spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Behavior Plotting Functionality #357

Open keithjjones opened 7 years ago

keithjjones commented 7 years ago

I wrote this library:

https://github.com/keithjjones/visualize_logs#cuckoo-json-reports

It plots the JSON report. Check out the gallery there. Is this something you would like to include in the behavior reports?

BTW - I'm not sure why, when running that ransomware in cuckoo-modified, it doesn't show all the modified files.

spender-sandbox commented 7 years ago

Pretty cool, I'm usually not a fan of visualizations because to most people it just means "throw it blindly into a graph" but this is actually pretty functional and can help with quickly finding processes responsible for certain network activity. Would you be able to make it so that clicking on some action would bring you to that part of the behavior logs?

-Brad

keithjjones commented 7 years ago

Thanks for your kind words! Try drawing boxes around different parts of the graph - it zooms in! You can also export a PNG in the upper right hand corner.

Right now my library will generate the plot given some parameters, like if you want to see network, files, registry, or whatever. I also added the ability to ignore or include paths for files and registry as regular expressions. I can either create the graph as an HTML file, or I can provide it back as a string that is delimited with "div".

It's very Windows specific at this point. I don't have time right now to add Linux or Mac graphing. I will explore that at the point I start having to analyze more Linux or Mac malware.

I haven't dug into cuckoo-modified reporting modules to know enough how best to put it in, so that is why I created this issue to discuss it. Worst case scenario we could plot different views (similar to my gallery page) for the JSON report as static HTML file and then make them clickable somewhere in behavior? I'm not sure what vision you have for this. Feel free to toss some examples around and I will try to accommodate.

Plotting usually takes about 30 seconds on average per view. I imagine you would make the plots during the processing phase before the analysis completes.

Through this plotting I am able to see that cuckoo-modified misses the scripting engine calls (issue #349) from Kovter versus the same plot in ProcMon. This library will plot both data sets for you. The cuckoo data, outside the scripting engine misses, is much richer than ProcMon's and I prefer it.

I'm not a JavaScript guru, yet, but you can supposedly attach functionality to different types of actions. In theory, I think that could go to the process behavior if you click on a process? I haven't explored this part much yet. I need to figure out how it would lay into cuckoo-modified first.
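The category selection and regex include/ignore filtering for file and registry paths described in the comment above, as an added illustration (not code from visualize_logs or cuckoo-modified). The report shape used here (behavior.processes[].calls[] with category/api/arguments[{name,value}]) and the sample data are constructed assumptions, not a real report.

```python
import re
from collections import defaultdict

# Constructed sample in a cuckoo-modified-like behavior layout (assumption).
SAMPLE_REPORT = {"behavior": {"processes": [
    {"pid": 1234, "process_name": "sample.exe", "calls": [
        {"category": "filesystem", "api": "NtWriteFile",
         "arguments": [{"name": "FileName", "value": r"C:\Users\victim\Documents\notes.txt"}]},
        {"category": "filesystem", "api": "NtWriteFile",
         "arguments": [{"name": "FileName", "value": r"C:\Windows\Prefetch\SAMPLE.EXE-1A2B.pf"}]},
        {"category": "registry", "api": "RegSetValueExA",
         "arguments": [{"name": "FullName", "value": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\upd"}]},
        {"category": "network", "api": "InternetConnectA",
         "arguments": [{"name": "ServerName", "value": "example.invalid"}]},
    ]},
]}}


def call_path(call):
    """Return the path-like argument (FileName/FullName) of a call, or None."""
    for arg in call.get("arguments", []):
        if arg.get("name") in ("FileName", "FullName"):
            return arg.get("value")
    return None


def select_calls(report, categories, include=None, ignore=None):
    """Yield (pid, process_name, api, path) for calls in `categories`.
    Paths must match `include` (if given) and must not match `ignore`;
    both are regex strings applied case-insensitively. Calls without a
    path argument (e.g. network) pass through unfiltered."""
    inc = re.compile(include, re.IGNORECASE) if include else None
    ign = re.compile(ignore, re.IGNORECASE) if ignore else None
    for proc in report["behavior"]["processes"]:
        for call in proc.get("calls", []):
            if call.get("category") not in categories:
                continue
            path = call_path(call)
            if path is not None:
                if inc and not inc.search(path):
                    continue
                if ign and ign.search(path):
                    continue
            yield proc["pid"], proc["process_name"], call["api"], path


def summarize(report, categories, include=None, ignore=None):
    """Count selected calls per (pid, process_name, api): the per-process
    view a plot of one category would be drawn from."""
    counts = defaultdict(int)
    for pid, name, api, _ in select_calls(report, categories, include, ignore):
        counts[(pid, name, api)] += 1
    return dict(counts)
```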