Cuckoo is an open-source malware sandbox written in Python.  Cuckoo can be configured to work with VirtualBox or KVM virtualization software.  It processes samples of malware within several minutes and can provide actionable indicators (Domains/IPs, File/Registry changes, Mutexes, etc.).  This post will go over installation and configuration of Cuckoo, and then lightly touch on some ways to validate the findings using IDA Pro.

Installation:

Below are the steps required to configure Cuckoo sandbox on Ubuntu with VirtualBox:

Downloading Cuckoo:

Installing the required dependencies:

Configuration:

Creating a user for Cuckoo:

Allows Cuckoo to use tcpdump without root privileges:

At this point you need to configure the following files based on how you plan to use Cuckoo.

Cuckoo.conf:

Virtualbox.conf:

processing.conf: