cuckoosandbox / monitor

The new Cuckoo Monitor.
GNU General Public License v3.0
338 stars, 166 forks

Inject issue to malware service process by CreateService API #77

Open Tatsuya-hasegawa opened 4 years ago

Tatsuya-hasegawa commented 4 years ago

I found an issue: the cuckoo monitor doesn't inject into the malware service process created by the CreateService API.

The cuckoo monitor tracks the Windows API calls related to Windows services (https://github.com/cuckoosandbox/monitor/blob/master/sigs/services.rst). However, it didn't add the spawned service PID to the monitored process list. [image attachment]

My Cuckoo environments are as follows. I use Cuckoo v2.0.6 and Cuckoo v2.0.7. I tested with Cuckoo monitor builds whose version hashes are "e071e63a66e831163a40abc45109fdf71fee829e" and "2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b".

I think that was enabled and succeeded in the old cuckoomon. For example, these public CAPE analyses could inject into the service process: https://capesandbox.com/analysis/8790/# https://cape.contextis.com/analysis/116015/# [image attachment: success-oldcuckoomon]

They are recent Emotet malware samples. SHA256: 0caf8d097eb1865c30dedef5b77dcc7391ab1315ef9c9d3ffb4615f46444853e and 0a97eac011861579aede08a858014590e4f814ef3050ba4cba0d90c217723293

Emotet executes its main C2 procedure under the spawned service process when run with admin privileges. As you know, Emotet is on the rise.

Please give me any clue for patching the code to solve this issue.
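As an added illustration of the gap described in this report (this is not code from the cuckoosandbox/monitor project), the following Python script walks a constructed behaviour trace and lists service processes that started under services.exe after a hooked CreateService call but were never attached by the monitor. The event format, field names, PIDs and paths are all assumptions made for this example; an analyst could run the same correlation over a real report's API and process logs to confirm whether a service process was left unmonitored.

```python
"""Added example, not from the cuckoosandbox/monitor project.

Walks a constructed behaviour trace and reports service processes that
started under services.exe after a hooked CreateService call but were
never attached by the monitor. Event format, field names, PIDs and paths
are all assumptions made for this example.
"""
from dataclasses import dataclass

SERVICES_EXE = "c:\\windows\\system32\\services.exe"


@dataclass
class Finding:
    service_name: str
    pid: int
    image: str


def normalise_binary_path(path):
    """Reduce a service BinaryPathName to its lower-cased executable path.

    Service paths may be quoted and may carry arguments, e.g.
    '"C:\\dir\\svc.exe" --run'; process image paths never do.
    """
    path = path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return path.lower()


def find_unmonitored_service_processes(events):
    """Return one Finding per service process the monitor never attached to.

    events: list of dicts with a "kind" key:
      "monitor" - the monitor attached to event["pid"]
      "api"     - a hooked call in a monitored process ("api", "args")
      "proc"    - a new process was observed ("pid", "image", "parent_image")
    """
    created = {}     # executable path -> service name from CreateService*
    spawned = {}     # pid -> (service name, image) for children of services.exe
    monitored = set()
    for ev in events:
        if ev["kind"] == "monitor":
            monitored.add(ev["pid"])
        elif ev["kind"] == "api" and ev["api"].startswith("CreateService"):
            key = normalise_binary_path(ev["args"]["binary_path"])
            created[key] = ev["args"]["service_name"]
        elif ev["kind"] == "proc" and ev["parent_image"].lower() == SERVICES_EXE:
            name = created.get(ev["image"].lower())
            if name is not None:
                spawned[ev["pid"]] = (name, ev["image"])
    return [Finding(name, pid, image)
            for pid, (name, image) in spawned.items() if pid not in monitored]


# Constructed trace: the sample (PID 1200) registers and starts a service;
# services.exe spawns the service binary as PID 3344, which the monitor never
# attaches to. A second service process (PID 3400) is attached and not reported.
SAMPLE_EVENTS = [
    {"kind": "monitor", "pid": 1200},
    {"kind": "api", "pid": 1200, "api": "CreateServiceA",
     "args": {"service_name": "SampleSvc",
              "binary_path": '"C:\\Users\\Public\\sample.exe" --svc'}},
    {"kind": "api", "pid": 1200, "api": "StartServiceA",
     "args": {"service_name": "SampleSvc"}},
    {"kind": "proc", "pid": 3344, "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Users\\Public\\sample.exe"},
    {"kind": "api", "pid": 1200, "api": "CreateServiceW",
     "args": {"service_name": "OtherSvc",
              "binary_path": "C:\\Users\\Public\\other.exe"}},
    {"kind": "proc", "pid": 3400, "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Users\\Public\\other.exe"},
    {"kind": "monitor", "pid": 3400},
]

if __name__ == "__main__":
    for f in find_unmonitored_service_processes(SAMPLE_EVENTS):
        print(f"service {f.service_name!r} started as PID {f.pid} ({f.image}) "
              "but the monitor never attached to it")
```

The matching key is the executable path rather than the service name, because the process-creation side of a sandbox log only knows the image path and the parent (services.exe), not which SCM entry launched it.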

doomedraven commented 4 years ago

just FYI, cape doesn't use the old cuckoomon anymore, it was rewritten and the loader also

Tatsuya-hasegawa commented 4 years ago

Thank you very much for your comment. Do you think this is an issue?

doomedraven commented 4 years ago

is it an issue in cuckoo mon? yes, but not related to cape at all. could be related to old cuckoomon, but as i told you, cape doesn't use it anymore

Tatsuya-hasegawa commented 4 years ago

Oh, I see! Thank you!

I want to patch the code to solve this issue. Unfortunately, I haven't found the code point to patch...

doomedraven commented 4 years ago

sorry, can't help here, but you can always try https://hatching.io/solutions

Tatsuya-hasegawa commented 4 years ago

oops. I understand what you want to say. Thanks.