cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Malware added to AutoRun, but not executed #280

Closed threatlead closed 10 years ago

threatlead commented 10 years ago

I have bumped into a few samples that drop DLLs or executables, add them to the registry or filesystem for auto-run, but don't execute them.

Therefore, the malware is placed on the machine, but doesn't trigger any C2 communication. I was wondering if we can write something in the analyzer to overcome this. Maybe detect the "Installs itself for autorun at Windows startup" signature and run it automatically, if not executed before.

botherder commented 10 years ago

Currently there is no way to do any of that and it would require a considerable restructuring of the code to make this happen. For now, just take the dropped file and issue a new analysis with it.

threatlead commented 10 years ago

Most of the time, if the dropped file is put back into Cuckoo's queue it repeats the flow, adds itself to AutoRun registry (or file path) and doesn't do much.

I was wondering if I can write an auxiliary module (similar to those in cuckoo/analyzer/windows/modules/auxiliary/) to detect if a file is dropped in certain locations or if particular registry keys are changed, and then execute them automatically.