Security Stuff!!

Cuckoo 3 Installation

This guide is inspired by the Estonian CERT Cuckoo 3 documentation. It has been tested on Ubuntu Server 22.04 and Python 3.10.


  • Ubuntu server 22.04
  • Python 3.10
  • username cuckoo

Dependency installation

sudo apt update && sudo apt upgrade -y

sudo apt install git build-essential python3-dev python3.10-venv libhyperscan5 libhyperscan-dev libjpeg8-dev zlib1g-dev unzip p7zip-full rar unace-nonfree cabextract yara tcpdump genisoimage qemu-system-x86 qemu-utils qemu-system-common -y

KVM permissions

sudo adduser cuckoo kvm
sudo chmod 666 /dev/kvm

TCPdump Configuration

Allow cuckoo user (non-root) to use tcpdump

sudo groupadd pcap
sudo adduser cuckoo pcap
sudo chgrp pcap /usr/bin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
sudo ln -s /etc/apparmor.d/usr.bin.tcpdump /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/disable/usr.bin.tcpdump
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.tcpdump
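
An added check, not part of the original guide or the Cuckoo project: the script below audits the privileges granted in the KVM and tcpdump steps above. The function names and sample values are constructed for illustration, and `--live` assumes GNU `stat` and libcap's `getcap`.

```shell
#!/usr/bin/env bash
# Added example: audit the privileges granted by the KVM and tcpdump steps.
# Sample values are constructed; pass --live to inspect the real host.

# Capability names found in one line of `getcap` output, sorted and comma-joined.
caps_in() {
  printf '%s\n' "$1" | { grep -o 'cap_[a-z_]*' || true; } | LC_ALL=C sort -u | paste -sd, -
}

# tcpdump should carry exactly the two capabilities the guide sets.
tcpdump_caps_finding() {   # $1 = getcap output line
  local caps
  caps=$(caps_in "$1")
  case "$caps" in
    cap_net_admin,cap_net_raw) echo "ok" ;;
    "") echo "missing" ;;
    *)  echo "unexpected:$caps" ;;
  esac
}

# chgrp alone leaves the stock 755 mode, so any local user can still run the
# capability-bearing binary; flag that as well as a wrong owning group.
tcpdump_mode_finding() {   # $1 = octal mode, $2 = owning group
  if [ "$2" != "pcap" ]; then echo "wrong-group:$2"
  elif [ $(( 0$1 & 1 )) -ne 0 ]; then echo "world-executable"
  else echo "ok"; fi
}

# Membership of group kvm is enough, so flag a world-writable /dev/kvm (e.g. 666).
kvm_mode_finding() {       # $1 = octal mode
  if [ $(( 0$1 & 2 )) -ne 0 ]; then echo "world-writable"; else echo "ok"; fi
}

audit_host() {             # live checks; assumes GNU stat and libcap getcap
  echo "tcpdump caps: $(tcpdump_caps_finding "$(getcap /usr/bin/tcpdump 2>/dev/null)")"
  echo "tcpdump mode: $(tcpdump_mode_finding $(stat -c '%a %G' /usr/bin/tcpdump))"
  echo "/dev/kvm:     $(kvm_mode_finding "$(stat -c '%a' /dev/kvm)")"
}

if [ "${1:-}" = "--live" ]; then
  audit_host
else
  # Constructed samples: the state after following the steps as written.
  echo "caps: $(tcpdump_caps_finding '/usr/bin/tcpdump cap_net_admin,cap_net_raw=eip')"
  echo "mode: $(tcpdump_mode_finding 755 pcap)"
  echo "kvm:  $(kvm_mode_finding 666)"
fi
```

With the steps as written, the script reports `world-executable` for tcpdump and `world-writable` for /dev/kvm. Mode 750 on /usr/bin/tcpdump and mode 660 on /dev/kvm restrict both to members of the pcap and kvm groups.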

Cuckoo 3 Download, install and configuration

sudo chown cuckoo /opt && cd /opt
git clone
cd cuckoo3

Edit processing/ and change pefile and hyperscan version in install_requires to

Install cuckoo 3
python3 -m venv venv
source venv/bin/activate
pip install wheel

Create Cuckoo working directory
cuckoo createcwd

Import monitor and stager binaries and extract Cuckoo signatures
cuckoo getmonitor
unzip -d ~/.cuckoocwd/signatures/cuckoo/

vmcloak installation and VM configuration

git clone && cd vmcloak
Edit vmcloak/ and change pefile version in install_requires to

Edit vmcloak/platforms/ and change _create_snapshot_disk function to

subprocess.check_call(["qemu-img", "create", "-F", "qcow2", "-o",
                    "lazy_refcounts=on,cluster_size=2M", "-b",
                    image_path, "-f", "qcow2", path])

Install vmcloak
pip install . && cd ..

Create VM interface
sudo /opt/cuckoo3/venv/bin/vmcloak-qemubridge br0
sudo mkdir -p /etc/qemu
echo 'allow br0' | sudo tee /etc/qemu/bridge.conf
sudo chmod u+s /usr/lib/qemu/qemu-bridge-helper
Download Windows 10 ISO file
vmcloak isodownload --win10x64 --download-to ~/win10x64.iso
sudo mkdir /mnt/win10x64
Mount Windows 10 ISO
sudo mount -o loop,ro /home/cuckoo/win10x64.iso /mnt/win10x64
Install Windows 10 base image
vmcloak --debug init --win10x64 --hddsize 128 --cpus 2 --ramsize 4096 --network --vm qemu --ip --iso-mount /mnt/win10x64 win10base br0
Optionally install extra utilities
vmcloak --debug install win10base dotnet:4.7.2 java:7u80 vcredist:2013 vcredist:2019 edge carootcert wallpaper disableservices
Taking 1 snapshot with ip, feel free to add more instances by increasing count
vmcloak --debug snapshot --count 1 win10base win10vm_

Cuckoo 3 extra configuration

Import VM into cuckoo
cuckoo machine import qemu ~/.vmcloak/vms/qemu
Delete example template
cuckoo machine delete qemu example1
Cuckoo database initialization
cuckoomigrate database all
Ignore all errors

Configure the correct IP of the result server in the file ~/.cuckoocwd/conf/cuckoo.yaml


Remove loop=self.loop from
nano node/cuckoo/node/ in line 443

Change tcpdump path to /usr/bin/tcpdump
nano ~/.cuckoocwd/conf/cuckoo.yaml

Edit allowed_subnets to your subnet, in my case (
nano ~/.cuckoocwd/conf/web/web.yaml
Install cuckoo 3 docs
cd /opt/cuckoo3/docs
pip install -r requirements.txt
mkdocs build
cp -R site ../web/cuckoo/web/static/docs

Run cuckoo in debug mode
cuckoo --debug

Web server installation and configuration

pip install uwsgi
sudo apt-get install uwsgi uwsgi-plugin-python3 nginx -y
sudo adduser www-data cuckoo
Generate uwsgi configuration
cuckoo web generateconfig --uwsgi > cuckoo-web.ini
sudo mv cuckoo-web.ini /etc/uwsgi/apps-available/
sudo ln -s /etc/uwsgi/apps-available/cuckoo-web.ini /etc/uwsgi/apps-enabled/cuckoo-web.ini
nano ~/.cuckoocwd/web/
STATIC_ROOT = "/opt/cuckoo3/web/cuckoo/web/static"
Generate nginx configuration
cuckoo web generateconfig --nginx > cuckoo-web.conf
Nginx configuration
nano cuckoo-web.conf
In server section, change listen value from listen; to listen 80;
sudo mv cuckoo-web.conf /etc/nginx/sites-available/cuckoo-web.conf
sudo ln -s /etc/nginx/sites-available/cuckoo-web.conf /etc/nginx/sites-enabled/cuckoo-web.conf
Delete Nginx default page
sudo rm /etc/nginx/sites-enabled/default
Restart Nginx and uwsgi
sudo systemctl restart nginx uwsgi

Cuckoo launcher

You can use this script to start the Cuckoo 3 daemon:

#!/bin/bash
sudo /opt/cuckoo3/venv/bin/vmcloak-qemubridge br0
source /opt/cuckoo3/venv/bin/activate
cuckoo --quiet