Created
August 8, 2020 20:08
-
-
Save BoredHackerBlog/33d38cd22e91e2a498b10918cccea599 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #source: https://medium.com/@soji256/build-a-cape-sandbox-to-analyze-emotet-3d507599dda6 | |
| # https://medium.com/@soji256/build-a-malconfscan-with-cuckoo-environment-to-analyze-emotet-ff0c4c589afe | |
| #download IE VM from https://gist.github.com/zmwangx/e728c56f428bc703c6f6#gistcomment-3196040 | |
| # https://drive.google.com/a/pondurance.com/uc?export=download&id=0B76gNAvlBE7eSXp3ZDBSSWdUUjA | |
| #for ubuntu 18.04 desktop | |
| # username must be research | |
| sudo apt update | |
| sudo apt upgrade -y | |
| sudo apt install -y git make automake | |
| sudo apt install -y python-dpkt python-jinja2 python-magic python-pymongo python-libvirt python-bottle python-pefile python-chardet swig libssl-dev clamav-daemon python-geoip geoip-database mono-utils | |
| sudo apt install -y mongodb | |
| sudo apt install -y python python-pip python-setuptools | |
| sudo apt install -y apparmor-utils | |
| sudo apt install -y net-tools | |
| sudo aa-disable /usr/sbin/tcpdump | |
| sudo groupadd pcap | |
| sudo usermod -a -G pcap research | |
| sudo chgrp pcap /usr/sbin/tcpdump | |
| sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump | |
| sudo apt install -y virtualbox | |
| sudo usermod -a -G vboxusers research | |
| sudo vboxmanage hostonlyif create | |
| sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0 | |
| pip install sqlalchemy bson | |
| pip install cybox==2.1.0.9 | |
| pip install maec==4.1.0.11 | |
| sudo apt install -y libtool libjansson-dev libmagic-dev | |
| pip install yara-python | |
| wget https://github.com/VirusTotal/yara/archive/v3.10.0.tar.gz | |
| tar -zxf v3.10.0.tar.gz | |
| cd yara-3.10.0 | |
| ./bootstrap.sh | |
| ./configure --enable-cuckoo --enable-magic | |
| make | |
| sudo make install | |
| cd ../ | |
| git clone https://github.com/volatilityfoundation/volatility.git | |
| cd volatility | |
| python setup.py install | |
| cd ../ | |
| pip install distorm3==3.4.4 | |
| pip install pefile | |
| sudo apt install -y pkg-config libvirt-dev libfuzzy-dev libgeoip-dev | |
| git clone --single-branch --branch Dev https://github.com/ctxis/CAPE | |
| cd CAPE/utils/ | |
| python ./community.py --force --rewrite --all | |
| cd ../ | |
| grep -v libvirt requirements.txt > requirements2.txt | |
| pip install libvirt-python==5.10.0 | |
| pip install -r requirements2.txt | |
| cd ../ | |
| sudo service clamav-daemon start | |
| sudo systemctl enable clamav-daemon | |
| sudo service mongodb start | |
| sudo systemctl enable mongodb | |
| # IE VM setup | |
| #Set display resolution to 1024 x 768 | |
| #Disable Windows Update | |
| #Disable Windows Defender | |
| #Disable Windows Firewall | |
| #Disable UAC (Set not to notify) | |
| #Select “Ask me later” when asked to set when starting IE | |
| #Installing Python 2.7 https://www.python.org/ftp/python/2.7.13/python-2.7.13.msi | |
| #Installing PIL-1.1.7.win32-py2.7.exe | |
| #http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe | |
| #Set agent.py in startup folder as agent.pyw | |
| #agent.py : | |
| #https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/cuckoo/data/agent/agent.py | |
| #Startup folder : | |
| #%AppData%\Microsoft\Windows\Start Menu\Programs\Startup | |
| #Network Settings | |
| #- IP address:192.168.56.101 | |
| #- Subnet mask:255.255.255.0 | |
| #- Default gateway:192.168.56.1 | |
| #- Preferred DNS server:8.8.8.8 | |
| #- Alternate DNS server:8.8.4.4 | |
| # network should be set to host-only | |
| # network settings | |
| ls -l /etc/resolv.conf | |
| sudo rm -f /etc/resolv.conf | |
| sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf | |
| sudo service systemd-resolved restart | |
| # ens33 should be replaced with w/e the outgoing interface is, tun0 should work fine | |
| # Initializes iptables settings. | |
| sudo iptables -t nat -F | |
| sudo iptables -F | |
| sudo iptables -L | |
| sudo iptables -A INPUT -i lo -j ACCEPT | |
| sudo iptables -A INPUT -i vboxnet0 -j ACCEPT | |
| sudo iptables -A INPUT -m conntrack — ctstate ESTABLISHED,RELATED -j ACCEPT | |
| sudo iptables -A FORWARD -m conntrack — ctstate ESTABLISHED,RELATED -j ACCEPT | |
| sudo iptables -A POSTROUTING -t nat -j MASQUERADE | |
| sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.0.0/16 -i vboxnet0 -o ens33 -j DROP | |
| sudo iptables -A FORWARD -s 192.168.56.0/24 -d 172.16.0.0/12 -i vboxnet0 -o ens33 -j DROP | |
| sudo iptables -A FORWARD -s 192.168.56.0/24 -d 10.0.0.0/8 -i vboxnet0 -o ens33 -j DROP | |
| sudo iptables -A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens33 -m conntrack — ctstate NEW -j ACCEPT | |
| sudo iptables -P INPUT DROP | |
| sudo iptables -P FORWARD DROP | |
| sudo sysctl -w net.ipv4.ip_forward=1 | |
| sudo apt install -y iptables-persistent | |
| sudo bash | |
| echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf | |
| exit | |
| # modify cape/cuckoo config as mentioned in the article | |
| # set up a script to start CAPE at reboot | |
| # reboot | |
| # start CAPE via the scripts | |
| # commands for scripts: | |
| sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0 | |
| sudo python CAPE/utils/rooter.py /tmp/cuckoo-rooter -g research | |
| sudo python CAPE/cuckoo -d | |
| sudo python CAPE/web/manage.py runserver |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment