cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Malware Injection Not Followed #900

Open kevross33 opened 8 years ago

kevross33 commented 8 years ago

Hi,

I have noticed the malware execution isn't completely followed in cuckoo-2.0, missing behaviours due to it not identifying the execution path. Also, this analysis, while done with different versions of cuckoo, took place in the exact same VM with the same settings using the same malware sample. I am not sure what it is that is different that results in this, and Brad would be best to ask, but I think it could be any of these:

PS. Sorry for bringing up issues like this. Just in my comparisons, to try and get over what sigs I can and where new signatures could be done from scratch, I am finding these things :-)

[images: processtree-cuckoo2, processtree-cuckoomodified, processtree-cuckoomodsig]

kevross33 commented 8 years ago

I have seen various examples of this now in my testing, even cases where intermediary processes aren't followed. There was one where Backoff POS was followed, dropped javaw.exe and injected into explorer. Now cuckoo 2.0 followed Backoff and somehow had explorer.exe stuff too, but it never traced javaw.exe, so it missed the self-deletion events I wanted to move the sig over for and missed the explorer process injection. The weird thing was it was a normal drop & create process that wasn't followed.

jbremer commented 8 years ago

Thanks for these detailed write-ups, I'll investigate each of 'em soon-ish.

jbremer commented 8 years ago

Could you share some hashes for these samples that don't follow properly @kevross33?

kevross33 commented 8 years ago

On malwr.com uploaded pos.exe (MD5 05f2c7675ff5cda1bee6a168bdbecac0). And makub sample md5 7ec89220dde5a1c2714d7dc0cd55e3c3.

kevross33 commented 8 years ago

I have another example but this was not even injection. A vskimmer POS sample 03fe4ec93b5ea4f00ac693cbec92c0dc. Now I am trying to migrate the signature "Creates hidden window": https://github.com/spender-sandbox/community-modified/blob/master/modules/signatures/stealth_window.py

Now on cuckoo-modified there is a call to ShellExecuteExW with parameter Show: SW_HIDE, the child process svchost is created and there are more events (about 3 pages' worth). However, on cuckoo-2.0, while svchost.exe is shown as a child process, there is only 1 page of events; ShellExecuteExW is missing, as well as various other events, so there is no indication as to why svchost.exe is a child process of the main POS process, even though this is a straight process creation rather than injection, which was followed by cuckoo but not displayed.

kevross33 commented 8 years ago

I have uploaded vSkimmerpos.exe MD5 03fe4ec93b5ea4f00ac693cbec92c0dc up to malwr.com for you.

kevross33 commented 8 years ago

I have another example for 2015-01-26-Neutrino-EK-malware-payload.exe. This is also not followed missing quite a bit of malicious activity: http://www.malware-traffic-analysis.net/2015/01/26/index.html

[image: cuckoo2 process tree]

[image: cuckoomod process tree]

kevross33 commented 8 years ago

Just so you know, the top image was the cuckoo 2.0 process tree. The bottom picture is cuckoo-modified.

kevross33 commented 8 years ago

Here's another: the Cerber sample http://www.malware-traffic-analysis.net/2016/05/10/index.html. If you run cuckoo-modified for it you will see a difference. There are again malicious activities missed, yet a lot of the actual signatures are covered aside from a couple; it is just that the processes aren't followed through the injections, so it is not highlighted.

kevross33 commented 8 years ago

Hi,

I have an update; I have found new Dridex samples which use CreateRemoteThread injection and are not followed correctly either. Samples include MD5s 66e9ff85c9361127cd4b873d48008c9b & 2eaf243bad4b1c22089e7654524f0e5a. Now, as most of the malicious payload is in the injected process, it is not detected.

Cuckoo-modified injection: [image: cuckoomod_dridexsigs]

[image: cuckoomod_processtree]

Cuckoo 2.0: Interestingly, here you can see it identifies the process creation as suspicious. [image: cuckoo2_sigs]

Code injection is clearly taking place here: [image: cuckoo2_injectionapis.PNG, upload did not complete]

In the process tree, however, the injected process is not followed and so a lot of other malicious activity is missed. [image: cuckoo2_processtree]

kevross33 commented 8 years ago

Cuckoo injection APIs missing from above:

[image: cuckoo2_injectionapis]

kevross33 commented 8 years ago

Nymaim sample 2d927eb861f5f363d00615d349a2ddfd injection/process creation not followed (prevents detected behaviours & also conversion of sig https://github.com/spender-sandbox/community-modified/blob/master/modules/signatures/nymaim_apis.py)

Cuckoo 2.0:
nymaim.exe (2836) "C:\Users\REMOVED\AppData\Local\Temp\nymaim.exe"
nymaim.exe (2188) "C:\Users\REMOVED\AppData\Local\Temp\nymaim.exe"

Cuckoo-Modified:
nymaim.exe (640)
nymaim.exe (2640)
rundll32.exe (2936) -k wdza.dll
winlogon.exe (396) winlogon.exe
taskhost.exe (1988) "taskhost.exe"
explorer.exe (2116)
WerFault.exe (1344) -u -p 640 -s 220
WerFault.exe (2900) -u -p 640 -s 232
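The two gaps this thread keeps pointing at (a child such as svchost.exe that appears in the tree with no ShellExecuteExW/CreateProcess call in its parent to explain it, and an injection or creation target such as the second nymaim.exe that appears but never logs a call of its own) can be checked mechanically over a behavior report. The following is an added example, not Cuckoo's or cuckoo-modified's code: it walks a report laid out like Cuckoo 2.0's report.json (behavior.processes[] with pid/ppid/process_name/calls[], each call with api/arguments) and flags both conditions. The argument name process_identifier and the API sets are assumptions about the monitor build, and the sample report is constructed, not from a real analysis.

```python
"""Follow-through check for a Cuckoo-style behavior report.

Added example, not Cuckoo code.  The report layout (behavior.processes[],
each with pid/ppid/process_name/calls[], each call with api/arguments) is
modelled on Cuckoo 2.0's report.json, but the exact field and argument
names used here are assumptions; adjust them to your monitor build.

Two questions made mechanical:
  1. which processes in the tree have a traced parent that was never seen
     creating them (the svchost.exe-without-ShellExecuteExW case), and
  2. which PIDs a traced process created or injected into but that have no
     calls of their own in the report (the Dridex/Nymaim case).
"""

# APIs that name a child or target PID.  Assumption: the monitor resolves
# handles to a "process_identifier" argument on each of these calls.
CREATION_APIS = {"CreateProcessInternalW", "ShellExecuteExW"}
INJECTION_APIS = {
    "WriteProcessMemory", "NtWriteVirtualMemory",
    "CreateRemoteThread", "NtCreateThreadEx", "NtMapViewOfSection",
}
TARGET_ARG = "process_identifier"


def index_processes(report):
    """Map pid -> process record for every process the monitor reported."""
    return {p["pid"]: p for p in report["behavior"]["processes"]}


def observed_targets(procs):
    """Map target_pid -> (source_pid, api) for every PID some traced process
    was seen creating or injecting into.  The first observation wins."""
    seen = {}
    for proc in procs.values():
        for call in proc.get("calls", []):
            api = call["api"]
            if api not in CREATION_APIS and api not in INJECTION_APIS:
                continue
            target = call.get("arguments", {}).get(TARGET_ARG)
            if target in (None, 0) or int(target) == proc["pid"]:
                continue  # failed call or self-reference: nothing to follow
            seen.setdefault(int(target), (proc["pid"], api))
    return seen


def unexplained_children(report):
    """PIDs whose parent is in the tree but was never observed creating them.
    Roots (parent outside the tree, e.g. the analyzer) are not reported."""
    procs = index_processes(report)
    seen = observed_targets(procs)
    return sorted(pid for pid, p in procs.items()
                  if p.get("ppid") in procs and pid not in seen)


def unfollowed_targets(report):
    """(target_pid, source_pid, api) for every creation/injection target that
    is missing from the tree or present with an empty call log."""
    procs = index_processes(report)
    seen = observed_targets(procs)
    return sorted((t, src, api) for t, (src, api) in seen.items()
                  if not procs.get(t, {}).get("calls"))


# Constructed sample report (not a real analysis), shaped like the cases above:
# 2836 spawns and injects into 2188, which is in the tree but has no calls;
# 3000 appears as a child of 2836 with no creation call to explain it;
# 2900 is an injection target that never shows up in the tree at all.
SAMPLE_REPORT = {"behavior": {"processes": [
    {"pid": 2836, "ppid": 1500, "process_name": "nymaim.exe", "calls": [
        {"api": "CreateProcessInternalW",
         "arguments": {"filepath": "C:\\Temp\\nymaim.exe", TARGET_ARG: 2188}},
        {"api": "WriteProcessMemory", "arguments": {TARGET_ARG: 2188}},
        {"api": "CreateRemoteThread", "arguments": {TARGET_ARG: 2188}},
        {"api": "WriteProcessMemory", "arguments": {TARGET_ARG: 2900}},
        {"api": "NtClose", "arguments": {"handle": "0x1c"}},
    ]},
    {"pid": 2188, "ppid": 2836, "process_name": "nymaim.exe", "calls": []},
    {"pid": 3000, "ppid": 2836, "process_name": "svchost.exe", "calls": [
        {"api": "NtAllocateVirtualMemory", "arguments": {TARGET_ARG: 3000}},
    ]},
]}}


if __name__ == "__main__":
    for pid in unexplained_children(SAMPLE_REPORT):
        print("child %d has no creation call in its parent" % pid)
    for target, src, api in unfollowed_targets(SAMPLE_REPORT):
        print("%d -> %d via %s, but %d logged no calls" % (src, target, api, target))
```

Run against a real report.json this separates "the monitor never attached to the child" (target present, empty call log) from "the parent's own trace is incomplete" (child present, no creation call), which is the distinction the comments above are making by eye.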

kevross33 commented 8 years ago

Vawtrak is also the same. Injection is not followed right at start missing most injected & created processes. Sample MD5: 6fad86a0fcc912f32474f6c7a86fe37a

jbremer commented 8 years ago

@kevross33 I don't remember in which issue you requested this feature, but new monitoring binaries will have the filepath argument for NtWriteFile calls (see also https://github.com/cuckoosandbox/monitor/commit/927ee9baa70571d18b03069bd98829b758ef1823).

kevross33 commented 8 years ago

Great, thanks. I believe it was the ransomware note stuff but I will check. I need to do more research in that area to ensure detection of ransomware is reliable and accurate in cuckoo 2.0, as some of the signatures I submitted were my first cuckoo 2.0 sigs.

I will update pull requests when ready. Thanks again.

On 2 August 2016 at 23:47, Jurriaan Bremer wrote:

> @kevross33 I don't remember in which issue you requested this feature, but new monitoring binaries will have the filepath argument for NtWriteFile calls (see also cuckoosandbox/monitor@927ee9b https://github.com/cuckoosandbox/monitor/commit/927ee9baa70571d18b03069bd98829b758ef1823).