When I ran Cuckoo Sandbox, Yara threw errors, so I investigated the cause and fixed it. I suspected the Yara version was the problem, and when I tried to install a different version I got stuck, so I am writing this down so I don't forget. Every time I fixed one error a new one appeared, so it was never boring. I wrote up the trial and error as it happened, mainly for myself but hoping it helps anyone who hits the same errors; a summary is at the end.
Running cuckoo.py gave me errors. Here is the output:
$ python cuckoo/cuckoo.py
_____________________________________/\/\_______________________________
___/\/\/\/\__/\/\__/\/\____/\/\/\/\__/\/\__/\/\____/\/\/\______/\/\/\___
_/\/\________/\/\__/\/\__/\/\________/\/\/\/\____/\/\__/\/\__/\/\__/\/\_
_/\/\________/\/\__/\/\__/\/\________/\/\/\/\____/\/\__/\/\__/\/\__/\/\_
___/\/\/\/\____/\/\/\/\____/\/\/\/\__/\/\__/\/\____/\/\/\______/\/\/\___
________________________________________________________________________
Cuckoo Sandbox 1.2-dev
www.cuckoosandbox.org
Copyright (c) 2010-2014
Checking for updates...
Good! You have the latest version available.
2014-10-11 17:13:09,487 [lib.cuckoo.core.scheduler] INFO: Using "kvm" machine manager
2014-10-11 17:13:09,919 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2014-10-11 17:13:09,925 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2014-10-11 17:13:30,206 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "/home/cuckoo/ZeuS_binary_9498ff82a64ff445398c8426ed63ea5b.exe" (task=2)
2014-10-11 17:13:30,218 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/cuckoo/cuckoo/storage/binaries/8b2e701e91101955c73865589a4c72999aeabc11043f712e05fdb1c17c4ab19a"
2014-10-11 17:13:30,331 [lib.cuckoo.core.scheduler] INFO: Task #2: acquired machine Windows7_default_1412852245584_47636 (label=Windows7_default_1412852245584_47636)
2014-10-11 17:13:30,339 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 14069 (interface=hostonly0, host=192.168.124.2, dump path=/home/cuckoo/cuckoo/storage/analyses/2/dump.pcap)
2014-10-11 17:13:39,623 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=Windows7_default_1412852245584_47636, ip=192.168.124.2)
2014-10-11 17:14:06,404 [lib.cuckoo.core.guest] INFO: Windows7_default_1412852245584_47636: analysis completed successfully
2014-10-11 17:14:08,420 [modules.processing.behavior] WARNING: Analysis results folder does not contain any file.
2014-10-11 17:14:08,748 [lib.cuckoo.common.objects] WARNING: Unable to import pydeep (install with `pip install pydeep`)
2014-10-11 17:14:08,749 [lib.cuckoo.common.objects] WARNING: Unable to match Yara signatures: 'error_on_warning' is an invalid keyword argument for this function
2014-10-11 17:14:09,797 [lib.cuckoo.core.scheduler] INFO: Task #2: reports generation completed (path=/home/cuckoo/cuckoo/storage/analyses/2)
2014-10-11 17:14:09,894 [lib.cuckoo.core.scheduler] INFO: Task #2: analysis procedure completed
There are two WARNINGs, but I'll set them aside for now and fix the Yara WARNING first:
2014-10-11 17:14:08,749 [lib.cuckoo.common.objects] WARNING: Unable to match Yara signatures: 'error_on_warning' is an invalid keyword argument for this function
This is the one. Searching around, I found reports that the Yara version may be the issue. Cuckoo's documentation says to use Yara v1.7 or higher, so I had installed v1.7, but I'll try the latest version.
At the moment v3.1.0 seems to be the latest: https://github.com/plusvic/yara/releases/tag/v3.1.0 I'll follow Yara's Getting Started documentation: http://yara.readthedocs.org/en/latest/gettingstarted.html
$ wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
$ tar zxvf v3.1.0.tar.gz
$ cd yara-3.1.0/
$ ./bootstrap.sh
== bootstraping yara
libtoolize...
Did not find a supported libtoolize
It complains about something: libtoolize is missing, so install the libtool package.
$ sudo apt-get install libtool
$ ./bootstrap.sh
== bootstraping yara
libtoolize...
libtoolize: putting auxiliary files in `.'.
libtoolize: linking file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: linking file `m4/libtool.m4'
libtoolize: linking file `m4/ltoptions.m4'
libtoolize: linking file `m4/ltsugar.m4'
libtoolize: linking file `m4/ltversion.m4'
libtoolize: linking file `m4/lt~obsolete.m4'
aclocal...
Did not find a supported aclocal
It got further than before, but this time aclocal is missing. To get aclocal, it seems you need to install the automake package (or was it not installed already?).
$ sudo apt-get install automake
$ ./bootstrap.sh
== bootstraping yara
libtoolize...
libtoolize: putting auxiliary files in `.'.
libtoolize: linking file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: linking file `m4/libtool.m4'
libtoolize: linking file `m4/ltoptions.m4'
libtoolize: linking file `m4/ltsugar.m4'
libtoolize: linking file `m4/ltversion.m4'
libtoolize: linking file `m4/lt~obsolete.m4'
aclocal...
autoheader...
automake...
autoconf...
That worked. Now to compile it.
First install the required libraries.
For Cuckoo support, Yara uses Jansson to parse JSON, so it must be installed beforehand; it is provided by the libjansson-dev package, so install that.
The magic module needs libmagic-dev, so install that as well.
It may not be strictly necessary, but I don't want to get stuck on it later (I'm tired).
$ sudo apt-get install libjansson-dev libmagic-dev
Once that is installed, back to the documentation: it says to add --enable-cuckoo when using Yara with Cuckoo.
So configure with the options and make:
$ ./configure --enable-cuckoo --enable-magic
(Omitted)
checking for pthread_create in -lpthread... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating libyara/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
$ make
$ sudo make install
If there are no errors, that part is done.
Cuckoo also needs yara-python in addition to yara, so install that too. It is inside the yara source tree downloaded earlier, so just build and install it. Easy! (Or so I thought.)
$ cd yara-python/
$ python setup.py build
$ sudo python setup.py install
Now that everything is ready, run cuckoo again.
After starting cuckoo.py, submit a sample with submit.py.
$ python ~/cuckoo/cuckoo.py
(Cuckoo Sandbox ASCII banner)
Cuckoo Sandbox 1.2-dev
www.cuckoosandbox.org
Copyright (c) 2010-2014
Checking for updates...
Good! You have the latest version available.
2014-10-11 21:54:13,566 [lib.cuckoo.core.scheduler] INFO: Using "kvm" machine manager
2014-10-11 21:54:14,611 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2014-10-11 21:54:14,618 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2014-10-11 21:54:22,819 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "/home/cuckoo/ZeuS_binary_9498ff82a64ff445398c8426ed63ea5b.exe" (task=7)
2014-10-11 21:54:22,830 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/cuckoo/cuckoo/storage/binaries/8b2e701e91101955c73865589a4c72999aeabc11043f712e05fdb1c17c4ab19a"
2014-10-11 21:54:22,959 [lib.cuckoo.core.scheduler] INFO: Task #7: acquired machine Windows7_default_1412852245584_47636 (label=Windows7_default_1412852245584_47636)
2014-10-11 21:54:22,967 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 13437 (interface=hostonly0, host=192.168.124.2, dump path=/home/cuckoo/cuckoo/storage/analyses/7/dump.pcap)
2014-10-11 21:54:39,130 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=Windows7_default_1412852245584_47636, ip=192.168.124.2)
2014-10-11 21:55:11,988 [lib.cuckoo.core.guest] INFO: Windows7_default_1412852245584_47636: analysis completed successfully
2014-10-11 21:55:13,435 [modules.processing.behavior] WARNING: Analysis results folder does not contain any file.
2014-10-11 21:55:13,843 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources)
2014-10-11 21:55:14,883 [lib.cuckoo.core.scheduler] INFO: Task #7: reports generation completed (path=/home/cuckoo/cuckoo/storage/analyses/7)
2014-10-11 21:55:15,028 [lib.cuckoo.core.scheduler] INFO: Task #7: analysis procedure completed
Another error. Sad...
WARNING: Unable to import yara (please compile from sources)
Compile yara from source? I just did that!
Apparently the import didn't work.
$ python
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ImportError: libyara.so.3: cannot open shared object file: No such file or directory
It really cannot be imported.
Looking at https://github.com/styx/YARA/tree/master/yara-python, it says to run ldconfig if an error occurs.
According to http://www.atmarkit.co.jp/flinux/rensai/linuxtips/300sharelib.html, the /usr/local/lib directory is not registered by default, so you must add it to /etc/ld.so.conf before running the ldconfig command.
So I try this:
$ sudo su
# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig
If /usr/local/lib is already listed in ld.so.conf, running just ldconfig should probably be enough.
Then try again:
$ python
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
>>>
This time there is no error. Running Cuckoo in this state should also produce no error:
$ python ~/cuckoo/cuckoo.py
(Omitted)
2014-10-11 23:44:29,156 [lib.cuckoo.core.plugins] DEBUG: Running non-evented signatures
2014-10-11 23:44:29,156 [lib.cuckoo.core.plugins] DEBUG: Running signature "creates_exe"
2014-10-11 23:44:29,157 [lib.cuckoo.core.plugins] DEBUG: Running signature "generic_metrics"
2014-10-11 23:44:29,178 [lib.cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2014-10-11 23:44:29,462 [lib.cuckoo.core.plugins] DEBUG: Executed reporting module "ReportHTML"
2014-10-11 23:44:29,462 [lib.cuckoo.core.scheduler] INFO: Task #18: reports generation completed (path=/home/cuckoo/cuckoo/storage/analyses/18)
2014-10-11 23:44:29,601 [lib.cuckoo.core.scheduler] INFO: Task #18: analysis procedure completed
That did it.
I wrote up the trial and error as it happened, but to summarize:
#Libraries required at compile time, etc.
$ sudo apt-get install libtool automake
#Libraries required for use with Cuckoo etc.
$ sudo apt-get install libjansson-dev libmagic-dev
#Put the latest version of yara and compile
$ wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
$ tar zxvf v3.1.0.tar.gz
$ cd yara-3.1.0/
$ ./bootstrap.sh
$ ./configure --enable-cuckoo --enable-magic
$ make
$ sudo make install
#Compile yara-python
$ cd yara-python/
$ python setup.py build
$ sudo python setup.py install
#ldconfig
$ sudo su
# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig
With these steps there are no more errors in my environment. I can't speak for other environments, so proceed at your own risk.
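To check a later run quickly instead of reading the whole log, here is a small added example (my own helper, not part of Cuckoo or Yara) that parses the Cuckoo 1.2 log lines quoted above and maps each known Yara-related WARNING to the cause and fix found in this post; the sample log lines are copied from the runs above.

```python
import re

# Format of the Cuckoo 1.2 log lines quoted above: timestamp, [module], LEVEL: message.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<module>[\w.]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Each known Yara-related warning mapped to the cause and fix found in this post.
# (The pydeep remedy is the one the log line itself suggests.)
KNOWN_WARNINGS = [
    ("'error_on_warning' is an invalid keyword argument",
     "yara-python too old for Cuckoo; build yara-python from the yara 3.1.0 tree"),
    ("Unable to import yara",
     "libyara.so not found by the loader; add /usr/local/lib to /etc/ld.so.conf and run ldconfig"),
    ("Unable to import pydeep",
     "pydeep missing; pip install pydeep"),
]

def parse_line(line):
    """Split one Cuckoo log line into its fields, or return None if it is not a log line."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return (module, message, fix) for each WARNING that matches a known Yara issue."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "WARNING":
            continue
        for needle, fix in KNOWN_WARNINGS:
            if needle in rec["msg"]:
                findings.append((rec["module"], rec["msg"], fix))
                break
    return findings

# Constructed sample: the WARNING lines from the runs above plus one INFO line.
SAMPLE_LOG = """\
2014-10-11 17:14:08,748 [lib.cuckoo.common.objects] WARNING: Unable to import pydeep (install with `pip install pydeep`)
2014-10-11 17:14:08,749 [lib.cuckoo.common.objects] WARNING: Unable to match Yara signatures: 'error_on_warning' is an invalid keyword argument for this function
2014-10-11 21:55:13,843 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources)
2014-10-11 23:44:29,601 [lib.cuckoo.core.scheduler] INFO: Task #18: analysis procedure completed
"""

if __name__ == "__main__":
    for module, msg, fix in triage(SAMPLE_LOG.splitlines()):
        print("%s: %s\n  -> %s" % (module, msg, fix))
```

Run it against cuckoo.log (or the console output) after each fix; when triage() returns nothing, the Yara side of the setup is in order.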