Friday, February 27, 2015

Signature Additions

With the semi-working office parsing currently committed, I've now been focusing on creating additional functionality using Cuckoo's signature engine. Relating to the office file subject, we now have signatures which will fire a warning alert if a macro is detected in a document. We then do some basic string parsing for common phishing lures that I've seen (If you know of more, send them over and I'll add them to the signature). If a lure is detected, we bump up the severity to 'danger' (bootstrap term). I plan to also bump up the severity if we parse the macro and can 95% determine that it is malicious. However I do not feel the IOC parsing is capable of being that accurate currently.

Example of a macro with no phishing lures detected:




Example of a macro with phishing lure(s) detected:







Example of a office file that spawned a suspicious process:




The other neat signature I created deals with digging into one of the crypto API's that Cuckoomon hooks. Brad set me up with a function in Cuckoomon to log a larger amount of data, so it was trivial to tell the hook for the API to use the larger buffer. I had noticed decrypted data being passed through the behavioral analysis, however it was always clamped to the 256 bytes max log limit that is enforced with the standard buffer logger. With that restriction lifted, we can now parse out encrypted data. Currently only one API is utilizing the larger buffer as in practice, it's the only one I've seen have any useful data. Be on the lookout for the below signature, you may find similar results depending on your sample :)








I should mention, I've have better luck with crypto extraction when using a 32-bit analysis VM.

Monday, February 23, 2015

Better Office File Support

As of earlier this weekend my Cuckoo install supports static analysis of Office Files, 97-2003 (OLE Formats) and 2007+ (XML Formats). I have not published this to GitHub yet as I am still tuning some of the backend code to cope with some of the Dridex variants observed in the wild. There are also a few UI tweaks that I'm thinking of making. Some of the things I've tested and overcome are:
  • Non-ASCII macro names and other metadata
  • Multiple macros embedded into the same document
  • Handling various types of macro obfuscation

Looking for more samples so that I have a larger test bed to work with. I'd like to see what bugs arise before committing this code. It's basically a merger of Decalage's oletools code with the static.py processing module from Cuckoo. All VM's have office 2010 configured to autorun macros, so newer campaigns should still beacon out. This allows me to compare the results of the static analysis / parsers with the results from the behavioral analysis.

PS. Would also appreciate any feedback on UI improvements / enhancements.

EDIT: Based on recent submissions, I made some changes to the IOC parser (best effort at the end of the day). Have not had a chance to dig into the custom Xor functions (like key-based XOR), and currently variable based string concatenation is broken. I have re-ran the reporting modules and updated the front end to display the new IOC's. There is often times good luck in investigating the Dropped Files tab, as I have a button to display ASCII data. You can view many of the temporary files from the web interface itself. (ex. *.vbs / *.bat / *.ps1)

Friday, February 6, 2015

Initial Post

This is the initial post that I am going to do for upkeeping this Cuckoo instance. For reference, all code used in my custom cuckoo install will be available in my GitHub. It may not be 100% up to date, but any functionality on my sandbox will eventually be committed to GitHub.

It should be noted that, for now, analysis may be abandoned at any time due to the current development process. The recent addition of the Statistics Page (Brad's Fork, what my code is based on) made database changes. At this point it's easiest to just wipe the slate and start with fresh databases. This will eventually be updated and more stable. There are future plans to incorporate IDS alerting via Snort/Suricata which may require future database changes for MongoDB. So, just to reiterate, analysis data is currently volatile.

The current setup is using KVM and Libvirt with Cuckoo. At the moment there is only one VM, but in the future I am planning on expanding to five. Currently the VM(s) will have the following software installed:
  • .NET 4.5.2
  • Adobe Flash 16.0.0.305
  • Adobe Reader 11.0.10
  • Google Chrome 40.0.2214.111 m
  • Java 7u25
  • Mozilla Firefox 35.0.1
  • Office 2010 (Macros configured to auto-run)
    • Word
    • Excel
    • PowerPoint
    • Outlook

Feel free to reach out to me if you have any requests.