Closed: threatlead closed this issue 10 years ago
Currently there is no way to do any of that and it would require a considerable restructuring of the code to make this happen. For now, just take the dropped file and issue a new analysis with it.
Most of the time, if the dropped file is put back into Cuckoo's queue, it repeats the flow, adds itself to the AutoRun registry (or file path) and doesn't do much.
I was wondering if I can write an auxiliary module (similar to those in cuckoo/analyzer/windows/modules/auxiliary/) to detect if a file is dropped in certain locations or if particular registry keys are changed, and then execute them automatically.
I have bumped into a few samples that drop DLLs or executables and add them to the registry or filesystem for auto-run, but don't execute them.
Therefore, the malware is placed on the machine but doesn't trigger any C2 communication. I was wondering if we can write something in the analyzer to overcome this. Maybe detect the "Installs itself for autorun at Windows startup" signature and run it automatically, if not executed before.
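One way to do the detection half of this offline, on a behaviour log, is to correlate file drops, Run-key writes and process creations and flag the dropped files that were registered for autorun but never started, so they can be resubmitted as the maintainer suggests. This is an added example, not part of the thread or of Cuckoo's code; the event field names and sample paths are constructed.

```python
import ntpath
import re

# Persistence locations discussed in the thread: Run/RunOnce keys and the
# per-user Startup folder. Constructed patterns, not Cuckoo signature code.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def _norm(path):
    """Case-fold and normalise a Windows path so events can be compared."""
    return ntpath.normpath(path).lower()


def find_unexecuted_autorun_drops(events):
    """Return dropped files registered for autorun that never started.
    `events` is a list of dicts (constructed schema): {'type': 'file_write',
    'path'}, {'type': 'reg_write', 'key', 'value'} or
    {'type': 'process_create', 'image'}. Order does not matter: everything is
    collected first, then correlated. DLLs loaded into a host process would
    need module-load events, which this schema does not carry."""
    dropped, startup_drops, run_values, executed = set(), set(), [], set()
    for ev in events:
        if ev["type"] == "file_write":
            path = _norm(ev["path"])
            dropped.add(path)
            if STARTUP_DIR_RE.search(ev["path"]):
                startup_drops.add(path)
        elif ev["type"] == "reg_write" and RUN_KEY_RE.search(ev["key"]):
            run_values.append(ev["value"].lower())
        elif ev["type"] == "process_create":
            executed.add(_norm(ev["image"]))
    # A Run value may quote the path or hand it to a host such as rundll32,
    # so match dropped paths as substrings of the whole command line.
    run_drops = {p for p in dropped if any(p in v for v in run_values)}
    return sorted((startup_drops | run_drops) - executed)


# Constructed behaviour log standing in for a sandbox report.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\victim\Desktop\sample.exe"},
    {"type": "file_write", "path": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"type": "reg_write", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r'"C:\Users\victim\AppData\Roaming\updater.exe" /s'},
    {"type": "file_write", "path": r"C:\Users\victim\AppData\Roaming\helper.dll"},
    {"type": "reg_write", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": r"rundll32.exe C:\Users\victim\AppData\Roaming\helper.dll,Start"},
    {"type": "file_write", "path": r"C:\Users\victim\AppData\Local\Temp\trace.log"},
    {"type": "file_write", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.exe"},
    {"type": "process_create", "image": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.exe"},
]

if __name__ == "__main__":
    for path in find_unexecuted_autorun_drops(SAMPLE_EVENTS):
        print("resubmit for analysis:", path)
```

The temp log is dropped but not persisted, and run.exe is persisted but did execute, so only updater.exe and helper.dll are reported.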