kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Malware samples falsely detected as Ispy #315

Closed r0ny123 closed 4 years ago

r0ny123 commented 4 years ago

Expected Behavior

This should be detected as AsyncRAT rather than ISpy. https://www.capesandbox.com/analysis/69074/

Current Behavior

https://www.capesandbox.com/analysis/69074/ CAPE detects this as ISpy.

Context

I think this iSpy signature is generating lots of false positives (as there are other samples getting detected as iSpy).

kevoreilly commented 4 years ago

Aye perhaps we should kill the rule...

kevoreilly commented 4 years ago

Not helped by the fact that the process dumps failed 😞

2020-10-08 05:34:11,765 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2672
2020-10-08 05:34:11,765 [root] DEBUG: GetHookCallerBase: thread 1940 (handle 0x0), return address 0x00476ACC, allocation base 0x00470000.
2020-10-08 05:34:11,781 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00210000.
2020-10-08 05:34:11,781 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00212000
2020-10-08 05:34:11,781 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-08 05:34:11,781 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00210000.
2020-10-08 05:34:11,781 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x0025F000 to 0x0025F200).
2020-10-08 05:34:11,796 [root] INFO: (b'FILE_DUMP', b'C:\\AwuAVDdq\\CAPE\\2672_16867019056131384102020|2672|0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\fresh sales.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\fresh sales.exe;?', 'dispatch')
2020-10-08 05:34:11,812 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-08 05:34:11,812 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00210000, dumping memory region.
2020-10-08 05:34:11,828 [root] INFO: (b'KILL', b'2672', 'dispatch')
2020-10-08 05:34:11,828 [root] INFO: Process with pid 2672 has terminated

doomedraven commented 4 years ago

removed sigs, thanks for notification, closing as resolved

r0ny123 commented 4 years ago

Not helped by the fact that the process dumps failed 😞

2020-10-08 05:34:11,765 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2672
2020-10-08 05:34:11,765 [root] DEBUG: GetHookCallerBase: thread 1940 (handle 0x0), return address 0x00476ACC, allocation base 0x00470000.
2020-10-08 05:34:11,781 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00210000.
2020-10-08 05:34:11,781 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00212000
2020-10-08 05:34:11,781 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-08 05:34:11,781 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00210000.
2020-10-08 05:34:11,781 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x0025F000 to 0x0025F200).
2020-10-08 05:34:11,796 [root] INFO: (b'FILE_DUMP', b'C:\\AwuAVDdq\\CAPE\\2672_16867019056131384102020|2672|0;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\fresh sales.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\fresh sales.exe;?', 'dispatch')
2020-10-08 05:34:11,812 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-08 05:34:11,812 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00210000, dumping memory region.
2020-10-08 05:34:11,828 [root] INFO: (b'KILL', b'2672', 'dispatch')
2020-10-08 05:34:11,828 [root] INFO: Process with pid 2672 has terminated

Ah, I saw that log, but is there any way around this? And that file was submitted without process memory enabled; if enabled, it could have been detected as AsyncRAT.

kevoreilly commented 4 years ago

The code in the monitor needs improving ☺

At the moment if there is an inaccessible region within a PE image the dump fails, then the monitor attempts to dump the full allocation which also fails.

The option I'm considering is to iterate through the regions as per VirtualQuery, change their protection to make them accessible, then dump, then restore previous protections. Another idea might be to skip them and just leave the range blank in the dump.
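As an added illustration of the two strategies described above (not code from CAPE or capemon): a portable C model of the region walk, where `region_t`, the `make_readable_fn`/`restore_fn` hooks and the three-page simulated image stand in for VirtualQuery, VirtualProtect and the real process memory; those names and the dump layout are assumptions. With a hook supplied, inaccessible regions are made readable, copied and restored; without one, they are skipped and left blank so the rest of the image still dumps.

```c
#include <stdint.h>
#include <string.h>

/* A VirtualQuery result (MEMORY_BASIC_INFORMATION) cut down to what the dump
   needs; accessible == 0 models PAGE_NOACCESS or PAGE_GUARD protection. */
typedef struct { uint8_t *base; size_t size; int accessible; } region_t;
/* Stand-ins for VirtualProtect: make a region readable, then restore it. */
typedef int  (*make_readable_fn)(region_t *r);   /* returns 1 on success */
typedef void (*restore_fn)(region_t *r);

/* Walk the image region by region: copy readable regions; for inaccessible
   ones call the protection hook, copy, then restore; if no hook is given or
   it fails, leave that range zero-filled rather than failing the whole dump.
   Returns the number of bytes actually copied into out. */
size_t dump_image(region_t *regions, size_t n, uint8_t *image_base,
                  uint8_t *out, size_t image_size,
                  make_readable_fn make_readable, restore_fn restore)
{
    size_t copied = 0;
    memset(out, 0, image_size);                        /* blank by default */
    for (size_t i = 0; i < n; i++) {
        region_t *r = &regions[i];
        size_t off = (size_t)(r->base - image_base), len = r->size;
        if (off >= image_size) break;                  /* past the image */
        if (len > image_size - off) len = image_size - off;
        int changed = !r->accessible;                  /* needs VirtualProtect? */
        if (changed && (!make_readable || !make_readable(r))) continue;
        memcpy(out + off, r->base, len);
        copied += len;
        if (changed && restore) restore(r);            /* put protection back */
    }
    return copied;
}

/* Simulated target (constructed, not the monitor's code): three 16-byte pages,
   the middle one inaccessible like the page at 0x212000 in the log above. */
static uint8_t image[48], dump_out[48];
static region_t regions[3];
static int  sim_make_readable(region_t *r) { r->accessible = 1; return 1; }
static void sim_restore(region_t *r)       { r->accessible = 0; }

/* toggle_protection: 1 = VirtualProtect strategy, 0 = skip and leave blank.
   Fills dump_out and returns the number of bytes copied. */
size_t demo(int toggle_protection)
{
    memset(image, 'A', 16); memset(image + 16, 'B', 16); memset(image + 32, 'C', 16);
    for (int i = 0; i < 3; i++) regions[i] = (region_t){ image + 16 * i, 16, i != 1 };
    return dump_image(regions, 3, image, dump_out, sizeof image,
                      toggle_protection ? sim_make_readable : NULL, sim_restore);
}
```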

r0ny123 commented 4 years ago

removed sigs, thanks for notification, closing as resolved

@doomedraven other samples are still getting detected as iSpy https://capesandbox.com/analysis/69436/

doomedraven commented 4 years ago

Ya, fixed now, I forgot to remove it on the server side.
