Inject issue to malware service process by CreateService API #77

Open
Tatsuya-hasegawa opened this issue Dec 5, 2019 · 6 comments

Comments

@Tatsuya-hasegawa

I found an issue: the cuckoo monitor doesn't inject into the malware's service process created through the CreateService API.

The cuckoo monitor tracks the Windows API calls related to Windows services:
https://github.com/cuckoosandbox/monitor/blob/master/sigs/services.rst
However, it doesn't add the spawned service's PID to the monitored process list.

My Cuckoo environments are as follows.
I use Cuckoo v2.0.6 and Cuckoo v2.0.7.
I tested with Cuckoo monitor builds whose version hashes are "e071e63a66e831163a40abc45109fdf71fee829e" and
"2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b".

I think this was enabled and worked in the old cuckoomon.
For example, these public CAPE analyses could inject into the service process.
https://capesandbox.com/analysis/8790/#
https://cape.contextis.com/analysis/116015/#
[screenshot: success-oldcuckoomon]

These are recent Emotet samples.
SHA256:
0caf8d097eb1865c30dedef5b77dcc7391ab1315ef9c9d3ffb4615f46444853e
0a97eac011861579aede08a858014590e4f814ef3050ba4cba0d90c217723293

Emotet executes its main C2 procedure in the spawned service process when it is run with admin privileges.
As you know, Emotet is on the rise.

Please give me any clue for patching the code to solve this issue.
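The gap described above is a parent/child one: a service registered with CreateService and started with StartService is launched by the Service Control Manager (services.exe), so its parent is never the sample and a hook that only follows the sample's own CreateProcess children never sees it. The following is an added example, not code from the cuckoo monitor or from this issue, showing how to correlate a sample's CreateService calls with processes later spawned under services.exe. The log records, PIDs and paths are constructed; the argument names lpServiceName and lpBinaryPathName are the Win32 ones, and the record layout is an assumption, not the monitor's log format.

```python
"""Added example: find SCM-spawned service processes a sample registered.

Not the cuckoo monitor's code. All PIDs, paths and log entries are
constructed; the ApiCall/Proc layout is an assumption for this example.
"""
import ntpath
import re
from dataclasses import dataclass

SCM_IMAGE = "services.exe"
# Constructed environment table for expanding the variables a service path usually carries.
ENV = {"SYSTEMROOT": r"C:\Windows", "WINDIR": r"C:\Windows"}


@dataclass
class ApiCall:
    pid: int    # calling process
    api: str    # hooked API name, e.g. CreateServiceW
    args: dict  # selected arguments as logged


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str  # full image path


def expand_env(path: str) -> str:
    """Expand %VAR% references using the constructed ENV table; unknown vars are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def binary_from_service_path(binary_path: str) -> str:
    """Reduce lpBinaryPathName to a normalized, lower-cased executable path.

    Handles '"C:\\p q\\x.exe" -a' (quoted, with arguments) and 'C:\\x.exe -k y'
    (unquoted). An unquoted path containing spaces is cut at the first space,
    which is also how the SCM's first resolution attempt treats it.
    """
    s = binary_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end > 0 else s[1:]
    else:
        exe = s.split(" ", 1)[0]
    return ntpath.normpath(expand_env(exe)).lower()


def registered_services(calls, monitored):
    """Map service name -> binary for CreateServiceA/W calls issued by monitored PIDs."""
    services = {}
    for c in calls:
        if c.pid in monitored and c.api in ("CreateServiceA", "CreateServiceW"):
            services[c.args["lpServiceName"]] = binary_from_service_path(c.args["lpBinaryPathName"])
    return services


def direct_children(procs, monitored):
    """PIDs whose parent is a monitored process: what a CreateProcess hook already catches."""
    return {p.pid for p in procs if p.ppid in monitored}


def scm_spawned_service_processes(calls, procs, monitored):
    """PIDs started by services.exe whose image matches a service the sample registered.

    Returns {pid: service_name}. A child-only approach misses these because
    their parent is the SCM. Services hosted in a shared svchost.exe would need
    command-line matching instead, which this example does not attempt.
    """
    by_binary = {exe: name for name, exe in registered_services(calls, monitored).items()}
    scm_pids = {p.pid for p in procs if ntpath.basename(p.image).lower() == SCM_IMAGE}
    found = {}
    for p in procs:
        if p.ppid in scm_pids and ntpath.normpath(p.image).lower() in by_binary:
            found[p.pid] = by_binary[ntpath.normpath(p.image).lower()]
    return found


# Constructed sample data: PID 1234 is the monitored sample, PID 600 is services.exe.
SAMPLE_CALLS = [
    ApiCall(1234, "CreateServiceW", {"lpServiceName": "UpdSvc",
                                    "lpBinaryPathName": r'"%SystemRoot%\SysWOW64\updsvc.exe"'}),
    ApiCall(1234, "StartServiceW", {"lpServiceName": "UpdSvc"}),
]
SAMPLE_PROCS = [
    Proc(600, 520, r"C:\Windows\System32\services.exe"),
    Proc(1234, 3000, r"C:\Users\user\Desktop\sample.exe"),
    Proc(1500, 1234, r"C:\Windows\System32\cmd.exe"),     # ordinary child of the sample
    Proc(2200, 600, r"C:\Windows\SysWOW64\updsvc.exe"),   # spawned by the SCM for UpdSvc
    Proc(2300, 600, r"C:\Windows\System32\svchost.exe"),  # unrelated service, also under the SCM
]

if __name__ == "__main__":
    print("children seen by a CreateProcess hook:", direct_children(SAMPLE_PROCS, {1234}))
    print("service processes to add:", scm_spawned_service_processes(SAMPLE_CALLS, SAMPLE_PROCS, {1234}))
```

On the constructed data the child-only view yields only the cmd.exe child, while the correlation picks out PID 2200 as the UpdSvc process and ignores the unrelated svchost.exe under the same parent. In a live monitor the same matching would have to run at the time the new process appears (for instance from a process-creation notification) rather than over a finished log, otherwise the service has already run before it is injected.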

@doomedraven

Just FYI, cape isn't using the old cuckoomon anymore; it was rewritten, and the loader too.

@Tatsuya-hasegawa
Author

Thank you very much for your comment.
Do you think this is an issue?

@doomedraven

Is the issue in cuckoomon? Yes, but it is not related to cape at all. It could be related to the old cuckoomon, but as I told you, cape doesn't use it anymore.

@Tatsuya-hasegawa
Author

Oh, I see! Thank you!

I want to patch the code to solve this issue.
Unfortunately, I haven't found the code point to patch...

@doomedraven

Sorry, I can't help here, but you can always try https://hatching.io/solutions

@Tatsuya-hasegawa
Author

Oops. I understand what you want to say.
Thanks.
