cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

API Tracing #763

Open yoonack opened 8 years ago

yoonack commented 8 years ago

I have run a sample in the Cuckoo sandbox. Here is the API trace until it terminates:

2016-02-12 16:03:56.633246 CreateProcessInternalW thread_identifier => 2928 thread_handle => 0x00000080 process_identifier => 2776 current_directory => filepath => C:\Documents and Settings\th\Local Settings\Temp\686f502517f4e6dfd265476d33b3e3e6.exe command_line => "C:\Documents and Settings\th\Local Settings\Temp\686f502517f4e6dfd265476d33b3e3e6.exe" filepath_r => C:\Documents and Settings\th\Local Settings\Temp\686f502517f4e6dfd265476d33b3e3e6.exe creation_flags => 4 process_handle => 0x0000007c inherit_handles => 0 SUCCESS
2016-02-12 16:03:57.394246 SetErrorMode mode => 32769 SUCCESS
2016-02-12 16:03:57.394246 LdrLoadDll basename => ntdll module_address => 0x7c900000 flags => 0 module_name => ntdll SUCCESS
2016-02-12 16:03:57.394246 SetErrorMode mode => 4 SUCCESS
2016-02-12 16:03:57.394246 LdrGetProcedureAddress ordinal => 0 module => ntdll module_address => 0x7c900000 function_address => 0x7c90df90 function_name => NtWriteVirtualMemory SUCCESS
2016-02-12 16:03:57.394246 SetErrorMode mode => 32769 SUCCESS
2016-02-12 16:03:57.394246 LdrLoadDll basename => ntdll module_address => 0x7c900000 flags => 0 module_name => ntdll SUCCESS
2016-02-12 16:03:57.394246 SetErrorMode mode => 4 SUCCESS
2016-02-12 16:03:57.394246 LdrGetProcedureAddress ordinal => 0 module => ntdll module_address => 0x7c900000 function_address => 0x7c90def0 function_name => NtUnmapViewOfSection SUCCESS
2016-02-12 16:03:57.394246 NtUnmapViewOfSection region_size => 4096 base_address => 0x00400000 process_handle => 0x0000007c SUCCESS
2016-02-12 16:03:57.394246 NtAllocateVirtualMemory region_size => 225280 protection => 64 process_handle => 0x0000007c allocation_type => 12288 base_address => 0x00400000 SUCCESS
2016-02-12 16:03:57.394246 NtClose handle => 0x0000003c SUCCESS
2016-02-12 16:03:57.394246 NtClose handle => 0x00000040 SUCCESS
2016-02-12 16:03:57.394246 NtFreeVirtualMemory free_type => 32768 process_handle => 0xffffffff base_address => 0x00940000 size => 4194304 SUCCESS
2016-02-12 16:03:57.394246 NtFreeVirtualMemory free_type => 32768 process_handle => 0xffffffff base_address => 0x003a0000 size => 65536

However, the program should continue after calling NtAllocateVirtualMemory; I am not sure why it calls NtClose immediately. Is there a way to debug this kind of situation? By the way, where can I modify it so that the API tracing shows the return output? Thanks a lot.
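The sequence visible in the trace above (a child created with creation_flags 4, i.e. CREATE_SUSPENDED, its image base at 0x00400000 unmapped through the child's process handle, then a PAGE_EXECUTE_READWRITE allocation at that same base) is the classic prelude to process hollowing, which is worth flagging automatically when reviewing Cuckoo traces. The parser and detector below is an added example, not code from Cuckoo, the monitor, or this thread; it assumes the line layout shown above (timestamp, API name, `key => value` pairs, optional SUCCESS/FAILURE) and runs on an abridged, constructed copy of those lines.

```python
import re
CREATE_SUSPENDED = 0x4          # creation_flags bit; Cuckoo logs the raw integer
PAGE_EXECUTE_READWRITE = 0x40   # protection value logged as "64"
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (.*?)(?: (SUCCESS|FAILURE))?$")
ARG_RE = re.compile(r"(\w+) => ")

def parse_line(line):
    """Split one Cuckoo API-trace line into timestamp, API name, argument dict and status."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, api, rest, status = m.groups()
    parts = ARG_RE.split(rest)  # ['', key, value, key, value, ...]; values may contain spaces
    args = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    return {"ts": ts, "api": api, "args": args, "status": status}

def _num(args, key):
    try:
        return int(args.get(key, ""), 0)  # accepts both "64" and "0x0000007c"
    except ValueError:
        return None

def find_hollowing(lines):
    """Return (timestamp, child pid, base) for every suspended child whose image base
    is unmapped and then re-allocated RWX through the same process handle."""
    suspended, unmapped, hits = {}, {}, []   # process_handle -> pid / -> unmapped base
    for ev in filter(None, map(parse_line, lines)):
        a, h = ev["args"], _num(ev["args"], "process_handle")
        if ev["api"] == "CreateProcessInternalW" and ev["status"] == "SUCCESS":
            if (_num(a, "creation_flags") or 0) & CREATE_SUSPENDED:
                suspended[h] = _num(a, "process_identifier")
        elif ev["api"] == "NtUnmapViewOfSection" and h in suspended:
            unmapped[h] = _num(a, "base_address")
        elif ev["api"] == "NtAllocateVirtualMemory" and h in unmapped:
            rwx = (_num(a, "protection") or 0) & PAGE_EXECUTE_READWRITE
            if rwx and _num(a, "base_address") == unmapped[h]:
                hits.append((ev["ts"], suspended[h], unmapped[h]))
    return hits

# Constructed sample: the relevant lines of the trace above, long paths abridged.
SAMPLE_TRACE = """\
2016-02-12 16:03:56.633246 CreateProcessInternalW thread_identifier => 2928 thread_handle => 0x00000080 process_identifier => 2776 current_directory => filepath => C:\\Temp\\sample.exe command_line => "C:\\Temp\\sample.exe" creation_flags => 4 process_handle => 0x0000007c inherit_handles => 0 SUCCESS
2016-02-12 16:03:57.394246 NtUnmapViewOfSection region_size => 4096 base_address => 0x00400000 process_handle => 0x0000007c SUCCESS
2016-02-12 16:03:57.394246 NtAllocateVirtualMemory region_size => 225280 protection => 64 process_handle => 0x0000007c allocation_type => 12288 base_address => 0x00400000 SUCCESS
2016-02-12 16:03:57.394246 NtFreeVirtualMemory free_type => 32768 process_handle => 0xffffffff base_address => 0x003a0000 size => 65536
"""

if __name__ == "__main__":
    for ts, pid, base in find_hollowing(SAMPLE_TRACE.splitlines()):
        print(f"{ts}: pid {pid} image base 0x{base:08x} unmapped, then re-allocated RWX")
```

The parser deliberately tolerates the empty `current_directory` value and the final line with no status, both of which appear in the trace above.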

jbremer commented 8 years ago

For any modifications you can build your own Cuckoo Monitor; it's all open source: https://github.com/cuckoosandbox/monitor

Why this sample doesn't work as expected I can't tell from just this dump. Could you perhaps share the sample or its hash?

yoonack commented 8 years ago

This sample is the malware that shows on Virustotal: https://www.virustotal.com/en/file/0f3b640e54af0894266e30fef689a1745a6bcc5884860afca742ff1eca8f1f49/analysis/ Thanks for the help.

yoonack commented 8 years ago

This issue happened to be solved after replacing the newly compiled version of Cuckoo Monitor in the folder. The process manages to continue. However, another issue just popped up when the malware tried to inject into Cuckoo. Here is the log info:

Cuckoo.log:
2016-02-16 10:49:09,469 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-02-16 10:49:10,477 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-02-16 10:49:11,637 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-02-16 10:49:12,645 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-02-16 10:49:13,654 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-02-16 10:49:14,661 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-02-16 10:59:15,753 [lib.cuckoo.core.guest] DEBUG: cuckoo1: error retrieving status: timed out

analysis.log:
2016-02-16 10:48:58,036 [lib.api.process] ERROR: Failed to inject 32-bit process with pid 1964 and process name None
2016-02-16 10:48:58,036 [analyzer] INFO: Injected into process with pid 1964 and name VBoxTray.exe
2016-02-16 10:48:58,460 [analyzer] INFO: Process with pid 1348 has terminated
2016-02-16 10:48:59,309 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2016-02-16 10:49:00,520 [lib.api.process] ERROR: Failed to inject 32-bit process with pid 1348 and process name None
2016-02-16 10:49:00,520 [analyzer] INFO: Injected into process with pid 1348 and name wscntfy.exe
2016-02-16 10:49:00,726 [analyzer] WARNING: Received request to inject Cuckoo processes, skipping it.

It looks like when Cuckoo tried to skip the injection, the entire analysis hung. I am not sure what is causing the problem. The critical timeout is hit in this case.

yoonack commented 8 years ago

As for the API tracing, where can I find the return address of the API function? I know Pin tool has a log that shows the absolute address of where the API is getting called. Is there a similar function in Cuckoo that does that?