spender-sandbox / cuckoomon-modified
Modified edition of cuckoomon
License: GNU General Public License v3.0
Greetings,
Has anyone successfully compiled it on Linux/Ubuntu?
I see some files including Windows.h instead of windows.h, which does not work on Ubuntu. Other errors are also emitted.
Hi,
may I ask how logs (API calls, process creation, ...) are written in CuckooMon? My understanding is that the function loq() (in log.c) does the job, but I don't have a general idea of how it works exactly. Could you please let me know, or give me a pointer to where I should take a look?
Thanks
I’m having an issue when submitting a task that runs Internet Explorer 11 in a 64-bit Windows 7 VM. IE throws an error popup and doesn’t run. This issue doesn’t happen in my 32-bit VM. However, if I disable injection, then IE runs.
IE Version - 11.0.9600.16428 (KB2841134)
2017-01-20 09:21:25,812 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""http://"" with pid 2848
2017-01-20 09:21:25,812 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:25,921 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2017-01-20 09:21:27,921 [lib.api.process] INFO: Successfully resumed process with pid 2848
2017-01-20 09:21:27,921 [root] INFO: Added new process to list with pid: 2848
2017-01-20 09:21:28,015 [root] INFO: Cuckoomon successfully loaded in process with pid 2848.
2017-01-20 09:21:28,046 [root] INFO: Announced 64-bit process name: iexplore.exe pid: 2688
2017-01-20 09:21:28,046 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:28,092 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2688
2017-01-20 09:21:28,092 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,187 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,203 [root] INFO: Added new process to list with pid: 2688
2017-01-20 09:21:28,203 [root] INFO: Cuckoomon successfully loaded in process with pid 2688.
2017-01-20 09:21:29,875 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2688.
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2848.
2017-01-20 09:21:31,921 [root] INFO: Process with pid 2848 has terminated
2017-01-20 09:21:32,921 [root] INFO: Process with pid 2688 has terminated
I can't seem to find what the error might be.
Hooks work fine on a Windows XP guest OS:
MD5 1929d5db340aac125c3dcbd4bb44202e
SHA1 0ab64275390b2deaf983d751f77f0f77014ef49a
Any interest in porting this feature over from the new Cuckoo 2.0 monitor? Based on a cursory review of the code, only two additional APIs in ncrypt.dll would need to be hooked: PRF and Ssl3GenerateKeyMaterial.
Hi,
may I ask how to compile this using Visual Studio C++?
Thanks,
Recent Dridex sample (MD5 92b40f871e2273013f6f5211251a0051) uses CreateRemoteThread to inject code into Explorer.exe without Cuckoomon noticing. There are alerts about the process trying to suspend Cuckoomon threads, but the CreateRemoteThread call is not logged, and subsequent malicious activity from within Explorer.exe is not monitored as a result.
The injection activity was logged by a Carbon Black agent on the analysis VM, however, and the subsequent 'netsh advfirewall' command executed from within Explorer.exe was a tell-tale sign of Dridex.
I think in
VOID CALLBACK DllLoadNotification(
we should change
    if (g_config.file_of_interest && !wcsicmp(library.Buffer, g_config.file_of_interest)) {
        set_dll_of_interest((ULONG_PTR)NotificationData->Loaded.DllBase);
    }
to
    /* library.Buffer may be a bare or relative name; compare the absolute path instead */
    wchar_t *absolutename = malloc(32768 * sizeof(wchar_t));
    ensure_absolute_unicode_path(absolutename, library.Buffer);
    if (g_config.file_of_interest && !wcsicmp(absolutename, g_config.file_of_interest)) {
        set_dll_of_interest((ULONG_PTR)NotificationData->Loaded.DllBase);
    }
    free(absolutename);   /* release the scratch buffer */
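To show why comparing the loader-reported name can miss the DLL of interest, here is an added, portable C example; it is not code from the repository. `FILE_OF_INTEREST` stands in for `g_config.file_of_interest`, `make_absolute` is a deliberately simplified stand-in for `ensure_absolute_unicode_path` (the real function resolves against the process's current directory and handles more prefixes), `paths_equal` replaces the Windows CRT `wcsicmp`, and the base directory and DLL names are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
#include <wctype.h>

/* Stand-in for g_config.file_of_interest: the absolute path the analyst
   submitted. Constructed value for this example. */
static const wchar_t *const FILE_OF_INTEREST =
    L"C:\\Users\\analyst\\Desktop\\sample.dll";

/* Treat '\\' and '/' as the same separator. */
static int is_sep(wchar_t c) { return c == L'\\' || c == L'/'; }

/* Case-insensitive, separator-insensitive wide compare; 1 when equal.
   Portable replacement for the Windows CRT wcsicmp used in the patch. */
static int paths_equal(const wchar_t *a, const wchar_t *b) {
    for (; *a && *b; a++, b++) {
        if (is_sep(*a) && is_sep(*b)) continue;
        if (towlower((wint_t)*a) != towlower((wint_t)*b)) return 0;
    }
    return *a == *b;   /* both strings must end together */
}

/* "X:\..." or a UNC "\\server\share" path is already absolute. */
static int is_absolute(const wchar_t *p) {
    if (iswalpha((wint_t)p[0]) && p[1] == L':' && is_sep(p[2])) return 1;
    return p[0] == L'\\' && p[1] == L'\\';
}

/* Simplified model of ensure_absolute_unicode_path() (assumption): a bare or
   relative name is anchored at base_dir; an absolute name is copied through. */
static int make_absolute(wchar_t *out, size_t cap, const wchar_t *in,
                         const wchar_t *base_dir) {
    if (is_absolute(in)) {
        if (wcslen(in) + 1 > cap) return 0;
        wcscpy(out, in);
        return 1;
    }
    if (in[0] == L'.' && is_sep(in[1])) in += 2;        /* drop a leading ".\" */
    if (wcslen(base_dir) + 1 + wcslen(in) + 1 > cap) return 0;
    wcscpy(out, base_dir);
    wcscat(out, L"\\");
    wcscat(out, in);
    return 1;
}

/* The check as it was: compare whatever name the loader reported. */
int is_dll_of_interest_raw(const wchar_t *loaded_name) {
    return paths_equal(loaded_name, FILE_OF_INTEREST);
}

/* The check the patch proposes: normalize to an absolute path first. */
int is_dll_of_interest(const wchar_t *loaded_name, const wchar_t *base_dir) {
    wchar_t absolutename[1024];   /* the patch uses 32768, Windows' long-path limit */
    if (!make_absolute(absolutename, 1024, loaded_name, base_dir)) return 0;
    return paths_equal(absolutename, FILE_OF_INTEREST);
}

int main(void) {
    const wchar_t *base = L"C:\\Users\\analyst\\Desktop";   /* constructed */
    const wchar_t *names[] = {        /* constructed loader notifications */
        L"sample.dll", L".\\SAMPLE.DLL",
        L"C:/Users/analyst/Desktop/sample.dll", L"other.dll" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-40ls raw=%d absolute=%d\n", names[i],
               is_dll_of_interest_raw(names[i]),
               is_dll_of_interest(names[i], base));
    return 0;
}
```

The raw comparison only matches when the loader happens to report the full path; once the name is normalized, a bare `sample.dll`, a `.\` prefix or a different case all resolve to the configured file.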
Hello,
I want to try a few things, but I am having problems compiling it. How do you compile it?
Thank you
Best regards
PS tried:
Hi
Found signature message below:
Crashed cuckoomon during analysis. Report this error to the Github repo.
Exception reported at offset 0x179de in cuckoomon itself while accessing 0x1e0 from hook RtlDispatchException
OS: Windows 7 SP1
Sample zipped with password 'infected'
These are sometimes useful as behavioral signatures for malware. Any chance these hooks could be added to cuckoomon?
Test sample:
MD5 021f31695fd226cedb5f944860a6dc5b
SHA1 17c8273082cbbf34a0a6d5deaff87bb82d2ce168
There seems to be an abnormal number of consecutive logged calls to NtDelayExecution for this sample.
I reversed this sample using OllyDbg and traced up to the address in the "behavioral analysis" tab.
The number of calls should only be 10, but cuckoomon seems to keep logging them indefinitely.
Sample SHA1: e54c43312f800c2d9d6d54223af97d6af5387622
284 InternetOpenW
ProxyBypass:
AccessType: 0x00000001
Agent:
Flags: 0x00000000
ProxyName:
->
284 __anomaly__
ThreadIdentifier: 284
Subcategory: cuckoocrash
Message: Exception reported at offset 0xd840 in cuckoomon itself
MD5: ffbb763b95ea8f9ea44e786c0ff43bf5
Creates a child process, then injects a PE image into its virtual address space:
The child process evades analysis by repeatedly calling Sleep(0):
Carving out the injected PE image and loading it into IDA Pro clearly shows the 1 million iteration loop with the Sleep calls:
This evasion tactic seems to work only because it is performed by a child process, which is treated differently by Cuckoomon than the main target process.
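Two of the reports above concern the same shape of trace: a process issuing the same delay call over and over (the NtDelayExecution flood that fills the log, and the child process spinning on Sleep(0) to wait out the analysis). The following is an added C example, not cuckoomon's code, of how an analyst-side tool can handle such a trace: fold identical consecutive calls into one entry with a repeat count, and flag a process whose longest run of zero-delay sleeps reaches a threshold. The record layout, the API names as strings, the threshold and the trace itself are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One monitored API call as a tool might receive it (constructed shape;
   not the monitor's own record format). */
typedef struct {
    int pid;
    const char *api;
    long arg;          /* the one argument that matters here: the delay */
} call_record;

/* A coalesced log line: identical consecutive calls folded into one entry. */
typedef struct {
    call_record call;
    unsigned repeats;
} log_entry;

static int same_call(const call_record *a, const call_record *b) {
    return a->pid == b->pid && a->arg == b->arg && strcmp(a->api, b->api) == 0;
}

/* Fold runs of identical consecutive calls into single entries with a repeat
   count, so a million-iteration loop costs one log line instead of a million. */
size_t coalesce_calls(const call_record *calls, size_t n, log_entry *out, size_t cap) {
    size_t m = 0;
    for (size_t i = 0; i < n; i++) {
        if (m > 0 && same_call(&out[m - 1].call, &calls[i])) {
            out[m - 1].repeats++;
        } else {
            if (m == cap) break;   /* output full; keep what we have */
            out[m].call = calls[i];
            out[m].repeats = 1;
            m++;
        }
    }
    return m;
}

/* Sleep(0) and a zero-interval NtDelayExecution both count as a zero delay. */
static int is_zero_delay(const call_record *c) {
    return c->arg == 0 &&
           (strcmp(c->api, "Sleep") == 0 || strcmp(c->api, "NtDelayExecution") == 0);
}

/* Longest run of back-to-back zero-delay sleeps issued by one pid.
   Calls from other processes are skipped rather than breaking the run. */
unsigned longest_zero_sleep_run(const call_record *calls, size_t n, int pid) {
    unsigned run = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        if (calls[i].pid != pid) continue;
        if (is_zero_delay(&calls[i])) { run++; if (run > best) best = run; }
        else run = 0;
    }
    return best;
}

/* Heuristic (threshold is an assumption): flag a process whose longest
   zero-delay sleep run reaches it. */
int is_sleep_loop_suspect(const call_record *calls, size_t n, int pid, unsigned threshold) {
    return longest_zero_sleep_run(calls, n, pid) >= threshold;
}

/* Constructed trace: a parent (pid 1000) starts a child (pid 1004) that
   spins on Sleep(0) before doing anything else. */
size_t build_sample_trace(call_record *buf, size_t cap) {
    size_t n = 0;
#define ADD(p, a, v) do { if (n < cap) buf[n++] = (call_record){ (p), (a), (v) }; } while (0)
    ADD(1000, "CreateProcessW", 0);
    ADD(1000, "WriteProcessMemory", 0);
    ADD(1000, "ResumeThread", 0);
    for (int i = 0; i < 12; i++) ADD(1004, "Sleep", 0);
    for (int i = 0; i < 3; i++) ADD(1000, "NtDelayExecution", 1000);
    ADD(1004, "CreateFileW", 0);
    for (int i = 0; i < 2; i++) ADD(1004, "Sleep", 0);
#undef ADD
    return n;
}

int main(void) {
    call_record trace[64];
    log_entry entries[64];
    size_t n = build_sample_trace(trace, 64);
    size_t m = coalesce_calls(trace, n, entries, 64);
    printf("%zu raw calls folded into %zu log entries\n", n, m);
    for (size_t i = 0; i < m; i++)
        printf("pid %d %s(%ld) x%u\n", entries[i].call.pid, entries[i].call.api,
               entries[i].call.arg, entries[i].repeats);
    printf("pid 1004 longest zero-delay run: %u -> %s\n",
           longest_zero_sleep_run(trace, n, 1004),
           is_sleep_loop_suspect(trace, n, 1004, 10) ? "suspect" : "ok");
    return 0;
}
```

Coalescing keeps the log bounded no matter how long the loop runs, while the run length is preserved as the repeat count, so the evasion pattern stays visible instead of being drowned in identical lines. The parent's three NtDelayExecution(1000) calls are folded too but never count as a zero-delay run.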
Hello,
Can someone detonate this file, say, four times, with and without --package doc?
I think I consistently see a crash once every three runs or so.
c1a824f5163c7cb5c05db22c497c8df73309354eab39fe4982509b1b44017427
Thanks
Hi!
Found an indirect crash maybe because of:
HOOK_NOTAIL(user32, CreateWindowExA, 12),
HOOK_NOTAIL(user32, CreateWindowExW, 12),
The crash could be reproduced by opening the save dialog in Notepad (Windows 7 x64 Enterprise SP1).
Exception Message:
Unhandled exception at 0x000000000018F2F0 in notepad.exe: 0xC000041D: An unhandled exception was encountered during a user callback.
Notepad callstack
000000000018f2f0() <- not in executable region
user32.dll!UserCallWinProcCheckWow()
user32.dll!DispatchClientMessage()
user32.dll!__fnDWORD()
ntdll.dll!KiUserCallbackDispatcherContinue()
user32.dll!ZwUserDestroyWindow()
shell32.dll!CChangeRouterProxy::Release(void)
shell32.dll!SHChangeNotifyRegisterThread()
comdlg32.dll!CFileOpenSave::Show(struct HWND__ *)
notepad.exe!ShowOpenSaveDialog()
notepad.exe!InvokeSaveDialog()
notepad.exe!NPCommand()
notepad.exe!NPWndProc()
user32.dll!UserCallWinProcCheckWow()
user32.dll!DispatchClientMessage()
user32.dll!__fnDWORD()
ntdll.dll!KiUserCallbackDispatcherContinue()
user32.dll!NtUserTranslateAccelerator()
user32.dll!TranslateAcceleratorW()
notepad.exe!WinMain()
UserCallWinProcCheckWow:
0000000077049AF4 mov rax,rsp
0000000077049AF7 mov qword ptr [rax+8],rsi
0000000077049AFB mov qword ptr [rax+18h],rdi
0000000077049AFF mov qword ptr [rax+20h],r12
0000000077049B03 mov qword ptr [rax+10h],rdx
0000000077049B07 push r13
0000000077049B09 push r14
0000000077049B0B push r15
0000000077049B0D sub rsp,0A0h
0000000077049B14 mov r13d,r9d
0000000077049B17 mov r15,r8
0000000077049B1A mov r14,rcx
0000000077049B1D and qword ptr [rax-80h],0
0000000077049B22 mov rax,qword ptr gs:[30h]
0000000077049B2B mov rdx,qword ptr [rax+860h]
0000000077049B32 test rdx,rdx
0000000077049B35 je UserCallWinProcCheckWow+4Ch (077049B40h)
0000000077049B37 test byte ptr [rdx],4
0000000077049B3A jne UserCallWinProcCheckWow+0FFFFB9E5h (0770454D9h)
0000000077049B40 xor r12d,r12d
0000000077049B43 mov dword ptr [rsp+40h],r12d
0000000077049B48 lea edi,[r12+1]
0000000077049B4D mov qword ptr [rsp+50h],48h
0000000077049B56 mov dword ptr [rsp+58h],edi
0000000077049B5A xor edx,edx
0000000077049B5C lea r8d,[rdx+38h]
0000000077049B60 lea rcx,[rsp+60h]
0000000077049B65 call memset (0770497ECh)
0000000077049B6A xor esi,esi
0000000077049B6C mov dword ptr [rsp+30h],esi
0000000077049B70 test r12d,r12d
0000000077049B73 jne UserCallWinProcCheckWow+0B7h (077049BABh)
0000000077049B75 mov rdx,r14
0000000077049B78 lea rcx,[rsp+50h]
0000000077049B7D call qword ptr [__imp_RtlActivateActivationContextUnsafeFast (0770B2078h)]
0000000077049B83 lock add dword ptr [gcCallUserApiHook (0770C2100h)],edi
0000000077049B8A cmp qword ptr [ghmodUserApiHook (0770C21F8h)],rsi
0000000077049B91 je UserCallWinProcCheckWow+0FFFEC3E6h (077035EDAh)
0000000077049B97 cmp dword ptr [gfUserApiHook (0770C2130h)],esi
0000000077049B9D je UserCallWinProcCheckWow+0FFFEC3E6h (077035EDAh)
0000000077049BA3 mov esi,edi
0000000077049BA5 mov dword ptr [rsp+30h],edi
0000000077049BA9 jmp UserCallWinProcCheckWow+0B7h (077049BABh)
0000000077049BAB test esi,esi
0000000077049BAD je UserCallWinProcCheckWow+100h (077049BF4h)
0000000077049BAF cmp dword ptr [rsp+0F8h],0
0000000077049BB7 je UserCallWinProcCheckWow+100h (077049BF4h)
0000000077049BB9 mov edx,r13d
0000000077049BBC shr edx,3
0000000077049BBF mov r8,qword ptr [guah+60h (0770C23E0h)]
0000000077049BC6 test r8,r8
0000000077049BC9 je UserCallWinProcCheckWow+0FFFFEED1h (0770489C5h)
0000000077049BCF cmp edx,dword ptr [guah+68h (0770C23E8h)]
0000000077049BD5 jae UserCallWinProcCheckWow+0FFFFEED1h (0770489C5h)
0000000077049BDB mov ecx,r13d
0000000077049BDE and ecx,7
0000000077049BE1 shl edi,cl
0000000077049BE3 movzx ecx,byte ptr [rdx+r8]
0000000077049BE8 and edi,ecx
0000000077049BEA jmp UserCallWinProcCheckWow+0F8h (077049BECh)
0000000077049BEC test edi,edi
0000000077049BEE jne UserCallWinProcCheckWow+0FFFFEE4Ah (07704893Eh)
0000000077049BF4 mov r9,qword ptr [rsp+0E8h]
0000000077049BFC mov r8,qword ptr [rsp+0E0h]
0000000077049C04 mov edx,r13d
0000000077049C07 mov rcx,r15
0000000077049C0A call qword ptr [rsp+0C8h] <--------------- CALLED from here
0000000077049C11 mov qword ptr [rsp+38h],rax
0000000077049C16 test r12d,r12d
0000000077049C19 jne UserCallWinProcCheckWow+13Bh (077049C2Fh)
0000000077049C1B test esi,esi
0000000077049C1D je UserCallWinProcCheckWow+130h (077049C24h)
...
RegCopyTree
RegCreateKeyTransacted
RegDeleteKeyTransacted
RegDeleteTree
RegGetValue
They are not supported on Windows XP, so perhaps that is why they were missed.