cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo analysis on new Zbot sample #2339

Open Nwinternights opened 6 years ago

Nwinternights commented 6 years ago

Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html

My issue is:

HTTP traffic is not detected on the Bot sample.

My Cuckoo version and operating system are:

2.0.6

This can be reproduced by:

download the sample https://www.hybrid-analysis.com/sample/7f0b0054d8a90eaec6e33ed04940aaa6f06e58d1517bf7b890b4a44051d18dd6?environmentId=100

The log, error, files etc can be found at:

Hi, I got the sample above and ran it on 3 different Cuckoo machines (Cuckoo 2.0.6, CAPE and cuckoo-modified). In the last 2 machines I got HTTP traffic, probably referring to C2, and other IOCs.

cap_json.zip cape_pcap.zip Cuckoo2_analyzer.zip

Looking at the behavioral analysis on Cuckoo 2, it seems that the API call "GetFileInformationByHandle" makes a sort of loop. Any help is greatly appreciated.

Cuckoo2_dump.zip

RicoVZ commented 6 years ago

Hi Nwinternights,

Thanks for posting an issue. :smile:

We will look into it. It looks like it exits if it finds a specific process, as it exits immediately after using Process32NextW.
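To check a Cuckoo 2.x report for the pattern RicoVZ describes (a process trace that stops right after process enumeration), here is a small added triage script; it is not part of Cuckoo or of this thread, and it assumes the report.json layout `behavior.processes[].calls[].api` and the hook names CreateToolhelp32Snapshot / Process32FirstW / Process32NextW, with a constructed report fragment as input.

```python
"""Triage helper (added example, not Cuckoo code): find processes in a
Cuckoo 2.x report.json whose last logged API calls include process
enumeration, i.e. the sample walks the process list and then terminates
instead of going on to produce network traffic."""
import json

# Hook names as Cuckoo's monitor reports them (assumption).
ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}

def load_report(path):
    """Load a report.json produced by a Cuckoo 2.x analysis."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def tail_apis(proc, window=5):
    """Names of the last `window` API calls logged for one process."""
    return [c.get("api", "") for c in proc.get("calls", [])[-window:]]

def exits_after_enumeration(proc, window=5):
    """True if the trace ends within `window` calls of an enumeration API."""
    return any(api in ENUM_APIS for api in tail_apis(proc, window))

def flag_processes(report, window=5):
    """Return [(pid, name, tail)] for every process matching the pattern."""
    hits = []
    for proc in report.get("behavior", {}).get("processes", []):
        if exits_after_enumeration(proc, window):
            hits.append((proc.get("pid"), proc.get("process_name"),
                         tail_apis(proc, window)))
    return hits

# Constructed report fragment in the assumed Cuckoo 2.x layout.
SAMPLE_REPORT = json.loads("""{
 "behavior": {"processes": [
  {"pid": 1234, "process_name": "sample.exe", "calls": [
    {"api": "GetFileInformationByHandle", "return_value": 1},
    {"api": "GetFileInformationByHandle", "return_value": 1},
    {"api": "CreateToolhelp32Snapshot", "return_value": 120},
    {"api": "Process32FirstW", "return_value": 1},
    {"api": "Process32NextW", "return_value": 1},
    {"api": "Process32NextW", "return_value": 1},
    {"api": "NtTerminateProcess", "return_value": 0}]},
  {"pid": 2222, "process_name": "explorer.exe", "calls": [
    {"api": "NtCreateFile", "return_value": 0},
    {"api": "InternetOpenA", "return_value": 1},
    {"api": "HttpSendRequestA", "return_value": 1}]}
 ]}}""")

if __name__ == "__main__":
    for pid, name, tail in flag_processes(SAMPLE_REPORT):
        print(f"pid {pid} ({name}) stopped right after: {' -> '.join(tail)}")
```

Run it against a real analysis with `flag_processes(load_report("report.json"))`; a hit on the sample's own process is a cue to compare the enumerated process names against the analysis VM.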

Nwinternights commented 6 years ago

@RicoVZ let me know if you need further logs and/or info. Thanks a lot. Regards