Inject issue to malware service process by CreateService API

[Tatsuya-hasegawa]

I found the issue the cuckoo monitor doesn't inject the malware service process by CreateServiceAPI.

The cuckoo monitor tracks the Windows API Calls related to Windows Service https://github.com/cuckoosandbox/monitor/blob/master/sigs/services.rst However it didn't add the spawn service PID to add monitor process list.

My Cuckoo environments are following. I use Cuckoo v2.0.6 and Cuckoo v2.0.7. I tested by Cuckoo monitors which version hashes are "e071e63a66e831163a40abc45109fdf71fee829e" and "2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b"

I think that was enabled and succeeded in the old cuckoomon. For example, this public CAPE's analysis could inject the service process. https://capesandbox.com/analysis/8790/# https://cape.contextis.com/analysis/116015/#

They are recent Emotet malware. SHA256: 0caf8d097eb1865c30dedef5b77dcc7391ab1315ef9c9d3ffb4615f46444853e 0a97eac011861579aede08a858014590e4f814ef3050ba4cba0d90c217723293

Emotet executes the main C2 procedure under the spawn service process when executed by admin privilege. As you know, Emotet is on the rise.

Please teach any clue for patching the code to solve this issue.

[doomedraven]

just FYI cape doesn't using old cuckoomon anymore, it was rewritten and loader also

[Tatsuya-hasegawa]

Thank you very much for your comment. Do you think , is this an issue ?

[doomedraven]

is the issue in cuckoo mon yes, but not related to cape at all, could be related to old cuckoomon, but as i told cape doesn't use it anymore

[Tatsuya-hasegawa]

Oh, I see ! Thank you!

I want to patch the code to solve this issue. Unfortunately, I haven't catch the code point to patch.....

[doomedraven]

sorry can't help here, but you always can do https://hatching.io/solutions

[Tatsuya-hasegawa]

oops. I understand what you want to say. Thanks.