spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Pafish Macro: what malscore you get? #316

Open garanews opened 8 years ago

garanews commented 8 years ago

https://github.com/joesecurity/pafishmacro Pafish Macro is a Macro enabled Office Document to detect malware analysis systems and sandboxes. It uses evasion & detection techniques implemented by recent malicious documents found in the public.

The VBS / VBA code is open source, you can study the code of all evasion tricks.

What malscore you get? I'm getting 3.0 or 4.0

doomedraven commented 8 years ago

all clear

Nwinternights commented 8 years ago

malscore 10. pafish2 pafish

doomedraven commented 8 years ago

see the dropped pafish.log for more interesting information

Nwinternights commented 8 years ago

2 Detections

[*] Checking Application.RecentFiles.Count ... OK
[*] Checking Application.Tasks.Count ... OK
[*] Checking Application.Tasks.Name ... OK
[*] Checking Zone.Identifier ... DETECTED
[*] Checking Win32_ComputerSystem.PartOfDomain ... DETECTED
[*] Checking Win32_Bios.SMBIOSBIOSVersion & SerialNumber ... OK
[*] Checking Win32_PnPEntity.DeviceId ... OK
[*] Checking Win32_ComputerSystem.Username ... OK
[*] Checking Filename Hashname ... OK
[*] Checking Bad Filename ... OK
[*] Checking Precise Filename ... OK
[*] Checking Win32_Processor.NumberOfCores ... OK
OK
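For sandbox operators comparing runs like the one above, here is an added helper (not part of cuckoo-modified or Pafish Macro) that parses the dropped pafish.log into (check, status) pairs and lists which checks fired; the regex also copes with the flattened single-line form that appears when the log is pasted into a comment, where the `[*]` markers get rendered as `[]` or `[_]`. The sample log is a constructed copy of the output posted in this thread.

```python
import re
from typing import Dict, List, Tuple

# One Pafish Macro log entry: a bracketed marker, "Checking <name> ... <status>".
# The marker is matched loosely because Markdown rendering often mangles "[*]".
CHECK_RE = re.compile(
    r"\[[^\]]*\]\s*Checking\s+(?P<check>.+?)\s*\.\.\.\s*(?P<status>OK|DETECTED)"
)


def parse_pafish_log(text: str) -> List[Tuple[str, str]]:
    """Return (check_name, status) pairs in the order they appear in the log."""
    return [(m.group("check").strip(), m.group("status")) for m in CHECK_RE.finditer(text)]


def summarize(results: List[Tuple[str, str]]) -> Dict[str, object]:
    """Count checks and list the ones that fired, i.e. the sandbox-hardening to-do list."""
    detected = [name for name, status in results if status == "DETECTED"]
    return {"total": len(results), "detected": detected}


# Constructed sample: the output posted in this thread, one check per line.
SAMPLE_LOG = """\
[*] Checking Application.RecentFiles.Count ... OK
[*] Checking Application.Tasks.Count ... OK
[*] Checking Application.Tasks.Name ... OK
[*] Checking Zone.Identifier ... DETECTED
[*] Checking Win32_ComputerSystem.PartOfDomain ... DETECTED
[*] Checking Win32_Bios.SMBIOSBIOSVersion & SerialNumber ... OK
[*] Checking Win32_PnPEntity.DeviceId ... OK
[*] Checking Win32_ComputerSystem.Username ... OK
[*] Checking Filename Hashname ... OK
[*] Checking Bad Filename ... OK
[*] Checking Precise Filename ... OK
[*] Checking Win32_Processor.NumberOfCores ... OK
"""

if __name__ == "__main__":
    report = summarize(parse_pafish_log(SAMPLE_LOG))
    print(f"{len(report['detected'])} of {report['total']} checks detected the sandbox:")
    for name in report["detected"]:
        print(" -", name)
```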

spender-sandbox commented 8 years ago

I would suggest also reading the vba code, there's one major bug in it that doesn't match up with ITW techniques that will cause a FN report ;)

-Brad

doomedraven commented 8 years ago

yah, 50 processes, maxmind etc missed

jgajek commented 8 years ago

This thing completely missed the "bad" vendor ids in the pci device enumeration.

mallorybobalice commented 8 years ago

Checking Win32_ComputerSystem.PartOfDomain ...

any simpler options than a virtual DC?

[*] Checking Bad Filename ...
[*] Checking Precise Filename ...
[*] Checking Filename Hashname ...

those are really nasty if you parse the files out and or normalize names or change them to file hash... or add any _ prefix to avoid name collisions ... (I'm guessing I'm not alone here)

any thoughts?

I'd almost say need a submit.py or api or web 'original file name' entry and then we can play around with it in the submission scripts etc.

mallorybobalice commented 8 years ago

yah, 50 processes, maxmind etc missed

Isn't the task a bit more weird. Either ui process or current user processes?

doomedraven commented 8 years ago

works fine with current user processes