Automated malware analysis: Mail server -> Cuckoo
Here’s something I threw together over a beer. Some real basic bash scripts to automatically submit anything that is quarantined by the mail server to my Cuckoo Sandbox instance for analysis.
I’m sure there are much more graceful ways to do this, but hey, it works:
Quarantine on the mail server is carried out by Amavisd, to /var/spool/amavisd/quarantine.
Here’s the bash script to monitor the quarantine directory with inotify, unpack the attachment from the email and SCP the file to the Cuckoo box:
#!/bin/bash
# Watch the quarantine directory; close_write fires once Amavisd has finished writing a message
inotifywait -me close_write /var/spool/amavisd/quarantine/ | while read -r dir ev file; do
  echo "Sending $file"
  # Unpack the attachments from the quarantined message into their own directory
  mkdir -p "/home/overlord/UNPACKED_$file"
  munpack -C "/home/overlord/UNPACKED_$file" "$dir$file"
  cd "/home/overlord/UNPACKED_$file" || continue
  # Ship any executables to the Cuckoo box over SSH (port 2222, key-based auth)
  scp -r -P 2222 *.exe overlord@cuckoo.tribalchicken.net:/home/overlord/from_mail
done
Public/private key authentication is of course configured between the mail server and the Cuckoo box, with appropriate firewall rules in place.
Here’s pretty much the same thing, but on the cuckoo box, waiting for the file to arrive:
#!/bin/bash
## NOTE: Monitoring for 'close_write' event to avoid submitting partial files to cuckoo
inotifywait -me close_write ~/from_mail/ | while read -r dir ev file; do
  echo "Submitting $file to Cuckoo..."
  # Hand the sample to Cuckoo's submission utility (path quoted in case the filename has spaces)
  python ~/cuckoo/utils/submit.py "$dir$file"
done
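As an added example that is not part of the original post, here is a version of the mail-server side that records the SHA-256 of everything it has shipped, so the same sample re-sent by a spam run is not submitted to Cuckoo a second time. The helper names, the hash ledger at /home/overlord/.submitted_sha256 and the --watch switch are my assumptions; the quarantine path, host and port are the post's own.

```shell
#!/bin/bash
# Added example, not the original post's script. Helper names, the hash
# ledger (/home/overlord/.submitted_sha256) and --watch are assumptions.

# Unpack one quarantined message into OUTDIR with munpack. munpack saves
# a .desc file for the text body, which is not a sample, so drop it.
unpack_quarantined() {
  local msg=$1 outdir=$2
  mkdir -p "$outdir"
  munpack -q -C "$outdir" "$msg" >/dev/null 2>&1 || return 1
  find "$outdir" -type f ! -name '*.desc'
}

# Print only files under DIR whose SHA-256 is not yet in the ledger SEEN,
# appending new hashes so a re-sent sample is not submitted a second time.
select_new_samples() {
  local dir=$1 seen=$2 f sum
  touch "$seen"
  find "$dir" -type f | while IFS= read -r f; do
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    if ! grep -qxF "$sum" "$seen"; then
      printf '%s\n' "$sum" >>"$seen"
      printf '%s\n' "$f"
    fi
  done
}

# Watch loop, entered only with --watch so the functions can also be
# sourced on their own. --format '%w%f' yields the message's full path.
if [ "${1:-}" = "--watch" ]; then
  inotifywait -mq -e close_write --format '%w%f' /var/spool/amavisd/quarantine/ |
  while IFS= read -r msg; do
    out="/home/overlord/UNPACKED_$(basename "$msg")"
    unpack_quarantined "$msg" "$out" >/dev/null || continue
    select_new_samples "$out" /home/overlord/.submitted_sha256 |
    while IFS= read -r sample; do
      # One quoted path per transfer, same host and port as the post.
      scp -q -P 2222 "$sample" overlord@cuckoo.tribalchicken.net:/home/overlord/from_mail
    done
  done
fi
```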
So let's see if it works, by sending a dodgy file to myself (ignore the discrepancies in the message ID; the screenshots are from different test runs):
Oops, the content filter found it (either it matched a ClamAV sig or it is listed as a ‘banned’ file type; in this case it was banned, since ClamAV thinks it’s clean):
The mail server dumps it in the quarantine dir, so the script picks it up and shoots it off to the Cuckoo box:
Cuckoo box sees it and submits to Cuckoo:
Success! Cuckoo analyses the binary:
As I said, just a throw-together. I’m sure I will refine it at some point in the future.