brad-sp / cuckoomon-modified

Modified edition of cuckoomon
GNU General Public License v3.0

APIs of remote threads aren't logged properly after latest commit. #17

Closed (MerX1030 closed this 8 years ago)

MerX1030 commented 9 years ago

I ran the same sample using the latest cuckoomon uploaded in cuckoo-modified and got very different results compared with using the cuckoomon from commit cb53f9620754713c1e8031de18cc6d743ed17f80.

Here's the sample's hash for your reference.

MD5: 4a58c571d112513dc81b52e5c0962c37
SHA1: 25da31c947cb61bd5fa9a0b9c8541bfbd70ed74a

MerX1030 commented 9 years ago

Probably a problem in the process injection function as it was heavily revamped.

brad-sp commented 9 years ago

Can you explain the difference in results? I have no problems with the hash you posted. It's possible for some logs to be lost near the end of analysis if a process crashes, but that has to do with the reverting of the log flushing code. I need to determine the cause of IE hanging with that code in place before I can add it back.

MerX1030 commented 9 years ago

I'm using a Windows XP virtual machine. Here are the results:

Previous DLL: Process tree looks like this: sample.exe sample.exe explorer.exe 1.tmp 1.tmp 2.tmp 3.tmp 3.tmp

New DLL: Process tree looks like this: sample.exe sample.exe explorer.exe

It seems that for the new DLL, the API logging stopped at VirtualProtectEx in explorer.exe, right before it should perform WriteProcessMemory.

Previous DLL: olddll

New DLL: newdll
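The comparison MerX1030 did by hand above (two process trees, and an API trace that ends at VirtualProtectEx in the new run) is the kind of regression check worth automating when a sandbox monitor is changed. The script below is an added example and is not part of cuckoomon-modified or cuckoo-modified; the report layout (a `processes` list with `process_name`, `process_id`, `parent_id` and a `calls` list of `{"api": ...}` entries) is a simplified stand-in for a Cuckoo behavior section, and both reports, PIDs and call lists are constructed to mirror the symptom described in this issue rather than taken from the sample's real analysis.

```python
"""Diff two Cuckoo-style behavior reports to find where API logging was lost.

Added example, not project code. OLD_REPORT / NEW_REPORT are constructed
stand-ins for the "previous DLL" and "new DLL" runs described in the issue.
"""

# Constructed report from the previous cuckoomon build: the injected
# explorer.exe keeps logging and the dropped *.tmp children show up.
OLD_REPORT = {"processes": [
    {"process_name": "sample.exe", "process_id": 1000, "parent_id": 500,
     "calls": [{"api": "NtCreateFile"}, {"api": "CreateProcessInternalW"}]},
    {"process_name": "sample.exe", "process_id": 1004, "parent_id": 1000,
     "calls": [{"api": "NtOpenProcess"}, {"api": "NtWriteVirtualMemory"}]},
    {"process_name": "explorer.exe", "process_id": 1272, "parent_id": 1004,
     "calls": [{"api": "LdrLoadDll"}, {"api": "VirtualProtectEx"},
               {"api": "WriteProcessMemory"}, {"api": "CreateProcessInternalW"}]},
    {"process_name": "1.tmp", "process_id": 1300, "parent_id": 1272, "calls": []},
    {"process_name": "1.tmp", "process_id": 1304, "parent_id": 1300, "calls": []},
    {"process_name": "2.tmp", "process_id": 1320, "parent_id": 1272, "calls": []},
    {"process_name": "3.tmp", "process_id": 1340, "parent_id": 1272, "calls": []},
    {"process_name": "3.tmp", "process_id": 1344, "parent_id": 1340, "calls": []},
]}

# Constructed report from the new build: same first two processes, but the
# explorer.exe trace stops at VirtualProtectEx and no children are recorded.
NEW_REPORT = {"processes": [
    {"process_name": "sample.exe", "process_id": 1000, "parent_id": 500,
     "calls": [{"api": "NtCreateFile"}, {"api": "CreateProcessInternalW"}]},
    {"process_name": "sample.exe", "process_id": 1004, "parent_id": 1000,
     "calls": [{"api": "NtOpenProcess"}, {"api": "NtWriteVirtualMemory"}]},
    {"process_name": "explorer.exe", "process_id": 1272, "parent_id": 1004,
     "calls": [{"api": "LdrLoadDll"}, {"api": "VirtualProtectEx"}]},
]}


def process_tree(report):
    """Return {pid: (name, ppid)} for every process in a report."""
    return {p["process_id"]: (p["process_name"], p["parent_id"])
            for p in report["processes"]}


def missing_processes(old, new):
    """Processes recorded in the old report but absent from the new one."""
    old_t, new_t = process_tree(old), process_tree(new)
    return sorted((pid, old_t[pid][0]) for pid in old_t if pid not in new_t)


def truncated_logs(old, new):
    """Find processes whose new API trace is a strict prefix of the old one.

    Returns {pid: (name, last_api_logged, first_api_missing)} so the reader
    sees exactly where the hook log went silent.
    """
    old_calls = {p["process_id"]: [c["api"] for c in p["calls"]]
                 for p in old["processes"]}
    found = {}
    for p in new["processes"]:
        pid = p["process_id"]
        if pid not in old_calls:
            continue
        new_apis = [c["api"] for c in p["calls"]]
        old_apis = old_calls[pid]
        if len(new_apis) < len(old_apis) and old_apis[:len(new_apis)] == new_apis:
            last = new_apis[-1] if new_apis else None
            found[pid] = (p["process_name"], last, old_apis[len(new_apis)])
    return found


def render_tree(report):
    """Indented text tree (child under parent), the view the issue flattened."""
    tree = process_tree(report)
    children = {}
    for pid, (_, ppid) in tree.items():
        children.setdefault(ppid, []).append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{tree[pid][0]} ({pid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    # Roots are processes whose parent was not itself monitored.
    for root in sorted(pid for pid, (_, ppid) in tree.items() if ppid not in tree):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print("old build:\n" + render_tree(OLD_REPORT))
    print("new build:\n" + render_tree(NEW_REPORT))
    print("missing:", missing_processes(OLD_REPORT, NEW_REPORT))
    print("truncated:", truncated_logs(OLD_REPORT, NEW_REPORT))
```

Run against real Cuckoo `report.json` files, the two helpers would be fed `report["behavior"]["processes"]` after mapping Cuckoo's field names onto the simplified keys used here; the prefix test in `truncated_logs` is what turns "logging stopped somewhere in explorer.exe" into a named API pair, which is the detail a maintainer needs to locate a hook that stopped being applied to the remote thread.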