
MalNetXtract0r for Cuckoo Sandbox

MalNetXtract0r is an integrated malware-analysis tool that automatically analyzes the malicious files transiting your network, with no manual operation.

It can be installed on a host acting as gateway for the other machines on the same network. It works by sniffing the gateway's network interface to extract the payloads (.zip, .exe, .doc, .pdf, etc.) downloaded from the Internet or intranet, and then sends them to Cuckoo Sandbox (https://cuckoosandbox.org/) for analysis.

Tested successfully with the following application protocols:
- HTTP
- SMTP
- FTP
- IRC

# External Packages Required

- Tcpdump v4.9 (http://www.tcpdump.org)
- TCPflow v1.4.6 (https://github.com/simsong/tcpflow)
- Foremost v1.5.7 (http://foremost.sourceforge.net/pkg/foremost-1.5.7.tar.gz)
- munpack v1.5 (http://ftp.andrew.cmu.edu/pub/mpack/)
- Python v2.7 (https://www.python.org/downloads/release/python-2713/)
- Cuckoo Sandbox 2.0 (https://cuckoosandbox.org/)


# How To Use

- Create a local directory of your choice and extract the contents of eXtract0r.zip;

- In the cuckoo_submitter.sh script, set the variable "cuckoo_path" to the path of your Cuckoo Sandbox installation;

- In the starter.sh script, set the variable "interface" to your network interface (default: eth0);

- Run the starter.sh script.


Output:
- Analysis_log: log file with the details of each intercepted file (source, destination, URL) and the path to the Cuckoo Sandbox analysis result file
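To show what the extraction stage described above (tcpflow stream reconstruction, foremost carving, munpack for mail attachments) actually has to do before a file can be handed to Cuckoo, here is an added example in Python 3. It is not part of the eXtract0r tool or of Cuckoo: it reconstructs a download from a captured HTTP request/response pair and an attachment from the client side of an SMTP session, recognises the payload type by magic number, saves it under its SHA-256, and emits an Analysis_log-style record (source, destination, URL, saved path). The byte strings are constructed stand-ins for the per-direction files tcpflow writes, the magic-number table and the log-line format are assumptions, and Python's email module stands in for munpack.

```python
"""Added example, not part of the eXtract0r tool or Cuckoo: reconstruct files
carried in captured HTTP and SMTP streams and record them Analysis_log-style.
Assumptions (labelled): the streams below are constructed stand-ins for tcpflow
output; types are recognised by magic number (foremost's job in the real tool);
MIME attachments are decoded with the stdlib email module instead of munpack."""
import base64
import email
import hashlib
import os
import tempfile
from email import policy

# Magic numbers for the payload types the page lists (constructed table).
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",        # also .docx and other ZIP containers
    b"MZ": "exe",
    b"\xd0\xcf\x11\xe0": "doc",  # legacy OLE2 Office documents
}

# Constructed sample streams: a 64-byte PE stub served over HTTP (followed by
# the next response on the same keep-alive connection) and an SMTP session
# carrying a base64 attachment whose bytes start with a ZIP local header.
FAKE_EXE = b"MZ" + b"\x90" * 62
FAKE_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00"
HTTP_REQUEST = (b"GET /files/update.exe HTTP/1.1\r\n"
                b"Host: downloads.example.test\r\n\r\n")
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 b"Content-Length: 64\r\n\r\n" + FAKE_EXE
                 + b"HTTP/1.1 304 Not Modified\r\n\r\n")
SMTP_STREAM = (b"EHLO client.example.test\r\nMAIL FROM:<a@example.test>\r\n"
               b"RCPT TO:<b@example.test>\r\nDATA\r\n"
               b"From: a@example.test\r\nTo: b@example.test\r\nSubject: invoice\r\n"
               b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"XYZ\"\r\n\r\n"
               b"--XYZ\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
               b"--XYZ\r\nContent-Type: application/zip; name=\"invoice.zip\"\r\n"
               b"Content-Disposition: attachment; filename=\"invoice.zip\"\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n"
               + base64.b64encode(FAKE_ZIP) + b"\r\n--XYZ--\r\n.\r\nQUIT\r\n")


def identify(data):
    """Return a type label for a known magic number, else None."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    return None


def _split_headers(blob):
    """Split an HTTP message into (start line, {lowercase name: value}, body)."""
    head, _, body = blob.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def extract_http(request, response):
    """Pair a captured request with its response; return (url, body bytes).
    The body is cut at Content-Length so bytes of the next response on a
    keep-alive connection are not mistaken for part of the download."""
    req_line, req_hdrs, _ = _split_headers(request)
    _, path, _ = req_line.split(" ", 2)
    url = "http://%s%s" % (req_hdrs.get("host", ""), path)
    _, resp_hdrs, body = _split_headers(response)
    if "content-length" in resp_hdrs:
        body = body[: int(resp_hdrs["content-length"])]
    return url, body


def extract_smtp(stream):
    """Return [(filename, bytes)] for each attachment in the client side of an
    SMTP session; the message sits between DATA and the lone '.' terminator."""
    start = stream.find(b"DATA\r\n")
    end = stream.find(b"\r\n.\r\n", start)
    if start < 0 or end < 0:
        return []
    raw = stream[start + len(b"DATA\r\n"):end]
    # undo SMTP dot-stuffing (RFC 5321 section 4.5.2)
    raw = b"\r\n".join(l[1:] if l.startswith(b"..") else l for l in raw.split(b"\r\n"))
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "unnamed", part.get_content())
            for part in msg.iter_attachments()]


def save_payload(data, outdir):
    """Write the payload under its SHA-256 (repeat downloads dedupe); return the path."""
    path = os.path.join(outdir, "%s.%s" % (hashlib.sha256(data).hexdigest(),
                                           identify(data) or "bin"))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def analysis_log_line(src, dst, url, path):
    """One Analysis_log-style record (format is an assumption of this example)."""
    return "%s -> %s | %s | %s" % (src, dst, url, path)


def main():
    outdir = tempfile.mkdtemp(prefix="xtract0r-")
    url, body = extract_http(HTTP_REQUEST, HTTP_RESPONSE)
    print(analysis_log_line("10.0.0.5", "203.0.113.7", url, save_payload(body, outdir)))
    for name, data in extract_smtp(SMTP_STREAM):
        print(analysis_log_line("10.0.0.5", "198.51.100.25", "smtp attachment " + name,
                                save_payload(data, outdir)))


if __name__ == "__main__":
    main()
```

Running it prints two records, one per recovered file, and the saved paths are what a submitter script would hand to Cuckoo. Cutting the HTTP body at Content-Length and unstuffing SMTP dots are the two details that most often corrupt carved files when a capture contains more than one exchange per connection.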


# Feedback
For any question about the tool, please send your feedback to:

giovanni.delvecchio -at -smartnersecurity.net
