Cuckoo Tips’n’Tricks

hello!I am Andriy Brukhovetskyy

● Senior Security Researcher at FireEye iSight Intelligence

● Member of -> meh boring stuff● Cuckoo FANboy

1.Agenda and Best practices

RTFM and do searches in Issues = <333Initial tips ‘n’ tricks

HooksSignatures += Extractors

GoodiesEverything can be applied to Cuckoo V2 and Cuckoo-

modified

What is Cuckoo?● Official Page - Official repository● Main dev - Jurriaan Bremer● F**k yeah, it has the documentation● Scalable? Official dist VS mine dist.py - can be ported to

v2○ Don’t use tags in distributed cuckoo - it will break it

+ ----+ --------+ ----------------+ ---------+

| id | nam e | url | enabled |

+ ----+ --------+ ----------------+ ---------+

| 1 | node1 | http://X:8090/ | 1 |

| 2 | node2 | http://X:8090/ | 1 |

| 3 | node3 | http://x:8090/ | 1 |

| 4 | node4 | http://X:8090/ | 1 |

| 5 | node5 | http://X:8090/ | 1 |

+ ----+ --------+ ----------------+ ---------+

Supported platforms:● Windows● Linux● Darwin● Android (use cuckoo

v1.2)

What is Cuckoo?

Supported hypervisors:

● KVM <333● QEMU● VirtualBox +(remote)● VmWare/ESX/VsPhere● XEN● Physical (FOG)● “Openstack” platform

“Why reinvent the

wheel!?

2

Why Cuckoo?

● Active project● Coded in python● Good setup -> KVM● Easy to extend● Kernel Driver aka Zer0m0n integration are

coming● Alternatives? Forks? Clones?

○ Demo 1 - Cuckoo v2 VS Cuckoo-Modified(Dead)

○ Cuckoo - CAPE (based on cuckoo-modified)

3

How easily retrieve our goodies aka configs● In all signatures use common key as ->

mlw_config● Add to views.py or api.py (need to add /iocs)

if "m lw _config" in buf:

data["m lw _config"] = buf["m lw _config"]

● Forget about that huge jsons with more than xxx MBs

Hooks in Cuckoo v2

● MSDN● Hooks documentation● Current Hooks

● Dependencies:○ sudo apt-get install mingw-w64 python-pip

nasm○ sudo pip install sphinx docutils pyyaml

● To compile just type make○ Replace files in

$CUCKOO_ROOT/data/monitor/latest with files from monitor/bin/

HeapFree

= = = = = = = =

Signature::

* Interesting: yes

* Library: kernel32

* Return value: BO O L

Param eters::

* HAND LE hHeap

* DW O RD dw Flags

* LPVO ID lpM em

Pre::

int buflen = 0;

LPVO ID buffer;

buflen = HeapSize(hHeap,dw Flags,lpM em );

buffer = HeapAlloc(hHeap,dw Flags,buflen+ 2);

copy_bytes(buffer,lpM em ,buflen);

Logging::

P Address lpM em

b buf buflen,buffer

i size buflen

s buf1 buffer

Post::

m em _free(buffer);

Hooks in Cuckoo-Modified

● How to compile?● Visual Studio(Express >=

2015)● Load solution file, modify the

files● Select Release and press build

■ ctrl+shift+b● Place cuckoomod*.dll in:

○ $CUCKOO_ROOT/analyzer/windows/dll

# # # # cuckoom on.c

HO O K(kernel32, HeapFree)

# # # # hooks.h

extern HO O KD EF(BO O L, W INAPI, HeapFree,

__in HANDLE hHeap,

__in DW O RD dw Flags,

__in LPVO ID lpM em

);

# # # # hook_file.c

HO O KDEF(BO O L, W INAPI, HeapFree,

__in HANDLE hHeap,

__in DW O RD dw Flags,

__in LPVO ID lpM em

) {

int buflen = 0;

LPVO ID buffer;

buflen = HeapSize(hHeap, dw Flags, lpM em );

buffer = HeapAlloc(hHeap, dw Flags, buflen + 2);

m em cpy(buffer, lpM em , buflen);

BO O L ret = O ld_HeapFree(hHeap, dw Flags, lpM em );

LO Q _bool("process", "Pib", "Address", lpM em , "buflen", buflen, "buf",

buflen+ 2, buffer);

return ret;

}

Supervisor + FDs

● Too many open files? No please :(

● Ulimit? - no

●In case if you using Supervisor set minfds in supervisord.conf

Signatures -> abstracts.py

● Signatures VS modules● Skeleton of basic signature:

○ filter_apinames○ on_call○ on_complate

● My extra checks:○ Check if detected from behavior

(on_call)○ Check Suricata○ Check file name (scripted upload)

Extractors

● Bridge between Signature <> Volatility/others○ from m odules.processing.m em ory im port VolatilityAPI

○ Filter the tasks by pids

● Why?● How?● Dumped processes VS vm memory dump

Demo 2 - Andromeda/Gamarue

● Andromeda_vol.py + Josemi = <3● Was:

signatures = {

'androm ': """rule androm eda {

strings:

$fm t1 = "id:% lu|bid:% lu|os:% lu"

$fm t2 = "{\\"id\\":% lu,\\"bid\\":% lu,\\"os\\":% lu"

$s1 = "aReport"

$s2 = "aStart"

$s3 = "aUpdate"

$s4 = "User-Agent: M ozi1la/4.0"

condition: 1 of ($fm t*) and 1 of ($s*)

}

"""

}

● @DoomedRaven: @Seifreed make me an yara

● @Seifreed: No!● @DoomedRaven: sudo

@Seifreed make me an yara● @Seifreed: Done :)

● @Seifreed we love you <3

Demo 2 - Andromeda/Gamarue

● Andromeda_vol.py + Josemi = <3● Become:

signatures = {

'androm ': """rule androm eda {

strings:

$fm t1 = "id:% lu|bid:% lu|os:% lu"

$fm t2 = "{\\"id\\":% lu,\\"bid\\":% lu,\\"os\\":% lu"

$fm t3 = "id:% lu|bid:% lu|bv:% lu|sv:% lu|pa:% lu|la:% lu|ar:% lu"

$fm t4 = "id:% lu|bid:% lu|bv:% lu|os:% lu|la:% lu|rg:% lu"

$fm t5 = "id:% lu|bid:% lu|os:% lu|la:% lu|rg:% lu"

$fm t6 = "{\\"id\\":% lu,\\"bid\\":% lu,\\"os\\":% lu,\\"la\\":% lu,\\"rg\\":% lu}"

$fm t7 = "{\\"id\\":% lu,\\"bid\\":% lu,\\"os\\":% lu,\\"la\\":% lu,\\"rg\\":% lu,\\"bb\\":% lu}"

condition: 1 of ($fm t*)

}

"""

}

/*

Update this function w hen a new version is seen -->

id:% lu|bid:% lu|bv:% lu|sv:% lu|pa:% lu|la:% lu|ar:% lu (< = 2.06)

id:% lu|bid:% lu|bv:% lu|os:% lu|la:% lu|rg:% lu (2.07/2.08)

id:% lu|bid:% lu|os:% lu|la:% lu|rg:% lu (2.09)

{"id":% lu,"bid":% lu,"os":% lu,"la":% lu,"rg":% lu} (2.10?)

{"id":% lu,"tid":% lu,"err":% lu,"w 32":% lu} (version 2.10)

{"id":% lu,"bid":% lu,"os":% lu,"la":% lu,"rg":% lu,"bb":% lu} (2.10.2)

m ore at http://eternal-todo.com /blog/androm eda-gam arue-loves-json

*/

Demo 2 - Andromeda/Gamarue

● Andromeda_vol.py + Josemi = <3● Igual:

Demo 3 - Locky

● Step by step manual

must read!

Now time for real goodies ;)

Now time for real goodies ;)

WebGui visualization of configs● In Cuckoo-Modified

○ Vim $CUCKOO_ROOT/web/templates/analysis/report.html

● Cuckoo v2 - See customizations slide

{% if analysis.m lw _config % }

< li> < a href= "# config" data-toggle= "tab"> Config< /a> < /li>

{% endif % }

< li> < a href= "# statistics" data-toggle= "tab"> Statistics< /a> < /li>

< li> < a href= "# adm in" data-toggle= "tab"> Adm in< /a> < /li>

{% if analysis.m lw _config% }

< div class= "tab-pane fade" id= "locky">

{% include "analysis/configs/index.htm l" % }

{% endif % }

< div class= "tab-pane fade" id= "statistics">

{% include "analysis/statistics/index.htm l" % }

< /div>

< div class= "tab-pane fade" id= "adm in">

{% include "analysis/adm in/index.htm l" % }

< /div>

< /div>

{% endblock % }

Goodies - Exit nodes

● - From our friends @charly837 & @hackplayers

Goodies - Packages

Goodies - Reporting

Goodies - EK Troller 2000

● Cuckoo v2 supports Mitmproxy, so here is time to play● Inject EK expected header(s) on the fly to request(s) which comes from

Cuckoo.

def request(context, flow ):

res = sqliter(flow.request.url, 'select')

if res:

headers = json.loads(res)

exit_node = headers.get('exit_node', False)

if exit_node:

< rem oved>

for header, value in headers.item s():

if header and value:

flow.request.headers[bytes(header)] = bytes(value)

Goodies - SMTP Sinkhole

● Don’t be a spammer, intercept and process it!

w get https://raw.githubusercontent.com /cuckoosandbox/cuckoo/legacy/utils/sm tp_sinkhole.py -O sm tp_sinkhole.py

m kdir dum ps

python sm tp_sinkhole.py 0.0.0.0 1025 --dir dum ps

# sm tp

sudo iptables -t nat -A PRERO UTING -i IFACE -p tcp -m tcp --dport 25 -j RED IRECT --to-ports 1025

sudo iptables -t nat -A PRERO UTING -i IFACE -p tcp -m tcp --sport 25 -j REDIRECT --to-ports 1025

# tls + ssl

sudo iptables -t nat -A PRERO UTING -i IFACE -p tcp -m tcp --dport 465 -j REDIRECT --to-ports 1025

Goodies - Work in progress in cuckoo V2

Goodies - Work in progress in cuckoo V2

Goodies - Work in progress in cuckoo V2

Goodies - Work in progress in cuckoo V2

Goodies - Work in progress in cuckoo V2

Extracted Powershell Artifacts

Goodies - toaster.huntingmalware.com

Customizations? Why Not?

Any many others...

¿Q&A?M y tw itter:

@ d00m 3dr4v3

n

Special thanks to:

m y team and orgs