Open mehgrmlhmpf opened 8 years ago
Can you share the doc hash? I can't reproduce this issue.
Document is bd4b028d6815171f04aefccd27bf1c48.
I can share the sample if necessary.
I can't reproduce it. If I filter the behaviour by all GetSystemTimeAsFileTime and NtWaitForSingleObject calls, I don't see any crash; the unique __anomaly__ is that it tries to unhook, but nothing else.
Hi,
The sample is working well in Cuckoo
Drop the EXE file in the machine
The exe dropped is Locky
Scanned on : 2016-07-05 16:09:44
Detections: 34/54 Positives/Total
Kaspersky Trojan-Ransom.Win32.Locky.alm 15.0.1.13 20160705
McAfee Generic.xu 6.0.6.653 20160705
ESET-NOD32 a variant of Win32/Injector.DBKX 13756 20160705
Results for MD5 : 16bfb6b71c586b121f9708074c2e2c7d
Results for SHA1 : 8a0316d21cf5767a83256e360459505e6c867f2e
Results for SHA256 : cbf2d6d77b2c714af3492b3f610199d20ea08184b7c145e7d7c17d296e493ee2
Permanent Link : https://www.virustotal.com/file/cbf2d6d77b2c714af3492b3f610199d20ea08184b7c145e7d7c17d296e493ee2/analysis/1467734984/
Which machinery are you using?
Regards,
Marc Rivero López | @seifreed | www.ecrime.info
On 5 Jul 2016, at 21:57, machmalfix notifications@github.com wrote:
bd4b028d6815171f04aefccd27bf1c48
It's a stack overflow, looking into the cause.
-Brad
Using unpatched win7x64 SP1 in a virtualbox 5.0.24r108355 with antivmdetection from nsmfoo applied.
Repository is synced. I was able to reproduce on two separate physical cuckoo installations with the same "result".
Running without injection works totally fine - as far as the files being encrypted and such standard locky behaviour.
on hardened kvm works fine
Appears to be due to heap corruption -- we trigger stack recursion by trying to use HeapAlloc in our exception handler code, which will throw the same heap-corruption-detected exception. The heap corruption though might not be caused by cuckoomon.
-Brad
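Brad's diagnosis above, modelled as an added C example (constructed here, not cuckoomon's code): a handler that allocates from an already-corrupted heap re-raises the same exception and recurses, next to a handler with a reentrancy guard and a buffer reserved up front. The `checked_alloc`, `heap_corrupted` and `MAX_DEPTH` names are assumptions that stand in for the real heap check and for stack exhaustion.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not cuckoomon's code) of the failure mode: the heap is
 * already corrupted, the exception handler runs, and the handler allocates
 * from that same heap, which raises the same exception again. */

#define MAX_DEPTH 64   /* stand-in for "stack exhausted"; a real handler would not stop */

typedef void (*handler_t)(const char *msg);

static int heap_corrupted = 1;  /* constructed: assume the heap is already bad */
static int invocations;         /* how many times the handler was entered */

/* Hypothetical allocator: on a corrupted heap every call re-raises the
 * "heap corruption detected" exception, i.e. re-enters the handler. */
static void *checked_alloc(size_t n, handler_t handler) {
    if (heap_corrupted) { handler("heap corruption detected"); return NULL; }
    return malloc(n);
}

/* Unsafe handler: formats its report in a freshly allocated buffer. */
static void handle_unsafe(const char *msg) {
    if (++invocations >= MAX_DEPTH) return;         /* cut the recursion so the demo terminates */
    char *buf = checked_alloc(256, handle_unsafe);  /* re-enters this handler */
    if (buf) { snprintf(buf, 256, "exception: %s", msg); free(buf); }
}

/* Hardened handler: a reentrancy guard plus a buffer reserved before any
 * fault can happen, so reporting an exception never touches the heap. */
static int in_handler;
static char report[256];

static void handle_safe(const char *msg) {
    invocations++;
    if (in_handler) return;            /* nested exception: give up, do not recurse */
    in_handler = 1;
    snprintf(report, sizeof report, "exception: %s", msg);
    in_handler = 0;
}

/* Run one fault through a handler and return how many times it was entered. */
static int run(handler_t handler) {
    invocations = 0;
    handler("heap corruption detected");
    return invocations;
}

int main(void) {
    printf("unsafe handler entered %d times (would be unbounded)\n", run(handle_unsafe));
    printf("safe handler entered %d time(s): %s\n", run(handle_safe), report);
    return 0;
}
```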
Pulled the current monitor dlls and I was able to take a deeper dive into the error. It does not directly seem to be related to the injection into the process, but to the "automatic interaction" with the machine.
Deactivating the "interaction" does reliably create the beloved locky screens.
After download via the doc, sample MD5 16bfb6b71c586b121f9708074c2e2c7d reproducibly triggers an application exception directly after being injected (current repo).
Received one signature:
message: Exception reported at offset 0x6537 in cuckoomon itself while accessing 0x43f2ffc from hook RtlDispatchException
Behavioural logs show issues after querying GetSystemTimeAsFileTime and NtWaitForSingleObject multiple times
Sample is processed fine without injection.
Any idea on what happened with the injection and how to bypass the "feature" of the sample?