
  / / /          / / /   / / // / /          / / /\ \ \     / / /   / / // / /   / / /
 / / /________  / / /___/ / // / /________  / / /  \ \ \   / / /___/ / // / /___/ / /
/ / /_________\/ / /____\/ // / /_________\/ / /    \ \ \ / / /____\/ // / /____\/ /
\/____________/\/_________/ \/____________/\/_/      \_\_\\/_________/ \/_________/

Cuckoo Sandbox 2.0.0
www.cuckoosandbox.org
Copyright (c) 2010-2017

=======================================================================
    Welcome to Cuckoo Sandbox, this appears to be your first run!
    We will now set you up with our default configuration.
    You will be able to modify the configuration to your likings
    by exploring the /home/cuckoo/.cuckoo directory.

    Among other configurable things of most interest is the
    new location for your Cuckoo configuration:
            /home/cuckoo/.cuckoo/conf
=======================================================================

Cuckoo has finished setting up the default configuration.
Please modify the default settings where required and
start Cuckoo again (by running `cuckoo` or `cuckoo -d`).

The exact path of the CWD can be seen in the output. By default it is ~/.cuckoo in the current user's home directory, and the configuration files live in $CWD/conf.

Because the configuration now lives in the CWD, it is separated from Cuckoo's engine, which makes future updates and maintenance easier: the two can be upgraded independently.

CWD path

By default the CWD is ~/.cuckoo, but the path can be changed in the following ways, listed from highest to lowest priority:

  • The --cwd command-line argument (e.g., --cwd ~/.cuckoo).
  • The CUCKOO environment variable (e.g., export CUCKOO=~/.cuckoo).
  • The CUCKOO_CWD environment variable.
  • A current directory named .cuckoo (e.g., after cd ~/.cuckoo the current directory is used as the CWD).
  • The default path ~/.cuckoo.

Because the CWD is configurable, several Cuckoo processes can in principle run in parallel, for example Windows and Android analyses at the same time.

Some sample commands for changing the CWD path follow.

# Places the CWD in /opt/cuckoo. Note that Cuckoo will normally create the
# CWD itself, but in order to create a directory in /opt root capabilities
# are usually required.
$ sudo mkdir /opt/cuckoo
$ sudo chown cuckoo:cuckoo /opt/cuckoo
$ cuckoo --cwd /opt/cuckoo

# You could place this line in your .bashrc, for example.
$ export CUCKOO=/opt/cuckoo
$ cuckoo
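As an added example (not code from this page or from Cuckoo itself), the following Python function applies the CWD precedence rules listed above and reports which rule won. The environment, current directory and home directory are passed in explicitly so the lookup can be exercised without touching the real system; the assumption that parallel instances must each get a distinct CWD is this example's own.

```python
import os


def _expand(path, home):
    """Expand a leading "~" to the supplied home directory. A stand-in for
    os.path.expanduser so results do not depend on the real $HOME."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return os.path.abspath(path)


def resolve_cwd(cwd_arg=None, environ=None, current_dir=None, home=None):
    """Return (path, rule) for the Cuckoo Working Directory, applying the
    precedence listed on this page from highest to lowest:
      1. the --cwd command-line argument
      2. the CUCKOO environment variable
      3. the CUCKOO_CWD environment variable
      4. the current directory, when its own name is ".cuckoo"
      5. the default ~/.cuckoo
    `rule` names the rule that won, so an operator can see why Cuckoo picked
    a particular directory. Illustrative reimplementation written for this
    page; it is not Cuckoo's own code."""
    if environ is None:
        environ = os.environ
    if current_dir is None:
        current_dir = os.getcwd()
    if home is None:
        home = os.path.expanduser("~")

    if cwd_arg:
        return _expand(cwd_arg, home), "--cwd"
    for var in ("CUCKOO", "CUCKOO_CWD"):
        if environ.get(var):
            return _expand(environ[var], home), var
    if os.path.basename(os.path.normpath(current_dir)) == ".cuckoo":
        return os.path.abspath(current_dir), "current directory named .cuckoo"
    return _expand("~/.cuckoo", home), "default"


def parallel_instances(env_by_instance, home):
    """Resolve the CWD of several instances that each run with their own
    environment (e.g. one for Windows and one for Android analysis) and
    return {instance: path}. Raises ValueError when two instances would end
    up sharing a CWD (assumption of this example: every instance needs its
    own working directory)."""
    paths = {}
    for name, env in env_by_instance.items():
        path, _ = resolve_cwd(environ=env, current_dir="/", home=home)
        if path in paths.values():
            raise ValueError("%s would share CWD %s with another instance" % (name, path))
        paths[name] = path
    return paths


if __name__ == "__main__":
    print(resolve_cwd("/opt/cuckoo", environ={}, current_dir="/tmp", home="/home/cuckoo"))
    print(parallel_instances({"windows": {"CUCKOO": "/opt/cuckoo-win"},
                              "android": {"CUCKOO": "/opt/cuckoo-android"}},
                             home="/home/cuckoo"))
```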

Configuration

Cuckoo has several core configuration files:

  • cuckoo.conf: general options and analysis parameters.
  • auxiliary.conf: enabling and configuring the auxiliary modules.
  • <machinery>.conf: the virtual-machine parameters (use the file matching the hypervisor you chose, e.g. kvm.conf for KVM).
  • memory.conf: Volatility configuration options.
  • processing.conf: enabling and configuring the processing modules.
  • reporting.conf: enabling and disabling the reporting modules.

For Cuckoo to work at all, at least two files must be configured: cuckoo.conf and <machinery>.conf.

cuckoo.conf

The file is located at $CWD/conf/cuckoo.conf. Note that $CWD refers to the Cuckoo Working Directory; see Cuckoo Working Directory. cuckoo.conf contains the general options, so make sure you understand what they mean before changing them.

The options are documented in detail in comments inside the file; a few deserve special mention:

  • machinery in [cuckoo]: selects the virtualization engine to use (e.g., virtualbox or vmware).
  • ip and port in [resultserver]: the IP and port on which Cuckoo's result server listens. Make sure they are reachable from the virtual machines' network; otherwise there may be no analysis results.
  • connection in [database]: the database connection URL. Any Database URL format supported by SQLAlchemy can be used.

auxiliary.conf

Auxiliary modules run alongside the malware; their options can be changed in this configuration file.

Below is the content of $CWD/conf/auxiliary.conf.

[Translator's note] The file content is not translated; the meaning of the options is clear enough.

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes

# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
tcpdump = /usr/sbin/tcpdump

# We used to define the network interface to capture on in auxiliary.conf, but
# this has been moved to the "interface" field of each Virtual Machinery
# configuration.

# Specify a Berkeley packet filter to pass to tcpdump.
# Note: packer filtering is not possible when using "nictrace" functionality
# from VirtualBox (for example dumping inter-VM traffic).
bpf = 

[mitm]
# Enable man in the middle proxying (mitmdump) [yes/no].
enabled = no

# Specify the path to your local installation of mitmdump. Make sure this
# path is correct.
mitmdump = /usr/local/bin/mitmdump

# Listen port base. Each virtual machine will use its own port to be
# able to make a good distinction between the various running analyses.
# Generally port 50000 should be fine, in this case port 50001, 50002, etc
# will also be used - again, one port per analyses.
port_base = 50000

# Script file to interact with the network traffic. Please refer to the
# documentation of mitmproxy/mitmdump to get an understand of their internal
# workings. (https://mitmproxy.org/doc/scripting/inlinescripts.html)
script = stuff/mitm.py

# Path to the certificate to be used by mitmdump. This file will be
# automatically generated for you if you run mitmdump once. It's just that
# you have to copy it from ~/.mitmproxy/mitmproxy-ca-cert.p12 to somewhere
# in the analyzer/windows/ directory. Recommended is to write the certificate
# to analyzer/windows/bin/cert.p12, in that case the following option should
# be set to bin/cert.p12.
certificate = bin/cert.p12

[services]
# Provide extra services accessible through the network of the analysis VM
# provided in separate, standalone, Virtual Machines [yes/no].
enabled = no

# Comma-separated list with each Virtual Machine containing said service(s).
services = honeyd

# Time in seconds required to boot these virtual machines. E.g., some services
# will only get online after a minute because initialization takes a while.
timeout = 0

[reboot]
# This auxiliary module should be enabled for reboot analysis support.
enabled = yes

<machinery>.conf

The machinery module defines how Cuckoo interacts with the chosen virtualization engine.

Each virtualization engine has its own configuration file, e.g. kvm.conf for KVM.

Cuckoo uses VirtualBox by default; its configuration file is $CWD/conf/virtualbox.conf.

The configuration files of the different hypervisors look similar, with only small differences. For example, XenServer is driven through its API, so a URL and credentials must be filled in.

The meaning of each option is documented in comments inside the file.

Below is the content of $CWD/conf/kvm.conf.

[kvm]
# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1

# Specify the name of the default network interface that will be used
# when dumping network traffic with tcpdump.
# Example (virbr0 is the interface name):
interface = virbr0


[cuckoo1]
# Specify the label name of the current machine as specified in your
# libvirt configuration.
label = cuckoo1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail. You may want to configure your network settings in
# /etc/libvirt/<hypervisor>/networks/
ip = 192.168.122.101

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the KVM MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = 

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump.
# Example (virbr0 is the interface name):
interface = 

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip = 

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port = 

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags = 

# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile =

memory.conf

Volatility provides a large number of memory-analysis plugins, some of which run very slowly. The $CWD/conf/memory.conf file lets you switch individual plugins on and off. To run memory analysis at all, two switches must be turned on:

  • Enable volatility in $CWD/conf/processing.conf
  • Enable memory_dump in $CWD/conf/cuckoo.conf
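As an added example that is not part of the original page or of Cuckoo, the following Python script cross-checks constructed fragments of cuckoo.conf, kvm.conf and processing.conf against the consistency rules stated in this section and in the kvm.conf comments: every machine listed in machines has its own section with a valid platform and IP; a machine that overrides resultserver_ip requires the result server in cuckoo.conf to bind to 0.0.0.0; and enabling the [memory] processing module (the section shown later in processing.conf) requires memory_dump in cuckoo.conf. All sample values are constructed.

```python
from configparser import ConfigParser
import ipaddress

# Constructed sample fragments of the three files (not copied from any real
# installation); only the keys this page discusses are included.
CUCKOO_CONF = """\
[cuckoo]
machinery = kvm
memory_dump = no

[resultserver]
ip = 192.168.56.1
port = 2042
"""

KVM_CONF = """\
[kvm]
machines = cuckoo1,cuckoo2,cuckoo3
interface = virbr0

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.122.101
resultserver_ip = 192.168.122.1

[cuckoo2]
label = cuckoo2
platform = solaris
ip = 192.168.122.999
"""

PROCESSING_CONF = """\
[memory]
enabled = yes
"""

# Platforms named on this page (kvm.conf comment plus the Android support).
PLATFORMS = {"windows", "darwin", "linux", "android"}


def _parse(text):
    cp = ConfigParser()
    cp.read_string(text)
    return cp


def check_config(cuckoo_text, machinery_text, processing_text):
    """Cross-check cuckoo.conf, <machinery>.conf and processing.conf; return
    a list of problems (an empty list means the three files are consistent)."""
    cuckoo, mach, proc = (_parse(t) for t in (cuckoo_text, machinery_text, processing_text))
    problems = []

    engine = cuckoo.get("cuckoo", "machinery", fallback="virtualbox")
    if not mach.has_section(engine):
        return ["cuckoo.conf selects machinery '%s' but no [%s] section exists" % (engine, engine)]

    rs_ip = cuckoo.get("resultserver", "ip", fallback="")
    machines = [m.strip() for m in mach.get(engine, "machines", fallback="").split(",") if m.strip()]
    if not machines:
        problems.append("[%s] machines is empty" % engine)

    for m in machines:
        if not mach.has_section(m):
            problems.append("machine '%s' is listed but has no [%s] section" % (m, m))
            continue
        platform = mach.get(m, "platform", fallback="")
        if platform not in PLATFORMS:
            problems.append("machine '%s': unknown platform '%s'" % (m, platform))
        ip = mach.get(m, "ip", fallback="")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append("machine '%s': invalid ip '%s'" % (m, ip))
        # kvm.conf comment: overriding resultserver_ip requires the result
        # server in cuckoo.conf to listen on 0.0.0.0.
        if mach.get(m, "resultserver_ip", fallback="") and rs_ip != "0.0.0.0":
            problems.append("machine '%s' sets resultserver_ip but [resultserver] ip in "
                            "cuckoo.conf is '%s', not 0.0.0.0" % (m, rs_ip))

    # Memory analysis needs both switches: [memory] in processing.conf and
    # memory_dump in cuckoo.conf, otherwise there is no dump to analyse.
    if proc.getboolean("memory", "enabled", fallback=False) and \
            not cuckoo.getboolean("cuckoo", "memory_dump", fallback=False):
        problems.append("processing.conf enables [memory] but cuckoo.conf has memory_dump off")
    return problems


if __name__ == "__main__":
    for p in check_config(CUCKOO_CONF, KVM_CONF, PROCESSING_CONF):
        print("PROBLEM:", p)
```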

In the basic settings section of $CWD/conf/memory.conf you can choose whether the memory dump is deleted after the Volatility analysis completes, which saves a lot of disk space. The section looks like this:

# Basic settings
[basic]
# Profile to avoid wasting time identifying it
guest_profile = WinXPSP2x86
# Delete memory dump after volatility processing.
delete_memdump = no

Below that, each plugin has its own section:

# Scans for hidden/injected code and dlls
# http://code.google.com/p/volatility/wiki/CommandReference#malfind
[malfind]
enabled = on
filter = on

# Lists hooked api in user mode and kernel space
# Expect it to be very slow when enabled
# http://code.google.com/p/volatility/wiki/CommandReference#apihooks
[apihooks]
enabled = off
filter = on

Each plugin can individually enable the filter (whitelist). pid_generic in [mask] configures a whitelist of process IDs; processes on that list are left out of the memory analysis:

# Masks. Data that should not be logged
# Just get this information from your plain VM Snapshot (without running malware)
# This will filter out unwanted information in the logs
[mask]
# pid_generic: a list of process ids that already existed on the machine before the malware was started.
pid_generic = 4, 680, 752, 776, 828, 840, 1000, 1052, 1168, 1364, 1428, 1476, 1808, 452, 580, 652, 248, 1992, 1696, 1260, 1656, 1156

processing.conf

This file enables, disables and configures the processing modules. Processing modules belong to the cuckoo.processing package and analyse the raw data collected during an analysis.

Each processing module has its own section in $CWD/conf/processing.conf.

# Enable or disable the available processing modules [yes/no].
# If you add a custom processing module to your Cuckoo setup, you have to add
# a dedicated entry in this file, or it won't be executed.
# You can also add additional options under the section of your module and
# they will be available in your Python class.

[analysisinfo]
enabled = yes

[apkinfo]
enabled = no
# Decompiling dex files with androguard in a heavy operation. For large dex
# files it can really take quite a while - it is recommended to limit to a
# certain filesize.
decompilation_threshold = 5000000

[baseline]
enabled = no

[behavior]
enabled = yes

[buffer]
enabled = yes

[debug]
enabled = yes

[droidmon]
enabled = no

[dropped]
enabled = yes

[dumptls]
enabled = yes

[extracted]
enabled = yes

[googleplay]
enabled = no
android_id = 
google_login = 
google_password = 

[memory]
# Create a memory dump of the entire Virtual Machine. This memory dump will
# then be analyzed using Volatility to locate interesting events that can be
# extracted from memory.
enabled = no

[misp]
enabled = no
url = 
apikey = 

# Maximum amount of IOCs to look up (hard limit).
maxioc = 100

[network]
enabled = yes

# Allow domain whitelisting
whitelist_dns = no

# Allow DNS responses from your configured DNS server for whitelisting to
# deactivate when responses come from some other DNS
# Can be also multiple like : 8.8.8.8,8.8.4.4
allowed_dns = 

[procmemory]
# Enables the creation of process memory dumps for each analyzed process right
# before they terminate themselves or right before the analysis finishes.
enabled = yes
# It is possible to load these process memory dumps in IDA Pro through the
# generation of IDA Python-based script files. Although currently symbols and
# such are not properly recovered, it is still nice to get a quick look at
# specific memory addresses of a process.
idapro = no
# Extract executable images from this process memory dump. This allows us to
# relatively easily extract injected executables.
extract_img = yes
# Also extract DLL files from the process memory dump.
extract_dll = no
# Delete process memory dumps after analysis to save disk space.
dump_delete = no

[procmon]
# Enable procmon processing. This only takes place when the "procmon=1" option
# is set for an analysis.
enabled = yes

[screenshots]
enabled = yes
# Set to the actual tesseract path (i.e., /usr/bin/tesseract or similar)
# rather than "no" to enable OCR analysis of screenshots.
# Note: doing OCR on the screenshots is a rather slow process.
tesseract = no

[snort]
enabled = no
# Following are various configurable settings. When in use of a recent 2.9.x.y
# version of Snort there is no need to change any of the following settings as
# they represent the defaults.
#
snort = /usr/local/bin/snort
conf = /etc/snort/snort.conf

[static]
enabled = yes
# On bigger PDF files PeePDF may take a substantial amount of time to perform
# static analysis of PDF files, with times of over an hour per file estimated
# in production. This option will by default limit the maximum processing time
# to one minute, but this may be adjusted accordingly. Note that if the timeout
# is hit, no static analysis results through PeePDF will be available.
pdf_timeout = 60

[strings]
enabled = yes

[suricata]
enabled = no

# Following are various configurable settings. When in use of a recent version
# of Suricata there is no need to change any of the following settings as they
# represent the defaults.
suricata = /usr/bin/suricata
conf = /etc/suricata/suricata.yaml
eve_log =  eve.json
files_log = files-json.log
files_dir = files

# By specifying the following line our processing module can use the socket
# mode in Suricata. This is quite the performance improvement as instead of
# having to load all the Suricata rules for each time the processing module is
# ran (i.e., for every task), the rules are only loaded once and then we talk
# to its API. This does require running Suricata as follows or similar;
# "suricata --unix-socket -D".
# (Please find more information in utils/suricata.sh for now).
# socket = /var/run/suricata/cuckoo.socket
socket = 

[targetinfo]
enabled = yes

[virustotal]
enabled = no
# How much time we can wait to establish VirusTotal connection and get the
# report.
timeout = 60
# Enable this option if you want to submit files to VirusTotal not yet available
# in their database.
# NOTE: if you are dealing with sensitive stuff, enabling this option you could
# leak some files to VirusTotal.
scan = no
# Add your VirusTotal API key here. The default API key, kindly provided
# by the VirusTotal team, should enable you with a sufficient throughput
# and while being shared with all our users, it shouldn't affect your use.
key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088

[irma]
enabled = no
# IRMA @ github : https://github.com/quarkslab/irma
# How much time we can wait to establish IRMA connection and get the report.
timeout = 60
# Enable this option if you want to submit files to IRMA not yet available.
scan = no
# Force scan of submitted files
force = no
# URL to your IRMA installation
# For example : https://your.irma.host
url =

If you have a private VirusTotal key, you can replace the default key with your own.

reporting.conf

$CWD/conf/reporting.conf configures report generation.

It mainly contains the following.

# Enable or disable the available reporting modules [on/off].
# If you add a custom reporting module to your Cuckoo setup, you have to add
# a dedicated entry in this file, or it won't be executed.
# You can also add additional options under the section of your module and
# they will be available in your Python class.

[feedback]
# Automatically report errors that occurred during an analysis. Requires the
# Cuckoo Feedback settings in cuckoo.conf to have been filled out properly.
enabled = no

[jsondump]
enabled = yes
indent = 4
calls = yes

[singlefile]
# Enable creation of report.html and/or report.pdf?
enabled = no
# Enable creation of report.html?
html = no
# Enable creation of report.pdf?
pdf = no

[misp]
enabled = no
url = 
apikey = 

# The various modes describe which information should be submitted to MISP,
# separated by whitespace. Available modes: maldoc ipaddr hashes url.
mode = maldoc ipaddr hashes url

[mongodb]
enabled = no
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username = 
password = 

[elasticsearch]
enabled = no
# Comma-separated list of ElasticSearch hosts. Format is IP:PORT, if port is
# missing the default port is used.
# Example: hosts = 127.0.0.1:9200, 192.168.1.1:80
hosts = 127.0.0.1
# Increase default timeout from 10 seconds, required when indexing larger
# analysis documents.
timeout = 300
# Set to yes if we want to be able to search every API call instead of just
# through the behavioral summary.
calls = no
# Index of this Cuckoo instance. If multiple Cuckoo instances connect to the
# same ElasticSearch host then this index (in Moloch called "instance") should
# be unique for each Cuckoo instance.
index = cuckoo

# Logging time pattern.  This sets how elasticsearch creates indexes
# by default it is yearly in most instances this will be sufficient
# valid options: yearly, monthly, daily
index_time_pattern = yearly

# Cuckoo node name in Elasticsearch to identify reporting host. Can be useful
# for automation and while referring back to correct Cuckoo host.
cuckoo_node = 

[moloch]
enabled = no
# If the Moloch web interface is hosted on a different IP address than the
# Cuckoo Web Interface then you'll want to override the IP address here.
host = 
# If you wish to run Moloch in http (insecure) versus https (secure) mode,
# set insecure to yes.
insecure = no

# Following are various configurable settings. When in use of a recent version
# of Moloch there is no need to change any of the following settings as they
# represent the defaults.
moloch_capture = /data/moloch/bin/moloch-capture
conf = /data/moloch/etc/config.ini
instance = cuckoo

[notification]
# Notification module to inform external systems that analysis is finished.
# You should consider keeping this as very last reporting module.
enabled = no

# External service URL where info will be POSTed.
# example : https://my.example.host/some/destination/url
url = 

# Cuckoo host identifier - can be hostname.
# for example : my.cuckoo.host
identifier = 

[mattermost]
enabled = no

# Mattermost webhook URL.
# example : https://my.mattermost.host/hooks/yourveryrandomkey
url = 

# Cuckoo host URL to make analysis ID clickable.
# example : https://my.cuckoo.host/
myurl = 

# Username to show when posting message
username = cuckoo

# What kind of data to show apart from default.
# Show virustotal hits.
show_virustotal = no

# Show matched cuckoo signatures.
show_signatures = no

# Show collected URL-s by signature "network_http".
show_urls = no

# Hide filename and create hash of it
hash_filename = no
# Hide URL and create hash of it
hash_url = no

Set an option's value to on or off to enable or disable the corresponding report.

[Copyright notice] The content of this article comes from original posts, third-party submissions and reposts by users of the Moduyun community; copyright belongs to the original authors. This site aims to share information, does not own the copyright and assumes no legal responsibility. If you find content on this site that appears to be plagiarised, please report it by e-mail with supporting evidence; once verified, the content will be removed immediately. Report e-mail: cloudbbs@moduyun.com

Last edited 2023-11-08