cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

on_signature seems not working well #2374

Open cssxn opened 5 years ago

cssxn commented 5 years ago

here is my signature code below

from lib.cuckoo.common.abstracts import Signature
import logging
log = logging.getLogger(__name__)

class Test3(Signature):
    name = "test_3"
    description = "Running calc.exe and notepad.exe"
    severity = 3
    minimum = "2.0"

    def on_signature(self, signature):
        log.debug(signature.name)

When I submitted a malware sample that matched seven signatures, the signature Test3 above only printed out one signature.name.

cssxn commented 5 years ago

I found out that I could adjust the invocation order with the Signature.order property; if it is set to zero, the signature will run after the other signatures.

cssxn commented 5 years ago

from lib.cuckoo.common.abstracts import Signature
import logging
log = logging.getLogger(__name__)

class Test3(Signature):
    name = "test_3"
    description = "Running calc.exe and notepad.exe"
    severity = 3
    categories = ["downloader"]
    authors = ["Cuckoo Technologies"]
    minimum = "2.0"
    order = 0      # run after the other signatures so their results are available
    sig_list = []  # note: a class attribute, shared by every instance of this class

    def on_signature(self, signature):
        # Called once per signature handed to this one; record its name.
        log.debug(signature.name)
        self.sig_list.append(signature.name)

        required = ["test_1", "test_2"]

        # Match only once every required signature has been seen.
        for sig in required:
            if sig not in self.sig_list:
                return False
        return True

This works fine for me to combine multiple signatures.

RicoVZ commented 5 years ago

Hey cssxn,

Thanks for posting an issue.

Indeed, you can use the order attribute to manipulate the order the signatures are processed in. :smile:

> When I submitted a malware sample that matched seven signatures, the signature Test3 above only printed out one signature.name.

Mhm, that is odd. I cannot reproduce this behavior. With your signature example, it calls the on_signature for every match on my Cuckoo 2.0.6.2 instance.

2018-07-17 14:37:51,083 [cuckoo.core.plugins] DEBUG: Running 541 signatures
2018-07-17 14:37:51,265 [signatures.windows.aaaaa] DEBUG: SIGNATURE: antivm_memory_available
2018-07-17 14:37:51,389 [signatures.windows.aaaaa] DEBUG: SIGNATURE: antivm_network_adapters
2018-07-17 14:37:51,545 [signatures.windows.aaaaa] DEBUG: SIGNATURE: allocates_rwx
2018-07-17 14:37:51,748 [signatures.windows.aaaaa] DEBUG: SIGNATURE: modifies_proxy_wpad
2018-07-17 14:37:51,771 [signatures.windows.aaaaa] DEBUG: SIGNATURE: process_martian
2018-07-17 14:37:51,791 [signatures.windows.aaaaa] DEBUG: SIGNATURE: memdump_urls
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: allocates_rwx
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_memory_available
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: modifies_proxy_wpad
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_network_adapters
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: process_martian
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_urls

cssxn commented 5 years ago

@RicoVZ could you show me your code?

cssxn commented 5 years ago

@RicoVZ I'm using Cuckoo version 2.0.5, and it happens again.

My signature is here:

from lib.cuckoo.common.abstracts import Signature
import logging
log = logging.getLogger(__name__)

class MaliciousOffice(Signature):
    name = "malicious_office"
    description = "an office file that contains maliciously behaviors"
    severity = 0
    categories = ["downloader"]
    authors = ["wdy"]
    minimum = "2.0"
    core = True
    order = 0
    sig_list = []   # note: class attributes, shared by every instance of this class
    sig_names = []

    def on_signature(self, signature):

        self.sig_list.append(signature)
        self.sig_names.append(signature.name)

        ps_condition = [
            "powerfun",
            "powershell_unicorn",
            "powershell_reg_add",
            "amsi_bypass",
            "powershell_bitstransfer",
            "powershell_ddi_rc4",
            "powershell_dfsp",
            "powershell_download",
            "powershell_empire",
            "powershell_meterpreter",
            "powershell_c2dns",
            "martian_command_process",
            "applocker_bypass",
        ]

        doc_condition = [
            "document_open",
            "office_dde",
            "Detects_macro",
            "office_packager",
            "office_http_request",
            "office_indirect_call",
            "office_check_doc_name",
            "office_platform_detect",
            "document_close",
            "network_document_file",
        ]

        proc_condition = ["suspicious_process"]

        ps = False
        doc = False
        proc = False

        for sig in self.sig_list:
            if sig.name in ps_condition:
                self.mark_ioc("PowerShell Signature", sig.description)
                ps = True
            if sig.name in doc_condition:
                self.mark_ioc("Office Signature", sig.description)
                doc = True
            if sig.name in proc_condition:
                self.mark_ioc("Process Signature", sig.description)
                proc = True

        if (ps and doc) or ((ps or doc) and proc):
            log.debug("================ Matched Signatures =========")
            log.debug(self.sig_names)
            return True
        else:
            return False

In the Cuckoo log, my log.debug printed out all the signatures that went through on_signature, and they didn't match the Cuckoo log lines with DEBUG: Analysis matched signature.

2018-07-18 11:25:40,997 [cuckoo.core.plugins] DEBUG: Running 519 signatures
2018-07-18 11:25:43,904 [signatures.windows.malicious_office] DEBUG:================Matched Signatures =========
2018-07-18 11:25:43,906 [signatures.windows.malicious_office] DEBUG: ['Detects_macro', 'dumped_buffer', 'network_http', 'antisandbox_foregroundwindows', 'persistence_autorun', 'document_open', 'creates_exe', 'creates_service', 'creates_shortcut', 'suspicious_process']
2018-07-18 11:25:44,931 [cuckoo.core.plugins] DEBUG: Analysis matched signature: malicious_office
2018-07-18 11:25:44,935 [cuckoo.core.plugins] DEBUG: Analysis matched signature: dumped_buffer
2018-07-18 11:25:44,937 [cuckoo.core.plugins] DEBUG: Analysis matched signature: network_http
2018-07-18 11:25:44,937 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antisandbox_foregroundwindows
2018-07-18 11:25:44,938 [cuckoo.core.plugins] DEBUG: Analysis matched signature: persistence_autorun
2018-07-18 11:25:44,944 [cuckoo.core.plugins] DEBUG: Analysis matched signature: document_open
2018-07-18 11:25:44,944 [cuckoo.core.plugins] DEBUG: Analysis matched signature: creates_exe
2018-07-18 11:25:44,945 [cuckoo.core.plugins] DEBUG: Analysis matched signature: creates_service
2018-07-18 11:25:44,945 [cuckoo.core.plugins] DEBUG: Analysis matched signature: creates_shortcut
2018-07-18 11:25:44,946 [cuckoo.core.plugins] DEBUG: Analysis matched signature: suspicious_process
2018-07-18 11:25:44,947 [cuckoo.core.plugins] DEBUG: Analysis matched signature: generates_crypto_key
2018-07-18 11:25:44,947 [cuckoo.core.plugins] DEBUG: Analysis matched signature: Detects_macro
2018-07-18 11:25:44,951 [cuckoo.core.plugins] DEBUG: Analysis matched signature: Reg_Get_Computer_Name
2018-07-18 11:25:44,951 [cuckoo.core.plugins] DEBUG: Analysis matched signature: martian_command_process
2018-07-18 11:25:44,952 [cuckoo.core.plugins] DEBUG: Analysis matched signature: network_document_file
2018-07-18 11:25:44,952 [cuckoo.core.plugins] DEBUG: Analysis matched signature: office_vuln_modules
2018-07-18 11:25:44,953 [cuckoo.core.plugins] DEBUG: Analysis matched signature: powershell_download
2018-07-18 11:25:44,954 [cuckoo.core.plugins] DEBUG: Analysis matched signature: powershell_request
2018-07-18 11:25:44,957 [cuckoo.core.plugins] DEBUG: Analysis matched signature: process_interest
2018-07-18 11:25:44,958 [cuckoo.core.plugins] DEBUG: Analysis matched signature: process_martian
2018-07-18 11:25:44,958 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_ip_urls
2018-07-18 11:25:44,958 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_urls
2018-07-18 11:25:44,959 [cuckoo.core.plugins] DEBUG: Analysis matched signature: query_computername
2018-07-18 11:25:44,960 [cuckoo.core.plugins] DEBUG: Analysis matched signature: removes_zoneid_ads
2018-07-18 11:25:44,963 [cuckoo.core.plugins] DEBUG: Analysis matched signature: suspicious_write_exe
2018-07-18 11:25:50,022 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"

Pumpkinbro commented 5 years ago

@RicoVZ hello, this error occurs when the sandbox processes multiple files (malicious files and normal files are committed simultaneously). Hope there is a solution.
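As an added example that is not part of the issue thread or of Cuckoo's own code: a composite signature in the style of the posted MaliciousOffice, with its seen-signature list created per instance instead of on the class, beside a variant that keeps the list on the class so that state carrying over from one analysis into the next (one way a verdict can go wrong when several files are processed in the same worker) can be reproduced offline. FakeSig and run_analysis are constructed stand-ins for Cuckoo's signature dispatch, and the name sets are shortened from the posted signature.

```python
PS_CONDITION = {"powershell_download", "powershell_empire", "amsi_bypass"}
DOC_CONDITION = {"document_open", "office_dde", "Detects_macro"}
PROC_CONDITION = {"suspicious_process"}


class FakeSig:
    """Constructed stand-in for the signature object passed to on_signature."""
    def __init__(self, name, description=""):
        self.name = name
        self.description = description


class MaliciousOfficeComposite:
    """Composite signature whose state is created per instance in __init__."""
    name = "malicious_office"
    order = 0  # per the thread: order 0 runs after the other signatures

    def __init__(self):
        # A fresh list for each analysis, so names seen while processing one
        # task cannot leak into the verdict of the next task.
        self.seen = []
        self.iocs = []  # (category, description) pairs, as mark_ioc would record

    def on_signature(self, signature):
        self.seen.append(signature.name)
        for label, names in (("PowerShell Signature", PS_CONDITION),
                             ("Office Signature", DOC_CONDITION),
                             ("Process Signature", PROC_CONDITION)):
            if signature.name in names:
                self.iocs.append((label, signature.description))
        ps = any(n in PS_CONDITION for n in self.seen)
        doc = any(n in DOC_CONDITION for n in self.seen)
        proc = any(n in PROC_CONDITION for n in self.seen)
        return (ps and doc) or ((ps or doc) and proc)


class LeakyComposite(MaliciousOfficeComposite):
    """Same logic, but the list lives on the class, as in the issue's code."""
    shared_seen = []  # one list shared by every instance in this process

    def __init__(self):
        super().__init__()
        self.seen = LeakyComposite.shared_seen


def run_analysis(sig_class, matched_names):
    """Simulate one analysis: a new instance is fed each matched signature."""
    sig = sig_class()
    verdict = False
    for name in matched_names:
        verdict = sig.on_signature(FakeSig(name))
    return verdict
```

Running two analyses back to back through LeakyComposite shows a document that only triggered suspicious_process being flagged because an earlier file's document_open is still in the shared list; the per-instance version judges each file on its own matches.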