cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Customization Documentation - Auxiliary Module #1358

Open littlejob opened 7 years ago

littlejob commented 7 years ago

I have some questions about the Auxiliary Modules functionality, and I am not quite sure if this is the correct forum to discuss. And yes, I have seen this: http://docs.cuckoosandbox.org/en/latest/customization/auxiliary/

To start, I will outline what I am trying to achieve: During the submission of a file for analysis, in this case for a Windows host, I want to create a text input field under the advanced options of the web GUI, where if text is entered, it is then typed/simulated in the VM host. (Let's put aside the potential security risks for a moment :) )

The insertion of text from a Python module is easy; it's dynamically linking this to an HTML page and correlating it with the Auxiliary Module, I believe, that I am having issues with:

import time
import pyautogui

line = input('Enter text:')      # the text to be typed into the VM
time.sleep(3)                    # wait for the target window/dialog to appear
pyautogui.click(741, 467)        # focus the input field at a fixed screen position
pyautogui.typewrite(line, 0.10)  # type the text with a 0.10 s pause between keys
pyautogui.press('enter')         # confirm with the Enter/Return key

This loads the pyautogui and time modules, and in this case prompts the user to enter text. I have a delay of three seconds, to then simulate a specific mouse click, to a specific location, which will not change. I then enter the text passed in the line variable, and simulate the 'enter/return' key.

Would anyone have any suggestions or be able to point me in the right direction?
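The flow described in this post (a submission-time text field whose value is replayed as keystrokes in the analysis VM), as an added example that is not Cuckoo's own code: the option-string format `key=value,key2=value2` and the `password` key are assumptions, the screen coordinates and delays are the ones from the post, and the GUI backend is injected so the plan can be checked without a display while `pyautogui_backend()` is the one meant for the VM.

```python
import time


def parse_options(options):
    """Parse a 'key=value,key2=value2' string (the format the submission
    'options' field is assumed to use) into a dict; malformed items are skipped."""
    parsed = {}
    for item in options.split(","):
        key, sep, value = item.partition("=")
        if sep and key.strip():
            parsed[key.strip()] = value.strip()
    return parsed


def plan_password_entry(options, focus=(741, 467), wait=3.0, interval=0.10):
    """Return the GUI actions to replay for the assumed 'password' option, or an
    empty list when the field was left blank (then nothing must be typed)."""
    text = parse_options(options).get("password", "")
    if not text:
        return []
    return [
        ("sleep", wait),                # give the document's dialog time to appear
        ("click", focus[0], focus[1]),  # focus the input box at a fixed position
        ("typewrite", text, interval),  # type the text with a per-key delay
        ("press", "enter"),             # confirm the dialog
    ]


class RecordingBackend:
    """Stand-in for pyautogui that records calls instead of touching a desktop."""
    def __init__(self):
        self.calls = []
    def sleep(self, seconds): self.calls.append(("sleep", seconds))
    def click(self, x, y): self.calls.append(("click", x, y))
    def typewrite(self, text, interval): self.calls.append(("typewrite", text, interval))
    def press(self, key): self.calls.append(("press", key))


def execute(actions, backend):
    """Dispatch each planned action to the backend method of the same name;
    returns the number of actions executed."""
    for action in actions:
        getattr(backend, action[0])(*action[1:])
    return len(actions)


def pyautogui_backend():
    """Backend for the analysis VM: pyautogui for input, time.sleep for waits.
    Imported lazily because pyautogui needs a display at import time."""
    import pyautogui

    class Backend:
        sleep = staticmethod(time.sleep)
        click = staticmethod(pyautogui.click)
        typewrite = staticmethod(pyautogui.typewrite)
        press = staticmethod(pyautogui.press)
    return Backend()
```

Inside the VM the same plan runs as `execute(plan_password_entry(options), pyautogui_backend())`, so the parsing and gating logic is shared between the test and the real run.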

jbremer commented 7 years ago

We intend to work on RDP integration between our Web Interface & the VM where the sample is being analyzed in one of our upcoming releases this year. So that'd solve your issue. The way that you want to set up this mechanism is kind of odd, though. I'm not sure where to start on improving this, to be honest.

littlejob commented 7 years ago

I don't necessarily want RDP integration. Maybe if I give an example this will make more sense.

A common evasion technique, against several world-class products, to bypass threat emulation is to simply password-protect, let's say, a Word document. For example, a user receives a phishing email; there is an unknowingly malicious RTF file attached, which is password protected. In the body of the email, there is a password to unlock and read the file. Well, if the file itself has no matching signatures to any known malicious file in the many different databases you can query, it will come back as clean.

Giving a user the ability to input, in this case a password for the file, then having the sandbox automatically open, and then enter the password, will warrant a better analysis on the file in question.

jbremer commented 7 years ago

Sure, but then we're perhaps better off implementing some feature to allow a certain string to be typed in the VM, rather than creating this realtime passthrough thing which is, in essence, just as complex as the full-blown RDP solution.