Cuckoo Sandbox

This Integration is part of the Cuckoo Sandbox Pack.#

Overview

This integration was integrated and tested with Cuckoo Sandbox v2.0.7.

Cuckoo Sandbox Playbook

CuckooDetonateFile : Gets a file and detonates it on Cuckoo, returns report when available.
CuckooDetonateURL : Gets a URL and detonates it on Cuckoo, returns report when available.
CuckooGetScreenshots : Gets a taskID of Cuckoo's investigation and returns zipped screenshots

Use Cases

Analyze files and URLs in a safe environment (sandbox)
View Cuckoo's tasks and machines

Configure Cuckoo Sandbox on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services .
Search for Cuckoo Sandbox.
Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1 )
- Username (Only if your Cuckoo service requires HTTP auth)
- In order to authenticate with an API token, insert '__token' in the "Username" textbox, and the token itself in the "Password" textbox.
- Trust any certificate (not secure)
- Use system proxy settings
Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Create a task from a file: cuckoo-create-task-from-file
Get a task report: cuckoo-get-task-report
Get a list of all tasks: cuckoo-list-tasks
Submit a URL for analysis: cuckoo-create-task-from-url
Get task information: cuckoo-view-task
Delete a task: cuckoo-delete-task
Get analysis screenshots: cuckoo-task-screenshot
Get a list of analysis machines: cuckoo-machines-list
Get analysis machine information: cuckoo-machine-view

1. Create a task from a file

Retrieves a file's entry ID and creates a task with it.

Base Command

cuckoo-create-task-from-file

Input

Argument Name	Description	Required
entryID	File entry ID	Optional
fileID	File ID	Optional
machine	Label of the machine to use for analysis	Optional
package	Analysis package to be used for the analysis	Optional
timeout	Analysis timeout (in seconds)	Optional
enforce_timeout	Enable to enforce the execution for the full timeout value	Optional
platform	Name of the platform to select the analysis machine from (e.g., “windows”)	Optional
tags	Define machine to start by tags. Platform must be set to use that. Tags are comma-separated	Optional
memory	Enables the creation of a full memory dump of the analysis machine	Optional
options	Options to pass to the analysis package	Optional

Context Output

Path	Description
Cuckoo.Task.ID	ID of the task

Command Example

!cuckoo-create-task-from-file entryID=814@a969c6ba-e443-4287-8dce-378aa183e2d5

Context Example

Human Readable Output

2. Get a task report

Retrieves a task report by a task ID.

Base Command

cuckoo-get-task-report

Input

Argument Name	Description	Required
id	Task ID	Required

Context Output

Path	Description
Cuckoo.Task.Category	Category of task
Cuckoo.Task.Machine	Machine of task
Cuckoo.Task.Errors	Errors of task
Cuckoo.Task.Target	Target of task
Cuckoo.Task.Package	Package of task
Cuckoo.Task.SampleID	Sample ID of task
Cuckoo.Task.Guest	Task guest
Cuckoo.Task.Custom	Custom values of task
Cuckoo.Task.Owner	Task owner
Cuckoo.Task.Priority	Priority of task
Cuckoo.Task.Platform	Platform of task
Cuckoo.Task.Options	Task options
Cuckoo.Task.Status	Task status
Cuckoo.Task.EnforceTimeout	Is timeout of task enforced
Cuckoo.Task.Timeout	Task timeout
Cuckoo.Task.Memory	Task memory
Cuckoo.Task.Tags	Task tags
Cuckoo.Task.ID	ID of task
Cuckoo.Task.AddedOn	Date the task was added
Cuckoo.Task.CompletedOn	Date the task was completed
Cuckoo.Task.Score	Reported score of the the task
Cuckoo.Task.Monitor	Monitor of the reported task
Cuckoo.Task.FileInfo.sha1	The SHA1 hash of the file.
Cuckoo.Task.FileInfo.name	The file name.
Cuckoo.Task.FileInfo.type	The file type.
Cuckoo.Task.FileInfo.sha256	The SHA256 hash of the file.
Cuckoo.Task.FileInfo.urls	Related URLs of the file.
Cuckoo.Task.FileInfo.crc32	The CRC32 of the file.
Cuckoo.Task.FileInfo.path	The file path.
Cuckoo.Task.FileInfo.ssdeep	The ssdeep of the file.
Cuckoo.Task.FileInfo.size	The size of the file.
Cuckoo.Task.FileInfo.sha512	The SHA512 hash of the file.
Cuckoo.Task.FileInfo.md5	The MD5 hash of the file.

Command Example

!cuckoo-get-task-report id=86

Context Example

Human Readable Output

3. Get a list of all tasks

Returns a list of all tasks.

Base Command

cuckoo-list-tasks

Input

There is no input for this command.

Context Output

Path	Description
Cuckoo.Task.Category	Category of task
Cuckoo.Task.Machine	Machine of task
Cuckoo.Task.Errors	Errors of task
Cuckoo.Task.Target	Target of task
Cuckoo.Task.Package	Package of task
Cuckoo.Task.SampleID	Sample ID of task
Cuckoo.Task.Guest	Task guest
Cuckoo.Task.Custom	Custom values of task
Cuckoo.Task.Owner	Task owner
Cuckoo.Task.Priority	Priority of task
Cuckoo.Task.Platform	Platform of task
Cuckoo.Task.Options	Task options
Cuckoo.Task.Status	Task status
Cuckoo.Task.EnforceTimeout	Is timeout of task enforced
Cuckoo.Task.Timeout	Task timeout
Cuckoo.Task.Memory	Task memory
Cuckoo.Task.Tags	Task tags
Cuckoo.Task.ID	ID of task
Cuckoo.Task.AddedOn	Date the task was added
Cuckoo.Task.CompletedOn	Date the task was completed

Command Example

!cuckoo-list-tasks

Context Example

Human Readable Output

4. Submit a URL for analysis

Submits a URL to Cuckoo Sandbox for analysis.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

cuckoo-create-task-from-url

Input

Argument Name	Description	Required
url	URL to analyze	Required

Context Output

Path	Description
Cuckoo.Task.ID	Task ID

Command Example

!cuckoo-create-task-from-url url=google.com

Context Example

Human Readable Output

5. Get task information

Returns information for a specified task.

Base Command

cuckoo-view-task

Input

Argument Name	Description	Required
id	A comma-separated list of task IDs for which to retrieve information.	Required

Context Output

Path	Description
Cuckoo.Task.Category	Category of task
Cuckoo.Task.Machine	Machine of task
Cuckoo.Task.Errors	Errors of task
Cuckoo.Task.Target	Target of task
Cuckoo.Task.Package	Package of task
Cuckoo.Task.SampleID	Sample ID of task
Cuckoo.Task.Guest	Task guest
Cuckoo.Task.Custom	Custom values of task
Cuckoo.Task.Owner	Task owner
Cuckoo.Task.Priority	Priority of task
Cuckoo.Task.Platform	Platform of task
Cuckoo.Task.Options	Task options
Cuckoo.Task.Status	Task status
Cuckoo.Task.EnforceTimeout	Is timeout of task enforced
Cuckoo.Task.Timeout	Task timeout
Cuckoo.Task.Memory	Task memory
Cuckoo.Task.Tags	Task tags
Cuckoo.Task.ID	ID of task
Cuckoo.Task.AddedOn	Date the task was added
Cuckoo.Task.CompletedOn	Date the task was completed

Command Example

!cuckoo-view-task id=88

Context Example

Human Readable Output

6. Delete a task

Deletes a task from Cuckoo Sandbox.

Base Command

cuckoo-delete-task

Input

Argument Name	Description	Required
id	Task ID	Required

Context Output

There is no context output for this command.

Command Example

!cuckoo-delete-task id=88

7. Get analysis screenshots

Retrieves screenshots taken during a task analysis. If the screenshot number argument is omitted, the command retrieves a ZIP file with all screenshots.

Base Command

cuckoo-task-screenshot

Input

Argument Name	Description	Required
id	ID of the task that generated the screenshot	Required
screenshot	Numerical identifier of a single screenshot (e.g., 0001, 0002)	Optional

Context Output

Path	Description
File.Size	Size of file
File.SHA1	File SHA-1
File.SHA256	File SHA-256
File.Name	File name
File.SSDeep	File SSDeep
File.EntryID	File entry ID
File.Info	File info
File.Type	File type
File.MD5	File MD5
File.Extension	File extension

Command Example

!cuckoo-task-screenshot id=90

Context Example

Human Readable Output

8 Get a list of analysis machines

Returns a list with details on the analysis machines available to Cuckoo.

Base Command

cuckoo-machines-list

Input

There is no input for this command.

Context Output

Path	Description
Machine.Status	Status of machine
Machine.Locked	Is the machine locked
Machine.Name	Name of machine
Machine.ResultserverIP	IP address of machine's result server
Machine.IP	IP address of machine
Machine.Label	Label of the machine
Machine.LockedChangedOn	Last update time of machine lock status
Machine.Platform	Platform of the machine
Machine.Snapshot	Snapshot
Machine.Interface	Interface of machine
Machine.StatusChangedOn	Last update time of machine status
Machine.ID	ID of machine
Machine.ResultserverPort	Port address of machine's result server
Machine.Tags	Machine tags

Command Example

!cuckoo-machines-list

Context Example

Human Readable Output

9. Get analysis machine information

Returns details about the analysis machine associated with the specified machine name.

Base Command

cuckoo-machine-view

Input

Argument Name	Description	Required
name	Name of machine to get information for	Required

Context Output

Path	Description
Machine.Status	Status of machine
Machine.Locked	Is the machine locked
Machine.Name	Name of machine
Machine.ResultserverIP	IP address of machine's result server
Machine.IP	IP address of machine
Machine.Label	Label of machine
Machine.LockedChangedOn	last update time of machine lock status
Machine.Platform	Platform of machine
Machine.Snapshot	Snapshot
Machine.Interface	Interface of machine
Machine.StatusChangedOn	Last update time of machine status
Machine.ID	ID of machine
Machine.ResultserverPort	Port address of machine's result server
Machine.Tags	Machine tags

Command Example

!cuckoo-machine-view name=windowsxp