How to Integrate RSA Malware Analysis with Cuckoo Sandbox
Users would like to integrate RSA Malware Analysis with sandbox solutions, so they can:
- Automatically submit malicious artifacts to these other solutions, and
- See the results from RSA Malware Analysis and a sandbox solution together.
In this document, we consider the Cuckoo Sandbox, and describe how to integrate this solution with RSA Malware Analysis.
You will need:
- RSA NetWitness for Packets, with the Malware Analysis module.
- Cuckoo Sandbox.
Enable the File Sharing Protocol
The first step is to enable the File Sharing Protocol on the RSA Malware Analysis Service.
Change the Share Name
Next, you need to change the share name on the Malware Analysis service.
- Connect to the RSA Malware Analysis service through SSH.
- Change the share name from File Store to repository.
- Restart the smb service.
Configure the Cuckoo Sandbox
On the Cuckoo Sandbox, you need to create a script file.
- Connect to the Cuckoo Sandbox through SSH.
- Create a directory named /mnt/rsamalware.
- Create a script file named rsamalware.sh in Cuckoo's utils directory, and set executable permission for
- Enter the following code into the script file using a text editor (replace your_rsa_malware with the IP address for your RSA Malware Analysis service):
Run the Script Periodically
Finally, add a cron job to run the script periodically. You can change the period based on the demands of your installation.
In the following procedure, we set the frequency so the script runs every 5 minutes.
- Open a terminal on your Cuckoo sandbox.
- Run the following command:
This opens crontab in a vim editor.
- Press ‘i’ to enter edit mode, and navigate to the final line in the file.
- Copy the following line into the editor:
*/5 * * * * /utils/rsamalware.sh
This runs the script every 5 minutes.
- Press the Escape key, then enter :wq! to save your work and close the vim editor.
The following message is displayed, indicating that the job was installed correctly:
crontab: installing new crontab
The job will run every 5 minutes.
Below is the text version of the rsamalware.sh script. You can copy this code when you are editing your file.
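The script itself is not reproduced here, so the following is an added example of what such an rsamalware.sh could look like; it is not the original script from this document. It assumes the renamed share is mounted read-only over CIFS at /mnt/rsamalware, that Cuckoo is installed under /opt/cuckoo with its utils/submit.py helper (both assumed paths), and it keeps a state file of SHA-256 hashes so a sample is submitted to Cuckoo only once even if it reappears under another name.

```shell
#!/bin/sh
# Added example, not the original rsamalware.sh: poll the RSA Malware Analysis
# share and submit every file not seen before to Cuckoo. Runs from cron.

RSA_HOST="${RSA_HOST:-your_rsa_malware}"           # replace with the RSA Malware Analysis IP
SHARE_MOUNT="${SHARE_MOUNT:-/mnt/rsamalware}"
CUCKOO_HOME="${CUCKOO_HOME:-/opt/cuckoo}"           # assumed Cuckoo install path
STATE_FILE="${STATE_FILE:-/var/tmp/rsamalware.submitted}"

# Mount the renamed share ("repository") read-only unless it is already mounted.
# Read-only keeps a compromised sandbox host from altering the evidence store.
mount_share() {
    mountpoint -q "$SHARE_MOUNT" && return 0
    mount -t cifs -o ro,guest "//$RSA_HOST/repository" "$SHARE_MOUNT"
}

# Print "<sha256> <path>" for every regular file under $1 whose hash is not
# already recorded in state file $2. Deduplicating by hash rather than by file
# name avoids resubmitting the same sample under a different name.
new_samples() {
    dir="$1"; state="$2"
    touch "$state"
    find "$dir" -type f -exec sha256sum {} + 2>/dev/null |
    while read -r hash path; do
        grep -q "^$hash " "$state" || printf '%s %s\n' "$hash" "$path"
    done
}

# Submit one file to Cuckoo; record its hash only if the submission succeeded,
# so a failed submission is retried on the next cron run.
submit_sample() {
    hash="$1"; path="$2"
    python "$CUCKOO_HOME/utils/submit.py" "$path" &&
        printf '%s %s\n' "$hash" "$path" >> "$STATE_FILE"
}

main() {
    mount_share || { echo "cannot mount //$RSA_HOST/repository" >&2; exit 1; }
    new_samples "$SHARE_MOUNT" "$STATE_FILE" | while read -r hash path; do
        submit_sample "$hash" "$path"
    done
}

# Run the full job only when invoked as rsamalware.sh (as cron does), so the
# functions can be sourced and exercised without mounting or submitting.
case "$0" in *rsamalware.sh) main ;; esac
```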
Originally published here: https://community.rsa.com/docs/DOC-86551