spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Same sample on different systems : different results #460

Open Nagaev opened 7 years ago

Nagaev commented 7 years ago

There is something I don't really understand about indicators. They are not identical for the same sample on different machines, with the same modules enabled and the same configuration.

Let's say I submit Pafish.exe to 4 different machines. I get 4 different Malscores (1.0, 3.0, 9.4, 10.0) on these machines (W7-32, W10-64, W8.1-64, W7-64). (Maybe W10 is out of this question since it's not entirely compatible with cuckoo-modified.)

Moreover, I don't get the same indicators. On W7-32, the only indicator raised is that data is compressed or encrypted. On W7-64, I have more indicators about the detection of the system done by Pafish (not considering some false positives raised by Suricata involving my nameserver (OpenDNS) or my NTP server).

Is it normal? Did that come from different rules for different OS? Do you know how it is possible to get something more logical?

Thanks
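A practical first step when the same sample scores differently on several guests is to diff the signatures that actually fired per VM rather than comparing the aggregate Malscore. The script below is an added example, not code from the issue or from cuckoo-modified; it assumes the report.json layout has a top-level `malscore`, a `signatures` list whose entries carry a `name`, and the guest name under `info.machine.name`. The two embedded reports are constructed to mirror the W7-32 versus W7-64 observation in the post (signature names and scores are illustrative, not real results).

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed report.json fragments standing in for the per-VM reports from
# the post. Only the keys this script reads are present; the key names
# "malscore", "signatures[].name" and "info.machine.name" are assumed from
# cuckoo-modified's JSON report layout and are not taken from the issue.
REPORT_W7_32 = json.dumps({
    "info": {"machine": {"name": "W7-32"}},
    "malscore": 1.0,
    "signatures": [
        {"name": "packer_entropy", "severity": 2},
    ],
})
REPORT_W7_64 = json.dumps({
    "info": {"machine": {"name": "W7-64"}},
    "malscore": 10.0,
    "signatures": [
        {"name": "packer_entropy", "severity": 2},
        {"name": "antivm_generic_disk", "severity": 3},
        {"name": "antisandbox_sleep", "severity": 2},
    ],
})


def load_signatures(report_json: str) -> Tuple[str, float, Set[str]]:
    """Return (guest name, malscore, set of triggered signature names) for one report."""
    report = json.loads(report_json)
    machine = report.get("info", {}).get("machine", {}).get("name", "unknown")
    score = float(report.get("malscore", 0.0))
    names = {sig["name"] for sig in report.get("signatures", []) if "name" in sig}
    return machine, score, names


def diff_reports(reports: List[str]) -> Dict[str, object]:
    """Compare signature sets across reports of the same sample.

    Returns the per-guest scores, the signatures that fired on every guest,
    and, per guest, the signatures that fired there but not everywhere.
    """
    parsed = [load_signatures(r) for r in reports]
    if not parsed:
        return {"scores": {}, "common": [], "only_on": {}}
    common = set.intersection(*(names for _, _, names in parsed))
    return {
        "scores": {machine: score for machine, score, _ in parsed},
        "common": sorted(common),
        "only_on": {machine: sorted(names - common) for machine, _, names in parsed},
    }


if __name__ == "__main__":
    # Usage: point this at the real report.json files from each guest instead.
    print(json.dumps(diff_reports([REPORT_W7_32, REPORT_W7_64]), indent=2))
```

Signatures listed under `only_on` for one guest are the ones to examine: whether they depend on API hooks or artefacts that exist only on that OS or architecture, or on something environmental such as the network indicators the post mentions.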