cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Submit file to cuckoo with arguments #2822

Open RazviAlex opened 4 years ago

RazviAlex commented 4 years ago

When I execute a file, it needs a parameter to run, for example just 'aaa' or anything.

I have looked at similar questions and found nothing. What I found in the guide is to use this: cuckoo submit --options arguments=--aaa /path/to/binary.exe. It doesn't work; cuckoo just executes the file and does not pass 'aaa'.

I also tried: cuckoo submit /path/to/binary.exe --options arguments "aaa", with the same result.

How would I go about submitting the file to cuckoo so that it runs? Thank you!

ryanbekabe commented 4 years ago

Use API here: https://cuckoo.readthedocs.io/en/latest/usage/api/#tasks-create-file
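
The REST endpoint linked above takes the sample as a multipart file field plus an optional options form field in the same key=value,key=value syntax as the CLI's --options flag. The following is an added example (not code from this thread or from the Cuckoo project) that builds and sends such a request with only the Python standard library; the API URL http://localhost:8090, the bearer token handling and the helper names are assumptions, and the "arguments" option name is the one that appears in the analyzer log later in this thread. It only shows how to get the option onto the task; whether the guest actually passes it to the process is what the rest of the thread is about.

```python
"""Submit a sample to Cuckoo's REST API (POST /tasks/create/file) with
analysis-package options such as command-line arguments.

Added example, not part of the original thread or the Cuckoo project.
Assumes the API server listens at http://localhost:8090 and, if the API
is token-protected, that a bearer token is supplied.
"""
import json
import os
import uuid
import urllib.request


def build_options(opts):
    """Serialise a dict into Cuckoo's 'key=value,key=value' options string.

    Cuckoo splits the options field on commas and then on '=', so a value
    containing a comma cannot be expressed; it is rejected here instead of
    being silently split into a bogus extra option.
    """
    parts = []
    for key, value in opts.items():
        if "," in str(value) or "=" in key:
            raise ValueError("option %r cannot be encoded in Cuckoo's options syntax" % key)
        parts.append("%s=%s" % (key, value))
    return ",".join(parts)


def encode_multipart(fields, file_field, filename, file_bytes):
    """Build a multipart/form-data body by hand (no third-party HTTP library).

    Returns (content_type_header_value, body_bytes).
    """
    boundary = "----cuckoo-%s" % uuid.uuid4().hex
    lines = []
    for name, value in fields.items():
        lines.append("--" + boundary)
        lines.append('Content-Disposition: form-data; name="%s"' % name)
        lines.append("")
        lines.append(str(value))
    lines.append("--" + boundary)
    lines.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (file_field, filename))
    lines.append("Content-Type: application/octet-stream")
    lines.append("")
    body = "\r\n".join(lines).encode("utf-8") + b"\r\n" + file_bytes + b"\r\n"
    body += ("--%s--\r\n" % boundary).encode("utf-8")
    return "multipart/form-data; boundary=%s" % boundary, body


def build_request(sample_path, sample_bytes, arguments, package="exe",
                  api_url="http://localhost:8090", token=None):
    """Create the urllib Request for POST /tasks/create/file carrying the
    sample plus an options string with the command-line arguments."""
    fields = {
        "package": package,
        "options": build_options({"arguments": arguments}),
    }
    content_type, body = encode_multipart(
        fields, "file", os.path.basename(sample_path), sample_bytes)
    headers = {"Content-Type": content_type}
    if token:  # assumed: API configured with a bearer token
        headers["Authorization"] = "Bearer " + token
    return urllib.request.Request(api_url + "/tasks/create/file",
                                  data=body, headers=headers, method="POST")


def submit(sample_path, arguments, **kw):
    """Read the sample from disk, post it and return the new task id."""
    with open(sample_path, "rb") as fh:
        req = build_request(sample_path, fh.read(), arguments, **kw)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["task_id"]


if __name__ == "__main__":
    import sys
    # usage: python submit_with_args.py /path/to/binary.exe --aaa
    print(submit(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "--aaa"))
```

After submission, the analyzer log for the task (the "Successfully executed process ... with arguments [...]" line) is the place to confirm the option reached the guest.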

RazviAlex commented 4 years ago

Thank you @ryanbekabe, I appreciate it. But is there no other way to do it? I don't know how to do it the normal way, so with the REST API I am totally confused about how to submit with arguments (the only example there just shows a normal submit) :(

Something strange that I noticed is the log:

2019-07-30 17:45:21,000 [analyzer] DEBUG: Starting analyzer from: C:\tmphzrzu7
2019-07-30 17:45:21,000 [analyzer] DEBUG: Pipe server name: \??\PIPE\CahvVAlxvzIPuJwlfKRVkZMWwAXTjBg
2019-07-30 17:45:21,000 [analyzer] DEBUG: Log pipe server name: \??\PIPE\AOvrXkYsTAqVjteCWJ
2019-07-30 17:45:21,000 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-07-30 17:45:21,000 [analyzer] INFO: Automatically selected analysis package "exe"
2019-07-30 17:45:21,108 [analyzer] DEBUG: Started auxiliary module DbgView
2019-07-30 17:45:21,312 [analyzer] DEBUG: Started auxiliary module Disguise
2019-07-30 17:45:21,467 [analyzer] DEBUG: Loaded monitor into process with pid 484
2019-07-30 17:45:21,467 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-07-30 17:45:21,467 [analyzer] DEBUG: Started auxiliary module Human
2019-07-30 17:45:21,467 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-07-30 17:45:21,467 [analyzer] DEBUG: Started auxiliary module Reboot
2019-07-30 17:45:21,655 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-07-30 17:45:21,655 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-07-30 17:45:21,655 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2019-07-30 17:45:23,500 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\xxxx\AppData\Local\Temp\xxxxx2.2.exe' with arguments ['--aaa'] and pid 3124
2019-07-30 17:45:23,671 [analyzer] DEBUG: Loaded monitor into process with pid 3124
2019-07-30 08:47:35,148 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-07-30 08:47:35,148 [analyzer] INFO: Analysis completed.

It says 'with arguments ['--aaa']'. Why?? In the screenshot it never shows aaa. I also know that the argument aaa is not passed on the console, because I am analyzing a malware sample that doesn't start without an argument and doesn't show its real behavior..

ryanbekabe commented 4 years ago

You are right @RazviAlex, the argument function also does not work properly on my side. https://github.com/ryanbekabe/picstuff/blob/master/cuckoosandboxarguments.png

In my opinion, you have to repackage the file using an SFX (.exe) Zip / RAR, for example, inserting the command you want.

RazviAlex commented 4 years ago

Try this command @ryanbekabe: cuckoo submit /path/to/binary.exe --options arguments="aaa". With this, in my case, it shows the argument in the log, but only there. The file does not receive any argument.

Yes, in the end I repackaged it, dropping the arguments option, but just out of curiosity I want to know how to add arguments in cuckoo :)

ryanbekabe commented 4 years ago

I tried your command @RazviAlex, and some other commands:
cuckoo submit pafish.exe --options arguments="aaa"
cuckoo submit --package exe --options arguments=--dosomething pafish.exe
cuckoo submit --package exe --options arguments=--bkb pafish.exe
cuckoo submit --package exe pafish.exe --options arguments=--bkb

I'm also curious about hard-to-implement features like IRMA and Remote Control guacamole directly when files are being analyzed. :)


Update: I made a demo of my report with some arguments: https://youtu.be/i-kLWeo6AM8 Screenshot: https://github.com/ryanbekabe/picstuff/blob/master/cuckoosandboxarguments2.png It looks like what you said, "The file does not receive any argument", is right.