Open cssxn opened 5 years ago
I found out that the invocation order can be adjusted with the Signature.order property; if it is set to zero, that signature will run after the other signatures.
```python
from lib.cuckoo.common.abstracts import Signature
import logging

log = logging.getLogger(__name__)


class Test3(Signature):
    name = "test_3"
    description = "Running calc.exe and notepad.exe"
    severity = 3
    categories = ["downloader"]
    authors = ["Cuckoo Technologies"]
    minimum = "2.0"
    order = 0

    def __init__(self, *args, **kwargs):
        super(Test3, self).__init__(*args, **kwargs)
        # Keep the list per instance: a class-level `sig_list = []` is shared
        # by every Test3 object and would accumulate names across analyses.
        self.sig_list = []

    def on_signature(self, signature):
        log.debug(signature.name)
        self.sig_list.append(signature.name)

        # Match once both prerequisite signatures have fired.
        required = ["test_1", "test_2"]
        for sig in required:
            if sig not in self.sig_list:
                return False
        return True
```
This works fine for me to combine several signatures.
Hey cssxn,
Thanks for posting an issue.
Indeed, you can use the order attribute to manipulate the order the signatures are processed in. :smile:
When I submitted a malware sample which matched seven signatures, the signature Test3 above only printed out one signature.name.
Mhm, that is odd. I cannot reproduce this behavior. With your signature example, it calls the on_signature for every match on my Cuckoo 2.0.6.2 instance.
```
2018-07-17 14:37:51,083 [cuckoo.core.plugins] DEBUG: Running 541 signatures
2018-07-17 14:37:51,265 [signatures.windows.aaaaa] DEBUG: SIGNATURE: antivm_memory_available
2018-07-17 14:37:51,389 [signatures.windows.aaaaa] DEBUG: SIGNATURE: antivm_network_adapters
2018-07-17 14:37:51,545 [signatures.windows.aaaaa] DEBUG: SIGNATURE: allocates_rwx
2018-07-17 14:37:51,748 [signatures.windows.aaaaa] DEBUG: SIGNATURE: modifies_proxy_wpad
2018-07-17 14:37:51,771 [signatures.windows.aaaaa] DEBUG: SIGNATURE: process_martian
2018-07-17 14:37:51,791 [signatures.windows.aaaaa] DEBUG: SIGNATURE: memdump_urls
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: allocates_rwx
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_memory_available
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: modifies_proxy_wpad
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivm_network_adapters
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: process_martian
2018-07-17 14:37:51,865 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_urls
```
@RicoVZ could you show me your code?
@RicoVZ I'm using Cuckoo version 2.0.5, and it happens again.
My signature is here:
```python
from lib.cuckoo.common.abstracts import Signature
import logging

log = logging.getLogger(__name__)


class MaliciousOffice(Signature):
    name = "malicious_office"
    description = "an office file that contains malicious behaviors"
    severity = 0
    categories = ["downloader"]
    authors = ["wdy"]
    minimum = "2.0"
    core = True
    order = 0

    # Signature names grouped by the kind of behaviour they indicate.
    ps_condition = [
        "powerfun",
        "powershell_unicorn",
        "powershell_reg_add",
        "amsi_bypass",
        "powershell_bitstransfer",
        "powershell_ddi_rc4",
        "powershell_dfsp",
        "powershell_download",
        "powershell_empire",
        "powershell_meterpreter",
        "powershell_c2dns",
        "martian_command_process",
        "applocker_bypass",
    ]
    doc_condition = [
        "document_open",
        "office_dde",
        "Detects_macro",
        "office_packager",
        "office_http_request",
        "office_indirect_call",
        "office_check_doc_name",
        "office_platform_detect",
        "document_close",
        "network_document_file",
    ]
    proc_condition = ["suspicious_process"]

    def __init__(self, *args, **kwargs):
        super(MaliciousOffice, self).__init__(*args, **kwargs)
        # Per-instance state: a class-level `sig_names = []` is shared by
        # every instance and keeps growing across analyses.
        self.sig_names = []

    def on_signature(self, signature):
        self.sig_names.append(signature.name)

        # Mark the IOC only for the signature that just arrived; re-marking
        # every earlier one on each call would duplicate the marks.
        if signature.name in self.ps_condition:
            self.mark_ioc("PowerShell Signature", signature.description)
        if signature.name in self.doc_condition:
            self.mark_ioc("Office Signature", signature.description)
        if signature.name in self.proc_condition:
            self.mark_ioc("Process Signature", signature.description)

        seen = set(self.sig_names)
        ps = bool(seen.intersection(self.ps_condition))
        doc = bool(seen.intersection(self.doc_condition))
        proc = bool(seen.intersection(self.proc_condition))

        if (ps and doc) or ((ps or doc) and proc):
            log.debug("================ Matched Signatures =========")
            log.debug(self.sig_names)
            return True
        return False
```
The Cuckoo log: my log.debug printed out all the signatures that passed through on_signature, and it didn't match the Cuckoo log lines with DEBUG: Analysis matched signature.
```
2018-07-18 11:25:40,997 [cuckoo.core.plugins] DEBUG: Running 519 signatures
2018-07-18 11:25:43,904 [signatures.windows.malicious_office] DEBUG:================Matched Signatures =========
2018-07-18 11:25:43,906 [signatures.windows.malicious_office] DEBUG: ['Detects_macro', 'dumped_buffer', 'network_http', 'antisandbox_foregroundwindows', 'persistence_autorun', 'document_open', 'creates_exe', 'creates_service', 'creates_shortcut', 'suspicious_process']
2018-07-18 11:25:44,931 [cuckoo.core.plugins] DEBUG: Analysis matched signature: malicious_office
2018-07-18 11:25:44,935 [cuckoo.core.plugins] DEBUG: Analysis matched signature: dumped_buffer
2018-07-18 11:25:44,937 [cuckoo.core.plugins] DEBUG: Analysis matched signature: network_http
2018-07-18 11:25:44,937 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antisandbox_foregroundwindows
2018-07-18 11:25:44,938 [cuckoo.core.plugins] DEBUG: Analysis matched signature: persistence_autorun
2018-07-18 11:25:44,944 [cuckoo.core.plugins] DEBUG: Analysis matched signature: document_open
2018-07-18 11:25:44,944 [cuckoo.core.plugins] DEBUG: Analysis matched signature: creates_exe
2018-07-18 11:25:44,945 [cuckoo.core.plugins] DEBUG: Analysis matched signature: creates_service
2018-07-18 11:25:44,945 [cuckoo.core.plugins] DEBUG: Analysis matched signature: creates_shortcut
2018-07-18 11:25:44,946 [cuckoo.core.plugins] DEBUG: Analysis matched signature: suspicious_process
2018-07-18 11:25:44,947 [cuckoo.core.plugins] DEBUG: Analysis matched signature: generates_crypto_key
2018-07-18 11:25:44,947 [cuckoo.core.plugins] DEBUG: Analysis matched signature: Detects_macro
2018-07-18 11:25:44,951 [cuckoo.core.plugins] DEBUG: Analysis matched signature: Reg_Get_Computer_Name
2018-07-18 11:25:44,951 [cuckoo.core.plugins] DEBUG: Analysis matched signature: martian_command_process
2018-07-18 11:25:44,952 [cuckoo.core.plugins] DEBUG: Analysis matched signature: network_document_file
2018-07-18 11:25:44,952 [cuckoo.core.plugins] DEBUG: Analysis matched signature: office_vuln_modules
2018-07-18 11:25:44,953 [cuckoo.core.plugins] DEBUG: Analysis matched signature: powershell_download
2018-07-18 11:25:44,954 [cuckoo.core.plugins] DEBUG: Analysis matched signature: powershell_request
2018-07-18 11:25:44,957 [cuckoo.core.plugins] DEBUG: Analysis matched signature: process_interest
2018-07-18 11:25:44,958 [cuckoo.core.plugins] DEBUG: Analysis matched signature: process_martian
2018-07-18 11:25:44,958 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_ip_urls
2018-07-18 11:25:44,958 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_urls
2018-07-18 11:25:44,959 [cuckoo.core.plugins] DEBUG: Analysis matched signature: query_computername
2018-07-18 11:25:44,960 [cuckoo.core.plugins] DEBUG: Analysis matched signature: removes_zoneid_ads
2018-07-18 11:25:44,963 [cuckoo.core.plugins] DEBUG: Analysis matched signature: suspicious_write_exe
2018-07-18 11:25:50,022 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
```
@RicoVZ Hello, this error occurs when the sandbox processes multiple files (malicious files and normal files are submitted simultaneously). Hope there is a solution.
Here is my signature code below:
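As an added example (not code from this thread or from Cuckoo), a combination signature in the style of the ones above, with a constructed stand-in for the Signature base class and a small driver so it runs offline. LeakyChain shows why a class-level `sig_list = []` matters in such a signature: every instance shares the one list, so names from one analysis leak into the next when several analyses are processed by the same interpreter.

```python
import collections

# What on_signature receives; only .name and .description are used here.
Matched = collections.namedtuple("Matched", "name description")

class Signature(object):
    """Stand-in for lib.cuckoo.common.abstracts.Signature (constructed so the
    example runs offline; not Cuckoo's class)."""
    def __init__(self):
        self.marks = []

    def mark_ioc(self, category, ioc):
        self.marks.append((category, ioc))

class OfficeChain(Signature):
    """Fires once a document signature and a PowerShell signature both matched."""
    name, order = "office_chain_example", 0
    DOC = {"document_open", "office_dde", "network_document_file"}
    PS = {"powershell_download", "powershell_request", "martian_command_process"}

    def __init__(self):
        super(OfficeChain, self).__init__()
        self.seen = []  # per-instance state; contrast with LeakyChain below
        self.doc = self.ps = False

    def on_signature(self, signature):
        self.seen.append(signature.name)
        if signature.name in self.DOC:
            self.mark_ioc("Office Signature", signature.description)
            self.doc = True
        elif signature.name in self.PS:
            self.mark_ioc("PowerShell Signature", signature.description)
            self.ps = True
        return self.doc and self.ps

class LeakyChain(OfficeChain):
    """Same logic, but `seen` is a class attribute shared by every instance."""
    seen = []

    def __init__(self):
        Signature.__init__(self)  # deliberately skips the per-instance reset
        self.doc = self.ps = False

def run_analysis(cls, matched_names):
    """Feed one analysis' matches to a fresh signature; return (hit, names seen)."""
    sig = cls()
    for name in matched_names:
        if sig.on_signature(Matched(name, "")):
            break
    return sig.doc and sig.ps, list(sig.seen)
```

Running two analyses back to back with OfficeChain gives each a clean list, while the second LeakyChain analysis still contains the first analysis' names.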