Cuckoo Sandbox multi-guest test

1. Configuration
Start from a working Cuckoo host/guest environment: Cuckoo already runs normally and an smbshare directory is shared with the guest. Then:
1. On the Cuckoo host (Ubuntu), open VirtualBox and clone the guest, choosing a full clone and cloning all snapshots.
2. When the clone finishes, start the new guest and change its IP. The original guest uses 192.168.56.101; the new clone is set to 192.168.56.102.
3. If the clone was not a full clone and C:\agent\agent.py cannot be found, copy the agent folder from smbshare to the C: drive, open a cmd window and run: python c:\agent\agent.py
4. After startup, delete the old snapshot and create a new one named snapshot1.
5. Repeat this until ten guests have been cloned and ten snapshots created.
Edit the configuration file:
vim virtualbox.conf

# Guest list. Every machine listed here must also have a matching section below, otherwise Cuckoo will not start
machines = cuckoo0,cuckoo1,cuckoo2,cuckoo3,cuckoo4,cuckoo5,cuckoo6,cuckoo7,cuckoo8
# Add a configuration section for each guest name listed above:

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1,cuckoo2,cuckoo3,cuckoo4,cuckoo5

[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = cuckoo1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.101

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = Snapshot1

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags =

# Mostly unused for now. Please don't fill it out.
options =

# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile =

After editing, save the file and restart the Cuckoo service.
To run it in the foreground:
# cuckoo
You can check whether it started correctly in the following ways:
1. The log shows samples being dispatched one by one to the different guests.
2. After Cuckoo starts and before any sample is submitted, the initialized guests change state from poweroff to saved; once samples are submitted, the configured guests switch to running and keep changing state as each sample finishes. If the configuration is wrong, the guest state never changes and stays poweroff.
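Because a machine listed in machines = without its own section stops Cuckoo from starting, and a clone whose IP was never changed after cloning stays unreachable, here is an added checker for virtualbox.conf (example code written for this article, not part of the original post or of Cuckoo itself). It assumes the default 192.168.56.0/24 host-only network and runs against a constructed sample file.

```python
"""Sanity-check the guest sections of Cuckoo's virtualbox.conf."""
import configparser
import ipaddress

# Assumption: guests sit on VirtualBox's default host-only subnet (vboxnet0).
HOSTONLY_NET = ipaddress.ip_network("192.168.56.0/24")

def check_conf(text, net=HOSTONLY_NET):
    """Return a list of problems; empty means every listed machine has a
    section with a unique IP on the host-only network."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_option("virtualbox", "machines"):
        return ["[virtualbox] section has no 'machines' option"]
    problems, seen = [], {}
    for name in cp.get("virtualbox", "machines").split(","):
        name = name.strip()
        if not cp.has_section(name):  # Cuckoo refuses to start in this case
            problems.append(f"{name} is in 'machines' but has no [{name}] section")
            continue
        ip = cp.get(name, "ip", fallback="").strip()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"[{name}] has a missing or invalid ip '{ip}'")
            continue
        if addr not in net:
            problems.append(f"[{name}] ip {ip} is outside {net}")
        if ip in seen:  # a clone whose IP was never changed after cloning
            problems.append(f"[{name}] ip {ip} is already used by [{seen[ip]}]")
        seen.setdefault(ip, name)
    return problems

# Constructed sample: cuckoo3 has no section and clone cuckoo2 kept cuckoo1's IP.
SAMPLE_CONF = """
[virtualbox]
machines = cuckoo1,cuckoo2,cuckoo3
[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
[cuckoo2]
label = cuckoo2
platform = windows
ip = 192.168.56.101
"""

if __name__ == "__main__":
    for problem in check_conf(SAMPLE_CONF):
        print("PROBLEM:", problem)
```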

2. Test results
Guests   Samples   Test window (hh:mm–hh:mm)   Elapsed (min)   Avg. time per file (min)
10       100       11:16–12:00                 44              4.4
8        100       12:47–13:31                 44              3.52
6        100       09:18–10:02                 44              2.64
5        100       14:30–15:18                 48              2.4
4        100       12:40–13:34                 54              2.16
2        100       15:20–16:47                 87              1.74
1        100       16:50–19:25                 148             1.48
The last column is elapsed time × number of guests ÷ number of samples, i.e. the time a single guest spends on one sample.

Windows DLL, EXE and similar files
Guests   Samples   Test window (hh:mm–hh:mm)   Elapsed (min)   Avg. time per file (min)
6        65        13:51–14:04                 13              1.2
4        65        14:09–14:22                 13              0.8
3        65        14:26–14:38                 12              0.55
2        65        14:42–14:54                 12              0.37
1        65        14:55–15:16                 21              0.32

Guests   Samples   Test window (hh:mm–hh:mm)   Elapsed (min)   Avg. time per file (min)
10       750       15:21–18:31                 190             2.53
6        750       09:37–14:57                 320             2.56
4        750       16:47–23:15                 388             2.07

Reposted from blog.csdn.net/weixin_42651205/article/details/83900436