Analysis of nested archives with Cuckoo Sandbox: SFlock 0.1 release

Posted on Sat 10 September 2016 in sflock by Jurriaan Bremer and Sander Ferdinand

It has been almost six years since Cuckoo Sandbox started out. Ever since then, it’s had the same, basic file submission capabilities. With the release of the first version of the SFlock library and Cuckoo’s new and upcoming Web Interface (still to be announced) this is about to change.

Those analyzing malicious documents attached to incoming emails with Cuckoo may have noticed the lack of proper .zip support, let alone other popular archive formats such as .rar, .7z, and .ace (an ancient archive format that’s been getting a lot of attention in spamruns in recent months).

Although we are still actively working on the new Web Interface, which has not yet been finished off, we can already show some screenshots regarding the new submission page that represent the functionality the sflock library exposes to Cuckoo Sandbox.

Following we have submitted a couple of files. Namely the following three:

  • eml_nested_eml.eml, an email with another email as attachment containing a Microsoft Office Word document as well as a cuckoo.png image, based on a sample by @edwincheese.
  • msg_invoice.msg, an email with an embedded Microsoft Outlook Macro object containing a Firefox 43.0.1 installer executable, based on ...

Continue reading