Closed gugronnier closed 5 years ago
Hello @gugronnier, I will take a look, thank you for the bug report.
I believe this is a cuckoo issue. Exactly how it handles antidebugging tricks executed by al-khaser. Likely one of them crashed the monitoring code injected inside the application. Here is the log from al-khaser with disabled antidebugging checks - https://cuckoo.cert.ee/analysis/911348/summary/. In other words - this crash is a sort of analysis detection, so it works somewhat as expected.
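To see what the quoted behavioral record actually says before opening an issue like this one, here is a small triage helper (an added example, not Cuckoo's or al-khaser's code) that parses the symbolized stack string and NTSTATUS code from a Cuckoo 2.x `exception` entry. The record dict is constructed from the values quoted below in the issue; the field names mirror those, and the NTSTATUS table is a hand-picked subset.

```python
import re

# Subset of NTSTATUS codes (values from the Windows SDK ntstatus.h).
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC000008E: "STATUS_FLOAT_DIVIDE_BY_ZERO",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0x80000003: "STATUS_BREAKPOINT",
    0x80000004: "STATUS_SINGLE_STEP",
}

# One frame in Cuckoo's stack string ends with "<module>+0x<off> @ 0x<addr>";
# the nearest-export symbols that precede it are skipped.
FRAME_RE = re.compile(r"([^\s+]+)\+0x([0-9a-f]+) @ 0x([0-9a-f]+)")

# Constructed from the exception record quoted in this issue.
RECORD = {
    "stacktrace": "RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d"
                  " @ 0x7fefdd7a49d al-khaser_x64+0x1b65 @ 0x13fc31b65"
                  " al-khaser_x64+0xe1e8 @ 0x13fc3e1e8 BaseThreadInitThunk+0xd"
                  " CreateThread-0x53 kernel32+0x1652d @ 0x77a8652d"
                  " RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77cbc521",
    "symbol": "RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d",
    "module": "KERNELBASE.dll",
    "exception_code": "0xc000008e",
}


def parse_frames(stacktrace):
    """Return [(module, offset, address)] for each frame, innermost first."""
    return [(m.group(1), int(m.group(2), 16), int(m.group(3), 16))
            for m in FRAME_RE.finditer(stacktrace)]


def triage(record, sample_module):
    """Decode the NTSTATUS and tell whether the sample's own code is on the stack."""
    frames = parse_frames(record["stacktrace"])
    code = int(record["exception_code"], 16)
    own = [f for f in frames if f[0].lower() == sample_module.lower()]
    return {
        "status": NTSTATUS.get(code, "UNKNOWN_0x%08X" % code),
        "faulting_module": record["module"],
        # Top frame is RaiseException: a software-raised exception, not a CPU fault.
        "explicit_raise": record["symbol"].startswith("RaiseException"),
        # Sample module directly below RaiseException: the sample raised it itself.
        "raised_from_sample": bool(own),
        "first_sample_frame": "%s+0x%x" % (own[0][0], own[0][1]) if own else None,
        "frames": len(frames),
    }
```

For the record quoted here it reports STATUS_FLOAT_DIVIDE_BY_ZERO raised explicitly from al-khaser_x64+0x1b65, so the exception is the sample's own check rather than a fault inside a system DLL.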
OK, so it is not really a bug.
So, if I really want to make cuckoo undetectable, I must modify it so that al-khaser works with antidebugging checks. And if I want to test my cuckoo without modifying it, I need to disable antidebugging checks.
I understand now why I had these results.
Thank you for your answer, I close this issue.
The program doesn't drop a file containing all results as it should.
When I searched in the cuckoo behavioral analysis for what is going wrong, I found that the exception below was raised before the process died.
stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdd7a49d al-khaser_x64+0x1b65 @ 0x13fc31b65 al-khaser_x64+0xe1e8 @ 0x13fc3e1e8 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a8652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77cbc521
exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 42141
exception.address: 0x7fefdd7a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 2856608
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2883184
registers.r11: 514
registers.r8: 0
registers.r9: 0
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2012718689
registers.r13: 0
VM OS: Windows 7 - 64 bits
VM RAM: 6144 MB
Cuckoo version: 2.0.6
I tried running the binary (al-khaser_x64.exe) on 2 different sandboxes, first locally, second on the Internet.
Here you can find the report of the second try: https://cuckoo.cert.ee/analysis/870150/summary/