Tribal Chicken

Security. Malware Research. Digital Forensics.

Automated malware analysis: Mail server -> Cuckoo

Here’s something I threw together over a beer. Some really basic bash scripts to automatically submit anything that is quarantined by the mail server to my Cuckoo Sandbox instance for analysis.

I’m sure there are much more graceful ways to do this, but hey, it works:

Quarantine on the mail server is handled by Amavisd, which writes quarantined messages to /var/spool/amavisd/quarantine.

Here’s the bash script that monitors the quarantine directory with inotify, unpacks the attachment from the email with munpack and SCPs the file to the Cuckoo box:

#!/bin/bash
# inotifywait prints "<watched dir> <event> <filename>" per event; close_write
# fires once amavisd has finished writing the quarantine file.
inotifywait -me close_write /var/spool/amavisd/quarantine/ | while read -r dir ev file; do
    echo "Sending $file"
    mkdir -p "/home/overlord/UNPACKED_$file"
    munpack -C "/home/overlord/UNPACKED_$file" "$dir$file"
    # If the cd fails, skip the message rather than scp'ing from the previous directory
    cd "/home/overlord/UNPACKED_$file" || continue
    scp -r -P 2222 *.exe [email protected]:/home/overlord/from_mail
done

SSH public/private key authentication is of course configured between the mail server and the Cuckoo box, with appropriate firewall rules in place.

Here’s pretty much the same thing, but on the cuckoo box, waiting for the file to arrive:

#!/bin/bash
## NOTE: Monitoring for the 'close_write' event so a file scp is still writing is never submitted to Cuckoo
inotifywait -me close_write ~/from_mail/ | while read -r dir ev file; do
    echo "Submitting $file to Cuckoo..."
    python ~/cuckoo/utils/submit.py "$dir$file"
done
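The two scripts above are the whole pipeline, so here is a single hardened version of both halves as an added example (my code, not the scripts from the original post). It selects attachments by content (the DOS "MZ" header every PE executable carries) instead of a `*.exe` glob, so a renamed executable is still shipped and an archive named `foo.exe` is not, and it logs a SHA-256 per file so the mail-server log can be matched against the Cuckoo task. Everything not in the post is an assumption: the `overlord@cuckoo` user@host placeholder in `CUCKOO_DEST`, the `/home/overlord/unpacked` scratch directory, and `SUBMIT_CMD` pointing at the Cuckoo 1.x `utils/submit.py` path the post uses.

```shell
#!/bin/bash
# Added example, not the original post's scripts. One script, two roles:
#   watch-quarantine  mail-server side: unpack, select PE parts, scp to Cuckoo
#   watch-inbox       Cuckoo side: submit each file once scp has closed it
# Assumptions not in the post: CUCKOO_DEST (placeholder user@host), WORKDIR,
# and SUBMIT_CMD (Cuckoo 1.x utils/submit.py layout).
set -euo pipefail

QUARANTINE=/var/spool/amavisd/quarantine
WORKDIR=/home/overlord/unpacked                       # assumed scratch directory
CUCKOO_DEST="${CUCKOO_DEST:-overlord@cuckoo}"         # assumed user@host placeholder
CUCKOO_PORT="${CUCKOO_PORT:-2222}"
CUCKOO_INBOX=/home/overlord/from_mail
SUBMIT_CMD="${SUBMIT_CMD:-python $HOME/cuckoo/utils/submit.py}"  # assumed Cuckoo 1.x path

# Exit 0 when the file starts with the "MZ" header every PE executable carries.
# Content check, not a filename check: renamed .exe caught, .exe-named zip skipped.
is_pe() {
    local magic
    magic=$(head -c 2 "$1" 2>/dev/null | od -An -c | tr -d ' \n')
    [ "$magic" = "MZ" ]
}

# SHA-256 of a file, logged on both hosts so log lines can be correlated.
digest() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Unpack one quarantined message into its own directory and print the paths of
# the MIME parts that look like PE executables, one per line.
unpack_pe_parts() {
    local msg=$1 out
    out="$WORKDIR/$(basename "$msg")"
    mkdir -p "$out"
    # munpack exits non-zero when there is nothing to unpack; that is not fatal here.
    munpack -q -C "$out" "$msg" >/dev/null 2>&1 || true
    find "$out" -type f | while IFS= read -r part; do
        if is_pe "$part"; then
            printf '%s\n' "$part"
        fi
    done
}

# Mail-server side. close_write means amavisd has finished writing the file, so a
# partially written message is never unpacked. %w%f gives the full path, which
# survives filenames containing spaces.
watch_quarantine() {
    inotifywait -m -q -e close_write --format '%w%f' "${QUARANTINE}/" |
    while IFS= read -r msg; do
        unpack_pe_parts "$msg" | while IFS= read -r part; do
            printf '%s %s sending %s\n' "$(date -u +%FT%TZ)" "$(digest "$part")" "$part"
            scp -q -P "$CUCKOO_PORT" "$part" "$CUCKOO_DEST:$CUCKOO_INBOX/" \
                || printf 'scp failed for %s\n' "$part" >&2
        done
    done
}

# Cuckoo side: submit each sample once scp has closed it.
watch_inbox() {
    inotifywait -m -q -e close_write --format '%w%f' "${CUCKOO_INBOX}/" |
    while IFS= read -r sample; do
        printf '%s %s submitting %s\n' "$(date -u +%FT%TZ)" "$(digest "$sample")" "$sample"
        $SUBMIT_CMD "$sample" || printf 'submit failed for %s\n' "$sample" >&2
    done
}

case "${1:-}" in
    watch-quarantine) watch_quarantine ;;
    watch-inbox)      watch_inbox ;;
esac
```

Run it as `./watcher.sh watch-quarantine` on the mail server and `./watcher.sh watch-inbox` on the Cuckoo box. The "MZ" check is deliberately cheap; it filters out the text parts and archives that munpack also extracts, but anything more (archives, scripts, documents) would need its own selection rule before being submitted.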

So let’s see if it works by sending a dodgy file to myself (ignore the discrepancies in the message ID; the screenshots are from different test runs):

[Screenshot: the test message, 2014-10-17 10:48 pm]

Oops, the content filter found it. Amavisd quarantines on either a ClamAV signature match or a ‘banned’ file rule; in this case it was banned (ClamAV thinks it’s clean):

[Screenshot: the quarantine notification, 2014-10-17 10:51 pm]

The mail server dumps it in the quarantine dir, so the script picks it up and shoots it off to the Cuckoo box:

[Screenshot: mail-server script output, 2014-10-17 11:16 pm]

Cuckoo box sees it and submits to Cuckoo:

[Screenshot: Cuckoo-box script output, 2014-10-17 11:16 pm]

[Screenshot: submit.py output, 2014-10-17 11:16 pm]

Success! Cuckoo analyses the binary:

[Screenshot: the Cuckoo analysis, 2014-10-17 11:17 pm]

As I said, just a throw-together. I’m sure I will refine it at some point in the future.