Skip to content

ScanCuckoo

Sends files to Cuckoo sandbox.

Attributes:

Name Type Description
username

Username used for authenticating to Cuckoo. This is loaded from the scanner options or the environment variable 'CUCKOO_USERNAME'.
password

Password used for authenticating to Cuckoo. This is loaded from the scanner options or the environment variable 'CUCKOO_PASSWORD'.
auth_check

Boolean that determines if the username and password were previously checked. This ensures that the username and password are only checked once per worker.
Options

url: URL of the Cuckoo sandbox. Defaults to None. priority: Cuckoo priority assigned to the task. Defaults to 3. timeout: Amount of time (in seconds) to wait for the task to upload. Defaults to 10 seconds. unique: Boolean that tells Cuckoo to only analyze samples that have not been analyzed before. Defaults to True. username: See description above. password: See description above.

Source code in strelka/src/python/strelka/scanners/scan_cuckoo.py 
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
class ScanCuckoo(strelka.Scanner):
    """Sends files to Cuckoo sandbox.

    Attributes:
        username: Username used for authenticating to Cuckoo. This is loaded
            from the scanner options or the environment variable
            'CUCKOO_USERNAME'.
        password: Password used for authenticating to Cuckoo. This is loaded
            from the scanner options or the environment variable
            'CUCKOO_PASSWORD'.
        auth_check: Boolean that determines if the username and password were
            previously checked. This ensures that the username and password
            are only checked once per worker.

    Options:
        url: URL of the Cuckoo sandbox.
            Defaults to None.
        priority: Cuckoo priority assigned to the task.
            Defaults to 3.
        timeout: Amount of time (in seconds) to wait for the task to upload.
            Defaults to 10 seconds.
        unique: Boolean that tells Cuckoo to only analyze samples that have
            not been analyzed before.
            Defaults to True.
        username: See description above.
        password: See description above.
    """

    def init(self):
        self.username = None
        self.password = None
        self.auth_check = False

    def scan(self, data, file, options, expire_at):
        url = options.get("url", None)
        priority = options.get("priority", 3)
        timeout = options.get("timeout", 10)
        unique = options.get("unique", True)
        if not self.auth_check:
            self.username = options.get("username", None) or os.environ.get(
                "CUCKOO_USERNAME"
            )
            self.password = options.get("password", None) or os.environ.get(
                "CUCKOO_PASSWORD"
            )
            self.auth_check = True

        if url is not None:
            url += "/tasks/create/file"
            form = {
                "file": (f"strelka_{file.uid}", data),
                "priority": priority,
            }
            if unique:
                form["unique"] = "True"

            try:
                response = requests.post(
                    url,
                    files=form,
                    timeout=timeout,
                    auth=(self.username, self.password),
                )

                if response.status_code == 200:
                    self.event["taskId"] = response.json()["task_id"]
                elif response.status_code == 400:
                    self.flags.append("duplicate_upload")
                else:
                    self.flags.append("upload_failed")

            except requests.exceptions.ConnectTimeout:
                self.flags.append("connect_timeout")

Features

The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.

Feature
Support
IOC Support
Emit Files
Extended Docs
Malware Scanner
Image Thumbnails

Tastes

Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.

Source Filetype
Include / Exclude

Scanner Fields

This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.

Failure

No fields to display. The test file may not exist or could not be processed.

Sample Event

Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.

Failure

Test file not found for scanner cuckoo