How to Integrate RSA Malware Analysis with Cuckoo Sandbox | By Luiz Henrique Borges

Users would like to integrate RSA Malware Analysis with sandbox solutions, so they can:

  • Automatically submit malicious artifacts to these other solutions, and
  • See the results from RSA Malware Analysis and a sandbox solution together.

In this document, we consider the Cuckoo Sandbox, and describe how to integrate this solution with RSA Malware Analysis.

You will need:

  • RSA NetWitness for Packets, with the Malware Analysis module.
  • Cuckoo Sandbox

Enable the File Sharing Protocol

The first step is to enable the File Sharing Protocol on the RSA Malware Analysis Service.

Change the Share Name

Next, you need to change the share name on the Malware Analysis service.

  1. Connect to the RSA Malware Analysis service through SSH.
  2. Change the share name from File Store to repository.
  3. Restart the smb service:

/etc/init.d/smb restart

Configure the Cuckoo Sandbox

On the Cuckoo Sandbox, you need to create a script file.

  1. Connect to the Cuckoo Sandbox through SSH.
  2. Create a directory named /mnt/rsamalware.
  3. Create a script file named rsamalware.sh in Cuckoo's utils directory, and set executable permission for the file.
  4. Enter the following code into the script file using a text editor (replace your_rsa_malware with the IP address for your RSA Malware Analysis service):

Run the Script Periodically

Finally, add a cron job to run the script periodically, for example every 5 minutes. You can change the period based on the demands of your installation.

In the following procedure, we set the frequency so the script runs every 5 minutes.

  1. Open a terminal on your Cuckoo sandbox.
  2. Run the following command:

crontab -e

This opens your crontab in the vim editor.

  3. Press ‘i’ to enter edit mode, and navigate to the final line in the file.
  4. Copy the following line into the editor:

*/5 * * * * /utils/rsamalware.sh

This runs the script every 5 minutes.

  5. Press the Escape key, then enter :wq! to save your work and close the vim editor.

The following message is displayed, indicating that the job was installed correctly:

crontab: installing new crontab

The job will run every 5 minutes.

Script Contents

Below is the text version of the rsamalware.sh script. You can copy this code when you are editing your file.
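The original rsamalware.sh is not reproduced on this page. What follows is an added example of such a script, written for this page and not the RSA community script, showing the job the procedure above describes: mount the Malware Analysis share read-only on /mnt/rsamalware, hash every file on it, and hand files not seen before to Cuckoo, keeping a record so the 5-minute cron run does not resubmit the same artifact. Everything beyond the share name, mount point and your_rsa_malware placeholder is an assumption: the CIFS mount with a credentials file, the state and lock file locations, and the path of Cuckoo's submit utility (utils/submit.py in Cuckoo 1.x; Cuckoo 2.x uses `cuckoo submit`), which is kept in SUBMIT_CMD so it can be adapted.

```shell
#!/bin/sh
# rsamalware.sh (added example, not the original RSA community script)
# Runs from cron on the Cuckoo host: mounts the Malware Analysis "repository"
# share read-only, hashes every file on it, and hands files that have not been
# seen before to Cuckoo's submit utility, recording each hash so later runs
# do not resubmit the same artifact.
# Assumptions (not from the original page): CIFS mount with a credentials
# file, the state/lock locations, and the location of Cuckoo's submit command.

RSA_HOST="${RSA_HOST:-your_rsa_malware}"          # IP of the RSA Malware Analysis service
SHARE_NAME="${SHARE_NAME:-repository}"            # share name set in the earlier step
MOUNT_POINT="${MOUNT_POINT:-/mnt/rsamalware}"     # directory created in the earlier step
CREDS="${CREDS:-/etc/rsamalware.cred}"            # assumed CIFS credentials file (mode 0600)
STATE_FILE="${STATE_FILE:-/var/lib/rsamalware/submitted.txt}"  # assumed record of submitted hashes
LOCK_DIR="${LOCK_DIR:-/var/lock/rsamalware}"      # assumed lock, stops overlapping cron runs
# Assumed submit command; left unquoted on use so "cuckoo submit" also works.
SUBMIT_CMD="${SUBMIT_CMD:-/opt/cuckoo/utils/submit.py}"

log() { printf '%s rsamalware: %s\n' "$(date '+%F %T')" "$*" >&2; }

# SHA-256 of a file (sha256sum on Linux, shasum elsewhere); prints only the digest.
hash_file() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1; }

# Mount the share read-only if it is not already mounted; non-zero on failure.
ensure_mounted() {
    mkdir -p "$MOUNT_POINT" || return 1
    if ! grep -qs " $MOUNT_POINT " /proc/mounts; then
        mount -t cifs -o "ro,credentials=$CREDS" "//$RSA_HOST/$SHARE_NAME" "$MOUNT_POINT" || return 1
    fi
    return 0
}

# submit_new_files DIR STATE_FILE
# Submits every file under DIR whose SHA-256 is not yet listed in STATE_FILE,
# appends "<sha256> <path>" for each successful submission, and prints the
# number of files submitted in this run.
submit_new_files() {
    dir=$1
    state=$2
    count=0
    mkdir -p "$(dirname "$state")" || return 1
    touch "$state" || return 1
    list=$(mktemp) || return 1
    find "$dir" -type f | sort > "$list"
    # redirected loop (not a pipe) so $count survives in this shell
    while IFS= read -r f; do
        key=$(hash_file "$f") || continue
        grep -q "^$key " "$state" && continue   # already submitted in an earlier run
        if $SUBMIT_CMD "$f" >/dev/null 2>&1; then
            printf '%s %s\n' "$key" "$f" >> "$state"
            count=$((count + 1))
        else
            log "submit failed for $f, will retry next run"
        fi
    done < "$list"
    rm -f "$list"
    printf '%s\n' "$count"
}

main() {
    mkdir "$LOCK_DIR" 2>/dev/null || { log "previous run still active, skipping"; exit 0; }
    trap 'rmdir "$LOCK_DIR"' EXIT
    ensure_mounted || { log "cannot mount //$RSA_HOST/$SHARE_NAME"; exit 1; }
    n=$(submit_new_files "$MOUNT_POINT" "$STATE_FILE") || exit 1
    log "submitted $n new file(s) to Cuckoo"
}

# Only run main when invoked as the script itself (lets the functions be sourced).
case "$0" in *rsamalware.sh) main "$@" ;; esac
```

Two design choices matter for the cron setup above. The share is mounted read-only, so the Cuckoo host can never alter the Malware Analysis file store, and the credentials file it needs should be readable by root only. The lock directory makes a run that takes longer than 5 minutes (a large batch, or a slow Cuckoo queue) skip the next cron tick instead of overlapping with it, and because submissions are recorded by content hash, a file that fails to submit is simply retried on the next run.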

Originally published here: https://community.rsa.com/docs/DOC-86551

April 16, 2019
