spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Locky samples evade injection #204

Open mehgrmlhmpf opened 8 years ago

mehgrmlhmpf commented 8 years ago

After download via doc, sample MD5 16bfb6b71c586b121f9708074c2e2c7d reproducibly triggers an application exception directly after being injected (current repo).

Received one signature: message: Exception reported at offset 0x6537 in cuckoomon itself while accessing 0x43f2ffc from hook RtlDispatchException

Behavioural logs show issues after querying GetSystemTimeAsFileTime and NtWaitForSingleObject multiple times:


2016-07-05 22:07:29,065     2560    0x033dcfcb
0x033dcdc7  __anomaly__     ThreadIdentifier: 2560
Subcategory: cuckoocrash
Message: Exception reported at offset 0x6537 in cuckoomon itself while accessing 0x43f2ffc from hook RtlDispatchException
    success     0x00000000

Sample is processed fine without injection.

Any idea on what happened with the injection and how to bypass the "feature" of the sample?

doomedraven commented 8 years ago

Can you share the doc hash? I can't reproduce this issue.

mehgrmlhmpf commented 8 years ago

The document is bd4b028d6815171f04aefccd27bf1c48.

I can share the sample if necessary.

doomedraven commented 8 years ago

Can't reproduce it. If I filter the behaviour by all GetSystemTimeAsFileTime and NtWaitForSingleObject calls,

I don't see any crash; the only unique __anomaly__ is "tries to unhook", but nothing else.

seifreed commented 8 years ago

Hi,

The sample is working well in Cuckoo.

It drops the EXE file in the machine.

The EXE dropped is Locky:

Scanned on : 2016-07-05 16:09:44

Detections: 34/54 Positives/Total

Vendor name  Result                             Version      Last Update

Kaspersky    Trojan-Ransom.Win32.Locky.alm      15.0.1.13    20160705
McAfee       Generic.xu                         6.0.6.653    20160705
ESET-NOD32   a variant of Win32/Injector.DBKX   13756        20160705

Results for MD5    : 16bfb6b71c586b121f9708074c2e2c7d
Results for SHA1   : 8a0316d21cf5767a83256e360459505e6c867f2e
Results for SHA256 : cbf2d6d77b2c714af3492b3f610199d20ea08184b7c145e7d7c17d296e493ee2

Permanent Link : https://www.virustotal.com/file/cbf2d6d77b2c714af3492b3f610199d20ea08184b7c145e7d7c17d296e493ee2/analysis/1467734984/

Which machinery are you using?

Regards,

Marc Rivero López | @seifreed | www.ecrime.info

On 5 Jul 2016, at 21:57, machmalfix notifications@github.com wrote:

bd4b028d6815171f04aefccd27bf1c48

spender-sandbox commented 8 years ago

It's a stack overflow, looking into the cause.

-Brad

mehgrmlhmpf commented 8 years ago

Using unpatched Win7 x64 SP1 in VirtualBox 5.0.24r108355 with antivmdetection from nsmfoo applied.

Repository is synced. I was able to reproduce on two separate physical cuckoo installations with the same "result".

Running without injection works totally fine, as far as the files being encrypted and such standard Locky behaviour.

doomedraven commented 8 years ago

On hardened KVM it works fine.

spender-sandbox commented 8 years ago

Appears to be due to heap corruption: we trigger stack recursion by trying to use HeapAlloc in our exception handler code, which will throw the same heap-corruption-detected exception. The heap corruption itself, though, might not be caused by cuckoomon.

-Brad
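The recursion Brad describes above, modelled as an added example. This is hypothetical, portable C written for this page, not cuckoomon's code: `model_heap_alloc`, `raise_exception` and the `heap_corrupt` flag are stand-ins for the Windows heap manager and exception dispatcher, and `MAX_DEPTH` caps the simulated nesting so the demo stops where a real process would overflow its stack. The naive handler allocates from the heap while handling a heap-corruption exception, so the allocation raises the same exception and the dispatcher re-enters the handler; the guarded handler uses a static buffer and a re-entrancy flag instead.

```c
/* Added example: re-entrant exception handler vs. a guarded one.
 * Hypothetical model, not cuckoomon's real code. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_DEPTH 64            /* assumed cap: stands in for "stack exhausted" */

static int  heap_corrupt    = 0;     /* constructed state: 1 = heap checks fail */
static int  dispatch_depth  = 0;     /* current nesting of simulated dispatch   */
static int  max_depth_seen  = 0;     /* deepest nesting reached in a scenario   */
static bool in_handler      = false; /* re-entrancy guard for the fixed handler
                                        (per-thread in a real implementation)  */

typedef void (*handler_fn)(const char *reason);

static void raise_exception(handler_fn h, const char *reason);

/* Stand-in for HeapAlloc: a corrupted heap raises a heap-corruption
 * exception instead of returning memory. */
static void *model_heap_alloc(handler_fn h, size_t n)
{
    static char buf[256];
    (void)n;
    if (heap_corrupt) {
        raise_exception(h, "heap corruption detected");
        return NULL;
    }
    return buf;
}

/* Naive handler: builds its report in a freshly allocated buffer. When the
 * exception being handled *is* heap corruption, the allocation raises the
 * same exception again and the dispatcher re-enters this handler. */
static void naive_handler(const char *reason)
{
    void *report = model_heap_alloc(naive_handler, 128);
    (void)report;
    (void)reason;
}

/* Guarded handler: refuses to run while already active and never touches
 * the heap, so a heap-corruption exception cannot re-enter it. */
static void guarded_handler(const char *reason)
{
    static char report[128];
    if (in_handler)
        return;
    in_handler = true;
    snprintf(report, sizeof report, "exception: %s", reason);
    in_handler = false;
}

/* Stand-in for the exception dispatcher: invokes the registered handler. */
static void raise_exception(handler_fn h, const char *reason)
{
    if (dispatch_depth >= MAX_DEPTH)   /* simulated stack overflow: stop here */
        return;
    dispatch_depth++;
    if (dispatch_depth > max_depth_seen)
        max_depth_seen = dispatch_depth;
    h(reason);
    dispatch_depth--;
}

/* Run one scenario and return the deepest dispatch nesting it reached. */
int run_scenario(handler_fn h, int corrupt)
{
    heap_corrupt   = corrupt;
    dispatch_depth = 0;
    max_depth_seen = 0;
    in_handler     = false;
    raise_exception(h, "heap corruption detected");
    return max_depth_seen;
}

int main(void)
{
    printf("naive handler,   corrupt heap: depth %d (cap %d = runaway recursion)\n",
           run_scenario(naive_handler, 1), MAX_DEPTH);
    printf("guarded handler, corrupt heap: depth %d\n", run_scenario(guarded_handler, 1));
    printf("naive handler,   healthy heap: depth %d\n", run_scenario(naive_handler, 0));
    return 0;
}
```

The depth counter is what a debugger would show as the number of nested RtlDispatchException frames: the naive handler runs to the cap on a corrupted heap, while the guarded handler returns after one dispatch regardless of heap state.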

mehgrmlhmpf commented 8 years ago

Pulled the current monitor DLLs and I was able to take a deeper dive into the error. It does not seem to be directly related to the injection into the process, but to the "automatic interaction" with the machine.

Deactivating the "interaction" does reliably create the beloved Locky screens.