Friday, February 27, 2015

Signature Additions

With the semi-working office parsing currently committed, I've now been focusing on creating additional functionality using Cuckoo's signature engine. Relating to the office file subject, we now have signatures which will fire a warning alert if a macro is detected in a document. We then do some basic string parsing for common phishing lures that I've seen (if you know of more, send them over and I'll add them to the signature). If a lure is detected, we bump up the severity to 'danger' (Bootstrap term). I also plan to bump up the severity if we parse the macro and can determine with 95% confidence that it is malicious. However, I do not feel the IOC parsing is currently capable of being that accurate.
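As an added illustration of the macro/lure signature logic described above (this is not the project's own signature code), the function below takes a Cuckoo-style results dict and returns the severity the post describes: 'warning' when a macro is present, 'danger' when a phishing lure is also found. The lure phrase list and the results layout (`results['static']['office']['macros']` with a `code` key, plus `results['strings']`) are assumptions.

```python
import re

# Constructed lure phrases (assumption: the post does not list its own);
# regexes so minor wording variations in the document text still match.
LURE_PATTERNS = [
    re.compile(r"enable\s+(?:content|editing|macros?)", re.I),
    re.compile(r"protected\s+(?:view|document)", re.I),
    re.compile(r"macros?\s+(?:must|need to)\s+be\s+enabled", re.I),
]

def find_lures(text):
    """Return the distinct lure phrases matched in text, lower-cased."""
    hits = set()
    for pat in LURE_PATTERNS:
        for m in pat.finditer(text):
            hits.add(m.group(0).lower())
    return sorted(hits)

def assess_office_document(results):
    """Mimic the signature: None when no macro is present, otherwise a dict
    with a Bootstrap-style severity and the lures found. Assumed layout:
    results['static']['office']['macros'] is a list of dicts with a 'code'
    key; results['strings'] holds the document's extracted strings."""
    office = results.get("static", {}).get("office", {})
    macros = office.get("macros") or []
    if not macros:
        return None
    lures = set()
    for macro in macros:              # lure text inside the VBA itself
        lures.update(find_lures(macro.get("code", "")))
    for s in results.get("strings", []):  # lure text in the document body
        lures.update(find_lures(s))
    return {
        "macro_count": len(macros),
        "lures": sorted(lures),
        "severity": "danger" if lures else "warning",
    }

# Constructed sample results, not real Cuckoo output.
SAMPLE_LURE = {
    "static": {"office": {"macros": [
        {"code": 'Sub AutoOpen()\n    MsgBox "Hello"\nEnd Sub'}]}},
    "strings": ["This file is locked. Please Enable Content to view it."],
}
SAMPLE_CLEAN = {
    "static": {"office": {"macros": [
        {"code": 'Sub Main()\n    Range("A1").Value = 1\nEnd Sub'}]}},
    "strings": ["Quarterly report"],
}
```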

Example of a macro with no phishing lures detected:

Example of a macro with phishing lure(s) detected:

Example of an office file that spawned a suspicious process:

The other neat signature I created deals with digging into one of the crypto APIs that Cuckoomon hooks. Brad set me up with a function in Cuckoomon to log a larger amount of data, so it was trivial to tell the hook for the API to use the larger buffer. I had noticed decrypted data being passed through the behavioral analysis, but it was always clamped to the 256-byte maximum log limit enforced by the standard buffer logger. With that restriction lifted, we can now parse out the decrypted data. Currently only one API is using the larger buffer, since in practice it's the only one I've seen carry any useful data. Be on the lookout for the signature below; you may find similar results depending on your sample :)

I should mention, I've had better luck with crypto extraction when using a 32-bit analysis VM.

3 comments:

  1. It might be advantageous to turn off the delete option in the admin tab. Not sure you want public users having that option.

  2. I currently have not observed any issues with people deleting others' analysis. I have some code to restrict the admin tab and delete view to my LAN (it's a personal dev box at the end of the day) but due to the lack of abuse, it's currently uncommented. From what I can tell, most of the people that use the delete feature had deleted stuff that they submit, which I'm OK with.
