Today we will create a simple Python script that reads emails and submits their attachments to Cuckoo Sandbox.

This script follows a custom workflow. It connects to a specific mail server, checks for attachments in all emails received today, downloads them and then submits them to Cuckoo Sandbox. This approach is useful in an internal network where it is not possible to integrate the email server directly with the sandbox.

For this script to work you need a valid email address with its password and a few Python modules. Every user who thinks they have received a malicious attachment forwards the email to the Cuckoo email address. The script checks that mailbox from time to time and, if a new email with an attachment has arrived, downloads it. If the same attachment is sent by several people on the same day, the script will not download and submit it again, since it makes no sense to submit the same attachment many times.

This script is built to be saved on the Cuckoo VM. A Linux cron entry is also needed to run the script every few minutes.

Add the following line to /etc/crontab. It runs the script every 15 minutes. Replace the root user with the sandbox user, grant that user the required rights on /opt/cuckoo/, and make the script executable.

*/15 * * * *	root	/opt/cuckoo/mail_downloader.py

Add the following code block to file /opt/cuckoo/mail_downloader.py:

#!/usr/bin/env python3
import os
import subprocess
import traceback
import datetime
from datetime import date
from imbox import Imbox

# mail server host + credentials variables
host = "MAIL_SERVER"
username = "USERNAME"
password = "PASSWORD"

# no need to change these variables
today = date.today()
date_year = today.strftime("%Y")
date_mo = today.strftime("%m")
date_day = today.strftime("%d")
folder = date_year + "-" + date_mo + "-" + date_day
# under cron the working directory is the user's home directory, so prefer an absolute path here
download_folder = "."
path = os.path.join(download_folder, folder)

# sandbox machine name. Cuckoo works best with VMs that have lowercase names
sandbox_machine = "win10"

# Create the download folder and today's daily folder in one go
os.makedirs(path, exist_ok=True)

# Connect to mail server
mail = Imbox(host, username=username, password=password, ssl=True, ssl_context=None, starttls=False)
messages = mail.messages(date__on=datetime.date(int(date_year), int(date_mo), int(date_day)))

# Iterate mails, download attachments, submit to sandbox
for (uid, message) in messages:
    mail.mark_seen(uid)

    for idx, attachment in enumerate(message.attachments):
        try:
            # basename() keeps a crafted name such as "../x" from escaping the daily folder;
            # an attachment without a name gets a positional one
            att_fn = os.path.basename(attachment.get('filename') or f"attachment_{idx}")
            download_path = os.path.join(path, att_fn)

            # same filename already seen today: skip it, no point submitting it twice
            if os.path.exists(download_path):
                continue

            with open(download_path, "wb") as fp:
                print(download_path)
                fp.write(attachment.get('content').read())

            # submit only after the file is closed and fully written; an argument list
            # (no shell) keeps characters from the attachment name out of the command line
            cmd = ["cuckoo", "submit", "--machine", sandbox_machine, download_path]
            #print(cmd)
            subprocess.run(cmd, check=True)
        except Exception:
            traceback.print_exc()

# log out from mail server
mail.logout()
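The script above deduplicates by filename, which misses the common case of the same file forwarded under a different name and lets the sender choose what is written to disk. As an added example (not part of the original script), here is an intake helper that deduplicates by SHA-256 of the content and reduces attacker-controlled names to a safe basename before they reach the filesystem or the cuckoo command line. The sample attachments are constructed inline in the shape imbox returns (a dict with 'filename' and a file-like 'content'); sample_attachments, safe_filename, plan_submissions and submit_command are names chosen here.

```python
import hashlib
import os
import re
from io import BytesIO

def sample_attachments():
    """Constructed test data in the shape imbox returns: 'filename' plus a
    file-like 'content'. Not real mail; built fresh on every call."""
    return [
        {"filename": "invoice.doc", "content": BytesIO(b"MZ fake sample 1")},
        # same bytes under a different name: a forwarded duplicate
        {"filename": "Invoice (1).doc", "content": BytesIO(b"MZ fake sample 1")},
        # crafted name trying to escape the daily folder
        {"filename": "../../etc/passwd", "content": BytesIO(b"traversal attempt")},
        # attachment with no name at all
        {"filename": None, "content": BytesIO(b"unnamed attachment")},
    ]

def safe_filename(name):
    """Keep only the basename and a conservative character set, so the stored
    name can never carry path separators (either style) or shell metacharacters."""
    base = os.path.basename(name or "")
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return base or "unnamed"

def plan_submissions(attachments, seen_hashes):
    """Return (stored_name, sha256, data) for each attachment whose content has
    not been seen yet; seen_hashes is updated so later runs skip repeats."""
    plan = []
    for att in attachments:
        data = att.get("content").read()
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen_hashes:
            continue
        seen_hashes.add(digest)
        # prefix with the hash so two different files with the same name coexist
        stored_name = f"{digest[:12]}_{safe_filename(att.get('filename'))}"
        plan.append((stored_name, digest, data))
    return plan

def submit_command(sandbox_machine, download_path):
    """Argument list for subprocess.run(); an argv list needs no shell quoting."""
    return ["cuckoo", "submit", "--machine", sandbox_machine, download_path]
```

In the script above, feed message.attachments to plan_submissions with a seen_hashes set persisted per day, write each returned data to the daily folder under stored_name, and run subprocess.run(submit_command(sandbox_machine, download_path), check=True) in place of os.system.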