Installing Cuckoo 1.1 on Mac OS X Mavericks

From Zam Wiki

Setting up the environment

  1. sudo easy_install pip
  2. ruby -e "$(curl -fsSL"
  3. brew install ssdeep
  4. sudo pip install --upgrade sqlalchemy bson jinja2 pymongo bottle pefile maec==4.0 django chardet python-magic pydeep yara
  5. brew install libmagic
  6. download dpkt source code from (current version is dpkt-1.8.tar.gz May 2013)
    1. extract file and move to dpkt folder
    2. python build
    3. sudo python install
  7. sudo pip install Mako
  8. install tcpdump
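  9. sudo chmod +s /usr/sbin/tcpdump
    • this sets the setuid bit so tcpdump can capture packets when Cuckoo runs as a normal user; it also means any local user on the host can run tcpdump with root privileges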

Setting up the virtual machine

  1. install VirtualBox on your Mac OS X
  2. install either Windows XP SP1 or SP2 or SP3 or Windows 7
  3. set the network connection to Host-Only Adapter. You can also choose Bridged Adapter if you want
  4. power on Windows XP image
  5. download and install Python 2.7 (
  6. download and install PIL (
  7. install additional software e.g. Microsoft Office, Adobe Reader, Mozilla Firefox, Google Chrome, Java JRE & SDK

Setting up cuckoo agent

  1. copy agent ( to virtual machine
  2. place it on "C:\Python27\"
  3. rename to agent.pyw
  4. double click agent.pyw to run the agent
  5. to verify agent has started:
    • run netstat -an and look for listening port 8000

Setting up the sandbox

  1. download & extract Cuckoo from
  2. edit conf/virtualbox.conf file.
  3. search for label = cuckoo1 and change "cuckoo1" to your VirtualBox label name
    • this is the name shown under VirtualBox -> Settings -> General -> Basic -> Name

Internet for Analysis Machine

  • Enable IP forwarding:
sudo sysctl net.inet.ip.forwarding=1
  • Basic example of rules to allow the guest Host-Only network on vboxnet0 to talk outside via the wireless adaptor (en1) on the host.
  • We are going to save these rules to a file named pfrule
echo "nat on en1 from vboxnet0:network to any -> (en1)" > ./pfrule
echo "pass inet proto icmp all" >> ./pfrule
echo "pass in on vboxnet0 proto udp from any to any port domain keep state" >> ./pfrule
echo "pass quick on en1 proto udp from any to any port domain keep state" >> ./pfrule
  • Enable the packet filter (pfctl)
sudo pfctl -e
  • Load the rules contained in file:
sudo pfctl -f ./pfrule

Do this on your host (Mac OS X)!

Saving the Virtual Machine

  • Before doing this make sure you rebooted it softly and that it’s currently running, with Cuckoo’s agent running and with Windows fully booted.
  1. VBoxManage snapshot "<Name of VM>" take "<Name of snapshot>" --pause
    • e.g. - VBoxManage snapshot "XP" take "XP1" --pause

After the snapshot creation is completed, you can power off the machine and restore it:

  1. VBoxManage controlvm "<Name of VM>" poweroff
  2. VBoxManage snapshot "<Name of VM>" restorecurrent


  • e.g. - VBoxManage controlvm "XP" poweroff
  • e.g. - VBoxManage snapshot "XP" restorecurrent
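
The "agent running" precondition above can be enforced before the snapshot is taken. The following host-side Python script is an added example, not part of the original wiki page or of Cuckoo: it confirms that something is listening on the agent port (8000) and only then runs the three VBoxManage commands from this section. The script name, function names and the guest IP in the usage comment are assumptions.

```python
#!/usr/bin/env python3
"""Take the Cuckoo baseline snapshot only if the guest agent is reachable."""
import socket
import subprocess
import sys

AGENT_PORT = 8000  # port the page checks for with netstat inside the guest


def agent_listening(host, port=AGENT_PORT, timeout=3.0):
    """Return True if a TCP connection to the agent port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route to the guest, ...
        return False


def snapshot_commands(vm, snapshot):
    """VBoxManage invocations from the page, in the order they are run."""
    return [
        ["VBoxManage", "snapshot", vm, "take", snapshot, "--pause"],
        ["VBoxManage", "controlvm", vm, "poweroff"],
        ["VBoxManage", "snapshot", vm, "restorecurrent"],
    ]


def save_baseline(vm, snapshot, guest_ip, port=AGENT_PORT,
                  run=subprocess.check_call):
    """Snapshot, power off and restore; refuse if the agent is not up."""
    if not agent_listening(guest_ip, port):
        raise RuntimeError(
            "no listener on %s:%d; start agent.pyw in the guest first"
            % (guest_ip, port))
    for argv in snapshot_commands(vm, snapshot):
        run(argv)  # argv list, no shell: VM names with spaces stay intact


if __name__ == "__main__":
    # Usage: save_baseline.py <VM name> <snapshot name> <guest IP>
    # e.g.   save_baseline.py XP XP1 192.168.56.101  (IP is an assumed value)
    if len(sys.argv) != 4:
        sys.exit("usage: save_baseline.py <vm> <snapshot> <guest_ip>")
    try:
        save_baseline(*sys.argv[1:4])
    except (RuntimeError, subprocess.CalledProcessError, OSError) as exc:
        sys.exit("baseline not saved: %s" % exc)
```

A successful TCP connect only shows that a listener exists on the port; it does not prove that the listener is the Cuckoo agent.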

Running a Sample for the first time
In the terminal, open three separate tabs.

On tab 1,

  • cd cuckoo
  • python

On tab 2,

  • cd cuckoo/utils
  • python
  • then open localhost:8080 on your web browser

On tab 3,

  • cd cuckoo/utils
  • python <filename>

Watch the first tab and wait until the analysis is done, then refresh your browser. You should see the results there.
