
cuckoomon-modified's People

Contributors

brad-sp, defekkt, jbremer, jgajek, killerinstinct, merx1030, rep, spender-sandbox, thorsten-sick


cuckoomon-modified's Issues

cross compiling on linux/ubuntu

Greetings,

Has anyone successfully compiled it on linux/ubuntu?

I see some files including Windows.h instead of windows.h, which does not work on Ubuntu.

Other errors are also emitted.

Dumping SSL/TLS master secrets

Any interest in porting this feature over from the new Cuckoo 2.0 monitor? Based on a cursory review of the code, only two additional APIs in ncrypt.dll would need to be hooked: PRF and Ssl3GenerateKeyMaterial.
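Added example, not cuckoomon's or the Cuckoo 2.0 monitor's code: once the hooked PRF / Ssl3GenerateKeyMaterial calls have dumped master secrets, the useful next step is turning them into the NSS key log format that Wireshark reads ("CLIENT_RANDOM <client_random hex> <master_secret hex>"). The record layout assumed here (one line of client_random,server_random,master_secret in hex) is modelled on the Cuckoo 2.0 tlsmaster dump and is an assumption; the sample dump is constructed.

```python
# Added example (not cuckoomon code): convert dumped TLS master secrets into the
# NSS key log format that Wireshark loads as "(Pre)-Master-Secret log filename".
# Assumption: each dump record is one comma-separated line of
# client_random,server_random,master_secret as hex, modelled on the Cuckoo 2.0
# monitor's tlsmaster.txt output; adjust parse_tlsmaster() if your layout differs.

CLIENT_RANDOM_LEN = 32   # bytes, ClientHello.random in TLS 1.0-1.2
MASTER_SECRET_LEN = 48   # bytes, RFC 5246 section 8.1

# Constructed sample dump (not captured from a real sample): two valid records,
# one duplicate of the first, and one truncated record that must be rejected.
SAMPLE_DUMP = "\n".join([
    "11" * 32 + "," + "22" * 32 + "," + "33" * 48,
    "aa" * 32 + "," + "bb" * 32 + "," + "cc" * 48,
    "11" * 32 + "," + "22" * 32 + "," + "33" * 48,
    "de" * 16 + "," + "ad" * 32 + "," + "be" * 48,
])


def parse_tlsmaster(text):
    """Return ([(client_random, master_secret)], rejected_count) from dump text.
    Malformed lines are counted and skipped rather than poisoning the key log."""
    records, rejected = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 3:
            rejected += 1
            continue
        try:
            client_random, _server_random, master_secret = (bytes.fromhex(p) for p in parts)
        except ValueError:
            rejected += 1
            continue
        if len(client_random) != CLIENT_RANDOM_LEN or len(master_secret) != MASTER_SECRET_LEN:
            rejected += 1
            continue
        records.append((client_random, master_secret))
    return records, rejected


def to_keylog(records):
    """Render unique records as NSS key log lines:
    CLIENT_RANDOM <64 hex chars> <96 hex chars>.
    The server random is not needed; Wireshark matches on client_random alone."""
    seen, lines = set(), []
    for client_random, master_secret in records:
        if client_random in seen:
            continue
        seen.add(client_random)
        lines.append("CLIENT_RANDOM %s %s" % (client_random.hex(), master_secret.hex()))
    return lines


if __name__ == "__main__":
    recs, bad = parse_tlsmaster(SAMPLE_DUMP)
    print("\n".join(to_keylog(recs)))
    print("# rejected records: %d" % bad)
```

Point Wireshark at the written file (Preferences, Protocols, TLS) and the sandbox pcap decrypts regardless of the cipher suite, as long as the session was not resumed from a ticket whose secret was never logged.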

dll_of_interest setting

I think in

VOID CALLBACK DllLoadNotification(

we should change

                if (g_config.file_of_interest && !wcsicmp(library.Buffer, g_config.file_of_interest)) {
                        set_dll_of_interest((ULONG_PTR)NotificationData->Loaded.DllBase);

to


                /* buffer for a full \\?\-style path; release it with free() once the comparison is done */
                wchar_t *absolutename = malloc(32768 * sizeof(wchar_t));
                ensure_absolute_unicode_path(absolutename, library.Buffer);

                if (g_config.file_of_interest && !wcsicmp(absolutename, g_config.file_of_interest)) {
                        set_dll_of_interest((ULONG_PTR)NotificationData->Loaded.DllBase);

Cuckoomon evasion tactic

MD5: ffbb763b95ea8f9ea44e786c0ff43bf5

Creates a child process, then injects a PE image into its virtual address space:

image

The child process evades analysis by repeatedly calling Sleep(0):

image

Carving out the injected PE image and loading it into IDA Pro clearly shows the 1 million iteration loop with the Sleep calls:

image

This evasion tactic seems to work only because it is performed by a child process, which is treated differently by Cuckoomon than the main target process.

abnormal number of logged NtDelayExecution calls

Test sample:
MD5 021f31695fd226cedb5f944860a6dc5b
SHA1 17c8273082cbbf34a0a6d5deaff87bb82d2ce168

2_report.json.txt

There seems to be an abnormal number of logged consecutive calls to NtDelayExecution for this sample.
I reversed this sample using OllyDbg and traced up to the address in the "behavioral analysis" tab.
The number of calls should only be 10, but cuckoomon seems to continuously log infinitely.
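Added example, not cuckoomon code, covering both this report and the Sleep(0) child-process evasion above: a post-processor that collapses consecutive calls to the same API in a Cuckoo-style behavior log into one record with a count, and flags a long run of near-zero sleeps as a stall loop. The report layout (process objects with a "calls" list of {"api", "arguments"} entries, and cuckoomon's "Milliseconds" argument on NtDelayExecution) is a constructed simplification, real reports differ between Cuckoo versions, and the 1000-call threshold is an assumption.

```python
# Added example, not cuckoomon code: post-process a Cuckoo-style behavior log so
# that a tight Sleep(0) loop (the child-process evasion reported above) and the
# runaway NtDelayExecution logging in this report become one readable line each.
# The report layout below is a constructed simplification: process objects with
# a "calls" list of {"api", "arguments"} entries, carrying cuckoomon's
# "Milliseconds" argument for NtDelayExecution. Real reports differ by version.
import json

SLEEP_APIS = ("NtDelayExecution",)
# Assumed threshold, not a cuckoomon setting: at least this many consecutive
# sleeps averaging under 1 ms is reported as a stall loop.
BURST_THRESHOLD = 1000


def build_sample_report():
    """Constructed report: a parent that spawns and writes into a child, a child
    that spins on Sleep(0), and an unrelated process with ten 1-second sleeps."""
    parent_calls = [
        {"api": "CreateProcessInternalW", "arguments": {"CommandLine": "child.exe", "ProcessId": 200}},
        {"api": "WriteProcessMemory", "arguments": {"ProcessHandle": "0x5c", "Size": 4608}},
        {"api": "ResumeThread", "arguments": {"ThreadHandle": "0x60"}},
    ]
    child_calls = [{"api": "NtDelayExecution", "arguments": {"Milliseconds": 0}} for _ in range(50_000)]
    other_calls = [{"api": "NtDelayExecution", "arguments": {"Milliseconds": 1000}} for _ in range(10)]
    return json.dumps({"behavior": {"processes": [
        {"pid": 100, "process_name": "sample.exe", "calls": parent_calls},
        {"pid": 200, "process_name": "child.exe", "calls": child_calls},
        {"pid": 300, "process_name": "other.exe", "calls": other_calls},
    ]}})


def iter_calls(report_json):
    """Yield (pid, process_name, api, arguments) in logged order."""
    report = json.loads(report_json)
    for proc in report["behavior"]["processes"]:
        for call in proc["calls"]:
            yield proc["pid"], proc["process_name"], call["api"], call.get("arguments", {})


def collapse_runs(calls):
    """Merge consecutive calls to the same API from the same process into one
    record carrying a count and, for sleeps, the total requested delay in ms."""
    runs = []
    for pid, name, api, args in calls:
        ms = int(args.get("Milliseconds", 0))
        if runs and runs[-1]["pid"] == pid and runs[-1]["api"] == api:
            runs[-1]["count"] += 1
            runs[-1]["total_ms"] += ms
        else:
            runs.append({"pid": pid, "process_name": name, "api": api, "count": 1, "total_ms": ms})
    return runs


def find_stall_loops(runs, threshold=BURST_THRESHOLD):
    """A long run of sleeps averaging under 1 ms burns sandbox wall-clock time
    without ever requesting a delay long enough for sleep skipping to matter."""
    return [r for r in runs
            if r["api"] in SLEEP_APIS and r["count"] >= threshold and r["total_ms"] < r["count"]]


def analyze(report_json):
    runs = collapse_runs(iter_calls(report_json))
    return runs, find_stall_loops(runs)


if __name__ == "__main__":
    runs, loops = analyze(build_sample_report())
    for r in runs:
        print("%-12s pid %-4d %-24s x%-6d %d ms" % (r["process_name"], r["pid"], r["api"], r["count"], r["total_ms"]))
    for loop in loops:
        print("stall loop: %s (pid %d) made %d near-zero sleeps" % (loop["process_name"], loop["pid"], loop["count"]))
```

The collapsed view is what you want in a report regardless of whether the monitor over-logs: the ten real sleeps in this issue stay as one line with count 10 and total 10000 ms, while a Sleep(0) spin shows up as a single line with a very large count and a near-zero total.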

Missing registry hooks

RegCopyTree
RegCreateKeyTransacted
RegDeleteKeyTransacted
RegDeleteTree
RegGetValue

They are not supported on Windows XP, so perhaps that is why they were missed.
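Added example, not cuckoomon code: the audit that surfaces a list like this one, comparing the registry exports of advapi32.dll against the APIs declared in a cuckoomon-style hook table (the HOOK(module, Function, stackbytes) macro form seen elsewhere on this page). Both the hook-table excerpt and the export list below are constructed subsets; generate the real export list from the DLL you are auditing (for example with dumpbin /exports or pefile).

```python
# Added example, not cuckoomon code: find registry exports that have no hook.
import re

# Matches cuckoomon-style hook table entries such as HOOK(advapi32, RegOpenKeyExA, 20)
# or HOOK_NOTAIL(user32, CreateWindowExA, 12); the stack-size field is ignored here.
HOOK_RE = re.compile(r"^\s*HOOK(?:_[A-Z]+)?\(\s*(\w+)\s*,\s*(\w+)\s*,\s*\d+\s*\)")

# Constructed hook table: a short excerpt in the macro style, not the real hooks.h.
HOOK_TABLE = """\
    HOOK(advapi32, RegOpenKeyExA, 20),
    HOOK(advapi32, RegOpenKeyExW, 20),
    HOOK(advapi32, RegCreateKeyExA, 36),
    HOOK(advapi32, RegCreateKeyExW, 36),
    HOOK(advapi32, RegDeleteKeyA, 8),
    HOOK(advapi32, RegQueryValueExA, 24),
    HOOK_NOTAIL(user32, CreateWindowExA, 12),
"""

# Constructed export list for advapi32.dll (a subset, not the full export table).
ADVAPI32_EXPORTS = [
    "RegOpenKeyExA", "RegOpenKeyExW", "RegCreateKeyExA", "RegCreateKeyExW",
    "RegDeleteKeyA", "RegQueryValueExA",
    "RegCopyTreeA", "RegCopyTreeW",
    "RegCreateKeyTransactedA", "RegCreateKeyTransactedW",
    "RegDeleteKeyTransactedA", "RegDeleteKeyTransactedW",
    "RegDeleteTreeA", "RegDeleteTreeW",
    "RegGetValueA", "RegGetValueW",
    "CryptAcquireContextA", "OpenProcessToken",
]


def hooked_exports(hook_table, module):
    """Set of function names the hook table declares for `module`."""
    hooked = set()
    for line in hook_table.splitlines():
        m = HOOK_RE.match(line)
        if m and m.group(1).lower() == module.lower():
            hooked.add(m.group(2))
    return hooked


def missing_hooks(hook_table, module, exports, prefix="Reg"):
    """Exports starting with `prefix` that the hook table does not cover."""
    hooked = hooked_exports(hook_table, module)
    return sorted(e for e in exports if e.startswith(prefix) and e not in hooked)


def collapse_aw(names):
    """Fold FooA/FooW pairs into Foo when both variants are present, so the
    result reads like the list in this issue."""
    names = set(names)
    out = set()
    for n in names:
        if n[-1] in "AW" and (n[:-1] + "A") in names and (n[:-1] + "W") in names:
            out.add(n[:-1])
        else:
            out.add(n)
    return sorted(out)


if __name__ == "__main__":
    for name in collapse_aw(missing_hooks(HOOK_TABLE, "advapi32", ADVAPI32_EXPORTS)):
        print(name)
```

Running the same comparison against the ntdll Nt*/Zw* exports is worth doing too, since a sample that calls the native registry API directly bypasses an advapi32-only hook set.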

IE11 errors on 64-bit Win 7 VM

I’m having an issue when submitting a task that runs Internet Explorer 11 in a 64-bit Windows 7 VM. IE throws an error popup and doesn’t run. This issue doesn’t happen in my 32-bit VM. However, if I disable injection, then IE runs.

IE Version - 11.0.9600.16428 (KB2841134)

2017-01-20 09:21:25,812 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""http://"" with pid 2848
2017-01-20 09:21:25,812 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:25,921 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2017-01-20 09:21:27,921 [lib.api.process] INFO: Successfully resumed process with pid 2848
2017-01-20 09:21:27,921 [root] INFO: Added new process to list with pid: 2848
2017-01-20 09:21:28,015 [root] INFO: Cuckoomon successfully loaded in process with pid 2848.
2017-01-20 09:21:28,046 [root] INFO: Announced 64-bit process name: iexplore.exe pid: 2688
2017-01-20 09:21:28,046 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:28,092 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2688
2017-01-20 09:21:28,092 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,187 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,203 [root] INFO: Added new process to list with pid: 2688
2017-01-20 09:21:28,203 [root] INFO: Cuckoomon successfully loaded in process with pid 2688.
2017-01-20 09:21:29,875 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2688.
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2848.
2017-01-20 09:21:31,921 [root] INFO: Process with pid 2848 has terminated
2017-01-20 09:21:32,921 [root] INFO: Process with pid 2688 has terminated

How logs are written to file in Cuckoomon

Hi,
may I ask how logs (API calls, process creation, ...) are written in CuckooMon? My understanding is that the function loq() in log.c does the job, but I don't have a general idea of how exactly it works. Could you please let me know, or give me a pointer to where I should look?
Thanks

Crash in InternetSetOptionA

Sample SHA1: e54c43312f800c2d9d6d54223af97d6af5387622

284    InternetOpenW    
ProxyBypass: 
AccessType: 0x00000001 
Agent: 
Flags: 0x00000000 
ProxyName: 

->

284     __anomaly__ 
ThreadIdentifier: 284 
Subcategory: cuckoocrash 
Message: Exception reported at offset 0xd840 in cuckoomon itself 

CreateWindowEx Crash

Hi!

Found an indirect crash, maybe because of:
HOOK_NOTAIL(user32, CreateWindowExA, 12),
HOOK_NOTAIL(user32, CreateWindowExW, 12),

The crash could be reproduced by opening the save dialog in notepad (Windows 7 x64 Enterprise SP1).

Exception Message:

Unhandled exception at 0x000000000018F2F0 in notepad.exe: 0xC000041D: An unhandled exception was encountered during a user callback.

Notepad callstack

000000000018f2f0()  <- not in executable region
user32.dll!UserCallWinProcCheckWow()   
user32.dll!DispatchClientMessage() 
user32.dll!__fnDWORD() 
ntdll.dll!KiUserCallbackDispatcherContinue()   
user32.dll!ZwUserDestroyWindow()   
shell32.dll!CChangeRouterProxy::Release(void)   
shell32.dll!SHChangeNotifyRegisterThread() 
comdlg32.dll!CFileOpenSave::Show(struct HWND__ *)   
notepad.exe!ShowOpenSaveDialog()   
notepad.exe!InvokeSaveDialog() 
notepad.exe!NPCommand()    
notepad.exe!NPWndProc()    
user32.dll!UserCallWinProcCheckWow()   
user32.dll!DispatchClientMessage() 
user32.dll!__fnDWORD() 
ntdll.dll!KiUserCallbackDispatcherContinue()   
user32.dll!NtUserTranslateAccelerator()    
user32.dll!TranslateAcceleratorW() 
notepad.exe!WinMain()  

UserCallWinProcCheckWow:

0000000077049AF4  mov         rax,rsp  
0000000077049AF7  mov         qword ptr [rax+8],rsi  
0000000077049AFB  mov         qword ptr [rax+18h],rdi  
0000000077049AFF  mov         qword ptr [rax+20h],r12  
0000000077049B03  mov         qword ptr [rax+10h],rdx  
0000000077049B07  push        r13  
0000000077049B09  push        r14  
0000000077049B0B  push        r15  
0000000077049B0D  sub         rsp,0A0h  
0000000077049B14  mov         r13d,r9d  
0000000077049B17  mov         r15,r8  
0000000077049B1A  mov         r14,rcx  
0000000077049B1D  and         qword ptr [rax-80h],0  
0000000077049B22  mov         rax,qword ptr gs:[30h]  
0000000077049B2B  mov         rdx,qword ptr [rax+860h]  
0000000077049B32  test        rdx,rdx  
0000000077049B35  je          UserCallWinProcCheckWow+4Ch (077049B40h)  
0000000077049B37  test        byte ptr [rdx],4  
0000000077049B3A  jne         UserCallWinProcCheckWow+0FFFFB9E5h (0770454D9h)  
0000000077049B40  xor         r12d,r12d  
0000000077049B43  mov         dword ptr [rsp+40h],r12d  
0000000077049B48  lea         edi,[r12+1]  
0000000077049B4D  mov         qword ptr [rsp+50h],48h  
0000000077049B56  mov         dword ptr [rsp+58h],edi  
0000000077049B5A  xor         edx,edx  
0000000077049B5C  lea         r8d,[rdx+38h]  
0000000077049B60  lea         rcx,[rsp+60h]  
0000000077049B65  call        memset (0770497ECh)  
0000000077049B6A  xor         esi,esi  
0000000077049B6C  mov         dword ptr [rsp+30h],esi  
0000000077049B70  test        r12d,r12d  
0000000077049B73  jne         UserCallWinProcCheckWow+0B7h (077049BABh)  
0000000077049B75  mov         rdx,r14  
0000000077049B78  lea         rcx,[rsp+50h]  
0000000077049B7D  call        qword ptr [__imp_RtlActivateActivationContextUnsafeFast (0770B2078h)]  
0000000077049B83  lock add    dword ptr [gcCallUserApiHook (0770C2100h)],edi  
0000000077049B8A  cmp         qword ptr [ghmodUserApiHook (0770C21F8h)],rsi  
0000000077049B91  je          UserCallWinProcCheckWow+0FFFEC3E6h (077035EDAh)  
0000000077049B97  cmp         dword ptr [gfUserApiHook (0770C2130h)],esi  
0000000077049B9D  je          UserCallWinProcCheckWow+0FFFEC3E6h (077035EDAh)  
0000000077049BA3  mov         esi,edi  
0000000077049BA5  mov         dword ptr [rsp+30h],edi  
0000000077049BA9  jmp         UserCallWinProcCheckWow+0B7h (077049BABh)  
0000000077049BAB  test        esi,esi  
0000000077049BAD  je          UserCallWinProcCheckWow+100h (077049BF4h)  
0000000077049BAF  cmp         dword ptr [rsp+0F8h],0  
0000000077049BB7  je          UserCallWinProcCheckWow+100h (077049BF4h)  
0000000077049BB9  mov         edx,r13d  
0000000077049BBC  shr         edx,3  
0000000077049BBF  mov         r8,qword ptr [guah+60h (0770C23E0h)]  
0000000077049BC6  test        r8,r8  
0000000077049BC9  je          UserCallWinProcCheckWow+0FFFFEED1h (0770489C5h)  
0000000077049BCF  cmp         edx,dword ptr [guah+68h (0770C23E8h)]  
0000000077049BD5  jae         UserCallWinProcCheckWow+0FFFFEED1h (0770489C5h)  
0000000077049BDB  mov         ecx,r13d  
0000000077049BDE  and         ecx,7  
0000000077049BE1  shl         edi,cl  
0000000077049BE3  movzx       ecx,byte ptr [rdx+r8]  
0000000077049BE8  and         edi,ecx  
0000000077049BEA  jmp         UserCallWinProcCheckWow+0F8h (077049BECh)  
0000000077049BEC  test        edi,edi  
0000000077049BEE  jne         UserCallWinProcCheckWow+0FFFFEE4Ah (07704893Eh)  
0000000077049BF4  mov         r9,qword ptr [rsp+0E8h]  
0000000077049BFC  mov         r8,qword ptr [rsp+0E0h]  
0000000077049C04  mov         edx,r13d  
0000000077049C07  mov         rcx,r15  
0000000077049C0A  call        qword ptr [rsp+0C8h]  <--------------- CALLED from here
0000000077049C11  mov         qword ptr [rsp+38h],rax  
0000000077049C16  test        r12d,r12d  
0000000077049C19  jne         UserCallWinProcCheckWow+13Bh (077049C2Fh)  
0000000077049C1B  test        esi,esi  
0000000077049C1D  je          UserCallWinProcCheckWow+130h (077049C24h)
...

crash in word file

Hello,
Can someone detonate this file, say, four times, with and without --package doc?

I think I can consistently notice a crash once in every three runs or so.

c1a824f5163c7cb5c05db22c497c8df73309354eab39fe4982509b1b44017427

Thanks

CreateRemoteThread hook bypass

Recent Dridex sample (MD5 92b40f871e2273013f6f5211251a0051) uses CreateRemoteThread to inject code into Explorer.exe without Cuckoomon noticing. There are alerts about the process trying to suspend Cuckoomon threads, but the CreateRemoteThread call is not logged, and subsequent malicious activity from within Explorer.exe not monitored as a result.

The injection activity was logged by a Carbon Black agent on the analysis VM, however, and the subsequent 'netsh advfirewall' command executed from within Explorer.exe was a tell-tale sign of Dridex.
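Added example, not cuckoomon's or Carbon Black's code: the correlation this post describes, done from an out-of-process sensor that still sees the CreateRemoteThread even when an in-process hook is bypassed. It pairs a remote-thread event with what the injected process spawns shortly afterwards and alerts when the child is on a watch-list (netsh here). The events are constructed and modelled loosely on Sysmon event 8 (CreateRemoteThread) and event 1 (ProcessCreate); the field names, the 60-second window, the watch-list and the netsh command line are all assumptions.

```python
# Added example, not cuckoomon code: correlate an out-of-process sensor's
# CreateRemoteThread events with what the injected process does next.
# Events are constructed and modelled loosely on Sysmon event 8 (CreateRemoteThread)
# and event 1 (ProcessCreate); field names and command lines are simplified.

INJECT_WINDOW_S = 60.0
# Assumed watch-list of child images that are unusual for explorer.exe to spawn.
SUSPICIOUS_CHILDREN = ("netsh.exe", "cmd.exe", "powershell.exe", "rundll32.exe")

EVENTS = [
    {"t": 100.0, "type": "ProcessCreate", "pid": 4120, "ppid": 2200,
     "image": r"C:\Users\u\AppData\Local\Temp\sample.exe", "cmdline": "sample.exe"},
    {"t": 101.5, "type": "CreateRemoteThread", "src_pid": 4120,
     "src_image": r"C:\Users\u\AppData\Local\Temp\sample.exe",
     "target_pid": 1672, "target_image": r"C:\Windows\explorer.exe"},
    {"t": 102.0, "type": "ProcessCreate", "pid": 5004, "ppid": 1672,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    # A remote thread from a system process with no interesting follow-up.
    {"t": 150.0, "type": "CreateRemoteThread", "src_pid": 700,
     "src_image": r"C:\Windows\System32\csrss.exe",
     "target_pid": 1672, "target_image": r"C:\Windows\explorer.exe"},
    {"t": 400.0, "type": "ProcessCreate", "pid": 5100, "ppid": 1672,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def image_name(path):
    """Basename of a Windows or POSIX style path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_injections(events, window=INJECT_WINDOW_S):
    """Return one alert per CreateRemoteThread whose target spawns a
    watch-listed child within `window` seconds of the injection."""
    creates = [e for e in events if e["type"] == "ProcessCreate"]
    alerts = []
    for inj in (e for e in events if e["type"] == "CreateRemoteThread"):
        children = [
            c for c in creates
            if c["ppid"] == inj["target_pid"]
            and inj["t"] <= c["t"] <= inj["t"] + window
            and image_name(c["image"]) in SUSPICIOUS_CHILDREN
        ]
        if children:
            alerts.append({
                "injector": image_name(inj["src_image"]),
                "injector_pid": inj["src_pid"],
                "target": image_name(inj["target_image"]),
                "target_pid": inj["target_pid"],
                "children": [c["cmdline"] for c in children],
            })
    return alerts


if __name__ == "__main__":
    for a in correlate_injections(EVENTS):
        print("%s (pid %d) injected into %s (pid %d), which then ran: %s" % (
            a["injector"], a["injector_pid"], a["target"], a["target_pid"], "; ".join(a["children"])))
```

The parent/child link is what makes this robust: the injected explorer.exe is a legitimate, long-lived process, so the anomaly is not the injection target but a firewall-manipulating child appearing right after a remote thread was created in it.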

[question] how to compile monitor?

Hello,

I want to try a few things, but I'm having problems compiling it. How do you compile it?

Thank you
Best regards

PS tried:

  • visual studio express 2010 on win
  • mingw on linux
