cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Signature Events - Same URLs Displayed #1233

Open FuzzyWaffler opened 7 years ago

FuzzyWaffler commented 7 years ago

The same signature events are being displayed any time a report is run.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cuckoo Logs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2017-01-05 10:58:51,598 [lib.cuckoo.core.scheduler] INFO: Task #16: acquired machine cuckoo1 (label=Win7)
2017-01-05 10:58:51,653 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 6029 (interface=vboxnet0, host=192.168.56.101, pcap=/home/soc/cuckoo/storage/analyses/16/dump.pcap)
2017-01-05 10:58:59,772 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.101)
2017-01-05 11:01:12,309 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2017-01-05 11:01:13,291 [lib.cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully
2017-01-05 11:02:18,082 [modules.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label Win7 to path /home/soc/cuckoo/storage/analyses/16/memory.dmp
2017-01-05 11:02:25,679 [modules.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2017-01-05 11:02:25,817 [modules.processing.memory] ERROR: Generic error executing volatility
Traceback (most recent call last):
  File "/home/soc/cuckoo/modules/processing/memory.py", line 1028, in run
    results = VolatilityManager(self.memory_path).run()
  File "/home/soc/cuckoo/modules/processing/memory.py", line 948, in run
    vol = VolatilityAPI(self.memfile, self.osprofile)
  File "/home/soc/cuckoo/modules/processing/memory.py", line 59, in __init__
    self.init_config()
  File "/home/soc/cuckoo/modules/processing/memory.py", line 115, in init_config
    if self.get_dtb():
  File "/home/soc/cuckoo/modules/processing/memory.py", line 65, in get_dtb
    for ep in ps.calculate():
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6-py2.7.egg/volatility/plugins/filescan.py", line 354, in calculate
    addr_space = utils.load_as(self._config, astype = 'physical')
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6-py2.7.egg/volatility/utils.py", line 65, in load_as
    raise error
AddrSpaceError: No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 Win10AMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 FileAddressSpace: Invalid profile freddy selected
 ArmAddressSpace: No base Address Space

2017-01-05 11:02:26,357 [lib.cuckoo.core.plugins] WARNING: The processing module "Snort" returned the following error: Snort returned an error processing this pcap: Command '['/usr/local/bin/snort', '-c', '/etc/snort/snort.conf', '-A', 'console', '-r', '/home/soc/cuckoo/storage/analyses/16/dump.pcap', '-q', '-y']' returned non-zero exit status 1
2017-01-05 11:02:28,632 [elasticsearch] WARNING: POST /cuckoo-2017-01-05/cuckoo?op_type=create [status:400 request:0.025s]
2017-01-05 11:02:28,632 [lib.cuckoo.core.plugins] WARNING: The reporting module "ElasticSearch" returned the following error: Failed to save results in ElasticSearch for task #16: TransportError(400, u'action_request_validation_exception', u'Validation Failed: 1: an id must be provided if version type or value are set;')

~~~~~~~~~~~~~~~~~~ Analysis Log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2017-01-05 10:58:50,000 [analyzer] DEBUG: Starting analyzer from: C:\dljrhdq
2017-01-05 10:58:50,062 [analyzer] DEBUG: Pipe server name: \\.\PIPE\zGwUeJdSPkLnxxCaJ
2017-01-05 10:58:50,062 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\ttlaYAiEREjEfnGSbz
2017-01-05 10:58:50,062 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2017-01-05 10:58:50,062 [analyzer] INFO: Automatically selected analysis package "ie"
2017-01-05 10:58:51,640 [analyzer] DEBUG: Started auxiliary module Disguise
2017-01-05 10:58:52,453 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2017-01-05 10:58:52,515 [analyzer] DEBUG: Started auxiliary module Human
2017-01-05 10:58:52,530 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2017-01-05 10:58:52,530 [analyzer] DEBUG: Started auxiliary module Reboot
2017-01-05 10:58:52,655 [analyzer] DEBUG: Started auxiliary module RecentFiles
2017-01-05 10:58:52,655 [analyzer] DEBUG: Started auxiliary module Screenshots
2017-01-05 10:58:52,655 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2017-01-05 10:58:53,217 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments [u'C:\\Users\\freddy\\AppData\\Local\\Temp\\exc.html'] and pid 1372
2017-01-05 11:01:05,275 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2017-01-05 11:01:09,088 [lib.common.results] ERROR: Exception uploading file c:\users\freddy\appdata\local\temp\tmp5_qm4y to host: [Errno 9] Bad file descriptor
2017-01-05 11:01:09,104 [lib.api.process] INFO: Memory dump of process with pid 1372 completed
2017-01-05 11:01:09,104 [analyzer] INFO: Analysis completed.

Is there something I'm not clearing properly?

doomedraven commented 7 years ago

can you provide more info? as which signatures etc

FuzzyWaffler commented 7 years ago

Added some extra info to the original post. The signature section is where those addresses are from. I'm not applying any specific YARA signatures yet.

doomedraven commented 7 years ago

Well, that still says nothing about which signature matches those URLs.

FuzzyWaffler commented 7 years ago

The file has this info:

Size: 11.7KB
Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5: aec60c798291525aaf513d71ecb9fbdf
SHA1: 2f9c45724a92a7a212f417e9d5d47f372b0d062d
SHA256: 8f6b5f7847787dde69a0ad9733e3705f75db76d0a922ee4557d644c0af40684d
SHA512:
CRC32: 6E9D78C0
ssdeep: None
Yara: None matched

Is there a way to export what the signatures are flagging on?

doomedraven commented 7 years ago

But which signature do you speak about? Can you post a screenshot of the signature block with the signature you speak about opened?

jbremer commented 7 years ago

Right, yeah, URLs from process memory dumps still have to be filtered properly. The "hard" part about this is that it is specific to each VM (and even to types of analyses - running PE files and Office documents may have different results). In other words, it's on our to-do list to filter all the standard stuff out, but it requires some relatively big changes for which we don't have a process in place yet (i.e., always running a sort of "collection" analysis for newly registered VMs - we have something like this called the baseline feature, but it's definitely not yet complete). Thanks for your feature request. If you have any additional requests and/or features, please do let me know.
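The per-VM baseline idea described above, as an added example that is not Cuckoo's own code: URLs seen in a clean "collection" run of the same VM are recorded once, and a real analysis then reports only what it adds. The sample URL lists and the `example.invalid` host are constructed for illustration; a new URL on a host the baseline already contacted is flagged rather than dropped, since a clean VM's CDN can still serve something the analyst should see.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what a clean (no-sample) run of this VM already contacts.
BASELINE_URLS = [
    "http://google.com/",
    "https://www.google.com/chrome/browser/thankyou.html?brand=CHBF",
    "https://login.live.com/login.srf?wa=wsignin1.0",
    "http://effbot.org/media/downloads/PIL-1.1.7.win32-py2.7.exe",
]

# Constructed sample: URLs pulled from a memory dump during a real analysis.
ANALYSIS_URLS = [
    "http://google.com",                      # same as baseline once normalized
    "HTTPS://www.Google.com/chrome/browser/thankyou.html?brand=CHBF#top",
    "https://login.live.com/login.srf?wa=wsignin1.0",
    "https://www.google.com/search?q=example",  # new path on a baseline host
    "http://cdn.example.invalid/files/update.exe",  # never seen in baseline
]


def normalize_url(url):
    """Canonical form so trivially different spellings compare equal:
    lowercase scheme and host, empty path becomes '/', fragment dropped."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def load_baseline(urls):
    """Exact-URL set plus host set from the clean run of the same VM."""
    norm = {normalize_url(u) for u in urls}
    return norm, {urlsplit(u).netloc for u in norm}


def filter_urls(analysis_urls, baseline):
    """Return (novel, flagged): URLs absent from the baseline, split by whether
    their host was already contacted by the clean VM. Exact baseline matches
    are VM noise and are discarded."""
    base_urls, base_hosts = baseline
    novel, flagged = [], []
    for url in analysis_urls:
        n = normalize_url(url)
        if n in base_urls:
            continue
        (flagged if urlsplit(n).netloc in base_hosts else novel).append(n)
    return novel, flagged


if __name__ == "__main__":
    new, known_host = filter_urls(ANALYSIS_URLS, load_baseline(BASELINE_URLS))
    print("novel:", new)
    print("new on baseline host:", known_host)
```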