Merge a bunch of sigs at once (Thanks Kevin Ross!)

[RicoVZ]

Thanks for all the signatures Kevin Ross!

This merge contains:

• Fix description mistake on modifies_seccenter sig: https://github.com/cuckoosandbox/community/pull/357
• Change deletes self sig name to deletes executed: https://github.com/cuckoosandbox/community/pull/333
• Create signature for info on console output messages: https://github.com/cuckoosandbox/community/pull/358
• Add in commands & tidyup windows_utilities signature structure & sigs: https://github.com/cuckoosandbox/community/pull/349
• Update RWX to cover all allocations & add sig for remote alloc: https://github.com/cuckoosandbox/community/pull/339
• Delete duplicate signature c2details: https://github.com/cuckoosandbox/community/pull/335
• Add in clickfraud cookies signature: https://github.com/cuckoosandbox/community/pull/353
• Add in signature for IRMA scan results: https://github.com/cuckoosandbox/community/pull/341
• Create sig for writing EXE (and generic code sig) to memory of another process (needs improved to to highlight writes to non-child procs): https://github.com/cuckoosandbox/community/pull/338
• Add in signature for OCR analysis for ransomware message https://github.com/cuckoosandbox/community/pull/334
• Create signature for explorer Shell_TrayWnd injection code technique (Notes on this one so check them): https://github.com/cuckoosandbox/community/pull/329
• Add netsh method into bypass firewall sig: https://github.com/cuckoosandbox/community/pull/325
• Create signature for suspicious privilege checks: https://github.com/cuckoosandbox/community/pull/319
• Create registry fileless persistence signature (this also fixes JavaScript persistence spelling mistake): https://github.com/cuckoosandbox/community/pull/355
• Add sig for JavaScript appearing in command line process: https://github.com/cuckoosandbox/community/pull/359

Signatures I still had in master are also included in this PR. In this PR: https://github.com/cuckoosandbox/community/pull/282

All signatures have been tested.

Some of Kevross's PRs include comments/requests about adding new hooks for some calls of the win api.

PR https://github.com/cuckoosandbox/community/pull/329 contains:

GetWindowLong & more importantly SetWindowLong is not hooked. SetWindowLong is a key part of this technique so if the hook could be added it would be great to detect each stage https://msdn.microsoft.com/en-us/library/windows/desktop/ms633591%28v=vs.85%29.aspx. However with the unique values in sig and the method of identifying explorer pid, checking Shell_TrayWnd called which is key stage too and pretty unique and then checking SendNotifyMessageA goes to explorer to the Shell_TrayWnd window it should never false positive and hopefully false negative.

I have raised this as an issue but you will see in test once explorer.exe has been injected while you can still see traffic (malware traffic sig fires for me and you can get IDS alerts for explorer.exe traffic) cuckoo 2.0 fails to follow the injection. Cuckoo-modified follows it sucessfully if you want to see more of the behaviour.

PR https://github.com/cuckoosandbox/community/pull/319 contains:

The next step is to call AdjustTokenPrivileges to try and give itself the suspicious permissions but this does not seem to be hooked so if someone has the time it would be great if it could be hooked and I will sig it :-) https://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx

[kevross33]

Thanks for doing this. One thing I noticed as a typo on my side is too few Fs in the memory address on the injection sigs (write memory) where 0xfffffff should be 0xffffffff. I think though maybe the the following to more precisely cover 32 bit and 64 bit addresses as not sure startswith would be good enough now I think about if as you could have memory addresses like 0xffffffff00000001 which would be missed so maybe:

and not call["arguments"]["process_handle"] == "0xffffffff" and not call["arguments"]["process_handle"] == "0xffffffffffffffff":

[RicoVZ]

Thanks for the comment/update! I didn't notice that. :) I've made a new commit in which I changed the address verification according to your comment.

[kevross33]

Hi,

Another thing on the WriteMemory injeciton sigs NtWow64WriteVirtualMemory64 might need added to APIs like below. This is not hooked by cuckoo currently but could be in the future to provide this missing coverage so might be worth adding it so sig does not need changed later although currently it will never match.

filter_apinames = [
    "NtWow64WriteVirtualMemory64",
    "NtWriteVirtualmemory",
    "WriteProcessMemory",
]

[kevross33]

Hi.

I also have a quick question around the changes you made to the non-child process stuff for memory injection. I have been using it to create other injection sigs and they do work it seems for instance you can see Dridex output now below. I have a few questions:

• How accurate should this be in assuring the process being manipulated is truly not a child process as I have seen some cases where it is manipulating a process it created. Now this is fundamentally weird in itself so fine but still want to be sure as I am messing with non-child processes are key to some of my injection detection ideas.

• Is something like process["pid"] != injected_pid needed too in the sigs because in one case of this code being used I saw it be for instance "process 382 injected into process 382" kind of thing but maybe I am using this wrong.

Generally it seems OK though and is letting me begin creating and tightening some injection sigs. I am taking the concept of describing anomalies at injection stages rather than complete beginning to end of every injection technique as it is false negative prone. For instance the ones i have done (many submitted) are:

• Writing to memory of another process
• Modifying a non-child process' memory. for instance VirtualProtect to another non-child process.
• Anomalies like opening access to a non-child process, duplicating access token to another process etc.
• Experimental sigs (not submitted) for createremotethread to non-child process and NtQueueApcThread if API accessing PID not equal to the current process PID. The actual process handle check the current remotethread sig uses would never match NtQueueApcThread as process_handle is not an argument that is part of this and also the CreateRemoteThread sig just seems to fundamentally not work in majority of cases in its current form.

The reason though for highlighting each anomaly is more if it is a new technique, something is missed or the method differs from the current signature anomalies can be reliably highlighted showing code injection. I am finding while not 100% here the sigs are highlighting combinations of code injection methods without necessarily describing the whole code injection beginning to end but it is picking this stuff up.

injection_thread.txt

Dridex:

Dridex Alternative NtQueueApcThread injection (dbf96ab40b728c12951d317642fbd9da)

Vawtrak

[jbremer]

Merged, thanks! Checking hashes later.