Open nadamnr opened 8 years ago
The reason for this __anomaly__ popping up is that the monitor is throwing too many exceptions. Could you please share the entire analysis and/or some more information on what you're analyzing?
Any update here, @nadamnr?
So just to confirm: the category "category": "__notification__" has four APIs, which are "api": "__anomaly__", "api": "__exception__", __missing__ and __process__. An example of some of them is in the report. These are not really Windows APIs which the sample called like the others, right? As they are not documented! I was confused by this page, and I think if I monitor the API calls with another tool I will not find these APIs mentioned above.
__anomaly__, __exception__, __missing__ and __process__ are really not APIs in any system module of the Windows OS. But they are in the monitor API list just because these events should be notified in some way, "like an API". The macro MONITOR_FIRSTHOOKIDX defines where the REAL API hook index starts.
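A practical consequence of the above: when you post-process a Cuckoo report, the "__notification__" entries should be separated from the real hooked API calls, and an __anomaly__ saying the monitor quit after too many exceptions means the remaining API trace is incomplete (the situation described later in this thread). The following is an added example, not code from the Cuckoo project. It assumes a report layout like Cuckoo's report.json (behavior.processes[].calls[] entries with "api", "category" and "arguments"); the "subcategory" and "message" argument names are taken from the message quoted in this thread and are an assumption about the schema, and the sample report is constructed inline.

```python
"""Split Cuckoo-style behaviour calls into real API hooks and monitor notifications.

Added example, not Cuckoo's own code. Assumed layout: behavior.processes[].calls[]
with "api", "category" and "arguments" keys. The "subcategory"/"message" names
inside the __anomaly__ arguments are an assumption based on the message quoted
in this thread, not a verified schema.
"""
import json
import re
from collections import Counter

# Pseudo-APIs the monitor emits as events, as named in this thread.
NOTIFICATION_APIS = {"__anomaly__", "__exception__", "__missing__", "__process__"}
NOTIFICATION_CATEGORY = "__notification__"

# Constructed sample report: one process with two real hooks and four
# notification events, including the "quitting" anomaly quoted in the thread.
SAMPLE_REPORT = json.dumps({
    "behavior": {
        "processes": [
            {
                "pid": 1234,
                "process_name": "sample.exe",
                "calls": [
                    {"api": "__process__", "category": NOTIFICATION_CATEGORY, "arguments": {}},
                    {"api": "NtCreateFile", "category": "file",
                     "arguments": {"filepath": "C:\\Users\\victim\\doc.txt"}},
                    {"api": "__exception__", "category": NOTIFICATION_CATEGORY, "arguments": {}},
                    {"api": "__missing__", "category": NOTIFICATION_CATEGORY, "arguments": {}},
                    {"api": "CryptEncrypt", "category": "crypto", "arguments": {}},
                    {"api": "__anomaly__", "category": NOTIFICATION_CATEGORY,
                     "arguments": {"subcategory": "exception",
                                   "message": "Encountered 1025 exceptions, quitting."}},
                ],
            }
        ]
    }
})


def is_notification(call):
    """True for monitor events that are not hooks on real Windows APIs."""
    return (call.get("category") == NOTIFICATION_CATEGORY
            or call.get("api") in NOTIFICATION_APIS)


def split_calls(report_json):
    """Return (real_api_calls, notification_events) across all processes."""
    report = json.loads(report_json)
    real, notes = [], []
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            (notes if is_notification(call) else real).append(call)
    return real, notes


def monitor_gave_up(notifications):
    """Return the exception count if an __anomaly__ says the monitor quit, else None.

    The message pattern is the one quoted in this thread (assumed wording).
    """
    for call in notifications:
        if call.get("api") != "__anomaly__":
            continue
        args = call.get("arguments", {})
        m = re.search(r"Encountered (\d+) exceptions, quitting", args.get("message", ""))
        if m and args.get("subcategory") == "exception":
            return int(m.group(1))
    return None


def summarize(report_json):
    """Count real hooks and notifications separately and flag a truncated trace."""
    real, notes = split_calls(report_json)
    return {
        "real_api_calls": Counter(c["api"] for c in real),
        "notifications": Counter(c["api"] for c in notes),
        "exceptions_before_quit": monitor_gave_up(notes),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("real API calls:", dict(summary["real_api_calls"]))
    print("notifications:", dict(summary["notifications"]))
    if summary["exceptions_before_quit"] is not None:
        print("monitor quit after %d exceptions; API trace is incomplete"
              % summary["exceptions_before_quit"])
```

Filtering on both the category and the api name is deliberate: either alone identifies the pseudo-APIs, but checking both keeps the split correct if one of the fields is absent in a given report version.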
md5: b1da99b281905036a6baf330c1f19a33
PS: with the latest monitor from GitHub, I don't see this issue.
The latest monitor seems prone to exceptions/evasion. For example, I came across this recent ransomware, but the analysis was not accurate (message: Encountered 1025 exceptions, quitting. subcategory: exception ...). Using @jbremer's test monitor https://cuckoo.sh/8fd5b7ccebf2969d/san2san.tgz the analysis went smoothly!! MD5 of the sample: 15f3c821f74ee1d594da5d38191bdf7e
Good to hear @Nwinternights, we'll be pushing out the latest version in the upcoming release (most likely).
This is not an issue, I just want to ask about this API as I couldn't find it on the Windows API website, and I saw it in some samples. Below is an example:
Is Anomaly a real API, or is it just something named by the Cuckoo developers? If it has a page on the Windows website, can someone please refer me to it?