Cuckoo Tips’n’Tricks
hello! I am Andriy Brukhovetskyy
● Senior Security Researcher at FireEye iSight Intelligence
● Member of -> meh boring stuff
● Cuckoo FANboy
1. Agenda and Best practices
● RTFM and do searches in Issues = <333
● Initial tips ‘n’ tricks
● Hooks
● Signatures += Extractors
● Goodies
Everything can be applied to Cuckoo V2 and Cuckoo-modified
What is Cuckoo?
● Official Page - Official repository
● Main dev - Jurriaan Bremer
● F**k yeah, it has the documentation
● Scalable? Official dist VS mine dist.py - can be ported to v2
○ Don’t use tags in distributed cuckoo - it will break it
+----+-------+----------------+---------+
| id | name  | url            | enabled |
+----+-------+----------------+---------+
|  1 | node1 | http://X:8090/ |       1 |
|  2 | node2 | http://X:8090/ |       1 |
|  3 | node3 | http://x:8090/ |       1 |
|  4 | node4 | http://X:8090/ |       1 |
|  5 | node5 | http://X:8090/ |       1 |
+----+-------+----------------+---------+
Supported platforms:
● Windows
● Linux
● Darwin
● Android (use cuckoo v1.2)
What is Cuckoo?
Supported hypervisors:
● KVM <333
● QEMU
● VirtualBox +(remote)
● VmWare/ESX/VsPhere
● XEN
● Physical (FOG)
● “Openstack” platform
“Why reinvent the wheel!?”
Why Cuckoo?
● Active project
● Coded in python
● Good setup -> KVM
● Easy to extend
● Kernel Driver aka Zer0m0n integration is coming
● Alternatives? Forks? Clones?
○ Demo 1 - Cuckoo v2 VS Cuckoo-Modified (Dead)
○ Cuckoo - CAPE (based on cuckoo-modified)
How to easily retrieve our goodies aka configs
● In all signatures use a common key -> mlw_config
● Add to views.py or api.py (need to add /iocs)
if "mlw_config" in buf:
    data["mlw_config"] = buf["mlw_config"]
● Forget about those huge JSONs with more than xxx MBs
Hooks in Cuckoo v2
● MSDN
● Hooks documentation
● Current Hooks
● Dependencies:
○ sudo apt-get install mingw-w64 python-pip nasm
○ sudo pip install sphinx docutils pyyaml
● To compile just type make
○ Replace files in $CUCKOO_ROOT/data/monitor/latest with files from monitor/bin/
HeapFree
========

Signature::

    * Interesting: yes
    * Library: kernel32
    * Return value: BOOL

Parameters::

    * HANDLE hHeap
    * DWORD dwFlags
    * LPVOID lpMem

Pre::

    int buflen = 0;
    LPVOID buffer;

    // Copy the block before it is released so the log shows what was freed.
    buflen = HeapSize(hHeap, dwFlags, lpMem);
    // Monitor-owned (zeroed) buffer: it is released with mem_free() in Post::,
    // which is the matching allocator; the extra 2 bytes terminate buf1.
    buffer = mem_alloc(buflen + 2);
    copy_bytes(buffer, lpMem, buflen);

Logging::

    P Address lpMem
    b buf buflen,buffer
    i size buflen
    s buf1 buffer

Post::

    mem_free(buffer);
Hooks in Cuckoo-Modified
● How to compile?
● Visual Studio (Express >= 2015)
● Load solution file, modify the files
● Select Release and press build
■ ctrl+shift+b
● Place cuckoomod*.dll in:
○ $CUCKOO_ROOT/analyzer/windows/dll
#### cuckoomon.c
HOOK(kernel32, HeapFree)

#### hooks.h
extern HOOKDEF(BOOL, WINAPI, HeapFree,
    __in HANDLE hHeap,
    __in DWORD dwFlags,
    __in LPVOID lpMem
);

#### hook_file.c
HOOKDEF(BOOL, WINAPI, HeapFree,
    __in HANDLE hHeap,
    __in DWORD dwFlags,
    __in LPVOID lpMem
) {
    int buflen = 0;
    LPVOID buffer;

    // Copy the block before it is released so the log shows what was freed.
    buflen = HeapSize(hHeap, dwFlags, lpMem);
    if (buflen == -1) buflen = 0;          // HeapSize failed ((SIZE_T)-1): log nothing
    buffer = HeapAlloc(hHeap, dwFlags, buflen + 2);
    if (buffer != NULL) memcpy(buffer, lpMem, buflen);

    BOOL ret = Old_HeapFree(hHeap, dwFlags, lpMem);
    LOQ_bool("process", "Pib", "Address", lpMem, "buflen", buflen, "buf",
        buffer != NULL ? buflen + 2 : 0, buffer);

    // Release the scratch copy through the original function, otherwise every
    // hooked HeapFree leaks buflen + 2 bytes on the target's heap.
    if (buffer != NULL) Old_HeapFree(hHeap, dwFlags, buffer);
    return ret;
}
Supervisor + FDs
● Too many open files? No please :(
● Ulimit? - no
● In case you are using Supervisor, set minfds in supervisord.conf
Signatures -> abstracts.py
● Signatures VS modules
● Skeleton of basic signature:
○ filter_apinames
○ on_call
○ on_complete
● My extra checks:
○ Check if detected from behavior (on_call)
○ Check Suricata
○ Check file name (scripted upload)
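An added illustration of the skeleton above together with the mlw_config retrieval slide (this is example code written for this page, not code from the talk or from Cuckoo): a signature implementing filter_apinames, on_call and on_complete that stores its extracted configuration under the common key mlw_config, and the /iocs-style extraction that pulls only those keys out of a report instead of the whole JSON. The Signature base class, the run_signature driver and the API-call records are stand-ins constructed here; Cuckoo's real base class lives in abstracts.py and its call records differ in detail.

```python
"""Signature skeleton storing its findings under the common key mlw_config,
plus the /iocs-style extraction the slides suggest adding to api.py.

Added example: the Signature base class, run_signature() driver and the call
records are stand-ins constructed here; Cuckoo's real base class lives in
abstracts.py and its call records differ in detail."""
import json

# Constructed per-process API call records in the shape the analyzer produces
# (behavior.processes[].calls); hostnames are reserved .invalid names.
SAMPLE_PROCESSES = [
    {"pid": 1234, "process_name": "sample.exe", "calls": [
        {"api": "LoadLibraryA", "arguments": {"module_name": "wininet.dll"}},
        {"api": "InternetConnectA",
         "arguments": {"hostname": "cnc.example.invalid", "port": 8080}},
        {"api": "HttpOpenRequestA",
         "arguments": {"http_method": "POST", "path": "/gate.php"}},
        {"api": "InternetConnectA",
         "arguments": {"hostname": "backup.example.invalid", "port": 80}},
        {"api": "HttpOpenRequestA",
         "arguments": {"http_method": "POST", "path": "/gate.php"}},
    ]},
    {"pid": 1300, "process_name": "explorer.exe", "calls": [
        {"api": "RegOpenKeyExA", "arguments": {"regkey": "HKCU\\Software\\Example"}},
    ]},
]

class Signature(object):
    """Stand-in for the base class in abstracts.py (assumption): the three
    hook points named on the slide, nothing more."""
    name = "base"
    filter_apinames = set()   # empty set means: receive every call

    def __init__(self):
        self.data = []        # what the signature reports when it matches

    def on_call(self, call, process):
        raise NotImplementedError

    def on_complete(self):
        return bool(self.data)

class ExampleC2Config(Signature):
    """Collect C2 host:port and gate path from WinINet calls and expose them
    under mlw_config, the common key every config-extracting signature uses."""
    name = "example_c2_config"
    filter_apinames = set(["InternetConnectA", "HttpOpenRequestA"])

    def __init__(self):
        Signature.__init__(self)
        self.hosts = []
        self.paths = set()

    def on_call(self, call, process):
        args = call["arguments"]
        if call["api"] == "InternetConnectA":
            host = "%s:%d" % (args["hostname"], args["port"])
            if host not in self.hosts:
                self.hosts.append(host)
        else:
            self.paths.add(args["path"])

    def on_complete(self):
        if not self.hosts:
            return False
        self.data.append({"mlw_config": {
            "family": "example", "c2": self.hosts, "gate": sorted(self.paths)}})
        return True

def run_signature(sig, processes):
    """Drive a signature the way the analyzer does: only calls whose api name
    is in filter_apinames reach on_call; on_complete gives the verdict."""
    for process in processes:
        for call in process["calls"]:
            if not sig.filter_apinames or call["api"] in sig.filter_apinames:
                sig.on_call(call, process)
    return sig.on_complete()

def build_report(processes, signatures):
    """The slice of report.json the /iocs view needs: matched signatures only."""
    matched = []
    for sig in signatures:
        if run_signature(sig, processes):
            matched.append({"name": sig.name, "data": sig.data})
    return {"signatures": matched}

def extract_configs(report):
    """The two-line check from the slide, applied to every signature's data:
    return {signature name: mlw_config} and nothing else from the report."""
    configs = {}
    for sig in report.get("signatures", []):
        for buf in sig.get("data", []):
            if "mlw_config" in buf:
                configs[sig["name"]] = buf["mlw_config"]
    return configs

if __name__ == "__main__":
    report = build_report(SAMPLE_PROCESSES, [ExampleC2Config()])
    print(json.dumps(extract_configs(report), indent=2, sort_keys=True))
```

The filter does the heavy lifting: LoadLibraryA and RegOpenKeyExA never reach on_call, and extract_configs returns the C2 list and gate path without touching the rest of the report.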
Extractors
● Bridge between Signature <> Volatility/others
○ from modules.processing.memory import VolatilityAPI
○ Filter the tasks by pids
● Why?
● How?
● Dumped processes VS vm memory dump
Demo 2 - Andromeda/Gamarue
● Andromeda_vol.py + Josemi = <3
● Was:
signatures = {
    'androm': """rule andromeda {
        strings:
            $fmt1 = "id:%lu|bid:%lu|os:%lu"
            $fmt2 = "{\\"id\\":%lu,\\"bid\\":%lu,\\"os\\":%lu"
            $s1 = "aReport"
            $s2 = "aStart"
            $s3 = "aUpdate"
            $s4 = "User-Agent: Mozi1la/4.0"
        condition: 1 of ($fmt*) and 1 of ($s*)
    }
    """
}
● @DoomedRaven: @Seifreed make me an yara
● @Seifreed: No!
● @DoomedRaven: sudo @Seifreed make me an yara
● @Seifreed: Done :)
● @Seifreed we love you <3
Demo 2 - Andromeda/Gamarue
● Andromeda_vol.py + Josemi = <3
● Became:
signatures = {
    'androm': """rule andromeda {
        strings:
            $fmt1 = "id:%lu|bid:%lu|os:%lu"
            $fmt2 = "{\\"id\\":%lu,\\"bid\\":%lu,\\"os\\":%lu"
            $fmt3 = "id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu"
            $fmt4 = "id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu"
            $fmt5 = "id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu"
            $fmt6 = "{\\"id\\":%lu,\\"bid\\":%lu,\\"os\\":%lu,\\"la\\":%lu,\\"rg\\":%lu}"
            $fmt7 = "{\\"id\\":%lu,\\"bid\\":%lu,\\"os\\":%lu,\\"la\\":%lu,\\"rg\\":%lu,\\"bb\\":%lu}"
        condition: 1 of ($fmt*)
    }
    """
}
/*
Update this function when a new version is seen -->
id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu (<= 2.06)
id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu (2.07/2.08)
id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu (2.09)
{"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu} (2.10?)
{"id":%lu,"tid":%lu,"err":%lu,"w32":%lu} (version 2.10)
{"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu} (2.10.2)
more at http://eternal-todo.com/blog/andromeda-gamarue-loves-json
*/
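An added example, not the author's Andromeda_vol.py, tying the Extractors slide to the rule above: the pid filtering stands for "filter the tasks by pids", and scan_dump() stands in for the YARA match over a dumped process, written in pure Python so it runs without yara or Volatility. The process dumps and pids are constructed bytes; the format strings and version notes are exactly those in the comment above, and the two short strings from the rule ($fmt1/$fmt2) have no entry in that version table, so they are reported as such. The scanner also handles the one subtlety the rule glosses over: $fmt1 and $fmt2 are prefixes of the longer, versioned strings, so a naive scan would report two hits for one string.

```python
"""Extractor-style scan for Andromeda/Gamarue report format strings.

Added example: pid filtering mirrors the "filter the tasks by pids" step and
scan_dump() stands in for the YARA match over a dumped process. The dumps
below are constructed bytes, not real memory."""

# (format string, version note) pairs from the comment on the slide; the last
# two are the short $fmt1/$fmt2 strings, which the version table does not cover.
ANDROMEDA_FORMATS = [
    (b"id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu", "<= 2.06"),
    (b"id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu", "2.07/2.08"),
    (b"id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu", "2.09"),
    (b'{"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu}', "2.10?"),
    (b'{"id":%lu,"tid":%lu,"err":%lu,"w32":%lu}', "2.10"),
    (b'{"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu}', "2.10.2"),
    (b"id:%lu|bid:%lu|os:%lu", "not in version table ($fmt1)"),
    (b'{"id":%lu,"bid":%lu,"os":%lu', "not in version table ($fmt2)"),
]

# Constructed stand-ins for procdump output: pid -> raw bytes.
SAMPLE_DUMPS = {
    1234: b"\x00" * 16 + b"id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu\x00"
          + b"\x90" * 8 + b"aReport\x00aStart\x00aUpdate\x00",
    1300: b"unrelated process memory, nothing to see here " * 4,
    1400: b'{"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu}\x00',
}

def scan_dump(data):
    """Return sorted (offset, format, version) hits for every report format in
    data. Longer formats are searched first and claim their offset, so the
    $fmt1/$fmt2 prefixes do not produce a second, version-less hit."""
    hits, claimed = [], set()
    for fmt, version in sorted(ANDROMEDA_FORMATS, key=lambda f: -len(f[0])):
        start = 0
        while True:
            off = data.find(fmt, start)
            if off < 0:
                break
            if off not in claimed:
                hits.append((off, fmt.decode("ascii"), version))
                claimed.add(off)
            start = off + 1
    return sorted(hits)

def extract(process_dumps, pids):
    """Extractor step: scan only the dumps of pids the signature flagged and
    summarise what each one contained."""
    result = {}
    for pid, data in process_dumps.items():
        if pid not in pids:
            continue
        hits = scan_dump(data)
        if hits:
            result[pid] = {
                "formats": [fmt for _, fmt, _ in hits],
                "versions": sorted(set(version for _, _, version in hits)),
            }
    return result

if __name__ == "__main__":
    found = extract(SAMPLE_DUMPS, set([1234, 1300, 1400]))
    for pid in sorted(found):
        print(pid, found[pid]["versions"], found[pid]["formats"])
```

In a real extractor the pid set comes from the signature's on_call matches and the bytes from the dumped processes (or from VolatilityAPI over the VM memory dump); only the matching step changes.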
Demo 2 - Andromeda/Gamarue
● Andromeda_vol.py + Josemi = <3
● Same:
Demo 3 - Locky
● Step by step manual - must read!
Now time for real goodies ;)
WebGui visualization of configs
● In Cuckoo-Modified
○ Vim $CUCKOO_ROOT/web/templates/analysis/report.html
● Cuckoo v2 - See customizations slide
{% if analysis.mlw_config %}
<li><a href="#config" data-toggle="tab">Config</a></li>
{% endif %}
<li><a href="#statistics" data-toggle="tab">Statistics</a></li>
<li><a href="#admin" data-toggle="tab">Admin</a></li>

{% if analysis.mlw_config %}
<div class="tab-pane fade" id="config">
    {% include "analysis/configs/index.html" %}
</div>
{% endif %}
<div class="tab-pane fade" id="statistics">
    {% include "analysis/statistics/index.html" %}
</div>
<div class="tab-pane fade" id="admin">
    {% include "analysis/admin/index.html" %}
</div>
</div>
{% endblock %}
Goodies - Exit nodes
● From our friends @charly837 & @hackplayers
Goodies - Packages
Goodies - Reporting
Goodies - EK Troller 2000
● Cuckoo v2 supports Mitmproxy, so here is time to play
● Inject EK expected header(s) on the fly into request(s) which come from Cuckoo.
import json

def request(context, flow):
    res = sqliter(flow.request.url, 'select')
    if res:
        headers = json.loads(res)
        exit_node = headers.get('exit_node', False)
        if exit_node:
            <removed>
        for header, value in headers.items():
            if header and value:
                flow.request.headers[bytes(header)] = bytes(value)
Goodies - SMTP Sinkhole
● Don’t be a spammer, intercept and process it!
wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/legacy/utils/smtp_sinkhole.py -O smtp_sinkhole.py
mkdir dumps
python smtp_sinkhole.py 0.0.0.0 1025 --dir dumps
# smtp
sudo iptables -t nat -A PREROUTING -i IFACE -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 1025
sudo iptables -t nat -A PREROUTING -i IFACE -p tcp -m tcp --sport 25 -j REDIRECT --to-ports 1025
# tls + ssl
sudo iptables -t nat -A PREROUTING -i IFACE -p tcp -m tcp --dport 465 -j REDIRECT --to-ports 1025
Goodies - Work in progress in cuckoo V2
Extracted Powershell Artifacts
Goodies - toaster.huntingmalware.com
Customizations? Why Not?
And many others...
¿Q&A?
My twitter: @d00m3dr4v3
Special thanks to: my team and orgs