cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo API not selecting attachments of a .msg file by default #2715

Open sabyasachisamanta opened 5 years ago

sabyasachisamanta commented 5 years ago

Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html

My issue is: I have automated the submission of suspicious emails with attachments for sandbox analysis through file submissions. However, the attachments are not getting scanned by default. How can I include them in the default scan settings through API analysis?
My Cuckoo version and operating system are: Cuckoo Sandbox 2.0.6 and Ubuntu 17.10
This can be reproduced by: Submitting a .msg file (outlook email) with an attachment through Cuckoo API file submission analysis
The log, error, files etc. can be found at:

sabyasachisamanta commented 5 years ago

Yes, I have read it and could not find anything related to it. It would really help if someone could let me know how to do it for a curl request.

mkrsfcmp commented 5 years ago

As far as I can see there is no analysis package to handle Outlook msgs, so you have to either:

  1. Create your own analysis package to handle Outlook msg (probably opening Outlook inside the guest VM and so on - can be tricky), or
  2. Modify your script to extract attachments first and then submit only the attachments to cuckoo, letting it run the chosen package appropriate for the given file.
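
One way to implement option 2 above, as an added example that is not Cuckoo project code: pull the attachments out of the .msg, keep only file types Cuckoo has an analysis package for, and POST each one to the REST API endpoint behind `curl -F file=@... /tasks/create/file`. It assumes the third-party `extract-msg` package for .msg parsing, the API listening on the default `cuckoo api` address `http://localhost:8090`, and the extension allow-list, which is a local policy choice.

```python
"""Extract attachments from an Outlook .msg and submit each to the Cuckoo REST API."""
import hashlib
import json
import os
import urllib.request
import uuid

CUCKOO_API = "http://localhost:8090"  # default `cuckoo api` bind address (assumed)
# Attachment types Cuckoo has analysis packages for (assumed allow-list); skipping
# everything else avoids tasks that would fall back to a meaningless generic package.
SUBMIT_EXTENSIONS = {".exe", ".dll", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
                     ".js", ".zip", ".ps1"}

def msg_attachments(path):
    """Yield (filename, bytes) for every binary attachment in an Outlook .msg.
    Uses the third-party extract-msg package (assumed installed)."""
    import extract_msg  # lazy import so the submission helpers work without it
    for att in extract_msg.Message(path).attachments:
        name = att.longFilename or att.shortFilename or "unnamed"
        if isinstance(att.data, bytes):  # embedded .msg attachments are objects; skip
            yield os.path.basename(name), att.data

def select_attachments(attachments, allowed=SUBMIT_EXTENSIONS):
    """Keep only attachments Cuckoo can run, deduplicated by SHA-256 of content."""
    seen, chosen = set(), []
    for name, data in attachments:
        digest = hashlib.sha256(data).hexdigest()
        if os.path.splitext(name.lower())[1] in allowed and digest not in seen:
            seen.add(digest)
            chosen.append((name, data, digest))
    return chosen

def multipart_body(name, data, fields):
    """Build the multipart/form-data body that `curl -F` would send to Cuckoo."""
    boundary = uuid.uuid4().hex
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
             for k, v in fields.items()]
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                 f'filename="{name}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
                 + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"

def submit(name, data, api=CUCKOO_API, timeout=300):
    """POST one attachment to /tasks/create/file and return the new task id."""
    body, ctype = multipart_body(name, data, {"timeout": str(timeout)})
    req = urllib.request.Request(f"{api}/tasks/create/file", data=body,
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["task_id"]

def submit_msg(path):
    """Submit every runnable attachment of one .msg; returns {filename: task_id}."""
    return {n: submit(n, d) for n, d, _ in select_attachments(msg_attachments(path))}
```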

sabyasachisamanta commented 5 years ago

Ok. Thanks!
