Inject issue to malware service process by CreateService API #77
Comments
just FYI cape isn't using old cuckoomon anymore, it was rewritten and the loader also
Thank you very much for your comment.
Is the issue in cuckoomon? Yes, but it's not related to cape at all; it could be related to old cuckoomon, but as I told you, cape doesn't use it anymore
Oh, I see! Thank you! I want to patch the code to solve this issue.
sorry, can't help here, but you can always do https://hatching.io/solutions
oops. I understand what you want to say.
I found an issue: the cuckoo monitor doesn't inject into the malware's service process created via the CreateService API.
The cuckoo monitor tracks the Windows API calls related to Windows services:
https://github.com/cuckoosandbox/monitor/blob/master/sigs/services.rst
However, it doesn't add the spawned service PID to the monitored process list.
My Cuckoo environments are as follows.
I use Cuckoo v2.0.6 and Cuckoo v2.0.7.
I tested with Cuckoo monitor versions whose commit hashes are "e071e63a66e831163a40abc45109fdf71fee829e" and
"2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b".
I think that was enabled and worked in the old cuckoomon.
For example, these public CAPE analyses could inject into the service process.
https://capesandbox.com/analysis/8790/#
https://cape.contextis.com/analysis/116015/#
They are recent Emotet malware samples.
SHA256:
0caf8d097eb1865c30dedef5b77dcc7391ab1315ef9c9d3ffb4615f46444853e
0a97eac011861579aede08a858014590e4f814ef3050ba4cba0d90c217723293
Emotet executes its main C2 procedure under the spawned service process when run with admin privileges.
As you know, Emotet is on the rise.
Please give me any clue for patching the code to solve this issue.
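To make the gap concrete, here is an added example of the monitoring logic in question (written for this thread; it is not the cuckoo monitor's code and does not use its real log format, and the PIDs, image paths and event shape are constructed). It shows why a sandbox that follows new processes only by parent PID misses a service started through CreateService/StartService, since the service binary is launched by services.exe rather than by the sample, and how correlating the binary path recorded at CreateService time with later process-start events lets the spawned service be added to the monitored set.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    pid: int            # process that produced the event
    kind: str           # "api" for a hooked call, "process_start" for a new process
    data: dict = field(default_factory=dict)

def service_image(binary_path):
    """Extract the executable from a CreateService lpBinaryPathName.

    The value may carry arguments (a quoted path followed by switches),
    so take the quoted segment or the first token, then lower-case it."""
    p = binary_path.strip()
    if p.startswith('"'):
        p = p[1:p.find('"', 1)]
    else:
        p = p.split()[0]
    return p.lower()

def follow_by_parent(events, monitored):
    """Follow new processes only when their parent is already monitored."""
    seen = set(monitored)
    for e in events:
        if e.kind == "process_start" and e.data["ppid"] in seen:
            seen.add(e.pid)
    return seen

def follow_with_service_correlation(events, monitored):
    """Also follow a process whose image matches a service registered
    via CreateServiceA/W by a monitored process."""
    seen = set(monitored)
    service_paths = set()
    for e in events:
        if e.kind == "api" and e.pid in seen and e.data["name"] in ("CreateServiceA", "CreateServiceW"):
            service_paths.add(service_image(e.data["binary_path"]))
        elif e.kind == "process_start":
            if e.data["ppid"] in seen or e.data["image"].lower() in service_paths:
                seen.add(e.pid)
    return seen

# Constructed sample trace (hypothetical PIDs and paths, not taken from the issue):
SAMPLE_EVENTS = [
    Event(1000, "api", {"name": "CreateServiceW",
                        "binary_path": r'"C:\ProgramData\svchelper.exe" -svc'}),
    Event(1000, "api", {"name": "StartServiceW", "service": "svchelper"}),
    Event(2001, "process_start", {"ppid": 1000, "image": r"C:\Windows\System32\cmd.exe"}),
    # the service binary is started by services.exe (PID 600), not by the sample
    Event(2000, "process_start", {"ppid": 600, "image": r"C:\ProgramData\svchelper.exe"}),
]
```

Running `follow_by_parent(SAMPLE_EVENTS, {1000})` yields only the sample and its direct child, while `follow_with_service_correlation` also picks up PID 2000, the service process.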