LordNoteworthy / al-khaser

Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
GNU General Public License v2.0

Program raise exception in Cuckoo #155

Closed gugronnier closed 5 years ago

gugronnier commented 5 years ago

The program doesn't drop a file containing all the results as it should.

When I searched the Cuckoo behavioral analysis for what was going wrong, I found that the exception below was raised before the process died.

    stacktrace:
        RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdd7a49d
        al-khaser_x64+0x1b65 @ 0x13fc31b65
        al-khaser_x64+0xe1e8 @ 0x13fc3e1e8
        BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a8652d
        RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77cbc521
    exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
    exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
    exception.instruction: add rsp, 0xc8
    exception.module: KERNELBASE.dll
    exception.exception_code: 0xc000008e
    exception.offset: 42141
    exception.address: 0x7fefdd7a49d
    registers.r14: 0
    registers.r15: 0
    registers.rcx: 2856608
    registers.rsi: 0
    registers.r10: 0
    registers.rbx: 0
    registers.rsp: 2883184
    registers.r11: 514
    registers.r8: 0
    registers.r9: 0
    registers.rdx: 0
    registers.r12: 0
    registers.rbp: 0
    registers.rdi: 0
    registers.rax: 2012718689
    registers.r13: 0

VM OS: Windows 7 64-bit
VM RAM: 6144 MB

Cuckoo version: 2.0.6

I tried running the binary (al-khaser_x64.exe) on 2 different sandboxes, first locally, second on the Internet.

Here you can find the report of the second try: https://cuckoo.cert.ee/analysis/870150/summary/
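The exception record above is dumped by Cuckoo as one flattened `key: value` line, which makes it tedious to read by eye. The following is an added example (not part of this issue and not code from the al-khaser project or Cuckoo) that parses that record back into fields, splits the stack trace into frames, and checks whether the sample's own module (assumed here to be `al-khaser_x64`) appears on the stack, which is the first thing a triager wants to know before deciding whether the sample or the injected monitor faulted. The `RECORD` string is the report text quoted in the post; the NTSTATUS names are standard Windows values; the `sample_on_stack` heuristic and all function names are this example's own.

```python
import re
from dataclasses import dataclass

# Exception record copied verbatim from the Cuckoo report quoted in the issue above.
RECORD = (
    "stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdd7a49d "
    "al-khaser_x64+0x1b65 @ 0x13fc31b65 al-khaser_x64+0xe1e8 @ 0x13fc3e1e8 "
    "BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a8652d "
    "RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77cbc521 "
    "exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 "
    "exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d "
    "exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll "
    "exception.exception_code: 0xc000008e exception.offset: 42141 exception.address: 0x7fefdd7a49d "
    "registers.r14: 0 registers.r15: 0 registers.rcx: 2856608 registers.rsi: 0 registers.r10: 0 "
    "registers.rbx: 0 registers.rsp: 2883184 registers.r11: 514 registers.r8: 0 registers.r9: 0 "
    "registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2012718689 "
    "registers.r13: 0"
)

# Standard Windows NTSTATUS values commonly seen in such records (small subset).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000008E: "STATUS_FLOAT_DIVIDE_BY_ZERO",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0x80000003: "STATUS_BREAKPOINT",
    0x80000004: "STATUS_SINGLE_STEP",
}

# A key is 'stacktrace', 'exception.<name>' or 'registers.<name>' at a word boundary, followed by ': '.
KEY_RE = re.compile(r"(?<!\S)(stacktrace|exception\.[a-z_]+|registers\.[a-z0-9]+): ")
# A frame is one or more symbol tokens (never containing '@') followed by '@ <address>'.
FRAME_RE = re.compile(r"((?:[^@\s]+ )+)@ (0x[0-9a-fA-F]+)")


@dataclass
class Frame:
    symbols: list   # e.g. ["RaiseException+0x3d", "FreeEnvironmentStringsW-0x373", "kernelbase+0xa49d"]
    address: int

    @property
    def module(self) -> str:
        # Cuckoo prints the module+offset form as the last symbol of each frame.
        return self.symbols[-1].split("+", 1)[0]


def parse_record(text: str) -> dict:
    """Split the flattened 'key: value key: value ...' dump into a dict of raw string values."""
    matches = list(KEY_RE.finditer(text))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields


def parse_stacktrace(stack: str) -> list:
    """Turn the stacktrace value into Frame objects, innermost frame first."""
    return [Frame(syms.split(), int(addr, 16)) for syms, addr in FRAME_RE.findall(stack)]


def triage(text: str, sample_module: str) -> dict:
    """Summarise the record: which exception, where it was raised, which modules are on the
    stack, and whether the sample's own code is among them (hypothetical triage heuristic)."""
    fields = parse_record(text)
    frames = parse_stacktrace(fields.get("stacktrace", ""))
    code = int(fields["exception.exception_code"], 16)
    modules = [f.module for f in frames]
    return {
        "code": code,
        "code_name": NTSTATUS_NAMES.get(code, "unknown"),
        "module": fields.get("exception.module"),
        "address": int(fields["exception.address"], 16),
        "modules": modules,
        "sample_on_stack": sample_module.lower() in (m.lower() for m in modules),
        "registers": {k.split(".", 1)[1]: int(v) for k, v in fields.items() if k.startswith("registers.")},
    }


if __name__ == "__main__":
    summary = triage(RECORD, "al-khaser_x64")
    print(f"{summary['code_name']} ({summary['code']:#x}) raised in {summary['module']} "
          f"at {summary['address']:#x}; sample on stack: {summary['sample_on_stack']}")
    print("call chain:", " -> ".join(reversed(summary["modules"])))
```

For this record the call chain runs from ntdll and kernel32 thread start through two al-khaser_x64 frames into kernelbase's RaiseException, so the exception was raised by the sample's own code path rather than by a crash inside an unrelated module; comparing this summary against a run with the anti-debugging checks disabled (as done later in the thread) is the quickest way to confirm that the checks themselves are what stop the analysis.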

LordNoteworthy commented 5 years ago

Hello @gugronnier, I will take a look, thank you for the bug report.

hfiref0x commented 5 years ago

I believe this is a Cuckoo issue, specifically how it handles the anti-debugging tricks executed by al-khaser. Likely one of them crashed the monitoring code injected inside the application. Here is the log from al-khaser with the anti-debugging checks disabled: https://cuckoo.cert.ee/analysis/911348/summary/. In other words, this crash is a sort of analysis detection, so it works somewhat as expected.

gugronnier commented 5 years ago

OK, so it is not really a bug.

So, if I really want to make Cuckoo undetectable, I must modify it so that al-khaser works with the anti-debugging checks enabled. And if I want to test my Cuckoo without modifying it, I need to disable the anti-debugging checks.

I understand now why I had these results.

Thank you for your answer, I am closing this issue.