Friday, February 27, 2015

Signature Additions

With the semi-working office parsing currently committed, I've now been focusing on creating additional functionality using Cuckoo's signature engine. Relating to the office file subject, we now have signatures which will fire a warning alert if a macro is detected in a document. We then do some basic string parsing for common phishing lures that I've seen (If you know of more, send them over and I'll add them to the signature). If a lure is detected, we bump up the severity to 'danger' (bootstrap term). I plan to also bump up the severity if we parse the macro and can 95% determine that it is malicious. However I do not feel the IOC parsing is capable of being that accurate currently.

Example of a macro with no phishing lures detected:




Example of a macro with phishing lure(s) detected:







Example of a office file that spawned a suspicious process:




The other neat signature I created deals with digging into one of the crypto API's that Cuckoomon hooks. Brad set me up with a function in Cuckoomon to log a larger amount of data, so it was trivial to tell the hook for the API to use the larger buffer. I had noticed decrypted data being passed through the behavioral analysis, however it was always clamped to the 256 bytes max log limit that is enforced with the standard buffer logger. With that restriction lifted, we can now parse out encrypted data. Currently only one API is utilizing the larger buffer as in practice, it's the only one I've seen have any useful data. Be on the lookout for the below signature, you may find similar results depending on your sample :)








I should mention, I've have better luck with crypto extraction when using a 32-bit analysis VM.

2 comments:

  1. It might be advantageous to turn off the delete option in the admin tab. Not sure you want public users having that option.

    ReplyDelete
  2. I currently have not observed any issues with people deleting others' analysis. I have some code to restrict the admin tab and delete view to my LAN (it's a personal dev box at the end of the day) but due to the lack of abuse, it's currently uncommented. From what I can tell, most of the people that use the delete feature had deleted stuff that they submit, which I'm OK with.

    ReplyDelete